CVEs from 2026
Total
14,172
critical
critical 1,106
high
high 3,898
medium
medium 3,930
low
low 413
% Critical
7.8%
% with KEV
0.4%
% with exploit
0.4%
Top products
- firepower_threat_defense 298
- chrome 298
- firepower_threat_defense_software 295
- gcp 221
- openclaw 166
- commerce 104
- commerce_b2b 89
- magento 74
Top packages
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2026-2246 | low | 3.3 | 3.3 | 4mo ago | A security vulnerability has been detected in AprilRobotics apriltag up to 3.4.5. Affected by this vulnerability is the function apriltag_detector_detect of the file apriltag.c. The manipulation lead… | |
| CVE-2026-2245 | low | 3.3 | 3.3 | 4mo ago | A vulnerability was identified in CCExtractor up to 183. This affects the function parse_PAT/parse_PMT in the library src/lib_ccx/ts_tables.c of the component MPEG-TS File Parser. Such manipulation l… | |
| CVE-2026-2069 | low | 3.3 | 3.3 | 4mo ago | A flaw has been found in ggml-org llama.cpp up to 55abc39. Impacted is the function llama_grammar_advance_stack of the file llama.cpp/src/llama-grammar.cpp of the component GBNF Grammar Handler. This… | |
| CVE-2026-1990 | low | 3.3 | 3.3 | 4mo ago | A security vulnerability has been detected in oatpp up to 1.3.1. This impacts the function oatpp::data::type::ObjectWrapper::ObjectWrapper of the file src/oatpp/data/type/Type.hpp. The manipulation l… | |
| CVE-2026-1417 | low | 3.3 | 3.3 | 4mo ago | A weakness has been identified in GPAC up to 2.4.0. Affected by this issue is the function dump_isom_rtp of the file applications/mp4box/filedump.c. This manipulation causes null pointer dereference.… | |
| CVE-2026-1416 | low | 3.3 | 3.3 | 4mo ago | A security flaw has been discovered in GPAC up to 2.4.0. Affected by this vulnerability is the function DumpMovieInfo of the file applications/mp4box/filedump.c. The manipulation results in null poin… | |
| CVE-2026-1415 | low | 3.3 | 3.3 | 4mo ago | A vulnerability was identified in GPAC up to 2.4.0. Affected is the function gf_media_export_webvtt_metadata of the file src/media_tools/media_export.c. The manipulation of the argument Name leads to… | |
| CVE-2026-44220 | low | 3.2 | 3.2 | 15d ago | ciguard: discover_pipeline_files follows symlinks out of scan root | |
| CVE-2026-45362 | low | 3.2 | 3.2 | 16d ago | Sangoma Switchvox before 8.4 places cleartext SIP authentication credentials in a backup file. | |
| CVE-2026-43969 | low | 3.2 | 3.2 | 16d ago | cowlib: Cookie Request Header Injection via Unvalidated Encoder in cow_cookie:cookie/1 | |
| CVE-2026-31369 | low | 3.2 | 3.2 | 1mo ago | PcManager is affected by type privilege bypass, successful exploitation of this vulnerability may affect service availability | |
| CVE-2026-47715 | low | 3.1 | 3.1 | 1d ago | Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, Bugsink issue event pages accept a direct event identifier from the URL and, in affected versions, look up that event without also requir… | |
| CVE-2026-47716 | low | 3.1 | 3.1 | 2d ago | Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, In affected versions, the issue list view authorizes access through the project in the URL, but applies the requested bulk action to the … | |
| CVE-2026-48851 | low | 3.1 | 3.1 | 2d ago | PuTTY 0.77 before 0.84 uses a copy of the PuTTY icon as a trust indication for TELNET data but the trust status is not cleared between proxy authentication and the main session. | |
| CVE-2026-9398 | low | 3.1 | 3.1 | 3d ago | A security vulnerability has been detected in Besen BS20 EV Charging Station up to 20260426. This affects an unknown part of the component BLE/WiFi. Such manipulation leads to authentication bypass b… | |
| CVE-2026-9394 | low | 3.1 | 3.1 | 3d ago | A vulnerability was determined in Besen BS20 EV Charging Station up to 20260426. This impacts an unknown function of the component Bluetooth Low Energy Handler. Executing a manipulation can lead to w… | |
| CVE-2026-39967 | low | 3.1 | 3.1 | 5d ago | TypeBot is a chatbot builder tool. In versions 3.15.2 and prior, the bot engine's the findResult query does not filter results by typebotId, allowing an authenticated user to load result data (user a… | |
| CVE-2026-9249 | low | 3.1 | 3.1 | 6d ago | Unverified password change in Devolutions Server allows an attacker to change a user's password without providing the previous one via a crafted password change request. This issue affects : * D… | |
| CVE-2026-44057 | low | 3.1 | 3.1 | 7d ago | A dead bounds check in the Spotlight RPC unmarshaller in Netatalk 3.0.0 through 4.4.2 results in an unreachable code path that provides no effective bounds protection, which may allow a remote authen… | |
| CVE-2026-7836 | low | 3.1 | 3.1 | 7d ago | An incorrect calculation in the hextoint macro in Netatalk 2.0.0 through 4.4.2 due to improper uppercase character handling allows a remote authenticated attacker to cause limited data modification v… | |
| CVE-2026-7835 | low | 3.1 | 3.1 | 7d ago | A format string argument mismatch in Netatalk 3.0.3 through 4.4.2 allows a remote authenticated attacker to cause a minor denial of service via crafted input that triggers incorrect format string pro… | |
| CVE-2026-44070 | low | 3.1 | 3.1 | 7d ago | An unbounded memory reallocation in the charset conversion code in Netatalk 2.0.0 through 4.4.2 allows a remote authenticated attacker to cause a minor denial of service via crafted character convers… | |
| CVE-2026-0968 | low | 3.1 | 3.1 | 9d ago | Moderate: libssh security update | |
| CVE-2026-6334 | low | 3.1 | 3.1 | 10d ago | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enforce client identity binding during the OAuth authorization code redemption flow which allows an authenticated OAuth client to red… | |
| CVE-2026-8741 | low | 3.1 | 3.1 | 11d ago | A vulnerability has been found in EMQX up to 6.2.0. This affects an unknown function of the file apps/emqx/src/emqx_persistent_session_ds.erl of the component QoS 2 PUBLISH Packet Handler. Such manip… | |
| CVE-2026-8579 | low | 3.1 | 3.1 | 13d ago | Insufficient validation of untrusted input in Skia in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory write… | |
| CVE-2026-8578 | low | 3.1 | 3.1 | 13d ago | Out of bounds read in GPU in Google Chrome on Linux prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chro… | |
| CVE-2026-8572 | low | 3.1 | 3.1 | 13d ago | Insufficient policy enforcement in Network in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a craft… | |
| CVE-2026-8568 | low | 3.1 | 3.1 | 13d ago | Insufficient policy enforcement in AI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to bypass Site Isolation via a crafted HTML page. (Ch… | |
| CVE-2026-8556 | low | 3.1 | 3.1 | 13d ago | Inappropriate implementation in ANGLE in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HT… | |
| CVE-2026-8554 | low | 3.1 | 3.1 | 13d ago | Type Confusion in ANGLE in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory write via a crafted H… | |
| CVE-2026-8553 | low | 3.1 | 3.1 | 13d ago | Use after free in GPU in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory write via a crafted HTML page. (Ch… | |
| CVE-2026-8545 | low | 3.1 | 3.1 | 13d ago | Object corruption in Compositing in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromi… | |
| CVE-2026-8536 | low | 3.1 | 3.1 | 13d ago | Insufficient validation of untrusted input in ReadingMode in Google Chrome on Mac prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to bypass site Isolation v… | |
| CVE-2026-27680 | low | 3.1 | 3.1 | 13d ago | Due to improper input handling under certain conditions, SAP NetWeaver Application Server ABAP allows an attacker to inject custom Cascading Style Sheets (CSS) data into a web page served by the appl… | |
| CVE-2026-8022 | low | 3.1 | 3.1 | 21d ago | Inappropriate implementation in MHTML in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted … | |
| CVE-2026-8017 | low | 3.1 | 3.1 | 21d ago | Side-channel information leakage in Media in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low) | |
| CVE-2026-7968 | low | 3.1 | 3.1 | 21d ago | Insufficient validation of untrusted input in CORS in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafte… | |
| CVE-2026-7966 | low | 3.1 | 3.1 | 21d ago | Insufficient validation of untrusted input in SiteIsolation in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a c… | |
| CVE-2026-7965 | low | 3.1 | 3.1 | 21d ago | Insufficient validation of untrusted input in DevTools in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a craft… | |
| CVE-2026-7959 | low | 3.1 | 3.1 | 21d ago | Inappropriate implementation in Navigation in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page.… | |
| CVE-2026-7954 | low | 3.1 | 3.1 | 21d ago | Race in Shared Storage in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security… | |
| CVE-2026-7949 | low | 3.1 | 3.1 | 21d ago | Out of bounds read in Skia in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted Chrome Extension. (Chromi… | |
| CVE-2026-7945 | low | 3.1 | 3.1 | 21d ago | Insufficient validation of untrusted input in COOP in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HT… | |
| CVE-2026-7944 | low | 3.1 | 3.1 | 21d ago | Insufficient validation of untrusted input in Persistent Cache in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via … | |
| CVE-2026-7937 | low | 3.1 | 3.1 | 21d ago | Insufficient policy enforcement in DevTools in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a c… | |
| CVE-2026-7909 | low | 3.1 | 3.1 | 21d ago | Inappropriate implementation in ServiceWorker in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML pa… | |
| CVE-2026-22741 | low | 3.1 | 3.1 | 29d ago | Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources. | |
| CVE-2026-7360 | low | 3.1 | 3.1 | 29d ago | Insufficient validation of untrusted input. in Compositing in Google Chrome prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a c… | |
| CVE-2026-7351 | low | 3.1 | 3.1 | 29d ago | Race in MHTML in Google Chrome prior to 147.0.7727.138 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium se… | |
| CVE-2026-41488 | low | 3.1 | 3.1 | 1mo ago | LangChain is a framework for building agents and LLM-powered applications. Prior to 1.1.14, langchain-openai's _url_to_size() helper (used by get_num_tokens_from_messages for image token counting) va… | |
| CVE-2026-6611 | low | 3.1 | 3.1 | 1mo ago | A vulnerability was found in liangliangyy DjangoBlog up to 2.1.0.0. This affects an unknown function of the file djangoblog/settings.py of the component File Upload Endpoint. Performing a manipulatio… | |
| CVE-2026-6312 | low | 3.1 | 3.1 | 1mo ago | Insufficient policy enforcement in Passwords in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML p… | |
| CVE-2026-4590 | low | 3.1 | 3.1 | 2mo ago | A security flaw has been discovered in kalcaddle kodbox 1.64. The impacted element is an unknown function of the file /workspace/source-code/plugins/oauth/controller/bind/index.class.php of the compo… | |
| CVE-2026-4584 | low | 3.1 | 3.1 | 2mo ago | A flaw has been found in Shenzhen HCC Technology MPOS M6 PLUS 1V.31-N. This affects an unknown part of the component Cardholder Data Handler. Executing a manipulation can lead to cleartext transmissi… | |
| CVE-2026-4477 | low | 3.1 | 3.1 | 2mo ago | A vulnerability was determined in Yi Technology YI Home Camera 2 2.1.1_20171024151200. This affects an unknown function of the component WPA/WPS. Executing a manipulation can lead to use of hard-code… | |
| CVE-2026-3668 | low | 3.1 | 3.1 | 3mo ago | A weakness has been identified in Freedom Factory dGEN1 up to 20260221. This affects the function AndroidEthereum of the component org.ethosmobile.webpwaemul. This manipulation causes improper access… | |
| CVE-2026-3465 | low | 3.1 | 3.1 | 3mo ago | A vulnerability was determined in Tuya App and SDK 24.07.11 on Android. Affected by this vulnerability is an unknown functionality of the component JSON Data Point Handler. This manipulation of the a… | |
| CVE-2026-3193 | low | 3.1 | 3.1 | 3mo ago | A vulnerability was detected in Chia Blockchain 2.1.0. Impacted is an unknown function of the file /send_transaction. The manipulation results in cross-site request forgery. The attack may be perform… | |
| CVE-2026-2702 | low | 3.1 | 3.1 | 3mo ago | A security flaw has been discovered in Beetel 777VR1 up to 01.00.09. This issue affects some unknown processing of the component WPA2 PSK. Performing a manipulation results in hard-coded credentials.… | |
| CVE-2026-1743 | low | 3.1 | 3.1 | 4mo ago | A vulnerability has been found in DJI Mavic Mini, Air, Spark and Mini SE up to 01.00.0500. Affected by this vulnerability is an unknown functionality of the component Enhanced Wi-Fi Pairing. The mani… | |
| CVE-2026-21947 | low | 3.1 | 3.1 | 4mo ago | Vulnerability in Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u471-b50. Difficult to exploit vulnerability allows unauthenticated attacker with netwo… | |
| CVE-2026-1197 | low | 3.1 | 3.1 | 4mo ago | A vulnerability was detected in MineAdmin 1.x/2.x. Affected by this vulnerability is an unknown functionality of the file /system/downloadById. Performing a manipulation of the argument ID results in… | |
| CVE-2026-44072 | low | 3.0 | 3.0 | 7d ago | Netatalk 2.2.1 through 4.4.2 calls system() after a failed chdir() without properly handling the error condition, which allows a local privileged user to execute unintended commands or cause a minor … | |
| CVE-2026-44218 | low | 3.0 | 3.0 | 15d ago | ciguard: Container image runs as root (no USER directive) | |
| CVE-2026-44916 | low | 3.0 | 3.0 | 20d ago | In OpenStack Ironic before 35.0.2 (in a certain non-default configuration), instance_info['ks_template'] is rendered without sandboxing. | |
| CVE-2026-32684 | low | 2.9 | 2.9 | 16d ago | The application does not impose strict enough restrictions on directory access permissions, posing a risk that other malicious applications could obtain sensitive information. | |
| CVE-2026-41963 | low | 2.8 | 2.8 | 13d ago | Stack overflow vulnerability in the media platform. Impact: Successful exploitation of this vulnerability may affect availability. | |
| CVE-2026-8477 | low | 2.7 | 2.7 | 6d ago | Improper enforcement of the sealed-entry workflow in the entry sensitive-data retrieval feature in Devolutions Server allows an authenticated user with access to a sealed entry to retrieve its sensit… | |
| CVE-2026-8492 | low | 2.7 | 2.7 | 8d ago | The GTranslate module provides a language switcher widget for Drupal sites. The module’s widget JavaScript did not sufficiently validate that document.currentScript referred to the executing script … | |
| CVE-2026-2900 | low | 2.7 | 2.7 | 14d ago | GitLab has remediated an issue in GitLab EE affecting all versions from 16.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that when instance-level approval rule editing prevention w… | |
| CVE-2026-41659 | low | 2.7 | 2.7 | 28d ago | Admidio Leaks Hidden Profile Field Values via Blind Search Oracle in Member Assignment | |
| CVE-2026-6408 | low | 2.7 | 2.7 | 1mo ago | Tanium addressed an information disclosure vulnerability in Tanium Server. | |
| CVE-2026-6392 | low | 2.7 | 2.7 | 1mo ago | Tanium addressed an information disclosure vulnerability in Threat Response. | |
| CVE-2026-3307 | low | 2.7 | 2.7 | 1mo ago | An authorization bypass vulnerability was identified in GitHub Enterprise Server that allowed an attacker with admin access on one repository to modify the secret scanning push protection delegated b… | |
| CVE-2026-6597 | low | 2.7 | 2.7 | 1mo ago | A weakness has been identified in langflow-ai langflow up to 1.8.3. Impacted is the function remove_api_keys/has_api_terms of the file src/backend/base/langflow/api/utils/core.py of the component Flo… | |
| CVE-2026-6570 | low | 2.7 | 2.7 | 1mo ago | A security flaw has been discovered in kodcloud KodExplorer up to 4.52. Affected is the function initInstall of the file /app/controller/systemMember.class.php. Performing a manipulation of the argum… | |
| CVE-2026-36942 | low | 2.7 | 2.7 | 2mo ago | Sourcecodester Online Resort Management System v1.0 is vulnerable to SQL injection in the file /orms/admin/activities/manage_activity.php. | |
| CVE-2026-36946 | low | 2.7 | 2.7 | 2mo ago | Sourcecodester Computer and Mobile Repair Shop Management System v1.0 is vulnerable to SQL injection in the file /rsms/admin/inquiries/view_details.php. | |
| CVE-2026-36874 | low | 2.7 | 2.7 | 2mo ago | Sourcecodester Basic Library System v1.0 is vulnerable to SQL Injection in /librarysystem/load_student.php. | |
| CVE-2026-39510 | low | 2.7 | 2.7 | 2mo ago | Authorization Bypass Through User-Controlled Key vulnerability in WP Chill Image Photo Gallery Final Tiles Grid final-tiles-grid-gallery-lite allows Exploiting Incorrectly Configured Access Control S… | |
| CVE-2026-4957 | low | 2.7 | 2.7 | 2mo ago | A flaw has been found in OpenBMB XAgent 1.0.0. The impacted element is the function FunctionHandler.handle_tool_call of the file XAgent/function_handler.py of the component API Key Handler. This mani… | |
| CVE-2026-4285 | low | 2.7 | 2.7 | 2mo ago | A vulnerability was identified in taoofagi easegen-admin up to 8f87936ac774065b92fb20aab55b274a6ea76433. Impacted is the function recognizeMarkdown of the file yudao-module-digitalcourse/yudao-module… | |
| CVE-2026-3911 | low | 2.7 | 2.7 | 3mo ago | Keycloak: Information disclosure of disabled user attributes via administrative endpoint | |
| CVE-2026-1588 | low | 2.7 | 2.7 | 4mo ago | A vulnerability was found in jishenghua jshERP up to 3.6. The impacted element is the function install of the file /jshERP-boot/plugin/installByPath of the component com.gitee.starblues.integration.o… | |
| CVE-2026-22597 | low | 2.7 | 2.7 | 5mo ago | Ghost has SSRF via External Media Inliner | |
| CVE-2026-9248 | low | 2.6 | 2.6 | 6d ago | Authorization bypass in the entry duplication feature in Devolutions Server allows an authenticated user with write access to any vault to copy documentation and attachments from an entry in a vault … | |
| CVE-2026-7847 | low | 2.6 | 2.6 | 22d ago | Langchain-Chatchat Uses Insufficiently Random Values | |
| CVE-2026-7846 | low | 2.6 | 2.6 | 23d ago | Langchain-Chatchat has a Race Condition in its OpenAI-Compatible File Upload API | |
| CVE-2026-7845 | low | 2.6 | 2.6 | 23d ago | Langchain-Chatchat Uses a Broken or Risky Cryptographic Algorithm | |
| CVE-2026-45570 | low | — | 2.5 | 13h ago | go-git: Improper single-quote escaping in go-git SSH transport | |
| CVE-2026-35202 | low | — | 2.5 | 1d ago | Pterodactyl has a database resource limit bypass via race condition in Client API | |
| CVE-2026-46554 | low | — | 2.5 | 6d ago | NocoDB: Stale Auth Cache After API Token Deletion | |
| CVE-2026-46553 | low | — | 2.5 | 6d ago | NocoDB: Attachment Size Limit Bypass via Upload-by-URL | |
| CVE-2026-46549 | low | — | 2.5 | 6d ago | NocoDB: OAuth Token Scope Not Enforced at ACL Layer Allows Scope Escalation | |
| CVE-2026-46668 | low | — | 2.5 | 6d ago | SpiceDB: Caveat structures with nested lists can result in improper cache reuse | |
| CVE-2026-46497 | low | — | 2.5 | 6d ago | Crawlee for Python: SSRF via sitemap-derived URLs | |
| CVE-2026-45133 | low | — | 2.5 | 8d ago | Symfony hardened the parser when handling untrusted input | |
| CVE-2026-45305 | low | — | 2.5 | 8d ago | Symfony's YAML Parser has a ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex | |
| CVE-2026-45304 | low | — | 2.5 | 8d ago | Symfony's YAML Parser Vulnerable to Exponential Memory Allocation via Recursive Collection-Alias Expansion ("Billion Laughs") |