CVEs from 2026

Total: 13,613

- critical: 1,176
- high: 4,271
- medium: 4,150
- low: 441

% Critical: 8.6%
% with KEV: 0.4%
% with exploit: 0.7%
Top products
- chrome 417
- firepower_threat_defense 298
- firepower_threat_defense_software 295
- gcp 229
- openclaw 166
- commerce 104
- commerce_b2b 89
- magento 74
Top packages
| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-42014 | high | — | 8.0 | 5d ago | RHSA-2026:20611: gnutls security update (Important) | |||
| CVE-2026-47138 | high | — | 8.0 | 8d ago | Parse Server: Pre-authentication denial of service via client version header regex backtracking | |||
| CVE-2026-46717 | high | — | 8.0 | 8d ago | Nezha Monitoring: RoleMember-reachable SSRF with full response-body reflection via POST /api/v1/notification | |||
| CVE-2026-46701 | high | — | 8.0 | 9d ago | Network-AI: Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret | |||
| CVE-2026-46681 | high | — | 8.0 | 9d ago | @nevware21/ts-utils: Prototype Pollution in objDeepCopy/objCopyProps via for...in without hasOwnProperty | |||
| CVE-2026-46680 | high | — | 8.0 | 9d ago | containerd user ID handling bypass allows runAsNonRoot evasion | |||
| CVE-2026-46679 | high | — | 8.0 | 9d ago | js-libp2p: Memory DoS via subscription flood of unique topics | |||
| CVE-2026-46625 | high | — | 8.0 | 9d ago | JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection | |||
| CVE-2026-46673 | high | — | 8.0 | 9d ago | Russh: Unchecked CryptoVec allocation and growth handling is reachable | |||
| CVE-2026-46519 | high | — | 8.0 | 9d ago | MCP Server Kubernetes: Tool Access Control Bypass via Presentation-Layer Filtering Without Execution-Layer Enforcement | |||
| CVE-2026-46654 | high | — | 8.0 | 9d ago | Plonky3 MultiField32Challenger: transcript malleability and challenge entropy loss | |||
| CVE-2026-46643 | high | — | 8.0 | 9d ago | Snappy: Binary path is never shell-escaped due to an inverted is_executable check | |||
| CVE-2026-46617 | high | — | 8.0 | 9d ago | Fission runtime pods automount the fission-fetcher service-account token into the user function container, granting function code namespace-wide secret / configmap read | |||
| CVE-2026-46612 | high | — | 8.0 | 9d ago | Fission StorageSvc /v1/archive endpoint exposes unauthenticated CRUD over all function archives | |||
| CVE-2026-46545 | high | — | 8.0 | 9d ago | nimiq-primitives: Panic DoS in trie chunk processing via ROOT-keyed item | |||
| CVE-2026-46517 | high | — | 8.0 | 9d ago | lmdeploy: Hardcoded trust_remote_code=True is an implicit unsafe remote-code load path with no user opt-out | |||
| CVE-2026-46492 | high | — | 8.0 | 9d ago | md-fileserver: Stored/Reflected XSS when viewing Markdown (raw HTML allowed) | |||
| CVE-2026-46432 | high | — | 8.0 | 9d ago | LMDeploy: Arbitrary code execution via hardcoded trust_remote_code=True in lmdeploy model initialization | |||
| CVE-2026-46490 | high | — | 8.0 | 9d ago | samlify: XML Injection in AttributeValue Allows Privilege Escalation in Signed SAML Assertions | |||
| CVE-2026-46481 | high | — | 8.0 | 9d ago | OpenMetadata: TEST_CONNECTION workflow leaks ingestion-bot JWT and database password to regular users | |||
| CVE-2026-45804 | high | — | 8.0 | 10d ago | Diffusers: TOCTOU Trust Remote Code Bypass | |||
| CVE-2026-46639 | high | — | 8.0 | 11d ago | Twig: Sandbox property and method bypass via object-destructuring assignment | |||
| CVE-2026-45077 | high | — | 8.0 | 11d ago | Symfony has Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener | |||
| CVE-2026-46640 | high | — | 8.0 | 11d ago | Twig: Arbitrary PHP code execution via `_self.(<string>)` macro-reference compilation | |||
| CVE-2026-45063 | high | — | 8.0 | 11d ago | Symfony Vulnerable to Identity Spoofing via Unanchored DN Regex in X509Authenticator | |||
| CVE-2026-45067 | high | — | 8.0 | 11d ago | Symfony has Email Header / SMTP Command Injection via CRLF in Symfony\Component\Mime\Address | |||
| CVE-2026-22990 | high | — | 8.0 | 11d ago | In the Linux kernel, the following vulnerability has been resolved: libceph: replace overzealous BUG_ON in osdmap_apply_incremental() If the osdmap is (maliciously) corrupted such that the incremen… | |||
| CVE-2026-22984 | high | — | 8.0 | 11d ago | In the Linux kernel, the following vulnerability has been resolved: libceph: prevent potential out-of-bounds reads in handle_auth_done() Perform an explicit bounds check on payload_len to avoid a p… | |||
| CVE-2026-23401 | high | — | 8.0 | 11d ago | RHSA-2026:13578: kernel-rt security update (Important) | |||
| CVE-2026-46417 | high | — | 8.0 | 11d ago | @angular/platform-server: SSRF via Hostname Hijacking | |||
| CVE-2026-46415 | high | — | 8.0 | 11d ago | Caddy Defender trusted proxy client IP bypass | |||
| CVE-2026-46410 | high | — | 8.0 | 11d ago | FileBrowser Quantum: unauthenticated user share share info | |||
| CVE-2026-46374 | high | — | 8.0 | 11d ago | SQLFluff: Uncontrolled Resource Consumption in SQLFluff Parser | |||
| CVE-2026-46373 | high | — | 8.0 | 11d ago | SQLFluff: Recursive Stack Overflow in Parser | |||
| CVE-2026-46378 | high | — | 8.0 | 11d ago | Dasel: Denial of service in dasel selector lexer due to infinite loop on unterminated regex literal | |||
| CVE-2026-46377 | high | — | 8.0 | 11d ago | Dasel: Index-out-of-range panic in dasel selector lexer on trailing backslash in quoted string | |||
| CVE-2026-45783 | high | — | 8.0 | 11d ago | @libp2p/kad-dht: Unvalidated PUT_VALUE records allow unbounded disk exhaustion on DHT server nodes | |||
| CVE-2026-45805 | high | — | 8.0 | 11d ago | PenPot MCP REPL server binds to 0.0.0.0 with unauthenticated /execute endpoint — RCE | |||
| CVE-2026-45799 | high | — | 8.0 | 11d ago | Wire: skipGroup() missing negative-length check allows 10-byte payload to crash any Wire-decoding service | |||
| CVE-2026-45738 | high | — | 8.0 | 11d ago | Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation | |||
| CVE-2026-45713 | high | — | 8.0 | 11d ago | Mailpit: Unauthenticated remote memory-exhaustion DoS via unlimited SMTP DATA and /api/v1/send body sizes | |||
| CVE-2026-45576 | high | — | 8.0 | 11d ago | zrok copy writes attacker-controlled WebDAV paths outside the destination root | |||
| CVE-2026-46511 | high | — | 8.0 | 11d ago | HAXcms: Mass Token Exfiltration and Cross-Tenant Hijack | |||
| CVE-2026-46396 | high | — | 8.0 | 11d ago | Stored XSS via <iframe> in HAX CMS allows access to sensitive client-side data and account takeover | |||
| CVE-2026-46391 | high | — | 8.0 | 11d ago | HAX open-apis: Credential Theft via Server-Side Request Forgery (SSRF) in open-apis | |||
| CVE-2026-46393 | high | — | 8.0 | 11d ago | HAXcms createSite SSRF Enables Arbitrary File Read | |||
| CVE-2026-2922 | high | — | 8.0 | 12d ago | Important: gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, and gstreamer1-plugins-ugly-free security update | |||
| CVE-2026-0672 | high | — | 8.0 | 12d ago | RHSA-2026:10950: python3.12 security update (Important) | |||
| CVE-2026-23950 | high | — | 8.0 | 12d ago | Important: linux-sgx security update | |||
| CVE-2026-20643 | high | — | 8.0 | 12d ago | RHSA-2026:10702: webkit2gtk3 security update (Important) | |||
| CVE-2026-20652 | high | — | 8.0 | 12d ago | RHSA-2026:10702: webkit2gtk3 security update (Important) | |||
| CVE-2026-2921 | high | — | 8.0 | 12d ago | RHSA-2026:6750: gstreamer1-plugins-bad-free, gstreamer1-plugins-base, and gstreamer1-plugins-good security update (Important) | |||
| CVE-2026-33983 | high | — | 8.0 | 12d ago | RHSA-2026:8945: freerdp security update (Important) | |||
| CVE-2026-20665 | high | — | 8.0 | 12d ago | RHSA-2026:10702: webkit2gtk3 security update (Important) | |||
| CVE-2026-33810 | high | — | 8.0 | 12d ago | Important: opentelemetry-collector security update | |||
| CVE-2026-32281 | high | — | 8.0 | 12d ago | Important: opentelemetry-collector security update | |||
| CVE-2026-2923 | high | — | 8.0 | 12d ago | RHSA-2026:6750: gstreamer1-plugins-bad-free, gstreamer1-plugins-base, and gstreamer1-plugins-good security update (Important) | |||
| CVE-2026-3082 | high | — | 8.0 | 12d ago | RHSA-2026:6750: gstreamer1-plugins-bad-free, gstreamer1-plugins-base, and gstreamer1-plugins-good security update (Important) | |||
| CVE-2026-27137 | high | — | 8.0 | 12d ago | Important: golang security update | |||
| CVE-2026-1502 | high | — | 8.0 | 12d ago | RHSA-2026:10950: python3.12 security update (Important) | |||
| CVE-2026-20644 | high | — | 8.0 | 12d ago | RHSA-2026:10702: webkit2gtk3 security update (Important) | |||
| CVE-2026-3083 | high | — | 8.0 | 12d ago | RHSA-2026:6750: gstreamer1-plugins-bad-free, gstreamer1-plugins-base, and gstreamer1-plugins-good security update (Important) | |||
| CVE-2026-20635 | high | — | 8.0 | 12d ago | RHSA-2026:10702: webkit2gtk3 security update (Important) | |||
| CVE-2026-20636 | high | — | 8.0 | 12d ago | RHSA-2026:10702: webkit2gtk3 security update (Important) | |||
| CVE-2026-4519 | high | — | 8.0 | 12d ago | RHSA-2026:6473: python3 security update (Important) | |||
| CVE-2026-2920 | high | — | 8.0 | 12d ago | RHSA-2026:6750: gstreamer1-plugins-bad-free, gstreamer1-plugins-base, and gstreamer1-plugins-good security update (Important) | |||
| CVE-2026-20664 | high | — | 8.0 | 12d ago | RHSA-2026:10702: webkit2gtk3 security update (Important) | |||
| CVE-2026-23060 | high | — | 8.0 | 12d ago | In the Linux kernel, the following vulnerability has been resolved: crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec authencesn assumes an ESP/ESN-formatted AAD. When as… | |||
| CVE-2026-20676 | high | — | 8.0 | 12d ago | RHSA-2026:10702: webkit2gtk3 security update (Important) | |||
| CVE-2026-20608 | high | — | 8.0 | 12d ago | RHSA-2026:10702: webkit2gtk3 security update (Important) | |||
| CVE-2026-28859 | high | — | 8.0 | 12d ago | RHSA-2026:10702: webkit2gtk3 security update (Important) | |||
| CVE-2026-23745 | high | — | 8.0 | 12d ago | Important: linux-sgx security update | |||
| CVE-2026-3085 | high | — | 8.0 | 12d ago | RHSA-2026:6750: gstreamer1-plugins-bad-free, gstreamer1-plugins-base, and gstreamer1-plugins-good security update (Important) | |||
| CVE-2026-5713 | high | — | 8.0 | 12d ago | Important: python3.14 security update | |||
| CVE-2026-28857 | high | — | 8.0 | 12d ago | RHSA-2026:10702: webkit2gtk3 security update (Important) | |||
| CVE-2026-20691 | high | — | 8.0 | 12d ago | RHSA-2026:10702: webkit2gtk3 security update (Important) | |||
| CVE-2026-33984 | high | — | 8.0 | 12d ago | RHSA-2026:8945: freerdp security update (Important) | |||
| CVE-2026-2297 | high | — | 8.0 | 12d ago | RHSA-2026:10950: python3.12 security update (Important) | |||
| CVE-2026-28871 | high | — | 8.0 | 12d ago | RHSA-2026:10702: webkit2gtk3 security update (Important) | |||
| CVE-2026-3644 | high | — | 8.0 | 12d ago | RHSA-2026:10950: python3.12 security update (Important) | |||
| CVE-2026-24842 | high | — | 8.0 | 12d ago | Important: linux-sgx security update | |||
| CVE-2026-4224 | high | — | 8.0 | 12d ago | RHSA-2026:10950: python3.12 security update (Important) | |||
| CVE-2026-46520 | high | — | 8.0 | 12d ago | ImageMagick: Heap Buffer Over-Write in IPL decoder when reading multiple images of different dimensions | |||
| CVE-2026-45367 | high | — | 8.0 | 12d ago | HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint | |||
| CVE-2026-45553 | high | — | 8.0 | 12d ago | NiceGUI: Local file disclosure via Docutils file insertion in ui.restructured_text() | |||
| CVE-2026-45686 | high | — | 8.0 | 12d ago | OpenTelemetry eBPF Instrumentation: Memcached payload length overflow can crash OBI | |||
| CVE-2026-45685 | high | — | 8.0 | 12d ago | OpenTelemetry eBPF Instrumentation: MongoDB parser panics on malformed wire messages | |||
| CVE-2026-45678 | high | — | 8.0 | 12d ago | OpenTelemetry eBPF Instrumentation: Postgres BIND parsing can panic on malformed payloads | |||
| CVE-2026-42306 | high | — | 8.0 | 12d ago | Docker: Race condition in docker cp allows bind mount redirection to host path | |||
| CVE-2026-45727 | high | — | 8.0 | 12d ago | CloakBrowser: Unauthenticated path traversal via fingerprint parameter in cloakserve leads to arbitrary directory deletion | |||
| CVE-2026-41567 | high | — | 8.0 | 12d ago | Docker: `PUT /containers/{id}/archive` executes container binary on the host | |||
| CVE-2026-45327 | high | — | 8.0 | 12d ago | TinyIce: Missing authentication on WebRTC ingest endpoint allows unauthorized stream injection | |||
| CVE-2026-45325 | high | — | 8.0 | 12d ago | @tmlmobilidade/utils has prototype pollution in its setValueAtPath | |||
| CVE-2026-45302 | high | — | 8.0 | 12d ago | parse-nested-form-data has Prototype Pollution via `__proto__` in FormData field names | |||
| CVE-2026-45300 | high | — | 8.0 | 12d ago | async-http-client: Cookie header not stripped on cross-origin redirect | |||
| CVE-2026-46385 | high | — | 8.0 | 12d ago | iskorotkov/avro is a fast Go Avro codec. Prior to 2.33.0, the Avro array and map decoders looped over an attacker-controlled block-count value without checking the underlying reader's error state ins… | |||
| CVE-2026-45270 | high | — | 8.0 | 12d ago | CI4MS: Stored XSS in Pages Module Content via Broken html_purify Validation Rule | |||
| CVE-2026-46384 | high | — | 8.0 | 12d ago | iskorotkov/avro is a fast Go Avro codec. Prior to 2.33.0, several Avro decoder paths read attacker-controlled 64-bit values from the wire format and either narrowed them to platform-sized int before … | |||
| CVE-2026-45135 | high | — | 8.0 | 13d ago | Caddy: Unsafe Unicode Handling in FastCGI splitPos Allows Execution of Non-PHP Files | |||
| CVE-2026-45363 | high | — | 8.0 | 13d ago | ruby-jwt: Empty-key HMAC bypass; cross-language sibling of CVE-2026-44351 | |||