CVEs from 2026
- Total: 14,170
- critical: 1,106
- high: 3,897
- medium: 3,929
- low: 413
- % Critical: 7.8%
- % with KEV: 0.4%
- % with exploit: 0.4%
Top products
- chrome 298
- firepower_threat_defense 298
- firepower_threat_defense_software 295
- openclaw 166
- gcp 135
- commerce 104
- commerce_b2b 89
- magento 74
Top packages
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2026-44069 | low | 3.9 | 3.9 | 7d ago | An integer underflow in the volxlate function in Netatalk 3.0.0 through 4.4.2 allows a local privileged user to obtain limited information, modify limited data, or cause a minor service disruption vi… | |
| CVE-2026-27964 | low | 3.9 | 3.9 | 20d ago | FacturaScripts vulnerable to Reflected Cross-Site Scripting (XSS) via Cookie Manipulation | |
| CVE-2026-44410 | low | 3.8 | 3.8 | 2d ago | This vulnerability stems from a business logic flaw. Attackers can exploit legitimate application functions in unintended and abnormal ways, deviating from the designer's expectations, to carry out ma… | |
| CVE-2026-6923 | low | 3.8 | 3.8 | 13d ago | A side-channel attack, which requires a physical presence to the TPM, can lead to extraction of an Elliptic Curve Diffie-Hellman (ECDH) key. | |
| CVE-2026-33585 | low | 3.8 | 3.8 | 14d ago | Improper management of the idle timeout parameter in the Keycloak interface of the Arqit SKA-Platform enables an attacker to impersonate an authenticated tenant user via an unexpired browser session.… | |
| CVE-2026-44459 | low | 3.8 | 3.8 | 14d ago | Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify() | |
| CVE-2026-34094 | low | 3.8 | 3.8 | 16d ago | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Page/Article.Php. This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2. | |
| CVE-2026-44987 | low | 3.8 | 3.8 | 19d ago | SysReptor is a fully customizable pentest reporting platform. Prior to version 2026.29, users with "User Admin" permissions can change the email addresses of users with "Superuser" permissions. If th… | |
| CVE-2026-4222 | low | 3.8 | 3.8 | 2mo ago | A vulnerability was determined in SSCMS up to 7.4.0. This vulnerability affects the function PathUtils.RemoveParentPath of the file /api/admin/plugins/install/actions/download. This manipulation of t… | |
| CVE-2026-4044 | low | 3.8 | 3.8 | 3mo ago | A vulnerability was detected in projectsend up to r1945. This affects the function realpath of the file /import-orphans.php of the component Delete Handler. Performing a manipulation of the argument … | |
| CVE-2026-22411 | low | 3.8 | 3.8 | 4mo ago | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Dolcino dolcino allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Dolcino: fro… | |
| CVE-2026-22409 | low | 3.8 | 3.8 | 4mo ago | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Justicia justicia allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Justicia: … | |
| CVE-2026-22407 | low | 3.8 | 3.8 | 4mo ago | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Roam roam allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Roam: from n/a thr… | |
| CVE-2026-22406 | low | 3.8 | 3.8 | 4mo ago | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Overton overton allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Overton: fro… | |
| CVE-2026-22404 | low | 3.8 | 3.8 | 4mo ago | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Innovio innovio allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Innovio: fro… | |
| CVE-2026-42082 | low | 3.7 | 3.7 | 7h ago | Free5GC AMF has Missing Concurrent NAS SMC Validation During NGAP Handover | |
| CVE-2026-44474 | low | 3.7 | 3.7 | 8h ago | Ella Core has handover failures during concurrent Security Mode Command | |
| CVE-2026-48852 | low | 3.7 | 3.7 | 2d ago | PuTTY 0.71 before 0.84 has an assertion failure in ECDSA signature verification. | |
| CVE-2026-48847 | low | 3.7 | 3.7 | 2d ago | Roundcube Webmail 1.6.x before 1.6.16, and 1.7.x before 1.7.1 allows pre-authentication arbitrary file deletion via redis/memcache session poisoning bypass. | |
| CVE-2026-9396 | low | 3.7 | 3.7 | 3d ago | A security flaw has been discovered in Besen BS20 EV Charging Station up to 20260426. Affected by this vulnerability is an unknown functionality of the component Firmware Version Check. The manipulat… | |
| CVE-2026-9373 | low | 3.7 | 3.7 | 4d ago | A vulnerability has been found in JeecgBoot 3.9.1. This issue affects some unknown processing of the file /openapi/call/ of the component OpenAPI Endpoint. Such manipulation leads to improper authent… | |
| CVE-2026-9370 | low | 3.7 | 3.7 | 4d ago | A weakness has been identified in ulisesbocchio jasypt-spring-boot up to 3.0.5/4.0.4. Affected by this vulnerability is the function getSecretKeySaltGenerator of the file jasypt-spring-boot/src/main/… | |
| CVE-2026-9306 | low | 3.7 | 3.7 | 4d ago | A security vulnerability has been detected in QuantumNous new-api up to 0.12.1. This affects the function RelayMidjourneyImage/GetByOnlyMJId of the file router/relay-router.go of the component Midjou… | |
| CVE-2026-7837 | low | 3.7 | 3.7 | 7d ago | A time-of-check time-of-use (TOCTOU) condition in the ad_flush function in Netatalk 3.0.0 through 4.4.2 involves root-privileged file operations, which may allow a remote attacker to cause limited da… | |
| CVE-2026-44075 | low | 3.7 | 3.7 | 7d ago | A missing break statement in DSI OpenSession processing in Netatalk 1.5.0 through 4.4.2 causes a DSIOPT_ATTNQUANT switch case to fall through into DSIOPT_SERVQUANT, resulting in unintended session op… | |
| CVE-2026-44074 | low | 3.7 | 3.7 | 7d ago | Netatalk 2.1.0 through 4.4.2 combines multiple errno values using bitwise OR, resulting in incorrect error codes when multiple error conditions occur simultaneously, which may allow a remote attacker… | |
| CVE-2026-44071 | low | 3.7 | 3.7 | 7d ago | Netatalk 3.1.2 through 4.4.2 is compiled without FORTIFY_SOURCE, which disables built-in buffer overflow detection at runtime, potentially allowing a remote attacker to cause a minor denial of servic… | |
| CVE-2026-45232 | low | 3.7 | 3.7 | 8d ago | Rsync versions before 3.4.3 contain an off-by-one out-of-bounds stack write vulnerability in the establish_proxy_connection() function in socket.c that allows network attackers to corrupt stack memor… | |
| CVE-2026-8491 | low | 3.7 | 3.7 | 8d ago | Node view permissions module enables permissions "View own content" and "View any content" for each content type on permissions page. The module doesn't sufficiently handle the case where a user is … | |
| CVE-2026-8803 | low | 3.7 | 3.7 | 9d ago | A flaw has been found in opensourcepos Open Source Point of Sale up to 3.4.2. Impacted is the function Login of the file app/Models/Employee.php of the component Employee Login. This manipulation cau… | |
| CVE-2026-44589 | low | 3.7 | 3.7 | 13d ago | nuxt-og-image SSRF — bypass of GHSA-pqhr-mp3f-hrpp / v6.2.5 fix (IPv6 + redirect) | |
| CVE-2026-44582 | low | 3.7 | 3.7 | 14d ago | Next.js vulnerable to cache poisoning via collisions in React Server Component cache-busting | |
| CVE-2026-44242 | low | 3.7 | 3.7 | 15d ago | Micronaut has Unbounded `bundleCache` in `ResourceBundleMessageSource` that Allows Memory Exhaustion via `Accept-Language` Header | |
| CVE-2026-44219 | low | 3.7 | 3.7 | 15d ago | ciguard: SCA HTTP client reads response body without size cap | |
| CVE-2026-43514 | low | 3.7 | 3.7 | 15d ago | Apache Tomcat - AJP secret compared in non-constant time | |
| CVE-2026-42874 | low | 3.7 | 3.7 | 16d ago | Microdot has HTTP response splitting in Response.set_cookie() | |
| CVE-2026-44996 | low | 3.7 | 3.7 | 16d ago | OpenClaw before 2026.4.15 contains an arbitrary local file read vulnerability in the webchat audio embedding helper that fails to apply local media root containment checks. Attackers can influence ag… | |
| CVE-2026-8276 | low | 3.7 | 3.7 | 17d ago | bettercap Has an Integer Coercion Error in modules/mysql_server/mysql_server.go | |
| CVE-2026-8275 | low | 3.7 | 3.7 | 17d ago | bettercap Has an Integer Coercion Error in the ippReadChunkedBody Function | |
| CVE-2026-8242 | low | 3.7 | 3.7 | 18d ago | A vulnerability was found in Industrial Application Software IAS Canias ERP 8.03. The impacted element is the function doAction of the component Login RMI Interface. Performing a manipulation results… | |
| CVE-2026-8196 | low | 3.7 | 3.7 | 18d ago | A flaw has been found in JeecgBoot 3.9.1. The impacted element is an unknown function of the file jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/LoginControlle… | |
| CVE-2026-8028 | low | 3.7 | 3.7 | 21d ago | A vulnerability was detected in FlowiseAI Flowise up to 3.0.12. This affects the function verify of the file packages/server/src/enterprise/services/account.service.ts of the component Endpoint. Perf… | |
| CVE-2026-43863 | low | 3.7 | 3.7 | 24d ago | mutt before 2.3.2 has an infinite loop in data_object_to_stream in crypt-gpgme.c. | |
| CVE-2026-43862 | low | 3.7 | 3.7 | 24d ago | In mutt before 2.3.2, the imap_auth_gss security level is mishandled. | |
| CVE-2026-43861 | low | 3.7 | 3.7 | 24d ago | mutt before 2.3.2 does not check for '\0' in url_pct_decode. | |
| CVE-2026-43860 | low | 3.7 | 3.7 | 24d ago | mutt before 2.3.2 sometimes truncates the hash_passwd by one byte for IMAP auth_cram MD5 digest. | |
| CVE-2026-43859 | low | 3.7 | 3.7 | 24d ago | mutt before 2.3.2 sometimes uses strfcpy instead of memcpy for the IMAP auth_cram MD5 digest. | |
| CVE-2026-7689 | low | 3.7 | 3.7 | 24d ago | Dolibarr has Insufficient Verification of Data Authenticity | |
| CVE-2026-7671 | low | 3.7 | 3.7 | 25d ago | A vulnerability has been found in CodeWise Tornet Scooter Mobile App 4.75 on iOS/Android. The impacted element is an unknown function of the file /TwoFactor. Such manipulation leads to improper restr… | |
| CVE-2026-41263 | low | 3.7 | 3.7 | 27d ago | Traefik: A timing side-channel vulnerability allows for valid username enumeration via BasicAuth middleware | |
| CVE-2026-3832 | low | 3.7 | 3.7 | 27d ago | A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted Online Certificate Status Protocol (OCSP) response during a TLS handshake. Due to a lo… | |
| CVE-2026-7303 | low | 3.7 | 3.7 | 29d ago | xxl-job has a Resource Injection issue | |
| CVE-2026-41913 | low | 3.7 | 3.7 | 29d ago | OpenClaw: Concurrent async auth attempts can bypass the intended shared-secret rate-limit budget on Tailscale-capable paths | |
| CVE-2026-7103 | low | 3.7 | 3.7 | 1mo ago | A vulnerability was determined in code-projects Chat System 1.0. Affected is an unknown function of the file update_user.php of the component MD5 Hash Handler. This manipulation of the argument Passw… | |
| CVE-2026-7041 | low | 3.7 | 3.7 | 1mo ago | A vulnerability was detected in 666ghj MiroFish up to 0.1.2. The impacted element is an unknown function of the file /console of the component Werkzeug Debugger PIN Handler. Performing a manipulation… | |
| CVE-2026-7020 | low | 3.7 | 3.7 | 1mo ago | Ollama is Vulnerable to Path Traversal | |
| CVE-2026-6986 | low | 3.7 | 3.7 | 1mo ago | A security vulnerability has been detected in Cesanta Mongoose up to 7.20. This issue affects the function mg_aes_gcm_decrypt of the file /src/tls_aes128.c of the component GCM Authentication Tag Han… | |
| CVE-2026-42040 | low | 3.7 | 3.7 | 1mo ago | Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams | |
| CVE-2026-41333 | low | 3.7 | 3.7 | 1mo ago | OpenClaw: Fake DeviceToken Bypasses Shared Auth Rate Limiting | |
| CVE-2026-40279 | low | 3.7 | 3.7 | 1mo ago | BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.4.3, decode_signed32() in src/bacnet/bacint.c reconstructs a 32-bit signed integer from four APDU bytes … | |
| CVE-2026-6610 | low | 3.7 | 3.7 | 1mo ago | A vulnerability has been found in liangliangyy DjangoBlog up to 2.1.0.0. The impacted element is an unknown function of the file djangoblog/settings.py of the component Setting Handler. Such manipula… | |
| CVE-2026-40194 | low | 3.7 | 3.7 | 2mo ago | phpseclib has a variable-time HMAC comparison in SSH2::get_binary_packet() using != instead of hash_equals() | |
| CVE-2026-5682 | low | 3.7 | 3.7 | 2mo ago | A vulnerability has been found in Meesho Online Shopping App up to 27.3 on Android. Affected is an unknown function of the file /api/endpoint of the component com.meesho.supply. Such manipulation lea… | |
| CVE-2026-5622 | low | 3.7 | 3.7 | 2mo ago | A vulnerability was determined in hcengineering Huly Platform 0.7.382. Affected by this issue is some unknown functionality of the file foundations/core/packages/token/src/token.ts of the component J… | |
| CVE-2026-5413 | low | 3.7 | 3.7 | 2mo ago | A vulnerability was identified in Newgen OmniDocs up to 12.0.00. Affected by this vulnerability is an unknown functionality of the file /omnidocs/GetWebApiConfiguration. The manipulation of the argum… | |
| CVE-2026-5360 | low | 3.7 | 3.7 | 2mo ago | A vulnerability has been found in Free5GC 4.2.0. The affected element is an unknown function of the component aper. Such manipulation leads to type confusion. The attack may be launched remotely. Thi… | |
| CVE-2026-4831 | low | 3.7 | 3.7 | 2mo ago | A security flaw has been discovered in kalcaddle kodbox 1.64. Impacted is the function can of the file /workspace/source-code/app/controller/explorer/auth.class.php of the component Password-protecte… | |
| CVE-2026-4588 | low | 3.7 | 3.7 | 2mo ago | A vulnerability was determined in kalcaddle kodbox 1.64. Impacted is the function shareSafeGroup of the file /workspace/source-code/app/controller/explorer/shareOut.class.php of the component Site-le… | |
| CVE-2026-4115 | low | 3.7 | 3.7 | 2mo ago | A vulnerability was detected in PuTTY 0.83. Affected is the function eddsa_verify of the file crypto/ecc-ssh.c of the component Ed25519 Signature Handler. The manipulation results in improper verific… | |
| CVE-2026-4045 | low | 3.7 | 3.7 | 3mo ago | A flaw has been found in projectsend up to r1945. This impacts an unknown function of the file includes/Classes/Auth.php. Executing a manipulation of the argument ldap_email can lead to observable re… | |
| CVE-2026-3963 | low | 3.7 | 3.7 | 3mo ago | A security flaw has been discovered in perfree go-fastdfs-web up to 1.3.7. This affects the function rememberMeManager of the file src/main/java/com/perfree/config/ShiroConfig.java of the component A… | |
| CVE-2026-2968 | low | 3.7 | 3.7 | 3mo ago | A vulnerability was detected in Cesanta Mongoose up to 7.20. This impacts the function mg_chacha20_poly1305_decrypt of the file /src/tls_chacha20.c of the component Poly1305 Authentication Tag Handle… | |
| CVE-2026-2967 | low | 3.7 | 3.7 | 3mo ago | A security vulnerability has been detected in Cesanta Mongoose up to 7.20. This affects the function getpeer of the file /src/net_builtin.c of the component TCP Sequence Number Handler. The manipulat… | |
| CVE-2026-2966 | low | 3.7 | 3.7 | 3mo ago | A weakness has been identified in Cesanta Mongoose up to 7.20. The impacted element is the function mg_sendnsreq of the file /src/dns.c of the component DNS Transaction ID Handler. Executing a manipu… | |
| CVE-2026-2215 | low | 3.7 | 3.7 | 4mo ago | A vulnerability was detected in rachelos WeRSS we-mp-rss up to 1.4.8. This issue affects some unknown processing of the file core/auth.py of the component JWT Handler. Performing a manipulation of th… | |
| CVE-2026-41962 | low | 3.6 | 3.6 | 13d ago | Permission control vulnerability in the app management and control module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | |
| CVE-2026-42448 | low | 3.5 | 3.5 | 1d ago | Magic Wormhole: receive, with --output pointing at an existing directory can be path-traversed | |
| CVE-2026-9485 | low | 3.5 | 3.5 | 2d ago | A vulnerability was identified in SourceCodester Student Grades Management System 1.0. Affected by this issue is some unknown functionality of the file students.php. The manipulation of the argument … | |
| CVE-2026-9471 | low | 3.5 | 3.5 | 2d ago | A vulnerability was detected in yashpokharna2555 StudentManagementSystem cb2f558ddf8d19396de0f92abf2d224d46a0a203. This impacts an unknown function of the file /student.php. Performing a manipulation… | |
| CVE-2026-9414 | low | 3.5 | 3.5 | 3d ago | A security flaw has been discovered in SourceCodester Indian Invoicing System up to 0.x/1.0. The impacted element is an unknown function of the file /Invoicing/add_order.php of the component Invoice … | |
| CVE-2026-48832 | low | 3.5 | 3.5 | 3d ago | action/cookie.php in ecrire in SPIP before 4.4.15 is prone to an open redirect vulnerability. | |
| CVE-2026-9395 | low | 3.5 | 3.5 | 3d ago | A vulnerability was identified in Besen BS20 EV Charging Station up to 20260426. Affected is an unknown function of the component BLE/UDP. The manipulation leads to insufficiently protected credentia… | |
| CVE-2026-9357 | low | 3.5 | 3.5 | 4d ago | A vulnerability was found in vBulletin 6.x. This impacts an unknown function of the component Login. Performing a manipulation results in cross site scripting. It is possible to initiate the attack r… | |
| CVE-2026-4643 | low | 3.5 | 3.5 | 10d ago | Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent server-rendered content from closing an underlying application view in the Mattermost Desktop App which allows a malicious server … | |
| CVE-2026-45316 | low | 3.5 | 3.5 | 12d ago | Open WebUI: Read-Only Users Can Toggle Note Pin Status via Incorrect Permission Check (Write via Read-Only Access) | |
| CVE-2026-45803 | low | 3.5 | 3.5 | 12d ago | GitHub CLI: GitHub Actions log output in `gh run view` allows terminal escape sequence injection | |
| CVE-2026-45781 | low | 3.5 | 3.5 | 13d ago | MCP Registry: OCI validator skips ownership check on upstream rate limits | |
| CVE-2026-7471 | low | 3.5 | 3.5 | 14d ago | GitLab has remediated an issue in GitLab EE affecting all versions from 18.8 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with control o… | |
| CVE-2026-8232 | low | 3.5 | 3.5 | 18d ago | A vulnerability was found in Dotouch XproUPF 2.0.0-release-088aa7c4. This impacts the function vlib_worker_loop in the library /usr/xpro/upf/tools/libs/libvlib.so of the component UPF Process. The ma… | |
| CVE-2026-7677 | low | 3.5 | 3.5 | 25d ago | A vulnerability was determined in kerwincui FastBee up to 1.2.1. The impacted element is the function Add of the file springboot/fastbee-admin/src/main/java/com/fastbee/web/controller/system/SysNotic… | |
| CVE-2026-7501 | low | 3.5 | 3.5 | 27d ago | A weakness has been identified in LinkStackOrg LinkStack up to 4.8.6. Impacted is the function editPage of the file app/Http/Controllers/UserController.php. Executing a manipulation of the argument p… | |
| CVE-2026-41663 | low | 3.5 | 3.5 | 28d ago | Admidio has CSRF on Admin Preferences that Triggers Unauthorized Backup, .htaccess Write, and Email Send | |
| CVE-2026-7390 | low | 3.5 | 3.5 | 28d ago | A vulnerability was detected in SourceCodester Pharmacy Sales and Inventory System 1.0. The impacted element is the function Customer of the file /index.php?page=customer. The manipulation of the arg… | |
| CVE-2026-7222 | low | 3.5 | 3.5 | 1mo ago | A vulnerability was determined in code-projects Coaching Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /cims/modules/student/complaint.php of the compo… | |
| CVE-2026-7110 | low | 3.5 | 3.5 | 1mo ago | A flaw has been found in code-projects Invoice System in Laravel 1.0. Affected is an unknown function of the file /item. Executing a manipulation of the argument item name/description can lead to cro… | |
| CVE-2026-7021 | low | 3.5 | 3.5 | 1mo ago | A weakness has been identified in SmythOS sre up to 0.0.15. This impacts an unknown function of the file packages/sdk/src/LLM/utils.ts of the component Connector Service. This manipulation of the arg… | |
| CVE-2026-6990 | low | 3.5 | 3.5 | 1mo ago | A vulnerability was found in projeto-siga siga 11.0.3.18. The affected element is an unknown function of the file /sigawf/app/responsavel/novo. Performing a manipulation of the argument Nome/Descriçã… | |
| CVE-2026-6745 | low | 3.5 | 3.5 | 1mo ago | Bagisto affected by Cross-site Scripting | |
| CVE-2026-6743 | low | 3.5 | 3.5 | 1mo ago | A vulnerability has been found in WebSystems WebTOTUM 2026. This impacts an unknown function of the component Calendar. The manipulation leads to cross site scripting. The attack may be initiated rem… | |
| CVE-2026-6648 | low | 3.5 | 3.5 | 1mo ago | A vulnerability was found in Qibo CMS 1.0. Affected by this vulnerability is an unknown functionality of the component Internal Message Module. Performing a manipulation results in cross site scripti… |