Total CVEs
2458
last 14 days
Avg Priority
26.4
of max 220
KEV
7
actively exploited
POC
136
public exploits
Unpatched
367
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
126
CVE-2026-41091
Improper link resolution before file access ('link following') in Microsoft Defender allows an autho
120
CVE-2026-48172
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exp
117
CVE-2026-8398
A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows v
116
CVE-2026-48027
Nx Console is the user interface for Nx & Lerna. On 19 May 2026, a malicious version of Nx Console,
108
CVE-2026-9082
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability i
92
CVE-2026-45498
Microsoft Defender Denial of Service Vulnerability
89
CVE-2026-34926
A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authentica
Priority Distribution
| Priority | CVE |
|---|---|
| 49 |
CVE-2026-7301
SGLangs multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0
|
| 49 |
CVE-2026-8362
A stack-based buffer overflow condition exists in WOSDefaultHttpModule.dll when
|
| 49 |
CVE-2026-42758
Incorrect Privilege Assignment vulnerability in Saleswonder Team: Tobias Webinar
|
| 49 |
CVE-2026-47323
Camel-CXF and Camel-Knative Message Header Injection via Missing Inbound Filteri
|
| 49 |
CVE-2026-31070
The LalanaChami Pharmacy Management System (commit 5c3d028) allows unauthenticat
|
| 49 |
CVE-2026-32253
Sunshine is a self-hosted game stream host for Moonlight. In versions prior to 2
|
| 49 |
CVE-2026-30118
scalar/astro v0.1.13 was discovered to contain a Server-Side Request Forgery (SS
|
| 49 |
CVE-2026-7385
The Decent Comments WordPress plugin before 3.0.2 does not restrict access to co
|
| 49 |
CVE-2026-30117
scalar/astro v0.1.13 was discovered to contain an arbitrary file upload vulnerab
|
| 49 |
CVE-2026-43493
In the Linux kernel, the following vulnerability has been resolved:
crypto: pcr
|
| 49 |
CVE-2026-8376
Perl versions through 5.43.10 have a heap buffer overflow when compiling regular
|
| 49 |
CVE-2026-48902
The password and username reset features created plain http links for https conn
|
| 49 |
CVE-2026-8495
Missing Authorization vulnerability in Drupal Date iCal allows Forceful Browsing
|
| 49 |
CVE-2026-48691
FastNetMon Community Edition through 1.2.9 contains an integer overflow in the B
|
| 49 |
CVE-2026-8507
Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl have out of bound (OOB) wr
|
| 49 |
CVE-2026-8721
Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwords with e
|
| 49 |
CVE-2026-36829
An authentication bypass vulnerability exists in the embedded HTTP server of Pan
|
| 49 |
CVE-2026-8363
A stack-based buffer overflow condition exists in WOSDeviceDropFolder.dll when p
|
| 49 |
CVE-2026-4883
The Piotnet Forms plugin for WordPress is vulnerable to arbitrary file upload du
|
| 49 |
CVE-2026-25879
# Security Vulnerability Report: Prompt to SQL Injection leading to RCE in lates
|
| 49 |
CVE-2026-6960
The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file upload
|
| 49 |
CVE-2026-38702
A command injection vulnerability exists in the Admin Access feature of InHand N
|
| 49 |
CVE-2026-45697
### Impact
- Unauthenticated users could submit crafted values into Hidden field
|
| 49 |
CVE-2026-5118
The Divi Form Builder plugin for WordPress is vulnerable to privilege escalation
|
| 49 |
CVE-2026-8364
Gladinet Triofox Cloud Server Agent Access Service (GladServerAgentService.exe)
|
| 49 |
CVE-2026-45695
## Summary
Kopia's HTTP server, when started with `--without-password `, accept
|
| 49 |
CVE-2026-8175
IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 Fix Pack 1 and IBM A
|
| 49 |
CVE-2026-46614
### Summary
The Fission router registers an internal-style route - `/fission-fu
|
| 49 |
CVE-2026-48689
FastNetMon Community Edition through 1.2.9 contains an off-by-one heap-based buf
|
| 49 |
CVE-2026-46562
# Remote Code Execution via Mission Database algorithm override
## Summary
The
|
| 49 |
CVE-2026-45039
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta
|
| 49 |
CVE-2026-8760
The Login with OTP plugin for WordPress is vulnerable to authentication bypass i
|
| 49 |
CVE-2026-38703
A command injection vulnerability exists in the ZeroTier VPN feature of InHand N
|
| 49 |
CVE-2025-71210
A vulnerability in the Trend Micro Apex One management console could allow a rem
|
| 49 |
CVE-2026-38707
A command injection vulnerability exists in the IPSec VPN feature of InHand Netw
|
| 49 |
CVE-2026-9642
There is a mitigation bypass / (incomplete fix) for CVE-2025-62582 (Unauthentica
|
| 49 |
CVE-2026-42731
Incorrect Privilege Assignment vulnerability in miniOrange miniorange otp verifi
|
| 49 |
CVE-2026-38704
A command injection vulnerability exists in the WireGuard VPN feature of InHand
|
| 49 |
CVE-2026-46670
### Summary
An unauthenticated SQL injection in the Bazar form-import path (`Fo
|
| 49 |
CVE-2025-12686
Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerabi
|
| 49 |
CVE-2026-48687
FastNetMon Community Edition through 1.2.9 contains an OS command injection vuln
|
| 49 |
CVE-2026-7524
IBM Langflow OSS 1.0.0 through 1.9.1 could allow remote code execution due to im
|
| 49 |
CVE-2026-48207
Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializ
|
| 49 |
CVE-2026-45288
## Summary
Marten's full-text search APIs interpolated the user-supplied `regCo
|
| 49 |
CVE-2025-71211
A vulnerability in the Trend Micro Apex One management console could allow a rem
|
| 49 |
CVE-2026-9367
A vulnerability was determined in NousResearch hermes-agent up to 5157f5427f1948
|
| 48 |
CVE-2026-2587
A critical Remote Code Execution (RCE) vulnerability was identified in the serve
|
| 48 |
CVE-2026-8511
Use after free in UI in Google Chrome prior to 148.0.7778.168 allowed a remote a
|
| 48 |
CVE-2026-8580
Use after free in Mojo in Google Chrome prior to 148.0.7778.168 allowed a remote
|
| 48 |
CVE-2026-8959
Sandbox escape due to incorrect boundary conditions in the Widget: Win32 compone
|
| 48 |
CVE-2026-39821
The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels t
|
| 48 |
CVE-2026-2611
In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin
|
| 48 |
CVE-2026-45311
### Summary
The `run_tests` tool executes `cargo test` in the workspace with `Ap
|
| 48 |
CVE-2026-45323
MeshCore Card provides MeshCore Lovelace card for Home Assistant. Prior to 0.3.3
|
| 48 |
CVE-2026-46703
#### Summary
Boxlite is a sandbox service that allows users to create lightweig
|
| 48 |
CVE-2026-45758
### Impact
On May 11, 2026 at approximately 6:00 PM Pacific, an attacker publis
|
| 48 |
CVE-2026-8670
Insufficient session expiration vulnerability in syslink software AG Avantra on
|
| 48 |
CVE-2026-8953
Sandbox escape due to use-after-free in the Disability Access APIs component. Th
|
| 48 |
CVE-2026-45374
### Summary
The `task_create` tool spawns durable sub-agents that inherit two i
|
| 48 |
CVE-2026-8467
Code Injection vulnerability in phenixdigital phoenix_storybook allows unauthent
|
| 48 |
CVE-2026-9351
A security flaw has been discovered in NousResearch hermes-agent up to 2026.4.16
|
| 48 |
CVE-2026-8759
A vulnerability was identified in xiandafu beetl up to 3.20.2. Affected is an un
|
| 48 |
CVE-2026-9368
A vulnerability was identified in NousResearch hermes-agent up to 2026.4.16. Thi
|
| 48 |
CVE-2026-8757
A vulnerability was found in adenhq hive up to 0.11.0. This affects the function
|
| 48 |
CVE-2026-46383
Microsoft APM is an open-source, community-driven dependency manager for AI agen
|
| 48 |
CVE-2026-8737
A weakness has been identified in Sanluan PublicCMS 5.202506.d. This issue affec
|
| 48 |
CVE-2026-9353
A security vulnerability has been detected in NousResearch hermes-agent up to 20
|
| 48 |
CVE-2026-9366
A vulnerability was found in NousResearch hermes-agent 2026.4.23. The impacted e
|
| 48 |
CVE-2026-9354
A vulnerability was detected in NousResearch hermes-agent up to 2026.4.16. The a
|
| 48 |
CVE-2026-9372
A flaw has been found in ItzCrazyKns Vane up to 1.12.1. This vulnerability affec
|
| 48 |
CVE-2026-8738
A security vulnerability has been detected in Sanluan PublicCMS 5.202506.d. Impa
|
| 48 |
CVE-2026-8758
A vulnerability was determined in Metasoft 美特软件 MetaCRM up to 6.4.0 Beta06. This
|
| 48 |
CVE-2026-9350
A vulnerability was identified in NousResearch hermes-agent up to 2026.4.16. Thi
|
| 48 |
CVE-2026-8725
A weakness has been identified in CoreWorxLab CAAL up to 1.6.0. The affected ele
|
| 48 |
CVE-2026-8751
A security flaw has been discovered in h2oai h2o-3 up to 7402. This affects the
|
| 48 |
CVE-2026-8750
A vulnerability was identified in h2oai h2o-3 up to 7402. Affected by this issue
|
| 48 |
CVE-2026-8785
A flaw has been found in projectworlds hospital-management-system-in-php 1.0. Af
|
| 48 |
CVE-2026-9355
A flaw has been found in SourceCodester Hospitals Patient Records Management Sys
|
| 48 |
CVE-2026-9352
A weakness has been identified in NousResearch hermes-agent up to 2026.4.23. Thi
|
| 48 |
CVE-2026-9349
A vulnerability was determined in calcom cal.diy up to 4.9.4. Affected by this i
|
| 48 |
CVE-2026-9356
A vulnerability has been found in SourceCodester Hospitals Patient Records Manag
|
| 48 |
CVE-2026-8739
A vulnerability was detected in Sanluan PublicCMS 5.202506.d. The affected eleme
|
| 48 |
CVE-2026-8752
A weakness has been identified in h2oai h2o-3 up to 7402. This vulnerability aff
|
| 48 |
CVE-2026-8734
A vulnerability was determined in Oinone Pamirs up to 7.2.0. Affected by this is
|
| 48 |
CVE-2026-9364
A flaw has been found in projectworlds Online Art Gallery Shop 1.0. Impacted is
|
| 48 |
CVE-2026-9580
A vulnerability was determined in JeecgBoot up to 3.9.1. The affected element is
|
| 48 |
CVE-2026-9584
A security vulnerability has been detected in code-projects Project Management S
|
| 48 |
CVE-2026-9603
A security vulnerability has been detected in SourceCodester eDoc Doctor Appoint
|
| 48 |
CVE-2026-9606
A vulnerability has been found in itsourcecode Courier Management System 1.0. Im
|
| 48 |
CVE-2026-43633
HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 776d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2344d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2157d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1771d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2274d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 5021d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1242d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1044d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3798d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 946d |