Total CVEs
2772
last 14 days
Avg Priority
33.0
of max 220
KEV
3
actively exploited
POC
375
public exploits
Unpatched
716
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-5281
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co
109
CVE-2026-3502
TrueConf Client downloads application update code and applies it without performing verification. An
Priority Distribution
| Priority | CVE |
|---|---|
| 27 |
CVE-2026-31353
An authenticated stored cross-site scripting (XSS) vulnerability in the Category
|
| 27 |
CVE-2026-39607
Missing Authorization vulnerability in Wpbens Filter Plus filter-plus allows Exp
|
| 27 |
CVE-2026-4364
IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify
|
| 27 |
CVE-2026-31354
Multiple authenticated stored cross-site scripting (XSS) vulnerabilities in the
|
| 27 |
CVE-2026-34777
### Impact
When an iframe requests `fullscreen`, `pointerLock`, `keyboardLock`,
|
| 27 |
CVE-2026-3191
The Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery
|
| 27 |
CVE-2026-39710
Cross-Site Request Forgery (CSRF) vulnerability in stmcan RT-Theme 18 | Extensio
|
| 27 |
CVE-2026-39603
Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Photography
|
| 27 |
CVE-2026-39635
Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Magazine gra
|
| 27 |
CVE-2026-32893
Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, a Reflected Cr
|
| 27 |
CVE-2026-33406
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level
|
| 27 |
CVE-2026-35207
dde-control-center is the control panel of DDE, the Deepin Desktop Environment.
|
| 27 |
CVE-2026-21011
Incorrect privilege assignment in Bluetooth in Maintenance mode prior to SMR Apr
|
| 27 |
CVE-2026-40112
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the Flask API endpoin
|
| 27 |
CVE-2026-4332
GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 bef
|
| 27 |
CVE-2026-33119
User interface (ui) misrepresentation of critical information in Microsoft Edge
|
| 27 |
CVE-2026-31153
A stored cross-site scripting (XSS) vulnerability in Bynder v0.1.394 allows atta
|
| 27 |
CVE-2026-35602
## Summary
The Vikunja file import endpoint uses the attacker-controlled `Size`
|
| 27 |
CVE-2026-34753
### Summary
A Server Side Request Forgery (SSRF) vulnerability in `download_byt
|
| 27 |
CVE-2026-0811
The Advanced Contact form 7 DB plugin for WordPress is vulnerable to Cross-Site
|
| 27 |
CVE-2026-35600
## Summary
Task titles are embedded directly into Markdown link syntax in overd
|
| 27 |
CVE-2026-5528
A security vulnerability has been detected in MoussaabBadla code-screenshot-mcp
|
| 27 |
CVE-2026-3646
The LTL Freight Quotes - R+L Carriers Edition plugin for WordPress is vulnerable
|
| 27 |
CVE-2026-4664
The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to authe
|
| 27 |
CVE-2026-3594
The Riaxe Product Customizer plugin for WordPress is vulnerable to Sensitive Inf
|
| 27 |
CVE-2026-29135
SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to craft
|
| 27 |
CVE-2026-29137
SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to hide s
|
| 27 |
CVE-2026-29133
SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to upload
|
| 27 |
CVE-2026-35038
Signal K Server is a server application that runs on a central hub in a boat. Pr
|
| 27 |
CVE-2026-29134
SEPPmail Secure Email Gateway before version 15.0.3 allows an external user to m
|
| 27 |
CVE-2026-39941
ChurchCRM is an open-source church management system. Prior to 7.1.0, an XSS vul
|
| 27 |
CVE-2026-34523
### Summary
A path traversal vulnerability in the static file route handler all
|
| 27 |
CVE-2025-14938
The Listeo Core plugin for WordPress is vulnerable to unauthenticated arbitrary
|
| 27 |
CVE-2026-3691
OpenClaw Client PKCE Verifier Information Disclosure Vulnerability. This vulnera
|
| 27 |
CVE-2026-5167
The Masteriyo LMS - Online Course Builder for eLearning, LMS & Education plugin
|
| 27 |
CVE-2026-33995
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to versio
|
| 27 |
CVE-2026-35483
text-generation-webui is an open-source web interface for running Large Language
|
| 27 |
CVE-2026-35487
text-generation-webui is an open-source web interface for running Large Language
|
| 27 |
CVE-2026-35484
text-generation-webui is an open-source web interface for running Large Language
|
| 27 |
CVE-2026-34736
Open edX Platform enables the authoring and delivery of online learning at any s
|
| 27 |
CVE-2026-34425
OpenClaw versions prior to commit 8aceaf5 contain a preflight validation bypass
|
| 27 |
CVE-2026-32921
OpenClaw before 2026.3.8 contains an approval bypass vulnerability in system.run
|
| 27 |
CVE-2026-30878
baserCMS is a website development framework. Prior to version 5.2.3, a public ma
|
| 27 |
CVE-2026-39400
Cronicle is a multi-server task scheduler and runner, with a web based front-end
|
| 27 |
CVE-2026-35608
QuickDrop is an easy-to-use file sharing application. Prior to 1.5.3, a stored X
|
| 27 |
CVE-2026-35390
Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior
|
| 27 |
CVE-2026-32243
Discourse is an open-source discussion platform. From versions 2026.1.0-latest t
|
| 27 |
CVE-2026-34574
Parse Server is an open source backend that can be deployed to any infrastructur
|
| 27 |
CVE-2026-34732
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AV
|
| 27 |
CVE-2026-34595
Parse Server is an open source backend that can be deployed to any infrastructur
|
| 27 |
CVE-2026-33455
Livestatus injection in the monitoring quicksearch in Checkmk <2.5.0b4 allows an
|
| 27 |
CVE-2026-33300
Discourse is an open-source discussion platform. From versions 2026.1.0-latest t
|
| 27 |
CVE-2026-33457
Livestatus injection in the prediction graph page in Checkmk <2.5.0b4, <2.4.0p26
|
| 27 |
CVE-2026-32143
Discourse is an open-source discussion platform. From versions 2026.1.0-latest t
|
| 27 |
CVE-2026-32620
Discourse is an open-source discussion platform. From versions 2026.1.0-latest t
|
| 27 |
CVE-2026-5762
Allocation of resources without limits or throttling vulnerability in Wikimedia
|
| 27 |
CVE-2026-34826
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, a
|
| 27 |
CVE-2026-35468
nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake pro
|
| 27 |
CVE-2026-34979
OpenPrinting CUPS is an open source printing system for Linux and other Unix-lik
|
| 27 |
CVE-2026-34230
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, a
|
| 27 |
CVE-2026-35583
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the config
|
| 27 |
CVE-2026-35578
ChurchCRM is an open-source church management system. Prior to 7.0.0, it was pos
|
| 27 |
CVE-2026-39360
RustFS is a distributed object storage system built in Rust. Prior to alpha.90,
|
| 27 |
CVE-2026-39401
Cronicle is a multi-server task scheduler and runner, with a web based front-end
|
| 27 |
CVE-2026-32615
Discourse is an open-source discussion platform. From versions 2026.1.0-latest t
|
| 27 |
CVE-2026-33185
Discourse is an open-source discussion platform. From versions 2026.1.0-latest t
|
| 27 |
CVE-2026-35023
Wimi Teamwork On-Premises versions prior to 8.2.0 contain an insecure direct obj
|
| 27 |
CVE-2026-39346
OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to
|
| 27 |
CVE-2026-35606
File Browser is a file managing interface for uploading, deleting, previewing, r
|
| 27 |
CVE-2026-39348
OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to
|
| 27 |
CVE-2026-24096
Insufficient permission validation on multiple REST API Quick Setup endpoints in
|
| 27 |
CVE-2026-2263
The Hustle - Email Marketing, Lead Generation, Optins, Popups plugin for WordPre
|
| 27 |
CVE-2026-32990
Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fi
|
| 27 |
CVE-2026-26895
User enumeration vulnerability in /pwreset.php in osTicket v1.18.2 allows remote
|
| 27 |
CVE-2026-39381
Parse Server is an open source backend that can be deployed to any infrastructur
|
| 27 |
CVE-2026-1879
A vulnerability was detected in Harvard University IQSS Dataverse up to 6.8. Thi
|
| 27 |
CVE-2026-39373
JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography.
|
| 27 |
CVE-2026-25043
Budibase is an open-source low-code platform. Prior to version 3.23.25, a busine
|
| 27 |
CVE-2026-34372
### Impact
A user which has permission for the Sulu Admin via atleast one role
|
| 27 |
CVE-2026-4299
The MainWP Child Reports plugin for WordPress is vulnerable to Missing Authoriza
|
| 27 |
CVE-2025-14944
The Backup Migration plugin for WordPress is vulnerable to Missing Authorization
|
| 27 |
CVE-2026-4654
The Awesome Support - WordPress HelpDesk & Support Plugin plugin for WordPress i
|
| 27 |
CVE-2026-35542
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remot
|
| 27 |
CVE-2026-35544
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insuffici
|
| 27 |
CVE-2026-2862
IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify
|
| 27 |
CVE-2026-35543
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remot
|
| 27 |
CVE-2026-4325
A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value st
|
| 27 |
CVE-2026-5538
A vulnerability was detected in QingdaoU OnlineJudge up to 1.6.1. Affected by th
|
| 27 |
CVE-2026-1491
IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify
|
| 27 |
CVE-2026-35545
An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remot
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 730d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2298d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2111d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1725d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2228d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4976d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1196d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 998d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3753d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 900d |