CVEs from 2026
Summary
- Total: 13,334
- Critical: 1,115
- High: 3,948
- Medium: 3,989
- Low: 416
- % Critical: 8.4%
- % with KEV: 0.4%
- % with exploit: 0.4%
Top products
- chrome 299
- firepower_threat_defense 298
- firepower_threat_defense_software 295
- gcp 221
- openclaw 166
- commerce 104
- commerce_b2b 89
- magento 74
Top packages
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2026-34659 | critical | 9.6 | 9.6 | 16d ago | Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current … | |
| CVE-2026-42048 | critical | 9.6 | 9.6 | 16d ago | Langflow Knowledge Bases API is Vulnerable to Path Traversal | |
| CVE-2026-8043 | critical | 9.6 | 9.6 | 16d ago | External control of a file name in Ivanti Xtraction before version 2026.2 allows a remote authenticated attacker to read sensitive files and write arbitrary HTML files to a web directory, leading to … | |
| CVE-2026-34263 | critical | 9.6 | 9.6 | 17d ago | Due to improper Spring Security configuration, SAP Commerce Cloud allows an unauthenticated user to perform malicious input injection, resulting in arbitrary server-side code execution, leading to hi… | |
| CVE-2026-34260 | critical | 9.6 | 9.6 | 17d ago | SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements through user-controlled input. The applica… | |
| CVE-2026-43899 | critical | 9.6 | 9.6 | 17d ago | DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to v1.0.4-beta.1, an incomplete mitigation for CVE-2025-55733 leaves DeepChat vulnerabl… | |
| CVE-2026-44336 | critical | 9.6 | 9.6 | 20d ago | PraisonAI MCP `tools/call` path-traversal => RCE via Python `.pth` injection | |
| CVE-2026-43944 | critical | 9.6 | 9.6 | 21d ago | Electerm users can run dangerous code through link or command line | |
| CVE-2026-43941 | critical | 9.6 | 9.6 | 21d ago | Electerm has an unvalidated shell.openExternal that allows arbitrary protocol execution via terminal link click | |
| CVE-2026-42880 | critical | 9.6 | 9.6 | 21d ago | ArgoCD ServerSideDiff is vulnerable to Kubernetes Secret Extraction | |
| CVE-2026-35428 | critical | 9.6 | 9.6 | 21d ago | Improper neutralization of special elements used in a command ('command injection') in Azure Cloud Shell allows an unauthorized attacker to perform spoofing over a network. | |
| CVE-2026-6795 | critical | 9.6 | 9.6 | 21d ago | URL redirection to untrusted site ('open redirect') vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Parameter Injection. This issue affects DivvyDrive: from 4.8.2.9 befor… | |
| CVE-2026-41589 | critical | 9.6 | 9.6 | 21d ago | Wish has SCP Path Traversal that allows arbitrary file read/write | |
| CVE-2026-44112 | critical | 9.6 | 9.6 | 22d ago | OpenClaw: OpenShell FS bridge writes stay pinned to the sandbox mount root | |
| CVE-2026-43581 | critical | 9.6 | 9.6 | 22d ago | OpenClaw before 2026.4.10 contains an improper network binding vulnerability in the sandbox browser CDP relay that exposes Chrome DevTools Protocol on 0.0.0.0. Attackers can access the DevTools proto… | |
| CVE-2026-7910 | critical | 9.6 | 9.6 | 22d ago | Use after free in Views in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security… | |
| CVE-2026-7908 | critical | 9.6 | 9.6 | 22d ago | Use after free in Fullscreen in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | |
| CVE-2026-42235 | critical | 9.6 | 9.6 | 24d ago | n8n Vulnerable to XSS via MCP OAuth client | |
| CVE-2026-42090 | critical | 9.6 | 9.6 | 24d ago | Notesnook is a note-taking app focused on user privacy & ease of use. Prior to Notesnook Web/Desktop version 3.3.15 and prior to Notesnook iOS/Android version 3.3.20, a stored XSS vulnerability in th… | |
| CVE-2026-36760 | critical | 9.6 | 9.6 | 28d ago | An issue in the fileMd5 parameter in the /a/file/upload endpoint of JeeSite v5.15.1 allows authenticated attackers with file upload permissions to execute a path traversal and write arbitrary files w… | |
| CVE-2026-5166 | critical | 9.6 | 9.6 | 29d ago | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus Software Center allows Path Traversal. … | |
| CVE-2026-7333 | critical | 9.6 | 9.6 | 1mo ago | Use after free in GPU in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | |
| CVE-2026-41397 | critical | 9.6 | 9.6 | 1mo ago | OpenClaw: OpenShell Mirror Sync — Sandbox Escape via Unrestricted File Sync + Symlink Traversal | |
| CVE-2026-24303 | critical | 9.6 | 9.6 | 1mo ago | Improper access control in Microsoft Partner Center allows an authorized attacker to elevate privileges over a network. | |
| CVE-2026-6920 | critical | 9.6 | 9.6 | 1mo ago | Out of bounds read in GPU in Google Chrome on Android prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted … | |
| CVE-2026-6919 | critical | 9.6 | 9.6 | 1mo ago | Use after free in DevTools in Google Chrome prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.… | |
| CVE-2026-42087 | critical | 9.6 | 9.6 | 1mo ago | OpenC3 COSMOS has SQL Injection in QuestDB Time-Series Database | |
| CVE-2026-6356 | critical | 9.6 | 9.6 | 1mo ago | A vulnerability in the web application allows standard users to escalate their privileges to those of a super administrator through parameter manipulation, enabling them to access and modify sensitiv… | |
| CVE-2026-5845 | critical | 9.6 | 9.6 | 1mo ago | An improper authorization vulnerability in scoped user-to-server (ghu_) token authorization in GitHub Enterprise Server allows an authenticated attacker to access private repositories outside the int… | |
| CVE-2026-6296 | critical | 9.6 | 9.6 | 1mo ago | Heap buffer overflow in ANGLE in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | |
| CVE-2026-27303 | critical | 9.6 | 9.6 | 1mo ago | Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Ex… | |
| CVE-2026-6068 | critical | 9.6 | 9.6 | 2mo ago | NASM contains a heap use after free vulnerability in response file (-@) processing where a dangling pointer to freed memory is stored in the global depend_file and later dereferenced, as the response… | |
| CVE-2026-34430 | critical | 9.6 | 9.6 | 2mo ago | ByteDance DeerFlow versions prior to commit 92c7a20 contain a sandbox escape vulnerability in bash tool handling that allows attackers to execute arbitrary commands on the host system by bypassing re… | |
| CVE-2026-22208 | critical | 9.6 | 9.6 | 3mo ago | OpenS100 (the reference implementation S-100 viewer) prior to commit 753cf29 contains a remote code execution vulnerability via an unrestricted Lua interpreter. The Portrayal Engine initializes Lua u… | |
| CVE-2026-46621 | critical | — | 9.5 | 20h ago | Yamcs Vulnerable to Authenticated Remote Code Execution (RCE) via Jython Algorithm Code Injection | |
| CVE-2026-46562 | critical | — | 9.5 | 20h ago | Yamcs Vulnerable to Remote Code Execution via Mission Database algorithm override | |
| CVE-2026-25879 | critical | — | 9.5 | 23h ago | Langroid has Prompt to SQL Injection, Leading to RCE | |
| CVE-2026-45618 | critical | — | 9.5 | 1d ago | LiquidJS is Vulnerable to Remote Code Execution | |
| CVE-2026-44632 | critical | — | 9.5 | 2d ago | Yamcs Vulnerable to Server-Side Code Injection (RCE) via Janino Expression Engine in `JavaExprAlgorithmExecutionFactory` | |
| CVE-2026-46716 | critical | — | 9.5 | 6d ago | Nezha Monitoring: RoleMember can run shell on every server (cross-tenant RCE) via POST /api/v1/cron | |
| CVE-2026-46670 | critical | — | 9.5 | 6d ago | YesWiki: Unauthenticated SQL Injection | |
| CVE-2026-46614 | critical | — | 9.5 | 7d ago | Fission router exposes /fission-function/<ns>/<name> on its public listener, allowing invocation of any function without an HTTPTrigger | |
| CVE-2026-33137 | critical | — | 9.5 | 8d ago | XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName} | |
| CVE-2026-23734 | critical | — | 9.5 | 8d ago | XWiki Platform has path traversal via resources parameter in ssx and jsx endpoints when using leading slash | |
| CVE-2026-46421 | critical | — | 9.5 | 8d ago | Supply chain compromise via malicious package versions (@cap-js/sqlite, @cap-js/postgres, @cap-js/db-service) | |
| CVE-2026-46633 | critical | — | 9.5 | 8d ago | Twig: PHP code injection via `{% use %}` template name | |
| CVE-2026-46412 | critical | — | 9.5 | 9d ago | Malicious code in @beproduct/nestjs-auth (0.1.2 through 0.1.19) — Mini Shai-Hulud worm | |
| CVE-2026-46354 | critical | — | 9.5 | 9d ago | Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft | |
| CVE-2026-46339 | critical | — | 9.5 | 9d ago | 9router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes | |
| CVE-2026-45695 | critical | — | 9.5 | 9d ago | Kopia: RCE via SSH ProxyCommand Injection | |
| CVE-2026-45758 | critical | — | 9.5 | 9d ago | Malicious code in guardrails-ai 0.10.1 (supply chain compromise) | |
| CVE-2026-45568 | critical | — | 9.5 | 9d ago | rok Python ProxyShare can be used as an SSRF proxy through absolute URL paths | |
| CVE-2026-46395 | critical | — | 9.5 | 9d ago | HAXcms: Private Key Disclosure via Broken HMAC Implementation | |
| CVE-2026-45697 | critical | — | 9.5 | 10d ago | Formie: Pre-authenticated server-side template injection in Hidden fields | |
| CVE-2026-45625 | critical | — | 9.5 | 10d ago | Arcane Backend: Missing admin authorization on git repository endpoints allows non-admin users to exfiltrate stored Git credentials and tamper with GitOps configs | |
| CVE-2026-46703 | critical | — | 9.5 | 13d ago | Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host | |
| CVE-2026-46695 | critical | — | 9.5 | 13d ago | BoxLite: Permission Bypass Allows Modification of Read-Only Files | |
| CVE-2026-45288 | critical | — | 9.5 | 14d ago | Marten has an injection vulnerability in its full-text search regConfig parameter | |
| CVE-2026-45353 | critical | — | 9.5 | 14d ago | electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. From 3.0.6 to 3.8.8, this vulnerability is fixed in 3.9.0. | |
| CVE-2026-45058 | critical | — | 9.5 | 14d ago | electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In 3.8.8 and earlier, there is persistent local-pty code execution via imported bookmarks or compromised sync… | |
| CVE-2026-44670 | critical | — | 9.5 | 14d ago | SiYuan Affected by Stored XSS via Attribute View Name to Electron Renderer RCE | |
| CVE-2026-44588 | critical | — | 9.5 | 14d ago | SiYuan: Electron Renderer RCE via decodeURIComponent-driven tooltip XSS in aria-label sink (incomplete fix for CVE-2026-34585) | |
| CVE-2026-44990 | critical | — | 9.5 | 14d ago | Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html` | |
| CVE-2026-44849 | critical | — | 9.5 | 14d ago | Portainer has an endpoint security bypass via Swarm service create/update | |
| CVE-2026-44848 | critical | — | 9.5 | 14d ago | Portainer missing authorization on Docker plugin endpoints, which allows host RCE | |
| CVE-2026-44791 | critical | — | 9.5 | 14d ago | n8n Has an XML Node Prototype Pollution Patch Bypass | |
| CVE-2026-44790 | critical | — | 9.5 | 14d ago | n8n Has an Arbitrary File Read via Git Node | |
| CVE-2026-44789 | critical | — | 9.5 | 14d ago | n8n: HTTP Request Node Pagination Prototype Pollution to RCE | |
| CVE-2026-46442 | critical | — | 9.5 | 14d ago | FlowiseAI: Authenticated Host RCE via POST /api/v1/node-custom-function and NodeVM Sandbox Escape | |
| CVE-2026-44364 | critical | — | 9.5 | 15d ago | misp-modules website - Missing CSRF protection in the website home blueprint | |
| CVE-2026-44672 | critical | — | 9.5 | 16d ago | mapfish-print is a component of MapFish for printing templated cartographic maps. From 3.23.0 to before 3.28.28, 3.30.30, 3.31.22, 3.33.14, and 4.0.3, the attacker can execute arbitrary code in Dyna… | |
| CVE-2026-44650 | critical | — | 9.5 | 16d ago | SillyTavern has a Path Traversal issue | |
| CVE-2026-44649 | critical | — | 9.5 | 16d ago | SillyTavern has Authentication Bypass via SSO Header Injection | |
| CVE-2026-44593 | critical | — | 9.5 | 16d ago | esm.sh is a no-build content delivery network (CDN) for web development. In 137 and earlier, the legacy router first retrieves a response from legacyServer, parses the incoming request path, and ulti… | |
| CVE-2026-42300 | critical | — | 9.5 | 16d ago | DevGuard has an unauthenticated identity assertion via `X-Admin-Token` header | |
| CVE-2026-42074 | critical | — | 9.5 | 16d ago | OpenClaude Sandbox Bypass via Model-Controlled `dangerouslyDisableSandbox` Input | |
| CVE-2026-27478 | critical | — | 9.5 | 17d ago | Unity Catalog has a JWT Issuer Validation Bypass that Allows Complete User Impersonation | |
| CVE-2026-44477 | critical | — | 9.5 | 17d ago | CloudNativePG is a platform designed to manage PostgreSQL databases within Kubernetes environments. Prior to 1.29.1 and 1.28.3, the CloudNativePG metrics exporter opens its PostgreSQL connection as t… | |
| CVE-2026-42571 | critical | — | 9.5 | 19d ago | Pelican Web UI Affected by a Privilege Escalation Attack | |
| CVE-2026-44211 | critical | — | 9.5 | 20d ago | Cline Kanban Server has a Cross-Origin WebSocket Hijacking Vulnerability | |
| CVE-2026-41586 | critical | — | 9.5 | 22d ago | fabric-sdk-java has ObjectInputStream.readObject() without ObjectInputFilter, which allows Java deserialization RCE | |
| CVE-2026-41203 | critical | — | 9.5 | 22d ago | CI4MS Theme::upload is vulnerable to Zip Slip leading to RCE | |
| CVE-2026-41202 | critical | — | 9.5 | 22d ago | CI4MS Backup::restore is vulnerable to Zip Slip leading to RCE | |
| CVE-2026-42196 | critical | — | 9.5 | 23d ago | django-s3file is vulnerable to relative path traversal | |
| CVE-2026-42155 | critical | — | 9.5 | 23d ago | Magento LTS has Weak API Session ID — Predictable MD5 of Time-Derived Inputs | |
| CVE-2026-25660 | critical | — | 9.5 | 23d ago | Codechecker has an authentication bypass for certain API calls | |
| CVE-2026-41176 | critical | — | 9.5 | 1mo ago | Rclone: Unauthenticated options/set allows runtime auth bypass, leading to sensitive operations and command execution | |
| CVE-2026-41242 | critical | — | 9.5 | 1mo ago | Arbitrary code execution in protobufjs | |
| CVE-2026-32179 | critical | — | 9.5 | 1mo ago | MsQuic has a Remote Elevation of Privilege Vulnerability | |
| CVE-2026-23891 | critical | — | 9.5 | 2mo ago | Decidim has a cross-site scripting (XSS) in user name | |
| CVE-2026-4631 | critical | — | 9.5 | 2mo ago | Critical: cockpit: Unauthenticated remote code execution due to SSH command-line argument injection | |
| CVE-2026-29145 | critical | — | 9.5 | 2mo ago | Apache Tomcat: CLIENT_CERT authentication does not fail as expected | |
| CVE-2026-39890 | critical | — | 9.5 | 2mo ago | PraisonAI Vulnerable to Remote Code Execution via YAML Deserialization in Agent Definition Loading | |
| CVE-2026-39324 | critical | — | 9.5 | 2mo ago | Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization | |
| CVE-2026-35035 | critical | — | 9.5 | 2mo ago | CI4MS: Company Information Public-Facing Page Full Platform Compromise & Full Account Takeover for All Roles & Privilege-Escalation via System Settings Company Information Stored DOM XSS | |
| CVE-2026-0596 | critical | — | 9.5 | 2mo ago | Mlflow: Command Injection when serving models with enable_mlserver=True | |
| CVE-2026-1709 | critical | — | 9.5 | 4mo ago | Critical: keylime security update | |
| CVE-2026-44315 | critical | 9.4 | 9.4 | 1d ago | free5GC's NEF 3gpp-pfd-management API is unauthenticated; forged bearer tokens can create, read, and delete PFD transactions | |
| CVE-2026-44326 | critical | 9.4 | 9.4 | 1d ago | free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the 3gpp-traffic-influence API without inbound OAuth2/bearer-token authorization. A network attac… | |
| CVE-2026-41948 | critical | 9.4 | 9.4 | 10d ago | Dify version 1.14.1 and prior contain a path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon's internal REST API by exploiting insufficie… |