CVEs from 2026

| Metric | Value |
|---|---|
| Total | 14,170 |
| Critical | 1,106 |
| High | 3,897 |
| Medium | 3,929 |
| Low | 413 |
| % Critical | 7.8% |
| % with KEV | 0.4% |
| % with exploit | 0.4% |
Top products
- chrome 298
- firepower_threat_defense 298
- firepower_threat_defense_software 295
- openclaw 166
- gcp 135
- commerce 104
- commerce_b2b 89
- magento 74
Top packages
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2026-48027 | critical | 9.8 | 10.0 | 8h ago | Nx Console contains an embedded malicious code vulnerability that allowed a malicious version of Nx Console to be published. The compromised extension fetched an obfuscated payload that could harvest… | |
| CVE-2026-48172 | critical | 9.8 | 10.0 | 7d ago | LiteSpeed cPanel Plugin contains privilege escalation vulnerability that is exposed via the user-end cPanel plugin, which can be abused by any cPanel user account to execute arbitrary scripts with ro… | |
| CVE-2026-9082 | critical | 9.8 | 10.0 | 7d ago | Drupal Core contains a SQL injection vulnerability that could allow for privilege escalation and remote code execution via specially crafted requests sent with the database abstraction API. | |
| CVE-2026-8398 | critical | 9.8 | 10.0 | 13d ago | Daemon Tools contains an unspecified vulnerability that has a high impact on confidentiality, integrity, and availability. | |
| CVE-2026-20182 | critical | 10.0 | 10.0 | 13d ago | Cisco Catalyst SD-WAN Controller & Manager contain an authentication bypass vulnerability that allows an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges… | |
| CVE-2026-45321 | critical | 9.6 | 10.0 | 16d ago | Malware in @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys | |
| CVE-2026-42208 | critical | 9.8 | 10.0 | 20d ago | LiteLLM has SQL Injection in Proxy API key verification | |
| CVE-2026-0300 | critical | 9.8 | 10.0 | 21d ago | Palo Alto Networks PAN-OS contains an out-of-bounds write vulnerability in the User-ID Authentication Portal (aka Captive Portal) service that can allow an unauthenticated attacker to execute arbitra… | |
| CVE-2026-41940 | critical | 9.8 | 10.0 | 28d ago | WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized a… | |
| CVE-2026-33017 | critical | 9.8 | 10.0 | 2mo ago | Langflow contains a code injection vulnerability that could allow building public flows without requiring authentication. | |
| CVE-2026-24858 | critical | 9.8 | 10.0 | 4mo ago | Fortinet FortiAnalyzer, FortiManager, FortiOS, and FortiProxy contain an authentication bypass using an alternate path or channel that could allow an attacker with a FortiCloud account and a register… | |
| CVE-2026-41091 | high | 7.8 | 9.3 | 7d ago | Microsoft Defender contains a link following vulnerability that allows an authorized attacker to elevate privileges locally. | |
| CVE-2026-31431 | high | 7.8 | 9.3 | 24d ago | Important: kernel-rt security update | |
| CVE-2026-45498 | high | 7.5 | 9.0 | 7d ago | Microsoft Defender contains an unspecified vulnerability that allows for denial of service. | |
| CVE-2026-6973 | high | 7.2 | 8.7 | 20d ago | Ivanti Endpoint Manager Mobile (EPMM) contains an improper input validation vulnerability that allows a remotely authenticated user with administrative access to achieve remote code execution. | |
| CVE-2026-34926 | medium | 6.7 | 8.2 | 6d ago | Trend Micro Apex One (on-premise) contains a directory traversal vulnerability that could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to depl… | |
| CVE-2026-42897 | medium | 6.1 | 7.6 | 13d ago | Microsoft Exchange Server contains a cross-site scripting vulnerability during web page generation in Outlook Web Access and when certain interaction conditions are met, arbitrary JavaScript can be e… | |
| CVE-2026-32202 | medium | 4.3 | 5.8 | 1mo ago | Microsoft Windows Shell contains a protection mechanism failure vulnerability that allows an unauthorized attacker to perform spoofing over a network. | |
| CVE-2026-33825 | unknown | — | 1.5 | 1mo ago | Microsoft Defender contains an insufficient granularity of access control vulnerability that could allow an authorized attacker to escalate privileges locally. | |
| CVE-2026-20122 | unknown | — | 1.5 | 1mo ago | Cisco Catalyst SD-WAN Manager contains an incorrect use of privileged APIs vulnerability due to improper file handling on the API interface of an affected system. An attacker could exploit this vulne… | |
| CVE-2026-20133 | unknown | — | 1.5 | 1mo ago | Cisco Catalyst SD-WAN Manager contains an exposure of sensitive information to an unauthorized actor vulnerability that could allow remote attackers to view sensitive information on affected systems. | |
| CVE-2026-20128 | unknown | — | 1.5 | 1mo ago | Cisco Catalyst SD-WAN Manager contains a storing passwords in a recoverable format vulnerability that allows an authenticated, local attacker to gain DCA user privileges by accessing a credential fil… | |
| CVE-2026-32201 | unknown | — | 1.5 | 1mo ago | Microsoft SharePoint Server contains an improper input validation vulnerability that allows an unauthorized attacker to perform spoofing over a network. | |
| CVE-2026-34621 | unknown | — | 1.5 | 2mo ago | Adobe Acrobat and Reader contain a prototype pollution vulnerability that allows for arbitrary code execution. | |
| CVE-2026-21643 | unknown | — | 1.5 | 2mo ago | Fortinet FortiClient EMS contains a SQL injection vulnerability that may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests. | |
| CVE-2026-39987 | unknown | — | 1.5 | 2mo ago | Marimo contains a pre-authorization remote code execution vulnerability, allowing an unauthenticated attacker to gain shell access and execute arbitrary system commands. | |
| CVE-2026-1340 | unknown | — | 1.5 | 2mo ago | Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution. | |
| CVE-2026-34197 | unknown | — | 1.5 | 2mo ago | Apache ActiveMQ contains an improper input validation vulnerability that allows for code injection. | |
| CVE-2026-35616 | unknown | — | 1.5 | 2mo ago | Fortinet FortiClient EMS contains an improper access control vulnerability that may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests. | |
| CVE-2026-3502 | unknown | — | 1.5 | 2mo ago | TrueConf Client contains a download of code without integrity check vulnerability. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the paylo… | |
| CVE-2026-5281 | unknown | — | 1.5 | 2mo ago | Google Dawn contains a use-after-free vulnerability that could allow a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. This vulnerability … | |
| CVE-2026-3055 | unknown | — | 1.5 | 2mo ago | Citrix NetScaler ADC (formerly Citrix ADC), NetScaler Gateway (formerly Citrix Gateway) and NetScaler ADC FIPS and NDcPP contain an out-of-bounds reads vulnerability when configured as a SAML IDP lea… | |
| CVE-2026-33634 | unknown | — | 1.5 | 2mo ago | Aquasecurity Trivy contains an embedded malicious code vulnerability that could allow an attacker to gain access to everything in the CI/CD environment, including all tokens, SSH keys, cloud credenti… | |
| CVE-2026-20131 | unknown | — | 1.5 | 2mo ago | Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management contain a deserialization of untrusted data vulnerability in the web-based management… | |
| CVE-2026-20963 | unknown | — | 1.5 | 2mo ago | Microsoft SharePoint contains a deserialization of untrusted data vulnerability that allows an unauthorized attacker to execute code over a network. | |
| CVE-2026-3909 | unknown | — | 1.5 | 3mo ago | Google Skia contains an out-of-bounds write vulnerability that could allow a remote attacker to perform out of bounds memory access via a crafted HTML page. This vulnerability affects Google Chrome a… | |
| CVE-2026-3910 | unknown | — | 1.5 | 3mo ago | Google Chromium V8 contains an improper restriction of operations within the bounds of a memory buffer vulnerability that could allow a remote attacker to execute arbitrary code inside a sandbox via … | |
| CVE-2026-1603 | unknown | — | 1.5 | 3mo ago | Ivanti Endpoint Manager (EPM) contains an authentication bypass using an alternate path or channel vulnerability that could allow a remote unauthenticated attacker to leak specific stored credential … | |
| CVE-2026-21385 | unknown | — | 1.5 | 3mo ago | Multiple Qualcomm chipsets contain a memory corruption vulnerability while using alignments for memory allocation. | |
| CVE-2026-22719 | unknown | — | 1.5 | 3mo ago | Broadcom VMware Aria Operations formerly known as vRealize Operations (vROps) contains a command injection vulnerability that allows an unauthenticated attacker to execute arbitrary commands, potenti… | |
| CVE-2026-20127 | unknown | — | 1.5 | 3mo ago | Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, contain an authentication bypass vulnerability that could allow an unauthenticated, re… | |
| CVE-2026-25108 | unknown | — | 1.5 | 3mo ago | Soliton Systems K.K FileZen contains an OS command injection vulnerability when a user logs in to the affected product and sends a specially crafted HTTP request. | |
| CVE-2026-22769 | unknown | — | 1.5 | 3mo ago | Dell RecoverPoint for Virtual Machines (RP4VMs) contains a use of hard-coded credentials vulnerability that could allow an unauthenticated remote attacker to gain unauthorized access to the underlyi… | |
| CVE-2026-2441 | unknown | — | 1.5 | 3mo ago | Google Chromium CSS contains a use-after-free vulnerability that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple… | |
| CVE-2026-1731 | unknown | — | 1.5 | 3mo ago | BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) contain an OS command injection vulnerability. Successful exploitation could allow an unauthenticated remote attacker to execute oper… | |
| CVE-2026-20700 | unknown | — | 1.5 | 4mo ago | Apple iOS, macOS, tvOS, watchOS, and visionOS contain an improper restriction of operations within the bounds of a memory buffer vulnerability that could allow an attacker with memory write the capab… | |
| CVE-2026-21514 | unknown | — | 1.5 | 4mo ago | Microsoft Office Word contains a reliance on untrusted inputs in a security decision vulnerability that could allow an authorized attacker to elevate privileges locally. | |
| CVE-2026-21519 | unknown | — | 1.5 | 4mo ago | Microsoft Desktop Windows Manager contains a type confusion vulnerability that could allow an authorized attacker to elevate privileges locally. | |
| CVE-2026-21525 | unknown | — | 1.5 | 4mo ago | Microsoft Windows Remote Access Connection Manager contains a NULL pointer dereference that could allow an unauthorized attacker to deny service locally. | |
| CVE-2026-21513 | unknown | — | 1.5 | 4mo ago | Microsoft MSHTML Framework contains a protection mechanism failure vulnerability that could allow an unauthorized attacker to bypass a security feature over a network. | |
| CVE-2026-21533 | unknown | — | 1.5 | 4mo ago | Microsoft Windows Remote Desktop Services contains an improper privilege management vulnerability that could allow an authorized attacker to elevate privileges locally. | |
| CVE-2026-21510 | unknown | — | 1.5 | 4mo ago | Microsoft Windows Shell contains a protection mechanism failure vulnerability that could allow an unauthorized attacker to bypass a security feature over a network. | |
| CVE-2026-24423 | unknown | — | 1.5 | 4mo ago | SmarterTools SmarterMail contains a missing authentication for critical function vulnerability in the ConnectToHub API method. This could allow the attacker to point the SmarterMail instance to a mal… | |
| CVE-2026-1281 | unknown | — | 1.5 | 4mo ago | Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution. | |
| CVE-2026-23760 | unknown | — | 1.5 | 4mo ago | SmarterTools SmarterMail contains an authentication bypass using an alternate path or channel vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and… | |
| CVE-2026-21509 | unknown | — | 1.5 | 4mo ago | Microsoft Office contains a security feature bypass vulnerability in which reliance on untrusted inputs in a security decision in Microsoft Office could allow an unauthorized attacker to bypass a sec… | |
| CVE-2026-24061 | unknown | — | 1.5 | 4mo ago | GNU InetUtils contains an argument injection vulnerability in telnetd that could allow for remote authentication bypass via a "-f root" value for the USER environment variable. | |
| CVE-2026-20045 | unknown | — | 1.5 | 4mo ago | Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unifie… | |
| CVE-2026-20805 | unknown | — | 1.5 | 5mo ago | Microsoft Windows Desktop Windows Manager contains an information disclosure vulnerability that allows an authorized attacker to disclose information locally. | |