CVEs from 2026
- Total: 14,036
- Critical: 1,220
- High: 4,601
- Medium: 4,425
- Low: 483
- % Critical: 8.7%
- % with KEV: 0.4%
- % with exploit: 0.7%
Top vendors
Top products
- chrome 505
- firepower_threat_defense_software 300
- firepower_threat_defense 298
- gcp 229
- openclaw 172
- commerce 104
- commerce_b2b 89
- saml_sso_-_service_provider 77
Top packages
| CVE | Severity | CVSS | Risk | Published | Description |
|---|---|---|---|---|---|
| CVE-2026-28862 | unknown | — | — | 2mo ago | macOS Sonoma 14.8.5 |
| CVE-2026-28888 | unknown | — | — | 2mo ago | macOS Sonoma 14.8.5 |
| CVE-2026-20633 | unknown | — | — | 2mo ago | macOS Sonoma 14.8.5 |
| CVE-2026-20692 | unknown | — | — | 2mo ago | macOS Sonoma 14.8.5 |
| CVE-2026-20660 | unknown | — | — | 2mo ago | macOS Sequoia 15.7.5 |
| CVE-2026-20697 | unknown | — | — | 2mo ago | macOS Sonoma 14.8.5 |
| CVE-2026-28828 | unknown | — | — | 2mo ago | macOS Sonoma 14.8.5 |
| CVE-2026-28822 | unknown | — | — | 2mo ago | visionOS 26.4 |
| CVE-2026-28816 | unknown | — | — | 2mo ago | macOS Sonoma 14.8.5 |
| CVE-2026-20694 | unknown | — | — | 2mo ago | macOS Sonoma 14.8.5 |
| CVE-2026-20701 | unknown | — | — | 2mo ago | macOS Sonoma 14.8.5 |
| CVE-2026-28823 | unknown | — | — | 2mo ago | macOS Tahoe 26.4 |
| CVE-2026-20651 | unknown | — | — | 2mo ago | macOS Sequoia 15.7.5 |
| CVE-2026-28895 | unknown | — | — | 2mo ago | iOS 26.4 and iPadOS 26.4 |
| CVE-2026-28875 | unknown | — | — | 2mo ago | iOS 26.4 and iPadOS 26.4 |
| CVE-2026-28839 | unknown | — | — | 2mo ago | macOS Sonoma 14.8.5 |
| CVE-2026-28831 | unknown | — | — | 2mo ago | macOS Sonoma 14.8.5 |
| CVE-2026-4633 | unknown | — | — | 2mo ago | Keycloak's identity-first login flow exposes user information |
| CVE-2026-4628 | unknown | — | — | 2mo ago | Keycloak has Improper Access Control that allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false |
| CVE-2026-33413 | unknown | — | — | 2mo ago | etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, unauthorized users may bypass authentication or authorization checks and call … |
| CVE-2026-33343 | unknown | — | — | 2mo ago | etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, an authenticated user with RBAC restricted permissions on key ranges can use n… |
| CVE-2026-22735 | unknown | — | — | 3mo ago | Spring MVC and WebFlux has Server Sent Event stream corruption |
| CVE-2026-22732 | unknown | — | — | 3mo ago | Spring Security HTTP Headers Are not Written Under Some Conditions |
| CVE-2026-22737 | unknown | — | — | 3mo ago | Spring Framework Improper Path Limitation with Script View Templates |
| CVE-2026-22731 | unknown | — | — | 3mo ago | Spring Boot has an Authentication Bypass under Actuator Health groups paths |
| CVE-2026-22733 | unknown | — | — | 3mo ago | Spring Boot has an Authentication Bypass under Actuator CloudFoundry endpoints |
| CVE-2026-27953 | unknown | — | — | 3mo ago | ormar is an async mini ORM for Python. Versions 0.23.0 and below are vulnerable to Pydantic validation bypass through the model constructor, allowing any unauthenticated user to skip all field validat… |
| CVE-2026-33056 | unknown | — | — | 3mo ago | tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path t… |
| CVE-2026-32735 | unknown | — | — | 3mo ago | openapi-to-java-records-mustache-templates allows users to generate Java Records from OpenAPI specifications. Starting in version 5.1.1 and prior to version 5.5.1, the parent POM file of this project… |
| CVE-2026-33166 | unknown | — | — | 3mo ago | Allure Report has an Arbitrary File Read via Path Traversal in Attachment Processing (Allure 1, Allure 2, and XCTest Readers) |
| CVE-2026-33001 | unknown | — | — | 3mo ago | Jenkins has a link following vulnerability that allows arbitrary file creation |
| CVE-2026-33002 | unknown | — | — | 3mo ago | Jenkins has a DNS rebinding vulnerability in WebSocket CLI origin validation |
| CVE-2026-33004 | unknown | — | — | 3mo ago | Jenkins LoadNinja Plugin does not mask LoadNinja API keys displayed on the job configuration form |
| CVE-2026-33003 | unknown | — | — | 3mo ago | Jenkins LoadNinja Plugin stores LoadNinja API keys unencrypted in job config.xml files |
| CVE-2026-32284 | unknown | — | — | 3mo ago | Denial of service in github.com/shamaton/msgpack |
| CVE-2026-22730 | unknown | — | — | 3mo ago | SQL Injection in Spring AI MariaDBFilterExpressionConverter |
| CVE-2026-22729 | unknown | — | — | 3mo ago | JSONPath Injection in Spring AI Vector Stores FilterExpressionConverter |
| CVE-2026-2575 | unknown | — | — | 3mo ago | Keycloak: Denial of Service due to excessive SAMLRequest decompression |
| CVE-2026-2092 | unknown | — | — | 3mo ago | Keycloak: Unauthorized access via improper validation of encrypted SAML assertions |
| CVE-2026-33012 | unknown | — | — | 3mo ago | Micronaut Framework vulnerable to a Denial of Service in HTML error response caching |
| CVE-2026-32636 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-17 and 6.9.13-42, the NewXMLTree method contains a bug that could result in a crash due t… |
| CVE-2026-33013 | unknown | — | — | 3mo ago | Micronaut vulnerable to DoS via crafted form-urlencoded body binding with descending array indices |
| CVE-2026-32722 | unknown | — | — | 3mo ago | Memray is a memory profiler for Python. Prior to Memray 1.19.2, Memray rendered the command line of the tracked process directly into generated HTML reports without escaping. Because there was no esc… |
| CVE-2026-28498 | unknown | — | — | 3mo ago | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib Python library concerning the validation… |
| CVE-2026-28490 | unknown | — | — | 3mo ago | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptographic padding oracle vulnerability was identified in the Authlib Python library concerning… |
| CVE-2026-27962 | unknown | — | — | 3mo ago | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attac… |
| CVE-2026-25534 | unknown | — | — | 3mo ago | Spinnaker clouddriver and orca URL validation bypass via underscores in hostnames |
| CVE-2026-30937 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a 32-bit unsigned integer overflow in the XWD (X Windows) enco… |
| CVE-2026-30936 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a crafted image could cause an out of bounds heap write inside… |
| CVE-2026-30935 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16, BilateralBlurImage contains a heap buffer over-read caused by an incorrect c… |
| CVE-2026-30931 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16, a heap-based buffer overflow in the UHDR encoder can happen due to truncatio… |
| CVE-2026-30929 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, MagnifyImage uses a fixed-size stack buffer. When using a spec… |
| CVE-2026-28693 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, an integer overflow in DIB coder can result in out of bounds r… |
| CVE-2026-28691 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, an uninitialized pointer dereference vulnerability exists in t… |
| CVE-2026-28690 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a stack buffer overflow vulnerability exists in the MNG encode… |
| CVE-2026-28688 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a heap-use-after-free vulnerability exists in the MSL encoder,… |
| CVE-2026-28687 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a heap use-after-free vulnerability in ImageMagick's MSL decod… |
| CVE-2026-28686 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a heap-buffer-overflow vulnerability exists in the PCL encode … |
| CVE-2026-28494 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a stack buffer overflow exists in ImageMagick's morphology ker… |
| CVE-2026-28493 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16, an integer overflow vulnerability exists in the SIXEL decoder. The vulnerabil… |
| CVE-2026-26284 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, ImageMagick lacks proper boundary checking when processing Huf… |
| CVE-2026-25986 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer overflow write vulnerability exists in ReadYUVIm… |
| CVE-2026-25982 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap out-of-bounds read vulnerability exists in the `coders/… |
| CVE-2026-25971 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, Magick fails to check for circular references between two MSLs… |
| CVE-2026-25970 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a signed integer overflow vulnerability in ImageMagick's SIXEL… |
| CVE-2026-25968 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a stack buffer overflow occurs when processing an attribut… |
| CVE-2026-2366 | unknown | — | — | 3mo ago | Keycloak vulnerable to authorization bypass via the Admin API |
| CVE-2026-3429 | unknown | — | — | 3mo ago | Keycloak: Improper Access Control Leading to MFA Deletion and Account Takeover in Keycloak Account REST API |
| CVE-2026-31853 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-16 and 6.9.13-41, an overflow on 32-bit systems can cause a crash in the SFW decoder when… |
| CVE-2026-30883 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, an extremely large image profile could result in a heap overfl… |
| CVE-2026-28692 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, MAT decoder uses 32-bit arithmetic due to incorrect parenthesi… |
| CVE-2026-28689 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, domain="path" authorization is checked before final file open/… |
| CVE-2026-23907 | unknown | — | — | 3mo ago | Apache PDFBox has Path Traversal through PDComplexFileSpecification.getFilename() function |
| CVE-2026-24713 | unknown | — | — | 3mo ago | Apache IoTDB has an Improper Input Validation vulnerability |
| CVE-2026-24015 | unknown | — | — | 3mo ago | Apache IoTDB has an Insecure Default Configuration Vulnerability |
| CVE-2026-24281 | unknown | — | — | 3mo ago | Apache ZooKeeper: Reverse-DNS fallback enables hostname verification bypass in ZooKeeper ZKTrustManager |
| CVE-2026-24308 | unknown | — | — | 3mo ago | Apache ZooKeeper has improper handling of configuration values |
| CVE-2026-3047 | unknown | — | — | 3mo ago | Keycloak SAML Broken has Authentication Bypass by Primary Weakness |
| CVE-2026-3009 | unknown | — | — | 3mo ago | Keycloak allows authentication using an Identity Provider (IdP) even after it has been disabled by an administrator |
| CVE-2026-1605 | unknown | — | — | 3mo ago | The Eclipse Jetty Server Artifact has a Gzip request memory leak |
| CVE-2026-29000 | unknown | — | — | 3mo ago | pac4j-jwt: JwtAuthenticator Authentication Bypass via JWE-Wrapped PlainJWT |
| CVE-2026-29062 | unknown | — | — | 3mo ago | jackson-core has Nesting Depth Constraint Bypass in `UTF8DataInputJsonParser` potentially allowing Resource Exhaustion |
| CVE-2026-28802 | unknown | — | — | 3mo ago | Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an emp… |
| CVE-2026-3351 | unknown | — | — | 3mo ago | Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated, restricted user to enumerate all certificate fingerprints trusted by the lxd se… |
| CVE-2026-0540 | unknown | — | — | 3mo ago | DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five … |
| CVE-2026-27932 | unknown | — | — | 3mo ago | joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In 1.6.2 and earlier, a resource exhaustion vulnerability in joserfc allows… |
| CVE-2026-28338 | unknown | — | — | 3mo ago | PMD Designer has Stored XSS in VBHTMLRenderer and YAHTMLRenderer via unescaped violation messages |
| CVE-2026-28208 | unknown | — | — | 3mo ago | Junrar has an arbitrary file write due to backslash Path Traversal bypass in LocalFolderExtractor on Linux/Unix |
| CVE-2026-21619 | unknown | — | — | 3mo ago | Uncontrolled Resource Consumption, Deserialization of Untrusted Data vulnerability in hexpm hex_core (hex_api modules), hexpm hex (mix_hex_api modules), erlang rebar3 (r3_hex_api modules) allows Obje… |
| CVE-2026-0871 | unknown | — | — | 3mo ago | Keycloak Server Private SPI: Improper Access Control Allows Administrators to Bypass Attribute Visibility Restrictions and Modify Unmanaged User Profile Attributes |
| CVE-2026-27799 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer over-read vulnerability exists in the DJVU image… |
| CVE-2026-27798 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer over-read vulnerability occurs when processing a… |
| CVE-2026-27830 | unknown | — | — | 3mo ago | c3p0 vulnerable to Remote Code Execution via unsafe deserialization of userOverridesAsString property |
| CVE-2026-27727 | unknown | — | — | 3mo ago | mchange-commons-java: Remote Code Execution via JNDI Reference Resolution |
| CVE-2026-27571 | unknown | — | — | 3mo ago | NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The WebSockets handling of NATS messages handles compressed messages via the WebSockets negotiated comp… |
| CVE-2026-26983 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, the MSL interpreter crashes when processing an invalid `<map>` … |
| CVE-2026-26283 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a `continue` statement in the JPEG extent binary search loop i… |
| CVE-2026-26066 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted profile containing invalid IPTC data may cause an infin… |
| CVE-2026-25989 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted SVG file can cause a denial of service. An off-by-on… |
| CVE-2026-25988 | unknown | — | — | 3mo ago | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, sometimes msl.c fails to update the stack index, so an image i… |