Security Dashboard

7d 14d 30d 90d
Total CVEs
2734
last 14 days
Avg Priority
33.0
of max 220
KEV
3
actively exploited
POC
356
public exploits
Unpatched
709
CRIT/HIGH without patch
How is Priority Score calculated?

Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:

KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low 40-80 Medium 80-120 High 120+ Critical

Patch Now — Known Exploited Vulnerabilities

124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
CRITICAL
119
CVE-2026-5281
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co
HIGH
109
CVE-2026-3502
TrueConf Client downloads application update code and applies it without performing verification. An
HIGH

Priority Distribution

CRITICAL HIGH MEDIUM LOW KEV Only POC Only Unpatched CRIT/HIGH
Priority CVE
124 CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through
69 CVE-2026-2699
Customer Managed ShareFile Storage Zones Controller (SZC) allows an unauthentica
69 CVE-2026-34935
### Summary The `--mcp` CLI argument is passed directly to `shlex.split()` and
67 CVE-2026-23696
Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vul
67 CVE-2026-33579
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /
67 CVE-2026-29014
MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injec
67 CVE-2026-30562
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sa
66 CVE-2026-35022
Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection v
66 CVE-2026-22679
Weaver (Fanwei) E-cology 10.0 versions prior to 20260312 contain an unauthentica
66 CVE-2026-2701
Authenticated user can upload a malicious file to the server and execute it, whi
66 CVE-2026-39912
V2Board 1.6.1 through 1.7.4 and Xboard through 0.1.9 expose authentication token
57 CVE-2026-1579
The MAVLink communication protocol does not require cryptographic authenticatio
57 CVE-2025-13926
An attacker could use data obtained by sniffing the network traffic to forge pa
57 CVE-2026-3356
The MS27102A Remote Spectrum Monitor is vulnerable to an authentication bypass t
56 CVE-2025-14815
Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric
56 CVE-2025-14816
Cleartext Storage of Sensitive Information in GUI vulnerability in Mitsubishi El
55 CVE-2026-34156
`##` Summary NocoBase's Workflow Script Node executes user-supplied JavaScript
51 CVE-2026-4149
Sonos Era 300 SMB Response Out-Of-Bounds Access Remote Code Execution Vulnerabil
50 CVE-2026-39337
ChurchCRM is an open-source church management system. Prior to 7.1.0, critical p
50 CVE-2026-32871
## Technical Description The `OpenAPIProvider` in FastMCP exposes internal APIs
50 CVE-2025-15379
A command injection vulnerability exists in MLflow's model serving container ini
50 CVE-2026-5128
A sensitive information exposure vulnerability exists in ArthurFiorette steam-tr
50 CVE-2026-34938
### Summary `execute_code()` in `praisonai-agents` runs attacker-controlled Pyt
50 CVE-2026-34162
FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, the FastGPT
50 CVE-2026-32186
Microsoft Bing Elevation of Privilege Vulnerability
50 CVE-2026-34208
### Summary SandboxJS blocks direct assignment to global objects (for example `M
50 CVE-2025-54328
An issue was discovered in SMS in Samsung Mobile Processor, Wearable Processor,
50 CVE-2026-32213
Improper authorization in Azure AI Foundry allows an unauthorized attacker to el
50 CVE-2026-33107
Server-side request forgery (ssrf) in Azure Databricks allows an unauthorized at
50 CVE-2026-33105
Improper authorization in Microsoft Azure Kubernetes Service allows an unauthori
50 CVE-2026-4370
A vulnerability was identified in Juju from version 3.2.0 until 3.6.19 and from
50 CVE-2026-34976
The `restoreTenant` admin mutation is missing from the authorization middleware
50 CVE-2026-5058
aws-mcp-server Command Injection Remote Code Execution Vulnerability. This vulne
50 CVE-2026-5059
aws-mcp-server AWS CLI Command Injection Remote Code Execution Vulnerability. Th
50 CVE-2026-40175
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.
50 CVE-2026-34838
Group-Office is an enterprise customer relationship management and groupware too
50 CVE-2026-34612
Kestra is an open-source, event-driven orchestration platform. Prior to version
50 CVE-2026-34571
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
50 CVE-2026-34569
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
50 CVE-2026-25212
An issue was discovered in Percona PMM before 3.7. Because an internal database
50 CVE-2026-34717
OpenProject is an open-source, web-based project management software. Prior to v
50 CVE-2026-39355
Genealogy is a family tree PHP application. Prior to 5.9.1, a critical broken ac
50 CVE-2026-5412
In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in th
50 CVE-2026-39888
## Summary `execute_code()` in `praisonaiagents.tools.python_tools` defaults to
50 CVE-2026-40089
Sonicverse is a Self-hosted Docker Compose stack for live radio streaming. The S
49 CVE-2026-4003
The Users manager - PN plugin for WordPress is vulnerable to Privilege Escalatio
49 CVE-2026-39890
## Summary The `AgentService.loadAgentFromFile` method uses the `js-yaml` librar
49 CVE-2026-3535
The DSGVO Google Web Fonts GDPR plugin for WordPress is vulnerable to arbitrary
49 CVE-2026-3300
The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Executio
49 CVE-2026-4257
The Contact Form by Supsystic plugin for WordPress is vulnerable to Server-Side
49 CVE-2026-1830
The Quick Playground plugin for WordPress is vulnerable to Remote Code Execution
49 CVE-2026-20160
A vulnerability in Cisco Smart Software Manager On-Prem (SSM On-Prem) could allo
49 CVE-2026-30312
DSAI-Cline's command auto-approval module contains a critical OS command injecti
49 CVE-2026-30313
DSAI-Cline's command auto-approval module contains a critical OS command injecti
49 CVE-2026-31027
TOTOlink A3600R v5.9c.4959 contains a buffer overflow vulnerability in the setAp
49 CVE-2026-30311
Ridvay Code's command auto-approval module contains a critical OS command inject
49 CVE-2026-30305
Syntx's command auto-approval module contains a critical OS command injection vu
49 CVE-2026-30314
Ridvay Code's command auto-approval module contains a critical OS command inject
49 CVE-2026-30307
Roo Code's command auto-approval module contains a critical OS command injection
49 CVE-2026-34159
llama.cpp is an inference of several LLM models in C/C++. Prior to version b8492
49 CVE-2026-4631
Cockpit's remote login feature passes user-supplied hostnames and usernames from
49 CVE-2026-6057
FalkorDB Browser 1.9.3 contains an unauthenticated path traversal vulnerability
49 CVE-2026-0740
The Ninja Forms - File Uploads plugin for WordPress is vulnerable to arbitrary f
49 CVE-2026-30643
An issue was discovered in DedeCMS 5.7.118 allowing attackers to execute code vi
49 CVE-2026-33746
Convoy is a KVM server management panel for hosting businesses. From version 3.9
49 CVE-2026-34877
An issue was discovered in Mbed TLS versions from 2.19.0 up to 3.6.5, Mbed TLS 4
49 CVE-2026-35392
### Summary * PUT upload has no path sanitization | `httpserver/updown.go:20-69`
49 CVE-2026-35393
### Summary * POST multipart upload directory not sanitized | `httpserver/updown
49 CVE-2026-35471
### Summary * `deleteFile()` missing return after path traversal check | `httpse
49 CVE-2026-5121
A flaw was found in libarchive. On 32-bit systems, an integer overflow vulnerabi
49 CVE-2026-33032
### Summary The nginx-ui MCP (Model Context Protocol) integration exposes two HT
49 CVE-2026-34934
## Summary The `get_all_user_threads` function constructs raw SQL queries using
49 CVE-2026-1114
In parisneo/lollms version 2.1.0, the application's session management is vulner
49 CVE-2026-20911
A heap-based buffer overflow vulnerability exists in the HuffTable::initval func
49 CVE-2026-34875
An issue was discovered in Mbed TLS through 3.6.5 and TF-PSA-Crypto 1.0.0. A buf
49 CVE-2026-20889
A heap-based buffer overflow vulnerability exists in the x3f_thumb_loader functi
49 CVE-2026-21413
A heap-based buffer overflow vulnerability exists in the lossless_jpeg_load_raw
49 CVE-2026-31059
A remote command execution (RCE) vulnerability in the /goform/formDia component
49 CVE-2026-31271
megagao production_ssm v1.0 contains an authorization bypass vulnerability in th
49 CVE-2026-31946
OpenOlat is an open source web-based e-learning platform for teaching, learning,
49 CVE-2026-20093
A vulnerability in the change password functionality of Cisco Integrated Managem
49 CVE-2026-32714
SciTokens is a reference library for generating and using SciTokens. Prior to ve
49 CVE-2026-33816
Memory-safety vulnerability in github.com/jackc/pgx/v5.
49 CVE-2026-30079
In OpenAirInterface V2.2.0 AMF, Out of sequence messages causes incorrect state
49 CVE-2026-31272
MRCMS 3.1.2 contains an access control vulnerability. The save() method in src/m
49 CVE-2026-31040
A vulnerability was identified in stata-mcp prior to v1.13.0 where insufficient
49 CVE-2026-3296
The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in
49 CVE-2026-2287
CrewAI does not properly check that Docker is still running during runtime, and
49 CVE-2026-30283
An arbitrary file overwrite vulnerability in PEAKSEL D.O.O. NIS Animal Sounds an
49 CVE-2026-33815
Memory-safety vulnerability in github.com/jackc/pgx/v5.

Oldest Unpatched Critical/High CVEs

CVE Severity CVSS Priority Days Open
CVE-2024-3400 CRITICAL 10.0 224 730d
CVE-2019-19781 CRITICAL 9.8 223 2298d
CVE-2020-5902 CRITICAL 9.8 223 2111d
CVE-2021-35464 CRITICAL 9.8 223 1725d
CVE-2020-10189 CRITICAL 9.8 223 2228d
CVE-2012-4681 CRITICAL 9.8 223 4975d
CVE-2022-42475 CRITICAL 9.8 223 1196d
CVE-2023-3519 CRITICAL 9.8 223 998d
CVE-2015-7450 CRITICAL 9.8 222 3753d
CVE-2023-34048 CRITICAL 9.8 222 900d
1 / 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy