CVEs from 2026
- Total: 13,613
- Critical: 1,176
- High: 4,271
- Medium: 4,150
- Low: 441
- % Critical: 8.6%
- % with KEV: 0.4%
- % with exploit: 0.7%
Top products
- chrome 417
- firepower_threat_defense 298
- firepower_threat_defense_software 295
- gcp 229
- openclaw 166
- commerce 104
- commerce_b2b 89
- magento 74
Top packages
| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-46491 | high | — | 8.0 | 15d ago | SimpleSAMLphp casserver FileSystemTicketStore path traversal allows out-of-ticket-directory read/unserialize and conditional deletion | |||
| CVE-2026-44692 | high | — | 8.0 | 15d ago | Authenticated Sharp users can download unrelated Laravel Storage objects through the generic download endpoint | |||
| CVE-2026-45062 | high | — | 8.0 | 15d ago | FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files | |||
| CVE-2026-44716 | high | — | 8.0 | 15d ago | Pipecat: Path Traversal in Pipecat Runner `/files` Endpoint — Arbitrary File Read via `%2F`-Encoded Separator | |||
| CVE-2026-44700 | high | — | 8.0 | 16d ago | ex_webrtc client-role handshake is missing DTLS peer fingerprint validation | |||
| CVE-2026-42327 | high | — | 8.0 | 16d ago | rust-openssl has undefined behavior in X509Ref::ocsp_responders for certificates with non-UTF-8 OCSP URLs | |||
| CVE-2026-45671 | high | 8.0 | 8.0 | 16d ago | Open WebUI: shared-chat branch ignores access_type, allowing unauthorized file deletion | |||
| CVE-2026-42570 | high | — | 8.0 | 16d ago | Svelte devalue: DoS via sparse array deserialization | |||
| CVE-2026-45371 | high | — | 8.0 | 16d ago | SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs | |||
| CVE-2026-44522 | high | — | 8.0 | 16d ago | Note Mark: Arbitrary File Write via Path Traversal in Asset Names Leads to Remote Code Execution | |||
| CVE-2026-44541 | high | — | 8.0 | 16d ago | ethyca-fides has a DOM-based XSS vulnerability in fides.js via fides_description override | |||
| CVE-2026-45011 | high | — | 8.0 | 16d ago | Apostrophe has stored XSS via javascript: URL in Image Widget Link | |||
| CVE-2026-45013 | high | — | 8.0 | 16d ago | Apostrophe has a Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation | |||
| CVE-2026-45012 | high | — | 8.0 | 16d ago | Apostrophe has authenticated SSRF in rich-text widget import via @apostrophecms/area/validate-widget | |||
| CVE-2026-44883 | high | — | 8.0 | 16d ago | Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before … | |||
| CVE-2026-44881 | high | — | 8.0 | 16d ago | Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before … | |||
| CVE-2026-46480 | high | — | 8.0 | 16d ago | FlowiseAI: Evaluator create+update mass-assignment allows cross-workspace evaluator takeover | |||
| CVE-2026-46479 | high | — | 8.0 | 16d ago | FlowiseAI: Evaluation create+update mass-assignment allows cross-workspace evaluation takeover | |||
| CVE-2026-46478 | high | — | 8.0 | 16d ago | FlowiseAI: DatasetRow create+update mass-assignment allows cross-workspace row takeover | |||
| CVE-2026-46477 | high | — | 8.0 | 16d ago | FlowiseAI: Dataset create+update mass-assignment allows cross-workspace dataset takeover | |||
| CVE-2026-46476 | high | — | 8.0 | 16d ago | FlowiseAI: CustomTemplate create+update mass-assignment allows cross-workspace template takeover | |||
| CVE-2026-46475 | high | — | 8.0 | 16d ago | FlowiseAI: Assistant create+update mass-assignment allows cross-workspace assistant takeover | |||
| CVE-2026-46444 | high | — | 8.0 | 16d ago | FlowiseAI: Vector Store No Permission Checks | |||
| CVE-2026-45078 | high | — | 8.0 | 16d ago | Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, local authenticated users can cause Synapse to starve other requests of CPU and lead to other requests failing, causing o… | |||
| CVE-2026-45732 | high | — | 8.0 | 16d ago | n8n Has a Cross-user Authorization Bypass in Dynamic Credential OAuth Endpoints | |||
| CVE-2026-44792 | high | — | 8.0 | 16d ago | n8n Has a Source Control Pull SQL Injection | |||
| CVE-2026-43978 | high | — | 8.0 | 16d ago | wger: Privilege escalation via trainer-login session chaining allows gym trainer to impersonate gym manager | |||
| CVE-2026-44504 | high | — | 8.0 | 16d ago | Aegra has cross-user run injection in /threads/{thread_id}/runs (IDOR) | |||
| CVE-2026-43977 | high | — | 8.0 | 16d ago | wger Vulnerable to IDOR: Authenticated Users Can Read Any User's Private Workout Session Data via Template Routine API | |||
| CVE-2026-46443 | high | — | 8.0 | 16d ago | FlowiseAI Vulnerable to Credential Data Leak | |||
| CVE-2026-46441 | high | — | 8.0 | 16d ago | FlowiseAI has Mass Assignment in Assistant Update Endpoint that Allows Cross-Workspace Resource Reassignment | |||
| CVE-2026-46440 | high | — | 8.0 | 16d ago | FlowiseAI Exposes Basic Auth Credentials via API | |||
| CVE-2026-42863 | high | — | 8.0 | 16d ago | FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment | |||
| CVE-2026-42862 | high | — | 8.0 | 16d ago | FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment | |||
| CVE-2026-42861 | high | — | 8.0 | 16d ago | FlowiseAI has Mass Assignment in Variable Update Endpoint that Allows Cross-Workspace Resource Reassignment | |||
| CVE-2026-41249 | high | — | 8.0 | 17d ago | CoreShop Vulnerable to Remote Code Execution (RCE) via Insecure `pull_request_target` Configuration | |||
| CVE-2026-8468 | high | — | 8.0 | 17d ago | Plug: Unbounded buffer accumulation in multipart header parsing causes denial of service | |||
| CVE-2026-8466 | high | — | 8.0 | 17d ago | Cowboy: Unbounded buffer accumulation in multipart header parsing causes denial of service in cowboy | |||
| CVE-2026-43970 | high | — | 8.0 | 17d ago | cowlib: Decompression Bomb in cow_spdy:inflate/2 Allows Memory Exhaustion via Crafted SPDY Frame | |||
| CVE-2026-45033 | high | — | 8.0 | 17d ago | GitHub Copilot CLI: Nested Bare Repository Can Execute Arbitrary Commands via core.fsmonitor | |||
| CVE-2026-42557 | high | — | 8.0 | 17d ago | jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to 4.5.7, JupyterLab's HTML sanitizer allowlists data-commandlink… | |||
| CVE-2026-45136 | high | — | 8.0 | 17d ago | claude-code-cache-fix is a cache optimization proxy for Claude Code. From 3.5.0 to before 3.5.2, tools/quota-statusline.sh (introduced in v3.5.0) interpolates Claude Code's hook stdin payload directl… | |||
| CVE-2026-45793 | high | — | 8.0 | 18d ago | Github Actions issued GITHUB_TOKEN disclosure in GitHub Actions logs | |||
| CVE-2026-39979 | high | — | 8.0 | 18d ago | Important: jq security update | |||
| CVE-2026-44660 | high | — | 8.0 | 18d ago | UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.12.1, when ujson.dump() writes to a file-like object and the write operation raises an excepti… | |||
| CVE-2026-44232 | high | — | 8.0 | 18d ago | dssrf: every IPv6 category bypasses is_url_safe | |||
| CVE-2026-44184 | high | 8.0 | 8.0 | 18d ago | Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, Cleanuparr's global CORS policy refl… | |||
| CVE-2026-40368 | high | 8.0 | 8.0 | 18d ago | Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | |||
| CVE-2026-34332 | high | 8.0 | 8.0 | 18d ago | Use after free in Windows Kernel-Mode Drivers allows an authorized attacker to execute code over a network. | |||
| CVE-2026-4150 | high | — | 8.0 | 19d ago | Important: gimp security update | |||
| CVE-2026-4153 | high | — | 8.0 | 19d ago | Important: gimp security update | |||
| CVE-2026-4154 | high | — | 8.0 | 19d ago | Important: gimp security update | |||
| CVE-2026-4151 | high | — | 8.0 | 19d ago | Important: gimp security update | |||
| CVE-2026-4152 | high | — | 8.0 | 19d ago | Important: gimp security update | |||
| CVE-2026-43897 | high | — | 8.0 | 19d ago | link-preview-js vulnerable to IPv6 and internal loopback attacks | |||
| CVE-2026-44657 | high | — | 8.0 | 19d ago | Mantis Bug Tracker (MantisBT) is an open source issue tracker. Prior to 2.28.2, using show_inline=1 parameter and a valid file_show_inline_token CSRF token on file_download.php, an attacker can execu… | |||
| CVE-2026-44655 | high | — | 8.0 | 19d ago | Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 1.3.0 to 2.28.1, unescaped Project Name allows an attacker that can set it (which typically requires manager or administrator acces… | |||
| CVE-2026-42071 | high | — | 8.0 | 19d ago | Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 2.23.0 to 2.28.1, a missing authorization check in MantisBT's file visibility function allows any authenticated user (REPORTER+) to… | |||
| CVE-2026-40607 | high | — | 8.0 | 19d ago | MantisBT is Vulnerable to Stored XSS in Saved-Filter Owner Column | |||
| CVE-2026-40597 | high | — | 8.0 | 19d ago | MantisBT has a Content Security Policy bypass via attachments | |||
| CVE-2026-40596 | high | — | 8.0 | 19d ago | MantisBT is Vulnerable to XSS leading to account takeover via updating a user's font family preference | |||
| CVE-2026-34463 | high | — | 8.0 | 19d ago | MantisBT is Vulnerable to Stored HTML Injection/XSS in Clone Issue Form | |||
| CVE-2026-42856 | high | — | 8.0 | 19d ago | Network-AI missing authentication on MCP HTTP endpoint, which allows unauthenticated privileged tool calls | |||
| CVE-2026-41431 | high | 8.0 | 8.0 | 19d ago | Zen is a firefox-based browser. Prior to 1.19.9b, Zen Browser ships a Mozilla Application Resource (MAR) updater (org.mozilla.updater) that has had all MAR signature verification stripped from the Fi… | |||
| CVE-2026-42349 | high | — | 8.0 | 19d ago | Clerk has an authorization bypass when combining organization, billing, or reverification checks | |||
| CVE-2026-45017 | high | — | 8.0 | 19d ago | Python Liquid is a Python engine for the Liquid template language. Prior to 2.2.0, the built-in FileSystemLoader and CachingFileSystemLoader do not guard against reading files outside their search pa… | |||
| CVE-2026-4802 | high | 8.0 | 8.0 | 20d ago | RHSA-2026:21700: cockpit security update (Important) | |||
| CVE-2026-44499 | high | — | 8.0 | 22d ago | Zebra has Permanent Block Discovery Halt via Gossip Queue Saturation and Syncer Poisoning | |||
| CVE-2026-42274 | high | — | 8.0 | 23d ago | Heimdall has an authorization bypass via path normalization mismatch | |||
| CVE-2026-42273 | high | — | 8.0 | 23d ago | Heimdall: Case-sensitive host matching may lead to policy bypass | |||
| CVE-2026-42272 | high | — | 8.0 | 23d ago | Heimdall: Case-sensitive handling of URL-encoded slashes may lead to inconsistent path interpretation | |||
| CVE-2026-44349 | high | — | 8.0 | 23d ago | Daptin fuzzy search injects unvalidated column name into raw SQL | |||
| CVE-2026-41675 | high | — | 8.0 | 24d ago | xmldom has XML node injection through unvalidated processing instruction serialization | |||
| CVE-2026-41674 | high | — | 8.0 | 24d ago | xmldom has XML injection through unvalidated DocumentType serialization | |||
| CVE-2026-41673 | high | — | 8.0 | 24d ago | xmldom: Uncontrolled recursion in XML serialization leads to DoS | |||
| CVE-2026-41672 | high | — | 8.0 | 24d ago | xmldom has XML node injection through unvalidated comment serialization | |||
| CVE-2026-44503 | high | — | 8.0 | 24d ago | Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect | |||
| CVE-2026-33636 | high | — | 8.0 | 24d ago | RHSA-2026:9345: thunderbird security update (Important) | |||
| CVE-2026-46689 | high | — | 8.0 | 24d ago | scim_proton and kanidm_proto have an authenticated process abort via SCIM filter stack exhaustion | |||
| CVE-2026-0897 | high | — | 8.0 | 24d ago | Allocation of Resources Without Limits or Throttling in the HDF5 weight loading component in Google Keras 3.0.0 through 3.13.0 on all platforms allows a remote attacker to cause a Denial of Service (… | |||
| CVE-2026-42845 | high | — | 8.0 | 24d ago | Grav Form Plugin has an Anonymous Page Content Overwrite via Form File Upload filename Override | |||
| CVE-2026-44307 | high | — | 8.0 | 24d ago | Mako vulnerable to path traversal via backslash URI on Windows in TemplateLookup | |||
| CVE-2026-42548 | high | — | 8.0 | 24d ago | Flight has reflected XSS through an unvalidated JSONP callback in Flight::jsonp() | |||
| CVE-2026-40171 | high | — | 8.0 | 24d ago | In Jupyter Notebook versions 7.0.0 through 7.5.5, JupyterLab versions 4.5.6 and earlier, and the corresponding @jupyter-notebook/help-extension and @jupyterlab/help-extension packages before 7.5.6 an… | |||
| CVE-2026-33079 | high | — | 8.0 | 24d ago | Mistune has a ReDoS in LINK_TITLE_RE that allows denial of service via crafted Markdown input | |||
| CVE-2026-44012 | high | — | 8.0 | 24d ago | Craft CMS's Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure | |||
| CVE-2026-44011 | high | — | 8.0 | 24d ago | Craft CMS has Potential Authenticated Remote Code Execution via Malicious Attached Behavior | |||
| CVE-2026-44010 | high | — | 8.0 | 24d ago | Craft CMS's Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure | |||
| CVE-2026-43885 | high | — | 8.0 | 25d ago | AVideo Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor and Missing Authorization | |||
| CVE-2026-6970 | high | — | 8.0 | 25d ago | authd: Primary group ID is incorrectly set to value of UID | |||
| CVE-2026-32689 | high | — | 8.0 | 25d ago | Phoenix: Long-poll NDJSON body splitting causes large memory allocation | |||
| CVE-2026-25679 | high | — | 8.0 | 26d ago | Important: grafana-pcp security update | |||
| CVE-2026-26007 | high | — | 8.0 | 26d ago | RHSA-2026:12176: fence-agents security update (Important) | |||
| CVE-2026-20889 | high | — | 8.0 | 27d ago | RHSA-2026:13284: LibRaw security update (Important) | |||
| CVE-2026-35385 | high | — | 8.0 | 27d ago | RHSA-2026:13383: openssh security update (Important) | |||
| CVE-2026-35386 | high | — | 8.0 | 27d ago | RHSA-2026:13383: openssh security update (Important) | |||
| CVE-2026-35388 | high | — | 8.0 | 27d ago | RHSA-2026:13383: openssh security update (Important) | |||
| CVE-2026-23136 | high | — | 8.0 | 27d ago | Important: kernel security update | |||
| CVE-2026-35387 | high | — | 8.0 | 27d ago | RHSA-2026:13383: openssh security update (Important) | |||
| CVE-2026-35414 | high | — | 8.0 | 27d ago | RHSA-2026:13383: openssh security update (Important) |