CVEs from 2026

Total: 14,038

- critical: 1,233
- high: 4,637
- medium: 4,444
- low: 484

% Critical: 8.8%
% with KEV: 0.4%
% with exploit: 0.7%
Top vendors
Top products
- chrome 522
- firepower_threat_defense_software 300
- firepower_threat_defense 298
- gcp 239
- openclaw 172
- commerce 104
- commerce_b2b 89
- grafana 80
Top packages
| CVE | Severity | CVSS | Risk | Published | Description |
|---|---|---|---|---|---|
| CVE-2026-48225 | medium | 5.4 | 5.4 | 13d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in landb.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value… |
| CVE-2026-48224 | medium | 5.4 | 5.4 | 13d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics214.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized valu… |
| CVE-2026-48223 | medium | 5.4 | 5.4 | 13d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics213rr.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized va… |
| CVE-2026-48222 | medium | 5.4 | 5.4 | 13d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics213.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized valu… |
| CVE-2026-48221 | medium | 5.4 | 5.4 | 13d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics205a.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized val… |
| CVE-2026-48220 | medium | 5.4 | 5.4 | 13d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics205.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized valu… |
| CVE-2026-48219 | medium | 5.4 | 5.4 | 13d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics202.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized valu… |
| CVE-2026-48218 | medium | 5.4 | 5.4 | 13d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in icons/buttons/landb.php that allows authenticated attackers to inject arbitrary JavaScript by passing an uns… |
| CVE-2026-48217 | medium | 5.4 | 5.4 | 13d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in delete_module.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitiz… |
| CVE-2026-48216 | medium | 5.4 | 5.4 | 13d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in db_loader.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized v… |
| CVE-2026-48215 | medium | 5.4 | 5.4 | 13d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in circle.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized valu… |
| CVE-2026-48214 | medium | 5.4 | 5.4 | 13d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in add_nm.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized valu… |
| CVE-2026-48213 | medium | 5.4 | 5.4 | 13d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in add.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value t… |
| CVE-2026-44924 | medium | 5.4 | 5.4 | 14d ago | InfoScale VIOM 9.1.3 allows XSS. |
| CVE-2026-9056 | medium | 5.4 | 5.4 | 14d ago | A stored cross-site scripting vulnerability has been found in the Talend Administration Center. An attacker with permission to manage servers can store a XSS payload that can be triggered by a differ… |
| CVE-2026-6394 | medium | 5.4 | 5.4 | 14d ago | The Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in versions up to and including 1.1.1. This is due… |
| CVE-2026-8493 | medium | 5.4 | 5.4 | 15d ago | This module enables you to open content already on the page within a colorbox. The module doesn't sufficiently sanitize the data-colorbox-inline attribute value before passing it to jQuery, leading … |
| CVE-2026-36827 | medium | 5.4 | 5.4 | 15d ago | A command injection vulnerability exists in Panabit PAP-XM320 up to and including V7.7. The web management interface invokes the backend helper /usr/sbin/pappiw and passes user-controlled parameters … |
| CVE-2026-8922 | medium | 5.4 | 5.4 | 15d ago | A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails to properly honor the… |
| CVE-2026-45244 | medium | 5.4 | 5.4 | 16d ago | Summarize contains a missing authorization vulnerability |
| CVE-2026-45494 | medium | 5.4 | 5.4 | 16d ago | Microsoft Edge (Chromium-based) Spoofing Vulnerability |
| CVE-2026-45492 | medium | 5.4 | 5.4 | 16d ago | Improper input validation in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network. |
| CVE-2026-45660 | medium | 5.4 | 5.4 | 16d ago | Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.22 and 6.18.1, the Glide image proxy's URL validation could be bypassed using an IP representation that wasn't nor… |
| CVE-2026-1631 | medium | 5.4 | 5.4 | 16d ago | The Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4 is vulnerable to unauthorized modification of the Feeds for YouTube (YouTube video, channel, and galle… |
| CVE-2026-45365 | medium | 5.4 | 5.4 | 19d ago | Open WebUI: Authenticated users can bypass model access control via exposed query parameter [AI-ASSISTED] |
| CVE-2026-45347 | medium | 5.4 | 5.4 | 19d ago | Open WebUI vulnerable to blind server side request forgery (SSRF) via the PDF generate function |
| CVE-2026-45346 | medium | 5.4 | 5.4 | 19d ago | Open WebUI Has Stored Cross-Site Scripting in SVG Renderer |
| CVE-2026-45318 | medium | 5.4 | 5.4 | 19d ago | Open WebUI has stored XSS via unsanitized Office/Excel/DOCX file preview rendering ({@html} without DOMPurify) |
| CVE-2026-46365 | medium | 5.4 | 5.4 | 19d ago | phpMyFAQ before 4.1.2 contains a missing authorization vulnerability in the DELETE /admin/api/content/tags/{tagId} endpoint that allows any authenticated user to delete tags. Any logged-in user, incl… |
| CVE-2026-46363 | medium | 5.4 | 5.4 | 19d ago | phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in FAQ creation and update endpoints that bypass sanitization through encode-decode cycles. The vulnerability allows authent… |
| CVE-2026-46360 | medium | 5.4 | 5.4 | 19d ago | phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in SvgSanitizer::decodeAllEntities() that limits recursive entity decoding to 5 iterations, allowing attackers to bypass san… |
| CVE-2026-45396 | medium | 5.4 | 5.4 | 19d ago | Open WebUI: Mass Assignment via FeedbackForm extra=allow Allows Feedback User ID Spoofing and Evaluation Data Manipulation |
| CVE-2026-44564 | medium | 5.4 | 5.4 | 19d ago | Read-Only Open WebUI Users Can Modify Collaborative Documents via Socket.IO |
| CVE-2026-44563 | medium | 5.4 | 5.4 | 19d ago | Open WebUI's Ollama Model Access Control Bypass via /api/generate, /api/embed, /api/embeddings, and /api/show |
| CVE-2026-44561 | medium | 5.4 | 5.4 | 19d ago | Open WebUI: Deactivated Channel Members Retain Full Access to Group/DM Channels |
| CVE-2026-44558 | medium | 5.4 | 5.4 | 19d ago | Open WebUI's Channel Access Grants Bypass filter_allowed_access_grants |
| CVE-2026-45580 | medium | 5.4 | 5.4 | 19d ago | WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a stored cross-site scripting vulnerability. The Live plugin's "YouTube-style" view renders the live transmission's stream … |
| CVE-2026-23695 | medium | 5.4 | 5.4 | 19d ago | Cockpit CMS: Stored cross-site scripting vulnerability in the Set field type's Display template option |
| CVE-2026-44310 | medium | 5.4 | 5.4 | 19d ago | Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. From 0.4.0 to before 0.15.0, CertVerifier.Verify() in pkg/git/verifier.go unconditionally dereference… |
| CVE-2026-24662 | medium | 5.4 | 5.4 | 19d ago | Cross-site scripting vulnerability exists in Musetheque V4 Information Disclosure for IPKNOWLEDGE V4L1 rev2203.0 and earlier. If a file containing malicious contents is uploaded, an arbitrary script … |
| CVE-2026-44429 | medium | 5.4 | 5.4 | 20d ago | MCP Registry vulnerable to stored XSS in catalogue UI via attribute-quote breakout in publisher-controlled `websiteUrl` |
| CVE-2026-8561 | medium | 5.4 | 5.4 | 20d ago | Incorrect security UI in Fullscreen in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) |
| CVE-2026-8539 | medium | 5.4 | 5.4 | 20d ago | Script injection in SanitizerAPI in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security s… |
| CVE-2026-45299 | medium | 5.4 | 5.4 | 20d ago | Open WebUI has Stored Cross-Site Scripting In Profile Picture |
| CVE-2026-22707 | medium | 5.4 | 5.4 | 20d ago | Strapi Upload Plugin MIME Validation Bypass via Content API |
| CVE-2026-20210 | medium | 5.4 | 5.4 | 20d ago | A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker with read-only permissions to modify configurations and perform … |
| CVE-2026-20209 | medium | 5.4 | 5.4 | 20d ago | A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker with read-only permissions to elevate their privileges from low … |
| CVE-2026-42159 | medium | 5.4 | 5.4 | 20d ago | Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, Flowsint allows a user to create investigations, whic… |
| CVE-2026-6472 | medium | 5.4 | 5.4 | 20d ago | Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types. That is to say, t… |
| CVE-2026-7481 | medium | 5.4 | 5.4 | 20d ago | GitLab has remediated an issue in GitLab EE affecting all versions from 16.4 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer… |
| CVE-2026-7377 | medium | 5.4 | 5.4 | 20d ago | GitLab has remediated an issue in GitLab EE affecting all versions from 18.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that, in customizable analytics dashboards, could have allow… |
| CVE-2026-6335 | medium | 5.4 | 5.4 | 20d ago | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.3 that under certain conditions could have allowed an authenticated user to execute arbitrary code in ano… |
| CVE-2026-6073 | medium | 5.4 | 5.4 | 20d ago | GitLab has remediated an issue in GitLab EE affecting all versions from 18.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to execute arb… |
| CVE-2026-3829 | medium | 5.4 | 5.4 | 20d ago | The WP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect, Security & SSL Scan plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks… |
| CVE-2026-44425 | medium | 5.4 | 5.4 | 21d ago | ShellHub has crash-DoS via field injection in filter and sort-by parameters |
| CVE-2026-45228 | medium | 5.4 | 5.4 | 21d ago | Quark Drive before 0.8.5 contains a stored cross-site scripting vulnerability in the System Configuration page where the template renders push_config key names using Vue.js's v-html directive without… |
| CVE-2026-44576 | medium | 5.4 | 5.4 | 21d ago | Next.js vulnerable to cache poisoning in React Server Component responses |
| CVE-2026-40703 | medium | 5.4 | 5.4 | 21d ago | A cross-site request forgery (CSRF) vulnerability exists in the dashboard of the BIG-IP Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not eval… |
| CVE-2026-44794 | medium | 5.4 | 5.4 | 21d ago | Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, in the case of inter-object references via GenericForeignKey (a pattern allowing an object to referen… |
| CVE-2026-7051 | medium | 5.4 | 5.4 | 21d ago | The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 8.9.0. This is due to a missing ownership verific… |
| CVE-2026-44873 | medium | 5.4 | 5.4 | 22d ago | A session management vulnerability in AOS-8 allows previously authenticated users to retain network access after their accounts are administratively disabled. Existing sessions are not invalidated wh… |
| CVE-2026-42838 | medium | 5.4 | 5.4 | 22d ago | Improper neutralization of special elements in output used by a downstream component ('injection') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to elevate privileges over a netw… |
| CVE-2026-35423 | medium | 5.4 | 5.4 | 22d ago | Out-of-bounds read in Telnet Client allows an unauthorized attacker to disclose information over a network. |
| CVE-2026-45210 | medium | 5.4 | 5.4 | 22d ago | Missing Authorization vulnerability in Broadstreet Broadstreet Ads broadstreet allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Broadstreet Ads: from n/a thr… |
| CVE-2026-40132 | medium | 5.4 | 5.4 | 22d ago | Due to missing authorization check in SAP Strategic Enterprise Management (Scorecard Wizard in Business Server Pages), an authenticated attacker could access information that they are otherwise unaut… |
| CVE-2026-0502 | medium | 5.4 | 5.4 | 22d ago | Due to insufficient CSRF protection in SAP BusinessObjects Business Intelligence Platform, an authenticated user could be tricked by an attacker to send unintended requests to the web server. This ha… |
| CVE-2026-39960 | medium | 5.4 | 5.4 | 23d ago | MantisBT is Vulnerable to Stored XSS in Custom Field Textarea Values |
| CVE-2026-44998 | medium | 5.4 | 5.4 | 23d ago | OpenClaw before 2026.4.20 contains a tool policy bypass vulnerability allowing bundled MCP and LSP tools to circumvent configured tool restrictions. Attackers with local agent access can append restr… |
| CVE-2026-44993 | medium | 5.4 | 5.4 | 23d ago | OpenClaw before 2026.4.20 contains a message classification vulnerability in Feishu card-action callbacks that misclassifies direct messages as group conversations. Attackers can bypass dmPolicy enfo… |
| CVE-2026-43638 | medium | 5.4 | 5.4 | 23d ago | Bitwarden Server prior to v2026.4.1 contains a missing authorization vulnerability that allows any authenticated user to write ciphers into an arbitrary organization via `POST /ciphers/import-organiz… |
| CVE-2026-42857 | medium | 5.4 | 5.4 | 23d ago | Open edX Platform enables the authoring and delivery of online learning at any scale. The HTML sanitizer clean_thread_html_body() used for discussion notification emails fails to remove <style> tags … |
| CVE-2026-38569 | medium | 5.4 | 5.4 | 23d ago | HireFlow v1.2 is vulnerable to Cross Site Scripting (XSS) in candidate_detail.html via the Resume or Feedback Comment fields via POST /candidates/add or POST /feedback/add. |
| CVE-2026-28819 | medium | 5.4 | 5.4 | 24d ago | An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may … |
| CVE-2026-44831 | medium | 5.4 | 5.4 | 26d ago | Snipe-IT has Stored XSS via Component Checkout Notes (v8.4.0) |
| CVE-2026-42192 | medium | 5.4 | 5.4 | 26d ago | Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, a stored cross-site scripting (XSS) vulnerability exists in the campaign management feature, where the email bo… |
| CVE-2026-41487 | medium | 5.4 | 5.4 | 26d ago | Langfuse is an open source large language model engineering platform. From version 3.68.0 to before version 3.167.0, there is a role-based-access control flaw in the LLM connection update flow. An a… |
| CVE-2026-42877 | medium | 5.4 | 5.4 | 27d ago | FacturaScripts is an open source accounting and invoicing software. In 2025.92 and earlier, a stored Cross-Site Scripting (XSS) vulnerability exists in the product search modal of sales (Core/Lib/Aja… |
| CVE-2026-41903 | medium | 5.4 | 5.4 | 27d ago | FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, a user holding the PERM_EDIT_USERS permission (intended for general user-profile editing) … |
| CVE-2026-36341 | medium | 5.4 | 5.4 | 27d ago | Webkul Krayin CRM is Vulnerable to Cross-Site Scripting in the /admin/activities/create endpoint |
| CVE-2026-36388 | medium | 5.4 | 5.4 | 27d ago | A Cross-Site Scripting (XSS) vulnerability was found in PHPGurukal Hospital Management System v4.0 in the /hospital/hms/edit-profile.php page. This flaw allows an authenticated attacker (patient) to … |
| CVE-2026-8080 | medium | 5.4 | 5.4 | 27d ago | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in misp allows Stored XSS. This issue affects MISP before 2.5.37. A stored cross-si… |
| CVE-2026-8019 | medium | 5.4 | 5.4 | 28d ago | Insufficient policy enforcement in WebApp in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) |
| CVE-2026-8015 | medium | 5.4 | 5.4 | 28d ago | Inappropriate implementation in Media in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) |
| CVE-2026-8012 | medium | 5.4 | 5.4 | 28d ago | Inappropriate implementation in MHTML in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to inject arbitrary scripts or HTML (UXSS) via a craft… |
| CVE-2026-8008 | medium | 5.4 | 5.4 | 28d ago | Inappropriate implementation in DevTools in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome … |
| CVE-2026-8006 | medium | 5.4 | 5.4 | 28d ago | Insufficient policy enforcement in DevTools in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chro… |
| CVE-2026-8003 | medium | 5.4 | 5.4 | 28d ago | Insufficient validation of untrusted input in TabGroups in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via malicious network traffic. (Chromium security seve… |
| CVE-2026-7998 | medium | 5.4 | 5.4 | 28d ago | Insufficient validation of untrusted input in Dialog in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HT… |
| CVE-2026-7962 | medium | 5.4 | 5.4 | 28d ago | Insufficient policy enforcement in DirectSockets in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform arbitrary read/write via a crafted Chrome Extension. (Chromium security s… |
| CVE-2026-7958 | medium | 5.4 | 5.4 | 28d ago | Inappropriate implementation in ServiceWorker in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to inject arbitrary scripts or HTML (UX… |
| CVE-2026-7950 | medium | 5.4 | 5.4 | 28d ago | Out of bounds read and write in GFX in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform arbitrary read/write via malicious network traffic. (Chromium security severity: Mediu… |
| CVE-2026-7939 | medium | 5.4 | 5.4 | 28d ago | Inappropriate implementation in SanitizerAPI in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security s… |
| CVE-2026-7935 | medium | 5.4 | 5.4 | 28d ago | Inappropriate implementation in Speech in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) |
| CVE-2026-7931 | medium | 5.4 | 5.4 | 28d ago | Insufficient validation of untrusted input in iOS in Google Chrome on iOS prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity:… |
| CVE-2026-20219 | medium | 5.4 | 5.4 | 28d ago | A vulnerability in the REST API of Cisco Slido could have allowed an authenticated, remote attacker to access the social profile data of other users or affect quiz and poll results. Cisco has address… |
| CVE-2026-36358 | medium | 5.4 | 5.4 | 28d ago | Cross Site Scripting vulnerability in Juzaweb CMS v.5.0.0 allows a remote attacker via execute arbitrary code via a crafted script to the Add Banner Ads function |
| CVE-2026-43879 | medium | 5.4 | 5.4 | 29d ago | AVideo has Blind SSRF in YPTWallet Donation Webhook via Missing isSSRFSafeURL() Check and CURLOPT_FOLLOWLOCATION Redirect Bypass |
| CVE-2026-42612 | medium | 5.4 | 5.4 | 29d ago | Grav Vulnerable to Publisher-Level Stored XSS via Unquoted Event Attributes |
| CVE-2026-42842 | medium | 5.4 | 5.4 | 29d ago | Grav Vulnerable to XSS via Taxonomy Field Values in Admin Panel |
| CVE-2026-31835 | medium | 5.4 | 5.4 | 29d ago | Vaultwarden is a Bitwarden-compatible server written in Rust. In versions 1.35.4 and earlier, the WebAuthn authentication flow in `validate_webauthn_login()` updates persistent credential metadata (1… |