Total CVEs
2735
last 14 days
Avg Priority
33.0
of max 220
KEV
3
actively exploited
POC
356
public exploits
Unpatched
709
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-5281
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co
109
CVE-2026-3502
TrueConf Client downloads application update code and applies it without performing verification. An
Priority Distribution
| Priority | CVE |
|---|---|
| 44 |
CVE-2026-4326
The Vertex Addons for Elementor plugin for WordPress is vulnerable to Missing Au
|
| 44 |
CVE-2026-34572
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
|
| 44 |
CVE-2026-34570
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
|
| 44 |
CVE-2025-65115
Remote Code Execution Vulnerability in JP1/IT Desktop Management 2 - Manager on
|
| 44 |
CVE-2026-3357
IBM Langflow Desktop 1.6.0 through 1.8.2 Langflow could allow an authenticated u
|
| 44 |
CVE-2026-35168
OpenSTAManager is an open source management software for technical assistance an
|
| 44 |
CVE-2026-34197
Improper Input Validation, Improper Control of Generation of Code ('Code Injecti
|
| 44 |
CVE-2026-20433
In Modem, there is a possible out of bounds write due to a missing bounds check.
|
| 44 |
CVE-2025-59710
An issue was discovered in Biztalk360 before 11.5. Because of incorrect access c
|
| 44 |
CVE-2026-5465
The Booking for Appointments and Events Calendar - Amelia plugin for WordPress i
|
| 44 |
CVE-2026-5144
The BuddyPress Groupblog plugin for WordPress is vulnerable to Privilege Escalat
|
| 44 |
CVE-2026-3666
The wpForo Forum plugin for WordPress is vulnerable to arbitrary file deletion i
|
| 44 |
CVE-2026-39891
## Summary
Direct insertion of unescaped user input into template-rendering tool
|
| 44 |
CVE-2026-35567
ChurchCRM is an open-source church management system. Prior to 7.1.0, the NewRol
|
| 44 |
CVE-2026-28228
OpenOlat is an open source web-based e-learning platform for teaching, learning,
|
| 44 |
CVE-2026-24164
NVIDIA BioNeMo contains a vulnerability where a user could cause a deserializati
|
| 44 |
CVE-2026-39937
Improper removal of sensitive information before storage or transfer vulnerabili
|
| 44 |
CVE-2026-34184
Hydrosystem Control System does not enforce authorization for some directories.
|
| 44 |
CVE-2026-35044
## Summary
The Dockerfile generation function `generate_containerfile()` in `sr
|
| 44 |
CVE-2026-33510
Homarr is an open-source dashboard. Prior to 1.57.0, a DOM-based Cross-Site Scri
|
| 44 |
CVE-2025-10681
Storage credentials are hardcoded in the mobile app and device firmware. These c
|
| 44 |
CVE-2026-35610
PolarLearn is a free and open-source learning program. In 0-PRERELEASE-14 and ea
|
| 44 |
CVE-2026-5287
Use after free in PDF in Google Chrome prior to 146.0.7680.178 allowed a remote
|
| 44 |
CVE-2026-5279
Object corruption in V8 in Google Chrome prior to 146.0.7680.178 allowed a remot
|
| 44 |
CVE-2026-5286
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote
|
| 44 |
CVE-2026-5866
Use after free in Media in Google Chrome prior to 147.0.7727.55 allowed a remote
|
| 44 |
CVE-2026-4374
Improper Restriction of XML External Entity Reference vulnerability in RTI Conne
|
| 44 |
CVE-2026-5275
Heap buffer overflow in ANGLE in Google Chrome on Mac prior to 146.0.7680.178 al
|
| 44 |
CVE-2026-5909
Integer overflow in Media in Google Chrome prior to 147.0.7727.55 allowed a remo
|
| 44 |
CVE-2026-5910
Integer overflow in Media in Google Chrome prior to 147.0.7727.55 allowed a remo
|
| 44 |
CVE-2026-5274
Integer overflow in Codecs in Google Chrome prior to 146.0.7680.178 allowed a re
|
| 44 |
CVE-2026-5908
Integer overflow in Media in Google Chrome prior to 147.0.7727.55 allowed a remo
|
| 44 |
CVE-2026-5285
Use after free in WebGL in Google Chrome prior to 146.0.7680.178 allowed a remot
|
| 44 |
CVE-2026-5280
Use after free in WebCodecs in Google Chrome prior to 146.0.7680.178 allowed a r
|
| 44 |
CVE-2026-5278
Use after free in Web MIDI in Google Chrome on Android prior to 146.0.7680.178 a
|
| 44 |
CVE-2026-35182
Brave CMS is an open-source CMS. Prior to 2.0.6, this vulnerability is a missing
|
| 44 |
CVE-2026-5912
Integer overflow in WebRTC in Google Chrome prior to 147.0.7727.55 allowed a rem
|
| 44 |
CVE-2026-5292
Out of bounds read in WebCodecs in Google Chrome prior to 146.0.7680.178 allowed
|
| 44 |
CVE-2026-28805
## Description
Multiple AJAX select handlers in OpenSTAManager <= 2.10.1 are vu
|
| 44 |
CVE-2026-39317
ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL inje
|
| 44 |
CVE-2026-39330
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL inj
|
| 44 |
CVE-2026-39334
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL inj
|
| 44 |
CVE-2026-39326
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL inj
|
| 44 |
CVE-2026-39323
ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical
|
| 44 |
CVE-2026-35395
WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, WeGIA (Web g
|
| 44 |
CVE-2026-35470
## Description
Six `confronta_righe.php` files across different modules in Open
|
| 44 |
CVE-2026-39319
ChurchCRM is an open-source church management system. Prior to 7.1.0, a second o
|
| 44 |
CVE-2026-39318
ChurchCRM is an open-source church management system. Prior to 7.1.0, the GroupP
|
| 44 |
CVE-2026-39329
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL inj
|
| 44 |
CVE-2026-39327
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL inj
|
| 44 |
CVE-2026-33373
An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A Cross-Sit
|
| 44 |
CVE-2025-43219
The issue was addressed with improved memory handling. This issue is fixed in ma
|
| 44 |
CVE-2026-27314
Privilege escalation in Apache Cassandra 5.0 on an mTLS environment using Mutual
|
| 44 |
CVE-2025-43264
The issue was addressed with improved memory handling. This issue is fixed in ma
|
| 44 |
CVE-2026-5130
The Debugger & Troubleshooter plugin for WordPress was vulnerable to Unauthentic
|
| 44 |
CVE-2026-34955
### Summary
`SubprocessSandbox` in all modes (BASIC, STRICT, NETWORK_ISOLATED)
|
| 44 |
CVE-2026-33030
## Summary
Nginx-UI contains an Insecure Direct Object Reference (IDOR) vulnera
|
| 44 |
CVE-2026-3499
The Product Feed PRO for WooCommerce by AdTribes - Product Feeds for WooCommerce
|
| 44 |
CVE-2026-27018
### Impact
The fix introduced in version 8.1.0 for GHSA-rh2x-ccvw-q7r3 (CVE-202
|
| 44 |
CVE-2026-30460
Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote
|
| 44 |
CVE-2026-35093
A flaw was found in libinput. A local attacker who can place a specially crafted
|
| 44 |
CVE-2025-43202
This issue was addressed with improved memory handling. This issue is fixed in i
|
| 44 |
CVE-2026-21765
HCL BigFix Platform is affected by insecure permissions on private cryptographic
|
| 44 |
CVE-2026-5272
Heap buffer overflow in GPU in Google Chrome prior to 146.0.7680.178 allowed a r
|
| 44 |
CVE-2026-39621
Cross-Site Request Forgery (CSRF) vulnerability in spicethemes SpicePress spicep
|
| 44 |
CVE-2026-5914
Type Confusion in CSS in Google Chrome prior to 147.0.7727.55 allowed an attacke
|
| 44 |
CVE-2025-47392
Memory corruption when decoding corrupted satellite data files with invalid sign
|
| 44 |
CVE-2026-39962
MISP is an open source threat intelligence and sharing platform. Prior to 2.5.36
|
| 44 |
CVE-2026-39981
### Summary
The safe_join() function in the essential_abilities extension fails
|
| 44 |
CVE-2026-30478
A Dynamic-link Library Injection vulnerability in GatewayGeo MapServer for Windo
|
| 44 |
CVE-2026-23818
A vulnerability has been identified in the graphical user interface (GUI) of HPE
|
| 44 |
CVE-2026-35566
ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical
|
| 44 |
CVE-2026-33618
Chamilo LMS is a learning management system. Prior to .0.0-RC.3, the PlatformCon
|
| 44 |
CVE-2026-5732
Incorrect boundary conditions, integer overflow in the Graphics: Text component.
|
| 44 |
CVE-2026-3524
Mattermost Plugin Legal Hold versions <=1.1.4 fail to halt request processing af
|
| 44 |
CVE-2026-5733
Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerabil
|
| 44 |
CVE-2026-40217
LiteLLM through 2026-04-08 allows remote attackers to execute arbitrary code via
|
| 44 |
CVE-2026-35029
### Impact
The `/config/update endpoint` does not enforce admin role authorizat
|
| 44 |
CVE-2026-34791
Endian Firewall version 3.3.25 and prior allow authenticated users to execute ar
|
| 44 |
CVE-2026-34796
Endian Firewall version 3.3.25 and prior allow authenticated users to execute ar
|
| 44 |
CVE-2026-34797
Endian Firewall version 3.3.25 and prior allow authenticated users to execute ar
|
| 44 |
CVE-2026-34795
Endian Firewall version 3.3.25 and prior allow authenticated users to execute ar
|
| 44 |
CVE-2026-34794
Endian Firewall version 3.3.25 and prior allow authenticated users to execute ar
|
| 44 |
CVE-2026-34793
Endian Firewall version 3.3.25 and prior allow authenticated users to execute ar
|
| 44 |
CVE-2026-34792
Endian Firewall version 3.3.25 and prior allow authenticated users to execute ar
|
| 44 |
CVE-2026-4399
Prompt injection vulnerability in 1millionbot Millie chatbot that occurs when a
|
| 44 |
CVE-2026-5707
Unsanitized input in an OS command in the virtual desktop session name handling
|
| 44 |
CVE-2026-34079
Flatpak is a Linux application sandboxing and distribution framework. Prior to 1
|
| 44 |
CVE-2026-34728
### Summary
The `MediaBrowserController::index()` method handles file deletion f
|
| 44 |
CVE-2026-34723
Zammad is a web based open source helpdesk/customer support system. Prior to 7.0
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 730d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2298d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2111d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1725d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2228d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4975d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1196d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 998d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3752d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 900d |