2026 CVEs
29570 CVEs published in 2026. 2991 critical, 11032 high. Browse by vendor, severity, or with PoCs.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-56415 | Critical | 10.0 | 2026-06-30 | Storage Concentrator (SC & SCVM) contains a command injection vulnerability within the debug.pl script that is reachable without authentication. A remote attac… |
| CVE-2026-56413 | Critical | 10.0 | 2026-06-30 | Storage Concentrator (SC & SCVM) contains a command injection vulnerability in the ms_service.pl service, which listens on TCP port 9000 by default and accepts… |
| CVE-2026-10134 | Critical | 10.0 | 2026-06-30 | IBM Langflow OSS 1.0.0 through 1.9.3 allows an attacker to read every secret available to the Langflow process, read and modify every flow, conversation, messa… |
| CVE-2026-48286 | Critical | 10.0 | 2026-06-30 | Adobe Campaign Classic (ACC) versions 7.4.3 build 9396 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code… |
| CVE-2026-48283 | Critical | 10.0 | 2026-06-30 | ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary… |
| CVE-2026-48282 | Critical | 10.0 | 2026-06-30 | ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability… |
| CVE-2026-48281 | Critical | 10.0 | 2026-06-30 | ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the… |
| CVE-2026-48277 | Critical | 10.0 | 2026-06-30 | ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the… |
| CVE-2026-48276 | Critical | 10.0 | 2026-06-30 | ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary… |
| CVE-2026-53576 | Critical | 10.0 | 2026-06-26 | Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter for the REST API (@Filter("/api/v1/**")) t… |
| CVE-2026-49869 | Critical | 10.0 | 2026-06-26 | Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath().endsWith("… |
| CVE-2026-54350 | Critical | 10.0 | 2026-06-26 | Budibase is an open-source low-code platform. Prior to 3.39.12, an unauthenticated visitor of any published Budibase app reads every document of the backing M… |
| CVE-2026-57700 | Critical | 10.0 | 2026-06-25 | Unrestricted Upload of File with Dangerous Type vulnerability in Daan.Dev OMGF Pro allows Using Malicious Files. This issue affects OMGF Pro: from n/a through… |
| CVE-2026-54917 | Critical | 10.0 | 2026-06-25 | SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the S3 API gateway and the Iceberg REST cat… |
| CVE-2026-52813 | Critical | 10.0 | 2026-06-24 | Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization names containing path traversal sequences (../) are accepted by Gogs, and reposit… |
| CVE-2026-12848 | Critical | 10.0 | 2026-06-24 | GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485. DVRSearch is a service running by d… |
| CVE-2026-12847 | Critical | 10.0 | 2026-06-24 | GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485. DVRSearch is a service running by d… |
| CVE-2026-12846 | Critical | 10.0 | 2026-06-24 | GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485. DVRSearch is a service running by d… |
| CVE-2026-12485 | Critical | 10.0 | 2026-06-24 | GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485. DVRSearch is a service running by d… |
| CVE-2026-53622 | Critical | 10.0 | 2026-06-23 | Traefik is an HTTP reverse proxy and load balancer. Prior to 3.7.3, there is a critical vulnerability in Traefik's HTTP/3 (QUIC) TLS configuration selection th… |