CVEs from 2026

Total: 14,003
- critical: 1,216
- high: 4,577
- medium: 4,408
- low: 483

% Critical: 8.7%
% with KEV: 0.4%
% with exploit: 0.7%
Top products
- chrome 503
- firepower_threat_defense_software 300
- firepower_threat_defense 298
- gcp 229
- openclaw 172
- commerce 104
- commerce_b2b 89
- saml_sso_-_service_provider 77
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-34515 | unknown | — | — |  |  |  | 2mo ago | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, on Windows the static resource handler may expose information about a NTLMv2 remote path. This… |
| CVE-2026-34514 | unknown | — | — |  |  |  | 2mo ago | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the content_type parameter in aiohttp could use this to inject extra … |
| CVE-2026-34513 | unknown | — | — |  |  |  | 2mo ago | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situ… |
| CVE-2026-22815 | unknown | — | — |  |  |  | 2mo ago | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, insufficient restrictions in header/trailer handling could cause uncapped memory usage. This i… |
| CVE-2026-28868 | unknown | — | — |  |  |  | 2mo ago | visionOS 26.4 |
| CVE-2026-28865 | unknown | — | — |  |  |  | 2mo ago | visionOS 26.4 |
| CVE-2026-28880 | unknown | — | — |  |  |  | 2mo ago | visionOS 26.4 |
| CVE-2026-28867 | unknown | — | — |  |  |  | 2mo ago | visionOS 26.4 |
| CVE-2026-28879 | unknown | — | — |  |  |  | 2mo ago | visionOS 26.4 |
| CVE-2026-20690 | unknown | — | — |  |  |  | 2mo ago | visionOS 26.4 |
| CVE-2026-20668 | unknown | — | — |  |  |  | 2mo ago | macOS Sonoma 14.8.5 |
| CVE-2026-20637 | unknown | — | — |  |  |  | 2mo ago | macOS Sonoma 14.8.5 |
| CVE-2026-28866 | unknown | — | — |  |  |  | 2mo ago | macOS Sonoma 14.8.5 |
| CVE-2026-28852 | unknown | — | — |  |  |  | 2mo ago | visionOS 26.4 |
| CVE-2026-28886 | unknown | — | — |  |  |  | 2mo ago | visionOS 26.4 |
| CVE-2026-28864 | unknown | — | — |  |  |  | 2mo ago | visionOS 26.4 |
| CVE-2026-20687 | unknown | — | — |  |  |  | 2mo ago | watchOS 26.4 |
| CVE-2026-28876 | unknown | — | — |  |  |  | 2mo ago | visionOS 26.4 |
| CVE-2026-34237 | unknown | — | — |  |  |  | 2mo ago | MCP Java SDK has a Hardcoded Wildcard CORS (Access-Control-Allow-Origin: *) |
| CVE-2026-34361 | unknown | — | — |  |  |  | 2mo ago | FHIR Validator HTTP service has SSRF via /loadIG Chains with startsWith() Credential Leak for Authentication Token Theft |
| CVE-2026-34360 | unknown | — | — |  |  |  | 2mo ago | FHIR Validator: Unauthenticated Blind SSRF via /loadIG Endpoint Enables Internal Network Probing |
| CVE-2026-34359 | unknown | — | — |  |  |  | 2mo ago | HAPI FHIR Core has Authentication Credential Leakage via Improper URL Prefix Matching on HTTP Redirect |
| CVE-2026-34165 | unknown | — | — |  |  |  | 2mo ago | go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can ca… |
| CVE-2026-33762 | unknown | — | — |  |  |  | 2mo ago | go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git’s index decoder for format version 4 fails to validate the path name prefix length before applyi… |
| CVE-2026-34214 | unknown | — | — |  |  |  | 2mo ago | Trino: Iceberg REST catalog static and vended credentials are accessible via query JSON |
| CVE-2026-28367 | unknown | — | — |  |  |  | 2mo ago | Undertow is Vulnerable to HTTP Request/Response Smuggling |
| CVE-2026-28369 | unknown | — | — |  |  |  | 2mo ago | Undertow is Vulnerable to HTTP Request/Response Smuggling |
| CVE-2026-28368 | unknown | — | — |  |  |  | 2mo ago | Undertow is Vulnerable to HTTP Request/Response Smuggling |
| CVE-2026-33997 | unknown | — | — |  |  |  | 2mo ago | Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows plugins privilege validation to be bypassed during docker plugin install. D… |
| CVE-2026-33945 | unknown | — | — |  |  |  | 2mo ago | Incus is a system container and virtual machine manager. Incus instances have an option to provide credentials to systemd in the guest. For containers, this is handled through a shared directory. Pri… |
| CVE-2026-33898 | unknown | — | — |  |  |  | 2mo ago | Incus is a system container and virtual machine manager. Prior to version 6.23.0, the web server spawned by `incus webui` incorrectly validates the authentication token such that an invalid value wil… |
| CVE-2026-33897 | unknown | — | — |  |  |  | 2mo ago | Incus is a system container and virtual machine manager. Prior to version 6.23.0, instance template files can be used to cause arbitrary read or writes as root on the host server. Incus allows for po… |
| CVE-2026-33743 | unknown | — | — |  |  |  | 2mo ago | Incus is a system container and virtual machine manager. Prior to version 6.23.0, a specially crafted storage bucket backup can be used by an user with access to Incus' storage bucket feature to cras… |
| CVE-2026-33711 | unknown | — | — |  |  |  | 2mo ago | Incus is a system container and virtual machine manager. Incus provides an API to retrieve VM screenshots. That API relies on the use of a temporary file for QEMU to write the screenshot to which is … |
| CVE-2026-33542 | unknown | — | — |  |  |  | 2mo ago | Incus is a system container and virtual machine manager. Prior to version 6.23.0, a lack of validation of the image fingerprint when downloading from simplestreams image servers opens the door to ima… |
| CVE-2026-22743 | unknown | — | — |  |  |  | 2mo ago | Spring AI has a Cypher Injection vulnerability in Neo4jVectorFilterExpressionConverter |
| CVE-2026-22744 | unknown | — | — |  |  |  | 2mo ago | Spring AI Redis Store has TAG Field Query Injection Through Improper Neutralization of Special Characters |
| CVE-2026-3190 | unknown | — | — |  |  |  | 2mo ago | Keycloak: Missing Role Enforcement on UMA 2.0 Permission Ticket Endpoint Leads to Information Disclosure |
| CVE-2026-3121 | unknown | — | — |  |  |  | 2mo ago | Keycloak: manage-clients permission escalates to full realm admin access |
| CVE-2026-33536 | unknown | — | — |  |  |  | 2mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-18 and 6.9.13-43, due to an incorrect return value on certain platforms a pointer is incr… |
| CVE-2026-33871 | unknown | — | — |  |  |  | 2mo ago | Netty HTTP/2 CONTINUATION Frame Flood DoS via Zero-Byte Frame Bypass |
| CVE-2026-33870 | unknown | — | — |  |  |  | 2mo ago | Netty: HTTP Request Smuggling via Chunked Extension Quoted-String Parsing |
| CVE-2026-33748 | unknown | — | — |  |  |  | 2mo ago | BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, insufficient validation of Git URL fragment subdir comp… |
| CVE-2026-33747 | unknown | — | — |  |  |  | 2mo ago | BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can… |
| CVE-2026-33535 | unknown | — | — |  |  |  | 2mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-18 and 6.9.13-43, an out-of-bounds write of a zero byte exists in the X11 `display` inter… |
| CVE-2026-33728 | unknown | — | — |  |  |  | 2mo ago | dd-trace-java: Unsafe deserialization in RMI instrumentation may lead to remote code execution |
| CVE-2026-33701 | unknown | — | — |  |  |  | 2mo ago | OpenTelemetry: Unsafe Deserialization in RMI Instrumentation may Lead to Remote Code Execution |
| CVE-2026-27889 | unknown | — | — |  |  |  | 2mo ago | NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.2.0 and prior to versions 2.11.14 and 2.12.5, a missing sanity check on a WebSock… |
| CVE-2026-33248 | unknown | — | — |  |  |  | 2mo ago | NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with `verify_and_map` to der… |
| CVE-2026-33246 | unknown | — | — |  |  |  | 2mo ago | NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server offers a `Nats-Request-Info:` message header, providing information about a request. Th… |
| CVE-2026-33223 | unknown | — | — |  |  |  | 2mo ago | NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, the NATS message header `Nats-Request-Info:` is supposed to be a … |
| CVE-2026-33222 | unknown | — | — |  |  |  | 2mo ago | NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, users with JetStream admin API access to restore one stream could… |
| CVE-2026-33219 | unknown | — | — |  |  |  | 2mo ago | NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a malicious client which can connect to the WebSockets port can c… |
| CVE-2026-33218 | unknown | — | — |  |  |  | 2mo ago | NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a client which can connect to the leafnode port can crash the nat… |
| CVE-2026-33217 | unknown | — | — |  |  |  | 2mo ago | NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using ACLs on message subjects, these ACLs were not applied … |
| CVE-2026-33216 | unknown | — | — |  |  |  | 2mo ago | NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, for MQTT deployments using usercodes/passwords: MQTT passwords ar… |
| CVE-2026-33215 | unknown | — | — |  |  |  | 2mo ago | NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server provides an MQTT client interface. Prior to versions 2.11.15 and 2.12.5, Sessions and M… |
| CVE-2026-29785 | unknown | — | — |  |  |  | 2mo ago | NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.14 and 2.12.5, if the nats-server has the "leafnode" configuration enabled (not … |
| CVE-2026-33247 | unknown | — | — |  |  |  | 2mo ago | NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, if a nats-server is run with static credentials for all clients p… |
| CVE-2026-33249 | unknown | — | — |  |  |  | 2mo ago | NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.11.0 and prior to versions 2.11.15 and 2.12.6, a valid client which uses message … |
| CVE-2026-32948 | unknown | — | — |  |  |  | 2mo ago | sbt: Source dependency feature (via crafted VCS URL) leads to arbitrary code execution on Windows |
| CVE-2026-32642 | unknown | — | — |  |  |  | 2mo ago | Apache Artemis: Unauthorized Temporary Address Creation via OpenWire Protocol |
| CVE-2026-3260 | unknown | — | — |  |  |  | 2mo ago | Undertow: Denial of Service via Multipart/Form-Data Parsing on HTTP GET Requests |
| CVE-2026-22739 | unknown | — | — |  |  |  | 2mo ago | Spring Cloud Config Server: Path Traversal via Profile Parameter Allows Arbitrary File Access |
| CVE-2026-20697 | unknown | — | — |  |  |  | 2mo ago | macOS Sonoma 14.8.5 |
| CVE-2026-20607 | unknown | — | — |  |  |  | 2mo ago | macOS Sonoma 14.8.5 |
| CVE-2026-28831 | unknown | — | — |  |  |  | 2mo ago | macOS Sonoma 14.8.5 |
| CVE-2026-20660 | unknown | — | — |  |  |  | 2mo ago | macOS Sequoia 15.7.5 |
| CVE-2026-20692 | unknown | — | — |  |  |  | 2mo ago | macOS Sonoma 14.8.5 |
| CVE-2026-20694 | unknown | — | — |  |  |  | 2mo ago | macOS Sonoma 14.8.5 |
| CVE-2026-20701 | unknown | — | — |  |  |  | 2mo ago | macOS Sonoma 14.8.5 |
| CVE-2026-28839 | unknown | — | — |  |  |  | 2mo ago | macOS Sonoma 14.8.5 |
| CVE-2026-28825 | unknown | — | — |  |  |  | 2mo ago | macOS Sonoma 14.8.5 |
| CVE-2026-20633 | unknown | — | — |  |  |  | 2mo ago | macOS Sonoma 14.8.5 |
| CVE-2026-28823 | unknown | — | — |  |  |  | 2mo ago | macOS Tahoe 26.4 |
| CVE-2026-20651 | unknown | — | — |  |  |  | 2mo ago | macOS Sequoia 15.7.5 |
| CVE-2026-28862 | unknown | — | — |  |  |  | 2mo ago | macOS Sonoma 14.8.5 |
| CVE-2026-28818 | unknown | — | — |  |  |  | 2mo ago | macOS Sonoma 14.8.5 |
| CVE-2026-28828 | unknown | — | — |  |  |  | 2mo ago | macOS Sonoma 14.8.5 |
| CVE-2026-28889 | unknown | — | — |  |  |  | 2mo ago | Xcode 26.4 |
| CVE-2026-28816 | unknown | — | — |  |  |  | 2mo ago | macOS Sonoma 14.8.5 |
| CVE-2026-28888 | unknown | — | — |  |  |  | 2mo ago | macOS Sonoma 14.8.5 |
| CVE-2026-28874 | unknown | — | — |  |  |  | 2mo ago | iOS 26.4 and iPadOS 26.4 |
| CVE-2026-20639 | unknown | — | — |  |  |  | 2mo ago | macOS Sonoma 14.8.5 |
| CVE-2026-28858 | unknown | — | — |  |  |  | 2mo ago | iOS 26.4 and iPadOS 26.4 |
| CVE-2026-28835 | unknown | — | — |  |  |  | 2mo ago | macOS Sonoma 14.8.5 |
| CVE-2026-28856 | unknown | — | — |  |  |  | 2mo ago | visionOS 26.4 |
| CVE-2026-20693 | unknown | — | — |  |  |  | 2mo ago | macOS Sonoma 14.8.5 |
| CVE-2026-28842 | unknown | — | — |  |  |  | 2mo ago | macOS Tahoe 26.4 |
| CVE-2026-28817 | unknown | — | — |  |  |  | 2mo ago | macOS Sonoma 14.8.5 |
| CVE-2026-28881 | unknown | — | — |  |  |  | 2mo ago | macOS Tahoe 26.4 |
| CVE-2026-28824 | unknown | — | — |  |  |  | 2mo ago | macOS Sonoma 14.8.5 |
| CVE-2026-28845 | unknown | — | — |  |  |  | 2mo ago | macOS Tahoe 26.4 |
| CVE-2026-20631 | unknown | — | — |  |  |  | 2mo ago | macOS Tahoe 26.4 |
| CVE-2026-28822 | unknown | — | — |  |  |  | 2mo ago | visionOS 26.4 |
| CVE-2026-28820 | unknown | — | — |  |  |  | 2mo ago | macOS Tahoe 26.4 |
| CVE-2026-28837 | unknown | — | — |  |  |  | 2mo ago | macOS Tahoe 26.4 |
| CVE-2026-20632 | unknown | — | — |  |  |  | 2mo ago | macOS Tahoe 26.4 |
| CVE-2026-28844 | unknown | — | — |  |  |  | 2mo ago | macOS Tahoe 26.4 |
| CVE-2026-28841 | unknown | — | — |  |  |  | 2mo ago | macOS Tahoe 26.4 |