CVE Vulnerabilities in 2026

3,284 documented vulnerabilities published in 2026.

All CVEs from 2026

CVE-2026-26332
9.8 critical

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0.

May 4, 2026
CVE-2026-25293
9.6 critical

Buffer overflow due to incorrect authorization in PLC FW

May 4, 2026
CVE-2026-25266
5.5 medium

Memory corruption while processing IOCTL command when device is in power-save state.

May 4, 2026
CVE-2026-24781
9.8 critical

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability through the inspect function. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patc

May 4, 2026
CVE-2026-24120
9.8 critical

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3

May 4, 2026
CVE-2026-24118
9.8 critical

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0.

May 4, 2026
CVE-2026-24082
7.8 high

Memory Corruption when copying data from a freed source while executing performance counter deselect operation.

May 4, 2026
CVE-2025-47408
7.8 high

Memory corruption when another driver calls an IOCTL with invalid input/output buffer.

May 4, 2026
CVE-2025-47407
7.8 high

Memory corruption while creating a process on the digital signal processor due to allocation failure at the kernel level.

May 4, 2026
CVE-2025-47406
6.1 medium

Information Disclosure while processing IOCTL handler callbacks without verifying buffer size.

May 4, 2026
CVE-2025-47405
7.8 high

Memory corruption when processing camera sensor input/output control codes with invalid output buffers.

May 4, 2026
CVE-2025-47404
6.5 medium

Memory corruption when dynamically changing the size of a previously allocated buffer while its contents are being modified.

May 4, 2026
CVE-2025-47403
6.5 medium

Transient DOS when processing a malformed Fast Transition response frame with an invalid header structure during wireless roaming.

May 4, 2026
CVE-2025-47401
6.5 medium

Transient DOS when processing target power rate tables during channel configuration.

May 4, 2026
CVE-2026-40563
7.1 high

Description: Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Atlas. Apache Atlas exposes a DSL search endpoint that accepts user-supplied query strings. Attacker can alter Gremlin traversal logic within grammar-allowed characters to access unintended data. Affect

Apache Atlas May 4, 2026
CVE-2026-37458
6.5 medium

Missing input validation in the MP_REACH_NLRI component of FRRouting (FRR) stable/10.0 to stable/10.6 allows authenticated attackers to cause a Denial of Service (DoS) via supplying a crafted UPDATE message.

May 4, 2026
CVE-2026-36365
7.8 high

An issue in Lymphatus caesium-image-compressor, all versions up to and including commit 02da2c6, allows a local attacker to execute arbitrary code via the shutdownMachine and putMachineToSleep functions in PostCompressionActions.cpp.

May 4, 2026
CVE-2025-70071
5.9 medium

An issue in Assimp v.6.0.2 allows a remote attacker to cause a denial of service via the ParseVectorDataArray() function in FBXParser.cpp.

May 4, 2026
CVE-2026-6501
none

Improper restriction of XML external entity reference vulnerability in ILM Informatique jOpenDocument allows Data Serialization External Entities Blowup. This issue affects jOpenDocument: 1.5.

May 4, 2026
CVE-2026-6500
none

Plaintext storage of a password vulnerability in ILM Informatique OpenConcerto allows Retrieve Embedded Sensitive Data. This issue affects OpenConcerto: 1.7.5.

May 4, 2026
CVE-2026-33523
6.5 medium

HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compromised backend servers. This issue affects Apache HTTP Server: from through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Apache Http Server May 4, 2026
CVE-2026-33007
5.3 medium

A NULL pointer dereference in the mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash a child process in a caching forward proxy configuration. Users are recommended to upgrade to version 2.4.67, which fixes this issue.

Apache Http Server May 4, 2026
CVE-2026-33006
4.8 medium

A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker. Users are recommended to upgrade to version 2.4.67, which fixes this issue.

Apache Http Server May 4, 2026
CVE-2026-29169
7.5 high

A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious request. mod_dav_lock is not used internally by mod_dav or mod_dav_fs. The only known use-case for mod_dav_lock was mod_dav_svn from Apache Subversion earlie

Apache Http Server May 4, 2026