Top 10 CVEs of 2026
2026
Six data-derived top-10 lists for CVEs published or KEV-added in 2026. No editorial scoring; everything below is computed directly from the ingested corpus.
Top 10 most severe CVEs of 2026
Ranked by CVSS v3 base score, descending. Ties broken by KEV status, then EPSS score, then publish date.
| # | CVE | Severity | CVSS | KEV | Summary |
|---|---|---|---|---|---|
| 1 | CVE-2026-10520 | Critical | 10.0 | KEV | An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution |
| 2 | CVE-2026-20182 | Critical | 10.0 | KEV | May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February 2026. |
| 3 | CVE-2026-34910 | Critical | 10.0 | KEV | A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection. |
| 4 | CVE-2026-20127 | Critical | 10.0 | KEV | A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, and Cisco Catalyst SD-WAN Validator, formerly SD-WAN vBond, could allow an u… |
| 5 | CVE-2026-20131 | Critical | 10.0 | KEV | A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device. This vuln… |
| 6 | CVE-2026-22769 | Critical | 10.0 | KEV | Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credential vulnerability. |
| 7 | CVE-2026-34908 | Critical | 10.0 | KEV | A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS devices to make unauthorized changes to the system. |
| 8 | CVE-2026-34909 | Critical | 10.0 | KEV | A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system that could be manipulated to access an underlying account. |
| 9 | CVE-2026-48558 | Critical | 10.0 | KEV | SimpleHelp versions 5.5.15 and prior and 6.0 pre-release versions contain an authentication bypass vulnerability in the OIDC authentication flow. |
| 10 | CVE-2026-21858 | Critical | 10.0 | — | n8n is an open source workflow automation platform. |
Top 10 actively exploited CVEs of 2026
CVEs added to the CISA Known Exploited Vulnerabilities catalog during the year, newest first. Empty for pre-2021 years.
| # | CVE | Severity | CVSS | KEV | Added | Summary |
|---|---|---|---|---|---|---|
| 1 | CVE-2026-48558 | Critical | 10.0 | KEV | 2026-06-29 | SimpleHelp versions 5.5.15 and prior and 6.0 pre-release versions contain an authentication bypass vulnerability in the OIDC authentication flow. |
| 2 | CVE-2026-12569 | Critical | 9.8 | KEV | 2026-06-25 | A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. |
| 3 | CVE-2026-20230 | High | 8.6 | KEV | 2026-06-25 | A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to conduct server-side request forger… |
| 4 | CVE-2026-34910 | Critical | 10.0 | KEV | 2026-06-23 | A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection. |
| 5 | CVE-2026-34909 | Critical | 10.0 | KEV | 2026-06-23 | A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system that could be manipulated to access an underlying account. |
| 6 | CVE-2026-34908 | Critical | 10.0 | KEV | 2026-06-23 | A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS devices to make unauthorized changes to the system. |
| 7 | CVE-2025-67038 | Critical | 9.8 | KEV | 2026-06-23 | An issue was discovered in Lantronix EDS5000 2.1.0.0R3. |
| 8 | CVE-2026-20253 | Critical | 9.8 | KEV | 2026-06-18 | In Splunk Enterprise 10.2 versions below 10.2.4 and 10 versions below 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. |
| 9 | CVE-2026-48907 | Critical | 9.8 | KEV | 2026-06-16 | A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution. |
| 10 | CVE-2026-20262 | Medium | 6.5 | KEV | 2026-06-15 | A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system. This vulnerability ex… |
Top 10 highest-EPSS CVEs of 2026
FIRST.org Exploit Prediction Scoring System scores, descending. EPSS estimates the probability a CVE will be exploited in the next 30 days.
| # | CVE | Severity | CVSS | KEV | EPSS | Summary |
|---|---|---|---|---|---|---|
| 1 | CVE-2026-10520 | Critical | 10.0 | KEV | 0.989 | An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution |
| 2 | CVE-2026-24061 | Critical | 9.8 | KEV | 0.989 | telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable. |
| 3 | CVE-2026-33017 | Critical | 9.8 | KEV | 0.984 | Langflow is a tool for building and deploying AI-powered agents and workflows. |
| 4 | CVE-2026-41940 | Critical | 9.8 | KEV | 0.981 | cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel. |
| 5 | CVE-2026-31431 | High | 7.8 | KEV | 0.968 | In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place. This mostly reverts commit 72548b093ee3 except for the copying of the associated data. |
| 6 | CVE-2026-34197 | High | 8.8 | KEV | 0.963 | Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. |
| 7 | CVE-2026-23760 | Critical | 9.8 | KEV | 0.963 | SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. |
| 8 | CVE-2026-39987 | Critical | 9.8 | KEV | 0.956 | marimo is a reactive Python notebook. |
| 9 | CVE-2026-21643 | Critical | 9.8 | KEV | 0.941 | An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted… |
| 10 | CVE-2026-43284 | High | 8.8 | — | 0.932 | In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags. MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. |
Top 10 most PoC-covered CVEs of 2026
Ranked by the count of indexed public proof-of-concept repositories. Higher counts correlate with weaponisation effort.
| # | CVE | Severity | CVSS | KEV | PoCs | Summary |
|---|---|---|---|---|---|---|
| 1 | CVE-2026-31431 | High | 7.8 | KEV | 348 | In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place. This mostly reverts commit 72548b093ee3 except for the copying of the associated data. |
| 2 | CVE-2026-41940 | Critical | 9.8 | KEV | 80 | cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel. |
| 3 | CVE-2026-42945 | High | 8.1 | — | 51 | NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. |
| 4 | CVE-2026-23744 | Critical | 9.8 | — | 36 | MCPJam inspector is the local-first development platform for MCP servers. |
| 5 | CVE-2026-43284 | High | 8.8 | — | 33 | In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags. MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. |
| 6 | CVE-2026-41089 | Critical | 9.8 | — | 26 | Stack-based buffer overflow in Windows Netlogon allows an unauthorized attacker to execute code over a network. |
| 7 | CVE-2026-24061 | Critical | 9.8 | KEV | 23 | telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable. |
| 8 | CVE-2026-29000 | Critical | 9.1 | — | 21 | pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3 contain an authentication bypass vulnerability in JwtAuthenticator when processing encrypted JWTs that allows remote attackers to forge authentication tokens. |
| 9 | CVE-2026-0073 | High | 8.8 | — | 18 | In adbd_tls_verify_cert of auth.cpp, there is a possible bypass of wireless ADB mutual authentication due to a logic error in the code. |
| 10 | CVE-2026-48907 | Critical | 9.8 | KEV | 15 | A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution. |
Top 10 most-vulnerable vendors of 2026
Vendors ranked by distinct CVE count for the year. Counts include every CVE attached to any product the vendor ships in our CPE map.
| # | Vendor | CVE count |
|---|---|---|
| 1 | Linux | 3246 |
| 2 | Microsoft | 2023 |
| 3 | | 1800 |
| 4 | Apple | 1363 |
| 5 | N/a | 1343 |
| 6 | Openclaw | 544 |
| 7 | Oracle Corporation | 445 |
| 8 | Oracle | 440 |
| 9 | Adobe | 395 |
| 10 | Red Hat | 349 |
Top 10 most-common CWEs of 2026
CWE classification ids ranked by the count of CVEs published in the year that carry them. Each CVE typically lists 1–3 CWE ids; counts reflect the union of those lists across the year's corpus.
| # | CWE | Name | CVE count |
|---|---|---|---|
| 1 | CWE-79 | Cross-site Scripting | 2875 |
| 2 | CWE-89 | SQL Injection | 1578 |
| 3 | CWE-862 | Missing Authorization | 1532 |
| 4 | CWE-416 | Use After Free | 1163 |
| 5 | CWE-22 | Path Traversal | 1095 |
| 6 | CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection) | 1003 |
| 7 | CWE-284 | Improper Access Control | 945 |
| 8 | CWE-78 | OS Command Injection | 868 |
| 9 | CWE-94 | Code Injection | 835 |
| 10 | CWE-20 | Improper Input Validation | 809 |