Total CVEs
2441
last 14 days
Avg Priority
26.4
of max 220
KEV
7
actively exploited
POC
134
public exploits
Unpatched
359
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
126
CVE-2026-41091
Improper link resolution before file access ('link following') in Microsoft Defender allows an autho
120
CVE-2026-48172
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exp
117
CVE-2026-8398
A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows v
116
CVE-2026-48027
Nx Console is the user interface for Nx & Lerna. On 19 May 2026, a malicious version of Nx Console,
108
CVE-2026-9082
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability i
92
CVE-2026-45498
Microsoft Defender Denial of Service Vulnerability
89
CVE-2026-34926
A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authentica
Priority Distribution
| Priority | CVE |
|---|---|
| 126 |
CVE-2026-41091
Improper link resolution before file access ('link following') in Microsoft Defe
|
| 120 |
CVE-2026-48172
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possi
|
| 117 |
CVE-2026-8398
A supply chain attack compromised the official installation packages of DAEMON T
|
| 116 |
CVE-2026-48027
Nx Console is the user interface for Nx & Lerna. On 19 May 2026, a malicious ver
|
| 108 |
CVE-2026-9082
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injecti
|
| 92 |
CVE-2026-45498
Microsoft Defender Denial of Service Vulnerability
|
| 89 |
CVE-2026-34926
A directory traversal vulnerability in the Apex One (on-premise) server could al
|
| 69 |
CVE-2026-31072
The JSONSerializer and CBORSerializer in APScheduler (all versions including 3.1
|
| 67 |
CVE-2026-41948
Dify version 1.14.1 and prior contain a path traversal vulnerability that allows
|
| 67 |
CVE-2026-41947
Dify version 1.14.1 and prior contains an authorization bypass vulnerability tha
|
| 66 |
CVE-2026-24444
SDMC NE6037 cable modem routers running firmware 7.1.6.0.25 and 7.1.6.1.9_B9 con
|
| 66 |
CVE-2026-31071
API endpoints in LalanaChami Pharmacy Management System (commit 5c3d028) lack au
|
| 64 |
CVE-2026-3220
The Autoptimize WordPress plugin before 3.1.15, Clearfy Cache WordPress plugin
|
| 64 |
CVE-2026-43634
HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that
|
| 63 |
CVE-2026-6379
The WP Photo Album Plus WordPress plugin before 9.1.11.001 does not properly san
|
| 63 |
CVE-2026-7862
The Eupago Gateway For Woocommerce WordPress plugin before 4.7.2 does not proper
|
| 63 |
CVE-2026-47114
IINA before 1.4.3 contains a user-assisted command execution vulnerability that
|
| 62 |
CVE-2026-45369
python-utcp is the python implementation of UTCP. Prior to 1.1.3, the _substitut
|
| 61 |
CVE-2026-41949
Dify version 1.14.1 and prior contain an authorization bypass vulnerability in t
|
| 61 |
CVE-2026-41470
LIVE555 before 2026.04.22 contains an authorization bypass vulnerability in RTSP
|
| 59 |
CVE-2026-45370
python-utcp is the python implementation of UTCP. Prior to 1.1.3, _prepare_envir
|
| 58 |
CVE-2026-6381
The WP Maps WordPress plugin before 4.9.3 does not properly sanitize a paramete
|
| 58 |
CVE-2025-15609
The Fortis for WooCommerce WordPress plugin before 1.3.1 may leak sensitive API
|
| 57 |
CVE-2026-9345
A vulnerability was detected in Edimax EW-7438RPn up to 1.31. This affects the f
|
| 57 |
CVE-2026-9346
A flaw has been found in Edimax EW-7438RPn up to 1.31. This impacts the function
|
| 57 |
CVE-2026-8776
A vulnerability has been found in Edimax BR-6428NS 1.10. This vulnerability affe
|
| 57 |
CVE-2026-9348
A vulnerability was found in Edimax EW-7438RPn up to 1.31. Affected by this vuln
|
| 57 |
CVE-2026-9360
A security flaw has been discovered in Edimax EW-7438RPn 1.28a. Affected by this
|
| 57 |
CVE-2026-8775
A flaw has been found in Edimax BR-6428NS 1.10. This affects the function formL2
|
| 57 |
CVE-2026-9344
A security vulnerability has been detected in Edimax EW-7438RPn up to 1.31. The
|
| 57 |
CVE-2026-9295
A security flaw has been discovered in Edimax BR-6428NS 1.10. This affects the f
|
| 57 |
CVE-2026-9294
A vulnerability was identified in Edimax BR-6428NS 1.10. The impacted element is
|
| 57 |
CVE-2026-8764
A security vulnerability has been detected in H3C Magic B3 up to 100R002. This a
|
| 56 |
CVE-2025-70103
Heap buffer overflow vulnerability in libjxl 0.12.0 via crafted PBM images to th
|
| 56 |
CVE-2026-31266
Craft CMS 5.9.5 and earlier contains a Missing Authorization vulnerability in th
|
| 56 |
CVE-2026-6495
The Ajax Load More WordPress plugin before 7.8.4 does not sanitise and escape a
|
| 56 |
CVE-2026-46333
In the Linux kernel, the following vulnerability has been resolved:
ptrace: sli
|
| 54 |
CVE-2026-8603
In ScadaBR version 1.2.0, an OS Command Injection vulnerability could allow an a
|
| 54 |
CVE-2026-8602
In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnera
|
| 54 |
CVE-2026-33741
EspoCRM is an open source customer relationship management application. Versions
|
| 53 |
CVE-2026-8604
In ScadaBR version 1.2.0, a CSRF vulnerability could allow an attacker to trigge
|
| 52 |
CVE-2026-41141
EspoCRM is an open source customer relationship management application. Prior to
|
| 51 |
CVE-2026-5776
The Email Encoder WordPress plugin before 2.4.7 does not escape email addresses
|
| 50 |
CVE-2026-41553
PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to
|
| 50 |
CVE-2026-8054
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injecti
|
| 50 |
CVE-2026-2031
An Improper Access Control vulnerability in several internal API endpoints for G
|
| 50 |
CVE-2026-40412
Unrestricted upload of file with dangerous type in Azure Orbital Spatio allows a
|
| 50 |
CVE-2026-41104
Deserialization of untrusted data in Microsoft Planetary Computer Pro allows an
|
| 50 |
CVE-2026-34234
CtrlPanel is open-source billing software for hosting providers. In versions 1.1
|
| 50 |
CVE-2026-45829
A pre-authentication, code injection vulnerability in version 1.0.0 or later of
|
| 50 |
CVE-2026-42822
Improper authentication in Azure Local Disconnected Operations allows an unautho
|
| 50 |
CVE-2026-23652
Improper neutralization of special elements used in a command ('command injectio
|
| 50 |
CVE-2026-9152
A missing authentication vulnerability exists in the Altium 365 SearchService. A
|
| 50 |
CVE-2026-47280
Improper authentication in Azure Resource Manager (ARM) allows an unauthorized a
|
| 50 |
CVE-2026-45444
Unrestricted Upload of File with Dangerous Type vulnerability in WP Swings Gift
|
| 50 |
CVE-2026-42901
Origin validation error in Microsoft Entra ID allows an unauthorized attacker to
|
| 50 |
CVE-2026-46595
Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server
|
| 50 |
CVE-2026-34909
A malicious actor with access to the network could exploit a Path Traversal vuln
|
| 50 |
CVE-2026-34908
A malicious actor with access to the network could exploit an Improper Access Co
|
| 50 |
CVE-2026-33712
Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the preview cha
|
| 50 |
CVE-2026-20223
A vulnerability in the access validation of internal REST APIs of Cisco Sec
|
| 50 |
CVE-2026-46412
## Summary
Between 2026-05-11 20:19 UTC and 22:56 UTC, an attacker used a compr
|
| 50 |
CVE-2026-46695
#### Summary
Boxlite is a sandbox service that allows users to create lightweig
|
| 50 |
CVE-2026-34910
A malicious actor with access to the network could exploit an Improper Input Val
|
| 50 |
CVE-2026-46339
## Summary
9router exposes two unauthenticated API endpoints that, when chained
|
| 50 |
CVE-2026-27130
Dokploy is a free, self-hostable Platform as a Service (PaaS). Versions 0.26.6 a
|
| 50 |
CVE-2026-44050
In Netatalk 2.0.0 through 4.4.2, heap buffer overflow in cnid daemon comm_rcv().
|
| 50 |
CVE-2026-40411
Improper input validation in Azure Virtual Network Gateway allows an authorized
|
| 50 |
CVE-2026-42757
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') v
|
| 50 |
CVE-2026-42748
Unrestricted Upload of File with Dangerous Type vulnerability in WPify WPify Woo
|
| 50 |
CVE-2026-42756
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') v
|
| 50 |
CVE-2026-46425
Budibase is an open-source low-code platform. Prior to 3.38.2, packages/worker/s
|
| 50 |
CVE-2026-45102
OneUptime is an open-source monitoring and observability platform. Prior to 10.0
|
| 50 |
CVE-2026-44450
Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the MCP server
|
| 50 |
CVE-2026-45625
## Summary
Arcane's huma-based REST API exposes nine endpoints under `/api/cust
|
| 50 |
CVE-2026-46716
## Summary
`nezha`'s dashboard supports two user roles: `RoleAdmin` (Role==0) a
|
| 50 |
CVE-2026-33642
Kitty is a cross-platform GPU based terminal. In versions 0.46.2 and below, the
|
| 49 |
CVE-2026-5229
The Form Notify plugin for WordPress is vulnerable to Authentication Bypass in v
|
| 49 |
CVE-2026-7304
SGLangs multimodal generation runtime is vulnerable to unauthenticated remote co
|
| 49 |
CVE-2026-6555
The ProSolution WP Client plugin for WordPress is vulnerable to Arbitrary File U
|
| 49 |
CVE-2026-44717
MCP Calculate Server is a mathematical calculation service based on MCP protocol
|
| 49 |
CVE-2026-44887
Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. Prior to
|
| 49 |
CVE-2026-7637
The Boost plugin for WordPress is vulnerable to PHP Object Injection in versions
|
| 49 |
CVE-2026-6279
The Avada Builder (fusion-builder) plugin for WordPress is vulnerable to Unauthe
|
| 49 |
CVE-2026-24207
NVIDIA Triton Inference Server contains a vulnerability where an attacker could
|
| 49 |
CVE-2026-7284
The Easy Elements for Elementor - Addons & Website Templates plugin for WordPres
|
| 49 |
CVE-2026-45434
Improper Authentication vulnerability in Apache OFBiz via Password-Change Logic
|
| 49 |
CVE-2026-4885
The Piotnet Addons for Elementor Pro plugin for WordPress is vulnerable to arbit
|
| 49 |
CVE-2026-44888
Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. Prior to
|
| 49 |
CVE-2026-8956
Integer overflow in the Networking: JAR component. This vulnerability was fixed
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 776d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2344d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2157d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1771d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2274d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 5021d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1242d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1044d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3798d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 946d |
1 / 28
Next