CVEs from 2026
Total
13,682
critical
critical 1,199
high
high 4,384
medium
medium 4,286
low
low 468
% Critical
8.8%
% with KEV
0.4%
% with exploit
0.8%
Top products
- chrome 503
- firepower_threat_defense 298
- firepower_threat_defense_software 295
- gcp 229
- openclaw 172
- commerce 104
- commerce_b2b 89
- saml_sso_-_service_provider 77
Top packages
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-44561 | medium | 5.4 | 5.4 | 17d ago | Open WebUI: Deactivated Channel Members Retain Full Access to Group/DM Channels | |||
| CVE-2026-44558 | medium | 5.4 | 5.4 | 17d ago | Open WebUI's Channel Access Grants Bypass filter_allowed_access_grants | |||
| CVE-2026-45580 | medium | 5.4 | 5.4 | 17d ago | WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a stored cross-site scripting vulnerability. The Live plugin's "YouTube-style" view renders the live transmission's stream … | |||
| CVE-2026-23695 | medium | 5.4 | 5.4 | 17d ago | Cockpit CMS: Stored cross-site scripting vulnerability in the Set field type's Display template option | |||
| CVE-2026-44310 | medium | 5.4 | 5.4 | 17d ago | gitsign --verify panics on empty-certificate PKCS7 and exits 0, bypassing exit-code callers | |||
| CVE-2026-24662 | medium | 5.4 | 5.4 | 18d ago | Cross-site scripting vulnerability exists in Musetheque V4 Information Disclosure for IPKNOWLEDGE V4L1 rev2203.0 and earlier. If a file containing malicious contents is uploaded, an arbitrary script … | |||
| CVE-2026-44429 | medium | 5.4 | 5.4 | 18d ago | MCP Registry vulnerable to stored XSS in catalogue UI via attribute-quote breakout in publisher-controlled `websiteUrl` | |||
| CVE-2026-8561 | medium | 5.4 | 5.4 | 18d ago | Incorrect security UI in Fullscreen in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | |||
| CVE-2026-8539 | medium | 5.4 | 5.4 | 18d ago | Script injection in SanitizerAPI in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security s… | |||
| CVE-2026-45299 | medium | 5.4 | 5.4 | 18d ago | Open WebUI has Stored Cross-Site Scripting In Profile Picture | |||
| CVE-2026-22707 | medium | 5.4 | 5.4 | 18d ago | Strapi Upload Plugin MIME Validation Bypass via Content API | |||
| CVE-2026-20210 | medium | 5.4 | 5.4 | 18d ago | A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker with read-only permissions to modify configurations and perform … | |||
| CVE-2026-20209 | medium | 5.4 | 5.4 | 18d ago | A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker with read-only permissions to elevate their privileges from low … | |||
| CVE-2026-42159 | medium | 5.4 | 5.4 | 18d ago | Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, Flowsint allows a user to create investigations, whic… | |||
| CVE-2026-6472 | medium | 5.4 | 5.4 | 18d ago | Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types. That is to say, t… | |||
| CVE-2026-7481 | medium | 5.4 | 5.4 | 19d ago | GitLab has remediated an issue in GitLab EE affecting all versions from 16.4 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer… | |||
| CVE-2026-7377 | medium | 5.4 | 5.4 | 19d ago | GitLab has remediated an issue in GitLab EE affecting all versions from 18.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that, in customizable analytics dashboards, could have allow… | |||
| CVE-2026-6335 | medium | 5.4 | 5.4 | 19d ago | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.3 that under certain conditions could have allowed an authenticated user to execute arbitrary code in ano… | |||
| CVE-2026-6073 | medium | 5.4 | 5.4 | 19d ago | GitLab has remediated an issue in GitLab EE affecting all versions from 18.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to execute arb… | |||
| CVE-2026-3829 | medium | 5.4 | 5.4 | 19d ago | The WP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect, Security & SSL Scan plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks… | |||
| CVE-2026-44425 | medium | 5.4 | 5.4 | 19d ago | ShellHub has crash-DoS via field injection in filter and sort-by parameters | |||
| CVE-2026-45228 | medium | 5.4 | 5.4 | 19d ago | Quark Drive before 0.8.5 contains a stored cross-site scripting vulnerability in the System Configuration page where the template renders push_config key names using Vue.js's v-html directive without… | |||
| CVE-2026-44576 | medium | 5.4 | 5.4 | 19d ago | Next.js vulnerable to cache poisoning in React Server Component responses | |||
| CVE-2026-40703 | medium | 5.4 | 5.4 | 19d ago | A cross-site request forgery (CSRF) vulnerability exists in the dashboard of the BIG-IP Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not eval… | |||
| CVE-2026-44794 | medium | 5.4 | 5.4 | 19d ago | Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, in the case of inter-object references via GenericForeignKey (a pattern allowing an object to referen… | |||
| CVE-2026-7051 | medium | 5.4 | 5.4 | 20d ago | The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 8.9.0. This is due to a missing ownership verific… | |||
| CVE-2026-44873 | medium | 5.4 | 5.4 | 20d ago | A session management vulnerability in AOS-8 allows previously authenticated users to retain network access after their accounts are administratively disabled. Existing sessions are not invalidated wh… | |||
| CVE-2026-42838 | medium | 5.4 | 5.4 | 20d ago | Improper neutralization of special elements in output used by a downstream component ('injection') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to elevate privileges over a netw… | |||
| CVE-2026-35423 | medium | 5.4 | 5.4 | 20d ago | Out-of-bounds read in Telnet Client allows an unauthorized attacker to disclose information over a network. | |||
| CVE-2026-45210 | medium | 5.4 | 5.4 | 20d ago | Missing Authorization vulnerability in Broadstreet Broadstreet Ads broadstreet allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Broadstreet Ads: from n/a thr… | |||
| CVE-2026-40132 | medium | 5.4 | 5.4 | 21d ago | Due to missing authorization check in SAP Strategic Enterprise Management (Scorecard Wizard in Business Server Pages), an authenticated attacker could access information that they are otherwise unaut… | |||
| CVE-2026-0502 | medium | 5.4 | 5.4 | 21d ago | Due to insufficient CSRF protection in SAP BusinessObjects Business Intelligence Platform ,an authenticated user could be tricked by an attacker to send unintended requests to the web server. This ha… | |||
| CVE-2026-39960 | medium | 5.4 | 5.4 | 21d ago | MantisBT is Vulnerable to Stored XSS in Custom Field Textarea Values | |||
| CVE-2026-44998 | medium | 5.4 | 5.4 | 21d ago | OpenClaw before 2026.4.20 contains a tool policy bypass vulnerability allowing bundled MCP and LSP tools to circumvent configured tool restrictions. Attackers with local agent access can append restr… | |||
| CVE-2026-44993 | medium | 5.4 | 5.4 | 21d ago | OpenClaw before 2026.4.20 contains a message classification vulnerability in Feishu card-action callbacks that misclassifies direct messages as group conversations. Attackers can bypass dmPolicy enfo… | |||
| CVE-2026-43638 | medium | 5.4 | 5.4 | 21d ago | Bitwarden Server prior to v2026.4.1 contains a missing authorization vulnerability that allows any authenticated user to write ciphers into an arbitrary organization via `POST /ciphers/import-organiz… | |||
| CVE-2026-42857 | medium | 5.4 | 5.4 | 21d ago | Open edX Platform enables the authoring and delivery of online learning at any scale. The HTML sanitizer clean_thread_html_body() used for discussion notification emails fails to remove <style> tags … | |||
| CVE-2026-38569 | medium | 5.4 | 5.4 | 21d ago | HireFlow v1.2 is vulnerable to Cross Site Scripting (XSS) in candidate_detail.html via the Resume or Feedback Comment fields via POST /candidates/add or POST /feedback/add. | |||
| CVE-2026-28819 | medium | 5.4 | 5.4 | 22d ago | An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may … | |||
| CVE-2026-44831 | medium | 5.4 | 5.4 | 24d ago | Snipe-IT has Stored XSS via Component Checkout Notes (v8.4.0) | |||
| CVE-2026-42192 | medium | 5.4 | 5.4 | 24d ago | Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, a stored cross-site scripting (XSS) vulnerability exists in the campaign management feature, where the email bo… | |||
| CVE-2026-41487 | medium | 5.4 | 5.4 | 24d ago | Langfuse is an open source large language model engineering platform. From version 3.68.0 to before version 3.167.0, there is a role-based-access control flaw in the LLM connection update flow. An a… | |||
| CVE-2026-42877 | medium | 5.4 | 5.4 | 25d ago | FacturaScripts is an open source accounting and invoicing software. In 2025.92 and earlier, a stored Cross-Site Scripting (XSS) vulnerability exists in the product search modal of sales (Core/Lib/Aja… | |||
| CVE-2026-41903 | medium | 5.4 | 5.4 | 25d ago | FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, a user holding the PERM_EDIT_USERS permission (intended for general user-profile editing) … | |||
| CVE-2026-36341 | medium | 5.4 | 5.4 | 25d ago | Webkul Krayin CRM is Vulnerable to Cross-Site Scripting in the /admin/activities/create endpoint | |||
| CVE-2026-36388 | medium | 5.4 | 5.4 | 25d ago | A Cross-Site Scripting (XSS) vulnerability was found in PHPGurukal Hospital Management System v4.0 in the /hospital/hms/edit-profile.php page. This flaw allows an authenticated attacker (patient) to … | |||
| CVE-2026-8080 | medium | 5.4 | 5.4 | 25d ago | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in misp allows Stored XSS. This issue affects MISP before 2.5.37. A stored cross-si… | |||
| CVE-2026-8019 | medium | 5.4 | 5.4 | 26d ago | Insufficient policy enforcement in WebApp in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | |||
| CVE-2026-8015 | medium | 5.4 | 5.4 | 26d ago | Inappropriate implementation in Media in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | |||
| CVE-2026-8012 | medium | 5.4 | 5.4 | 26d ago | Inappropriate implementation in MHTML in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to inject arbitrary scripts or HTML (UXSS) via a craft… | |||
| CVE-2026-8008 | medium | 5.4 | 5.4 | 26d ago | Inappropriate implementation in DevTools in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome … | |||
| CVE-2026-8006 | medium | 5.4 | 5.4 | 26d ago | Insufficient policy enforcement in DevTools in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chro… | |||
| CVE-2026-8003 | medium | 5.4 | 5.4 | 26d ago | Insufficient validation of untrusted input in TabGroups in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via malicious network traffic. (Chromium security seve… | |||
| CVE-2026-7998 | medium | 5.4 | 5.4 | 26d ago | Insufficient validation of untrusted input in Dialog in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HT… | |||
| CVE-2026-7962 | medium | 5.4 | 5.4 | 26d ago | Insufficient policy enforcement in DirectSockets in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform arbitrary read/write via a crafted Chrome Extension. (Chromium security s… | |||
| CVE-2026-7958 | medium | 5.4 | 5.4 | 26d ago | Inappropriate implementation in ServiceWorker in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to inject arbitrary scripts or HTML (UX… | |||
| CVE-2026-7950 | medium | 5.4 | 5.4 | 26d ago | Out of bounds read and write in GFX in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform arbitrary read/write via malicious network traffic. (Chromium security severity: Mediu… | |||
| CVE-2026-7939 | medium | 5.4 | 5.4 | 26d ago | Inappropriate implementation in SanitizerAPI in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security s… | |||
| CVE-2026-7935 | medium | 5.4 | 5.4 | 26d ago | Inappropriate implementation in Speech in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | |||
| CVE-2026-7931 | medium | 5.4 | 5.4 | 26d ago | Insufficient validation of untrusted input in iOS in Google Chrome on iOS prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity:… | |||
| CVE-2026-20219 | medium | 5.4 | 5.4 | 26d ago | A vulnerability in the REST API of Cisco Slido could have allowed an authenticated, remote attacker to access the social profile data of other users or affect quiz and poll results. Cisco has address… | |||
| CVE-2026-36358 | medium | 5.4 | 5.4 | 26d ago | Cross Site Scripting vulnerability in Juzaweb CMS v.5.0.0 allows a remote attacker via execute arbitrary code via a crafted script to the Add Banner Ads function | |||
| CVE-2026-43879 | medium | 5.4 | 5.4 | 27d ago | AVideo has Blind SSRF in YPTWallet Donation Webhook via Missing isSSRFSafeURL() Check and CURLOPT_FOLLOWLOCATION Redirect Bypass | |||
| CVE-2026-42612 | medium | 5.4 | 5.4 | 27d ago | Grav Vulnerable to Publisher-Level Stored XSS via Unquoted Event Attributes | |||
| CVE-2026-42842 | medium | 5.4 | 5.4 | 27d ago | Grav Vulnerable to XSS via Taxonomy Field Values in Admin Panel | |||
| CVE-2026-31835 | medium | 5.4 | 5.4 | 27d ago | Vaultwarden is a Bitwarden-compatible server written in Rust. In versions 1.35.4 and earlier, the WebAuthn authentication flow in `validate_webauthn_login()` updates persistent credential metadata (1… | |||
| CVE-2026-43877 | medium | 5.4 | 5.4 | 27d ago | AVideo: CSRF in userSavePhoto.php Allows Cross-Origin Overwrite of Authenticated Users' Profile Photos with Arbitrary Content | |||
| CVE-2026-27694 | medium | 5.4 | 5.4 | 27d ago | Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the email notification templates insert user-controlled device, geofence, and driver n… | |||
| CVE-2026-27693 | medium | 5.4 | 5.4 | 27d ago | Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper … | |||
| CVE-2026-7631 | medium | 5.4 | 5.4 | 1mo ago | A vulnerability was found in code-projects Online Hospital Management System 1.0. The impacted element is an unknown function of the component Registration Handler. The manipulation of the argument U… | |||
| CVE-2026-4790 | medium | 5.4 | 5.4 | 1mo ago | The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_svg' parameter in versions up to, and inclu… | |||
| CVE-2026-5077 | medium | 5.4 | 5.4 | 1mo ago | The Total theme for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in versions up to, and including, 2.2.1 due to insufficient output escaping when rendering the_title() insid… | |||
| CVE-2026-6446 | medium | 5.4 | 5.4 | 1mo ago | The My Social Feeds – Social Feeds Embedder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 1.0.4 via the 'ttp_get_accounts' AJAX action. This… | |||
| CVE-2026-40201 | medium | 5.4 | 5.4 | 1mo ago | @diplodoc/search-extension allows stored XSS via Markdown file title | |||
| CVE-2026-7502 | medium | 5.4 | 5.4 | 1mo ago | A security vulnerability has been detected in LinkStackOrg LinkStack up to 4.8.6. The affected element is the function saveLink of the file app/Http/Controllers/UserController.php of the component Ma… | |||
| CVE-2026-36766 | medium | 5.4 | 5.4 | 1mo ago | Shopizer is vulnerable to Cross-site Scripting | |||
| CVE-2026-41519 | medium | 5.4 | 5.4 | 1mo ago | Weblate Doesn't Invalidate API Token on Password Change | |||
| CVE-2026-36756 | medium | 5.4 | 5.4 | 1mo ago | A Server-Side Request Forgery (SSRF) in the /plugins/-/install-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request. | |||
| CVE-2026-7500 | medium | 5.4 | 5.4 | 1mo ago | Keycloak has a Forced Browsing issue | |||
| CVE-2026-1493 | medium | 5.4 | 5.4 | 1mo ago | LEX Baza Dokumentów is vulnerable to DOM-based XSS in "em" cookie parameter. The application unsafely processes the parameter on the client side, allowing an attacker to execute arbitrary JavaScript … | |||
| CVE-2026-40230 | medium | 5.4 | 5.4 | 1mo ago | Helpy contains a stored cross-site scripting vulnerability in the knowledge base Doc rendering logic. An authenticated attacker with admin or agent editor privileges can persist arbitrary HTML or Jav… | |||
| CVE-2026-40229 | medium | 5.4 | 5.4 | 1mo ago | Helpy contains a stored cross-site scripting vulnerability in the post author display logic. Any registered user can persist arbitrary HTML in their account name field and cause it to be rendered une… | |||
| CVE-2026-42641 | medium | 5.4 | 5.4 | 1mo ago | Server-Side Request Forgery (SSRF) vulnerability in ILLID Share This Image share-this-image allows Server Side Request Forgery.This issue affects Share This Image: from n/a through <= 2.14. | |||
| CVE-2026-40296 | medium | 5.4 | 5.4 | 1mo ago | PhpSpreadsheet has XSS via number format code with @ text placeholder bypasses htmlspecialchars in HTML writer | |||
| CVE-2026-35453 | medium | 5.4 | 5.4 | 1mo ago | PhpSpreadsheet has XSS via NumberFormat @ Text Substitution in HTML Writer | |||
| CVE-2026-42421 | medium | 5.4 | 5.4 | 1mo ago | OpenClaw: Existing WS sessions survive shared gateway token rotation | |||
| CVE-2026-41916 | medium | 5.4 | 5.4 | 1mo ago | OpenClaw: resolvedAuth closure becomes stale after config reload | |||
| CVE-2026-41406 | medium | 5.4 | 5.4 | 1mo ago | OpenClaw: Feishu thread history and quoted messages bypass sender allowlist | |||
| CVE-2026-41402 | medium | 5.4 | 5.4 | 1mo ago | OpenClaw: Zalo webhook replay cache cross-target messageId scope bypass | |||
| CVE-2026-41382 | medium | 5.4 | 5.4 | 1mo ago | OpenClaw: Discord voice ingress authorization can be bypassed via channel, name, and stale-role validation gaps | |||
| CVE-2026-41381 | medium | 5.4 | 5.4 | 1mo ago | OpenClaw: Discord voice manager bypasses channel-level member access allowlist | |||
| CVE-2026-38948 | medium | 5.4 | 5.4 | 1mo ago | Cross-Site Scripting (XSS) vulnerability exists in FUEL CMS v1.5.2 and before within the asset upload functionality. The application fails to properly sanitize uploaded SVG files, allowing a low-priv… | |||
| CVE-2026-5306 | medium | 5.4 | 5.4 | 1mo ago | The Check & Log Email WordPress plugin before 2.0.13 does not properly handle email replacement, which could allow unauthenticated users to perform Stored XSS attacks when the email encoder setting … | |||
| CVE-2026-41365 | medium | 5.4 | 5.4 | 1mo ago | OpenClaw: MSTeams thread history bypasses sender allowlist via Graph API | |||
| CVE-2026-5362 | medium | 5.4 | 5.4 | 1mo ago | Pimcore has an authenticated Cross-site Scripting issue | |||
| CVE-2026-7024 | medium | 5.4 | 5.4 | 1mo ago | A flaw has been found in rawchen sims up to 004f783b1db5ecdfad81c8fdc3b34171211112de. Affected by this issue is some unknown functionality of the file sims-master/src/web/servlet/file/DeleteFileServl… | |||
| CVE-2026-41425 | medium | 5.4 | 5.4 | 1mo ago | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vuln… | |||
| CVE-2026-42042 | medium | 5.4 | 5.4 | 1mo ago | Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion | |||
| CVE-2026-25720 | medium | 5.4 | 5.4 | 1mo ago | A vulnerability exists in SenseLive X3050’s web management interface due to improper session lifetime enforcement, allowing authenticated sessions to remain active for extended periods without requi… | |||
| CVE-2026-41358 | medium | 5.4 | 5.4 | 1mo ago | OpenClaw: Slack thread context could include messages from non-allowlisted senders |