Top 10 CVEs of 2026


Six data-derived top-10 lists for CVEs published or KEV-added in 2026. No editorial scoring; everything below is computed directly from the ingested corpus.

Top 10 most severe CVEs of 2026

Ranked by CVSS v3 base score, descending. Ties broken by KEV status, then EPSS score, then publish date.

| # | CVE | Severity | CVSS | KEV | Summary |
|---|---|---|---|---|---|
| 1 | CVE-2026-10520 | Critical | 10.0 | KEV | An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution |
| 2 | CVE-2026-20182 | Critical | 10.0 | KEV | May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February 2026. |
| 3 | CVE-2026-34910 | Critical | 10.0 | KEV | A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection. |
| 4 | CVE-2026-20127 | Critical | 10.0 | KEV | A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, and Cisco Catalyst SD-WAN Validator, formerly SD-WAN vBond, could allow an u… |
| 5 | CVE-2026-20131 | Critical | 10.0 | KEV | A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device. This vuln… |
| 6 | CVE-2026-22769 | Critical | 10.0 | KEV | Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credential vulnerability. |
| 7 | CVE-2026-34908 | Critical | 10.0 | KEV | A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS devices to make unauthorized changes to the system. |
| 8 | CVE-2026-34909 | Critical | 10.0 | KEV | A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system that could be manipulated to access an underlying account. |
| 9 | CVE-2026-48558 | Critical | 10.0 | KEV | SimpleHelp versions 5.5.15 and prior and 6.0 pre-release versions contain an authentication bypass vulnerability in the OIDC authentication flow. |
| 10 | CVE-2026-21858 | Critical | 10.0 | | n8n is an open source workflow automation platform. |

Top 10 actively exploited CVEs of 2026

CVEs added to the CISA Known Exploited Vulnerabilities catalog during the year, newest first. Empty for pre-2021 years.

| # | CVE | Severity | CVSS | KEV | Added | Summary |
|---|---|---|---|---|---|---|
| 1 | CVE-2026-48558 | Critical | 10.0 | KEV | 2026-06-29 | SimpleHelp versions 5.5.15 and prior and 6.0 pre-release versions contain an authentication bypass vulnerability in the OIDC authentication flow. |
| 2 | CVE-2026-12569 | Critical | 9.8 | KEV | 2026-06-25 | A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. |
| 3 | CVE-2026-20230 | High | 8.6 | KEV | 2026-06-25 | A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to conduct server-side request forger… |
| 4 | CVE-2026-34910 | Critical | 10.0 | KEV | 2026-06-23 | A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection. |
| 5 | CVE-2026-34909 | Critical | 10.0 | KEV | 2026-06-23 | A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system that could be manipulated to access an underlying account. |
| 6 | CVE-2026-34908 | Critical | 10.0 | KEV | 2026-06-23 | A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS devices to make unauthorized changes to the system. |
| 7 | CVE-2025-67038 | Critical | 9.8 | KEV | 2026-06-23 | An issue was discovered in Lantronix EDS5000 2.1.0.0R3. |
| 8 | CVE-2026-20253 | Critical | 9.8 | KEV | 2026-06-18 | In Splunk Enterprise 10.2 versions below 10.2.4 and 10 versions below 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. |
| 9 | CVE-2026-48907 | Critical | 9.8 | KEV | 2026-06-16 | A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution. |
| 10 | CVE-2026-20262 | Medium | 6.5 | KEV | 2026-06-15 | A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system. This vulnerability ex… |

Top 10 highest-EPSS CVEs of 2026

FIRST.org Exploit Prediction Scoring System scores, descending. EPSS estimates the probability a CVE will be exploited in the next 30 days.

| # | CVE | Severity | CVSS | KEV | EPSS | Summary |
|---|---|---|---|---|---|---|
| 1 | CVE-2026-10520 | Critical | 10.0 | KEV | 0.989 | An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution |
| 2 | CVE-2026-24061 | Critical | 9.8 | KEV | 0.989 | telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable. |
| 3 | CVE-2026-33017 | Critical | 9.8 | KEV | 0.984 | Langflow is a tool for building and deploying AI-powered agents and workflows. |
| 4 | CVE-2026-41940 | Critical | 9.8 | KEV | 0.981 | cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel. |
| 5 | CVE-2026-31431 | High | 7.8 | KEV | 0.968 | In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place. This mostly reverts commit 72548b093ee3 except for the copying of the associated data. |
| 6 | CVE-2026-34197 | High | 8.8 | KEV | 0.963 | Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. |
| 7 | CVE-2026-23760 | Critical | 9.8 | KEV | 0.963 | SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. |
| 8 | CVE-2026-39987 | Critical | 9.8 | KEV | 0.956 | marimo is a reactive Python notebook. |
| 9 | CVE-2026-21643 | Critical | 9.8 | KEV | 0.941 | An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted… |
| 10 | CVE-2026-43284 | High | 8.8 | | 0.932 | In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags. MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. |

Top 10 most PoC-covered CVEs of 2026

Ranked by the count of indexed public proof-of-concept repositories. Higher counts correlate with weaponisation effort.

| # | CVE | Severity | CVSS | KEV | PoCs | Summary |
|---|---|---|---|---|---|---|
| 1 | CVE-2026-31431 | High | 7.8 | KEV | 348 | In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place. This mostly reverts commit 72548b093ee3 except for the copying of the associated data. |
| 2 | CVE-2026-41940 | Critical | 9.8 | KEV | 80 | cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel. |
| 3 | CVE-2026-42945 | High | 8.1 | | 51 | NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. |
| 4 | CVE-2026-23744 | Critical | 9.8 | | 36 | MCPJam inspector is the local-first development platform for MCP servers. |
| 5 | CVE-2026-43284 | High | 8.8 | | 33 | In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags. MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. |
| 6 | CVE-2026-41089 | Critical | 9.8 | | 26 | Stack-based buffer overflow in Windows Netlogon allows an unauthorized attacker to execute code over a network. |
| 7 | CVE-2026-24061 | Critical | 9.8 | KEV | 23 | telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable. |
| 8 | CVE-2026-29000 | Critical | 9.1 | | 21 | pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3 contain an authentication bypass vulnerability in JwtAuthenticator when processing encrypted JWTs that allows remote attackers to forge authentication tokens. |
| 9 | CVE-2026-0073 | High | 8.8 | | 18 | In adbd_tls_verify_cert of auth.cpp, there is a possible bypass of wireless ADB mutual authentication due to a logic error in the code. |
| 10 | CVE-2026-48907 | Critical | 9.8 | KEV | 15 | A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution. |

Top 10 most-vulnerable vendors of 2026

Vendors ranked by distinct CVE count for the year. Counts include every CVE attached to any product the vendor ships in our CPE map.

| # | Vendor | CVE count |
|---|---|---|
| 1 | Linux | 3246 |
| 2 | Microsoft | 2023 |
| 3 | Google | 1800 |
| 4 | Apple | 1363 |
| 5 | N/a | 1343 |
| 6 | Openclaw | 544 |
| 7 | Oracle Corporation | 445 |
| 8 | Oracle | 440 |
| 9 | Adobe | 395 |
| 10 | Red Hat | 349 |

Top 10 most-common CWEs of 2026

CWE classification IDs ranked by the count of CVEs published in the year that carry them. Each CVE typically lists 1–3 CWE IDs; counts reflect the union of those lists across the year's corpus, so a single CVE can contribute to several rows.

| # | CWE | Name | CVE count |
|---|---|---|---|
| 1 | CWE-79 | Cross-site Scripting | 2875 |
| 2 | CWE-89 | SQL Injection | 1578 |
| 3 | CWE-862 | Missing Authorization | 1532 |
| 4 | CWE-416 | Use After Free | 1163 |
| 5 | CWE-22 | Path Traversal | 1095 |
| 6 | CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection) | 1003 |
| 7 | CWE-284 | Improper Access Control | 945 |
| 8 | CWE-78 | OS Command Injection | 868 |
| 9 | CWE-94 | Code Injection | 835 |
| 10 | CWE-20 | Improper Input Validation | 809 |