CVEs from 2026
- Total: 13,450
- critical: 1,176
- high: 4,281
- medium: 4,153
- low: 442
- % Critical: 8.7%
- % with KEV: 0.4%
- % with exploit: 0.8%
Top products
- chrome 417
- firepower_threat_defense 298
- firepower_threat_defense_software 295
- gcp 229
- openclaw 166
- commerce 104
- commerce_b2b 89
- magento 74
| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-25679 | high | — | 8.0 | 26d ago | Important: grafana-pcp security update | |||
| CVE-2026-23136 | high | — | 8.0 | 27d ago | Important: kernel security update | |||
| CVE-2026-35414 | high | — | 8.0 | 27d ago | RHSA-2026:13383: openssh security update (Important) | |||
| CVE-2026-20889 | high | — | 8.0 | 27d ago | RHSA-2026:13284: LibRaw security update (Important) | |||
| CVE-2026-24660 | high | — | 8.0 | 27d ago | RHSA-2026:13284: LibRaw security update (Important) | |||
| CVE-2026-35387 | high | — | 8.0 | 27d ago | RHSA-2026:13383: openssh security update (Important) | |||
| CVE-2026-35385 | high | — | 8.0 | 27d ago | RHSA-2026:13383: openssh security update (Important) | |||
| CVE-2026-35388 | high | — | 8.0 | 27d ago | RHSA-2026:13383: openssh security update (Important) | |||
| CVE-2026-35386 | high | — | 8.0 | 27d ago | RHSA-2026:13383: openssh security update (Important) | |||
| CVE-2026-7608 | high | 8.0 | 8.0 | 29d ago | A vulnerability was detected in TRENDnet TEW-821DAP up to 1.12B01. The affected element is the function tools_diagnostic. The manipulation results in os command injection. The exploit is now public a… | |||
| CVE-2026-39804 | high | — | 8.0 | 29d ago | Bandit's unbounded WebSocket inflate causes BEAM OOM with a single frame | |||
| CVE-2026-42786 | high | — | 8.0 | 29d ago | Bandit Buffers Unbounded WebSocket Continuation Frames, Allowing Unauthenticated Memory Exhaustion | |||
| CVE-2026-35535 | high | — | 8.0 | 1mo ago | RHSA-2026:11521: sudo security update (Important) | |||
| CVE-2026-41587 | high | — | 8.0 | 1mo ago | CI4MS has Unrestricted PHP File Upload via Theme Installation that Leads to Authenticated Remote Code Execution | |||
| CVE-2026-0204 | high | 8.0 | 8.0 | 1mo ago | A vulnerability in the access control mechanism of SonicOS may allow certain management interface functions to be accessible under specific conditions. | |||
| CVE-2026-42524 | high | 8.0 | 8.0 | 1mo ago | Jenkins HTML Publisher Plugin has a XSS vulnerability in the legacy wrapper file | |||
| CVE-2026-34982 | high | — | 8.0 | 1mo ago | RHSA-2026:11509: vim security update (Important) | |||
| CVE-2026-21413 | high | — | 8.0 | 1mo ago | RHSA-2026:13284: LibRaw security update (Important) | |||
| CVE-2026-24450 | high | — | 8.0 | 1mo ago | Important: LibRaw security update | |||
| CVE-2026-5394 | high | — | 8.0 | 1mo ago | Pimcore Platform - SQL Injection in DataObject composite index handling during class definition import/save | |||
| CVE-2026-7069 | high | 8.0 | 8.0 | 1mo ago | A security flaw has been discovered in D-Link DIR-825 up to 3.00b32. This impacts the function AddPortMapping of the file upnpsoap.c of the component miniupnpd. Performing a manipulation of the argum… | |||
| CVE-2026-6771 | high | — | 8.0 | 1mo ago | Important: thunderbird security update | |||
| CVE-2026-6746 | high | — | 8.0 | 1mo ago | Important: thunderbird security update | |||
| CVE-2026-6749 | high | — | 8.0 | 1mo ago | Important: thunderbird security update | |||
| CVE-2026-6750 | high | — | 8.0 | 1mo ago | Important: thunderbird security update | |||
| CVE-2026-6752 | high | — | 8.0 | 1mo ago | Important: thunderbird security update | |||
| CVE-2026-6751 | high | — | 8.0 | 1mo ago | Important: thunderbird security update | |||
| CVE-2026-6753 | high | — | 8.0 | 1mo ago | Important: thunderbird security update | |||
| CVE-2026-6754 | high | — | 8.0 | 1mo ago | Important: thunderbird security update | |||
| CVE-2026-6757 | high | — | 8.0 | 1mo ago | Important: thunderbird security update | |||
| CVE-2026-6759 | high | — | 8.0 | 1mo ago | Important: thunderbird security update | |||
| CVE-2026-6747 | high | — | 8.0 | 1mo ago | Important: thunderbird security update | |||
| CVE-2026-6761 | high | — | 8.0 | 1mo ago | Important: thunderbird security update | |||
| CVE-2026-6766 | high | — | 8.0 | 1mo ago | Important: thunderbird security update | |||
| CVE-2026-6762 | high | — | 8.0 | 1mo ago | Important: thunderbird security update | |||
| CVE-2026-6767 | high | — | 8.0 | 1mo ago | Important: thunderbird security update | |||
| CVE-2026-6763 | high | — | 8.0 | 1mo ago | Important: thunderbird security update | |||
| CVE-2026-6764 | high | — | 8.0 | 1mo ago | Important: thunderbird security update | |||
| CVE-2026-6765 | high | — | 8.0 | 1mo ago | Important: thunderbird security update | |||
| CVE-2026-6769 | high | — | 8.0 | 1mo ago | Important: thunderbird security update | |||
| CVE-2026-6748 | high | — | 8.0 | 1mo ago | Important: thunderbird security update | |||
| CVE-2026-6770 | high | — | 8.0 | 1mo ago | Important: thunderbird security update | |||
| CVE-2026-6772 | high | — | 8.0 | 1mo ago | Important: thunderbird security update | |||
| CVE-2026-6776 | high | — | 8.0 | 1mo ago | Important: thunderbird security update | |||
| CVE-2026-33186 | high | — | 8.0 | 1mo ago | RHSA-2026:10107: rhc security update (Important) | |||
| CVE-2026-6100 | high | — | 8.0 | 1mo ago | RHSA-2026:11077: python3 security update (Important) | |||
| CVE-2026-34352 | high | — | 8.0 | 1mo ago | RHSA-2026:13414: tigervnc security update (Important) | |||
| CVE-2026-4786 | high | — | 8.0 | 1mo ago | RHSA-2026:11077: python3 security update (Important) | |||
| CVE-2026-41044 | high | — | 8.0 | 1mo ago | Apache ActiveMQ Vulnerable to Code Injection | |||
| CVE-2026-23902 | high | — | 8.0 | 1mo ago | Apache DolphinScheduler has an Incorrect Authorization Vulnerability | |||
| CVE-2026-40466 | high | — | 8.0 | 1mo ago | Apache ActiveMQ Vulnerable to Improper Input Validation and Code Injection | |||
| CVE-2026-21728 | high | — | 8.0 | 1mo ago | Grafana Tempo has an Uncontrolled Resource Consumption issue | |||
| CVE-2026-32282 | high | — | 8.0 | 1mo ago | RHSA-2026:16875: git-lfs security update (Important) | |||
| CVE-2026-22018 | high | — | 8.0 | 1mo ago | RHSA-2026:9689: java-21-openjdk security update (Important) | |||
| CVE-2026-32283 | high | — | 8.0 | 1mo ago | RHSA-2026:16875: git-lfs security update (Important) | |||
| CVE-2026-32280 | high | — | 8.0 | 1mo ago | RHSA-2026:16875: git-lfs security update (Important) | |||
| CVE-2026-34268 | high | — | 8.0 | 1mo ago | RHSA-2026:9689: java-21-openjdk security update (Important) | |||
| CVE-2026-22016 | high | — | 8.0 | 1mo ago | RHSA-2026:9689: java-21-openjdk security update (Important) | |||
| CVE-2026-27140 | high | — | 8.0 | 1mo ago | RHSA-2026:10704: go-toolset:rhel8 security update (Important) | |||
| CVE-2026-27144 | high | — | 8.0 | 1mo ago | RHSA-2026:10704: go-toolset:rhel8 security update (Important) | |||
| CVE-2026-27143 | high | — | 8.0 | 1mo ago | RHSA-2026:10704: go-toolset:rhel8 security update (Important) | |||
| CVE-2026-22020 | high | — | 8.0 | 1mo ago | RHSA-2026:9686: java-17-openjdk security update (Important) | |||
| CVE-2026-34282 | high | — | 8.0 | 1mo ago | RHSA-2026:9689: java-21-openjdk security update (Important) | |||
| CVE-2026-22021 | high | — | 8.0 | 1mo ago | RHSA-2026:9689: java-21-openjdk security update (Important) | |||
| CVE-2026-22013 | high | — | 8.0 | 1mo ago | RHSA-2026:9689: java-21-openjdk security update (Important) | |||
| CVE-2026-22007 | high | — | 8.0 | 1mo ago | RHSA-2026:9689: java-21-openjdk security update (Important) | |||
| CVE-2026-32172 | high | 8.0 | 8.0 | 1mo ago | Uncontrolled search path element in Microsoft Power Apps allows an unauthorized attacker to execute code over a network. | |||
| CVE-2026-34587 | high | — | 8.0 | 1mo ago | Kirby has Server-Side Template Injection (SSTI) via double template resolution in option rendering | |||
| CVE-2026-35368 | high | — | 8.0 | 1mo ago | A vulnerability exists in the chroot utility of uutils coreutils when using the --userspec option. The utility resolves the user specification via getpwnam() after entering the chroot but before drop… | |||
| CVE-2026-35338 | high | — | 8.0 | 1mo ago | A vulnerability in the chmod utility of uutils coreutils allows users to bypass the --preserve-root safety mechanism. The implementation only validates if the target path is literally / and does not … | |||
| CVE-2026-35341 | high | — | 8.0 | 1mo ago | A vulnerability in uutils coreutils mkfifo allows for the unauthorized modification of permissions on existing files. When mkfifo fails to create a FIFO because a file already exists at the target pa… | |||
| CVE-2026-22754 | high | — | 8.0 | 1mo ago | Spring Security Doesn't Correctly Include Servlet Path in Path Matching of XML Authorization Rules | |||
| CVE-2026-22753 | high | — | 8.0 | 1mo ago | Spring Security Doesn't Correctly Include Servlet Path in Path Matching of HttpSecurity#securityMatchers | |||
| CVE-2026-22008 | high | — | 8.0 | 1mo ago | Important: java-25-openjdk security update | |||
| CVE-2026-26740 | high | — | 8.0 | 1mo ago | RHSA-2026:9686: java-17-openjdk security update (Important) | |||
| CVE-2026-31019 | high | — | 8.0 | 1mo ago | Dolibarr user with permission to edit PHP content can bypass filtering to restrict dangerous PHP functions | |||
| CVE-2026-34839 | high | — | 8.0 | 1mo ago | Glances: Cross-Origin Information Disclosure via Unauthenticated REST API (/api/4) due to Permissive CORS | |||
| CVE-2026-34403 | high | — | 8.0 | 1mo ago | Nginx-UI: Cross-Site WebSocket Hijacking (CSWSH) via missing origin validation on all WebSocket endpoints | |||
| CVE-2026-27622 | high | — | 8.0 | 1mo ago | RHSA-2026:8863: OpenEXR security update (Important) | |||
| CVE-2026-25917 | high | — | 8.0 | 1mo ago | Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly tr… | |||
| CVE-2026-40897 | high | — | 8.0 | 1mo ago | Unsafe object property setter in mathjs | |||
| CVE-2026-33412 | high | — | 8.0 | 2mo ago | RHSA-2026:6915: vim security update (Important) | |||
| CVE-2026-40926 | high | — | 8.0 | 2mo ago | WWBN AVideo has Multiple CSRF Vulnerabilities in Admin JSON Endpoints (Category CRUD, Plugin Update Script) | |||
| CVE-2026-32201 | medium | 6.5 | 8.0 | 2mo ago | Microsoft SharePoint Server contains an improper input validation vulnerability that allows an unauthorized attacker to perform spoofing over a network. | |||
| CVE-2026-34984 | high | — | 8.0 | 2mo ago | External Secrets Operator has DNS-based secret exfiltration via getHostByName in External Secrets v2 template engine | |||
| CVE-2026-5732 | high | — | 8.0 | 2mo ago | RHSA-2026:9345: thunderbird security update (Important) | |||
| CVE-2026-5731 | high | — | 8.0 | 2mo ago | RHSA-2026:9345: thunderbird security update (Important) | |||
| CVE-2026-5734 | high | — | 8.0 | 2mo ago | RHSA-2026:9345: thunderbird security update (Important) | |||
| CVE-2026-5295 | high | 8.0 | 8.0 | 2mo ago | A stack buffer overflow exists in wolfSSL's PKCS7 implementation in the wc_PKCS7_DecryptOri() function in wolfcrypt/src/pkcs7.c. When processing a CMS EnvelopedData message containing an OtherRecipie… | |||
| CVE-2026-29129 | high | — | 8.0 | 2mo ago | Apache Tomcat: Configured cipher preference order not preserved | |||
| CVE-2026-24880 | high | — | 8.0 | 2mo ago | Apache Tomcat has an HTTP Request/Response Smuggling vulnerability | |||
| CVE-2026-2229 | high | — | 8.0 | 2mo ago | RHSA-2026:7670: nodejs:24 security update (Important) | |||
| CVE-2026-2581 | high | — | 8.0 | 2mo ago | RHSA-2026:7670: nodejs:24 security update (Important) | |||
| CVE-2026-27904 | high | — | 8.0 | 2mo ago | RHSA-2026:8339: nodejs:20 security update (Important) | |||
| CVE-2026-26996 | high | — | 8.0 | 2mo ago | RHSA-2026:8339: nodejs:20 security update (Important) | |||
| CVE-2026-21710 | high | — | 8.0 | 2mo ago | RHSA-2026:8339: nodejs:20 security update (Important) | |||
| CVE-2026-21715 | high | — | 8.0 | 2mo ago | RHSA-2026:7670: nodejs:24 security update (Important) | |||
| CVE-2026-21714 | high | — | 8.0 | 2mo ago | RHSA-2026:7670: nodejs:24 security update (Important) | |||
| CVE-2026-21711 | high | — | 8.0 | 2mo ago | RHSA-2026:7670: nodejs:24 security update (Important) | |||
| CVE-2026-40070 | high | — | 8.0 | 2mo ago | bsv-sdk and bsv-wallet persist unverified certifier signatures in acquire_certificate (direct and issuance paths) |