Skip to main content

Security Dashboard

7d 14d 30d 90d
Total CVEs
2374
last 14 days
Avg Priority
26.2
of max 220
KEV
7
actively exploited
POC
137
public exploits
Unpatched
389
CRIT/HIGH without patch
How is Priority Score calculated?

Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:

KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low 40-80 Medium 80-120 High 120+ Critical

Patch Now — Known Exploited Vulnerabilities

126
CVE-2026-41091
Improper link resolution before file access ('link following') in Microsoft Defender allows an autho
HIGH
120
CVE-2026-48172
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exp
CRITICAL
117
CVE-2026-8398
A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows v
CRITICAL
116
CVE-2026-48027
Nx Console is the user interface for Nx & Lerna. On 19 May 2026, a malicious version of Nx Console,
CRITICAL
108
CVE-2026-9082
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability i
MEDIUM
92
CVE-2026-45498
Microsoft Defender Denial of Service Vulnerability
MEDIUM
89
CVE-2026-34926
A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authentica
MEDIUM

Priority Distribution

CRITICAL HIGH MEDIUM LOW KEV Only POC Only Unpatched CRIT/HIGH
Priority CVE
16 CVE-2026-49009
Northern.tech Mender Server v4.1.0, v4.0.1 and below, and fixed in v4.1.1 and v4
16 CVE-2026-7836
In Netatalk 2.0.0 through 4.4.2, hextoint macro uppercase bug. Fixed in 4.5.0.
16 CVE-2026-44057
A dead bounds check in the Spotlight RPC unmarshaller in Netatalk 3.0.0 through
16 CVE-2026-4053
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enforce the Po
16 CVE-2026-39967
TypeBot is a chatbot builder tool. In versions 3.15.2 and prior, the bot engine'
16 CVE-2026-6334
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enforce client
16 CVE-2026-4286
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to check if {{tea
16 CVE-2026-45739
## Summary Strawberry's bundled GraphiQL template wrote values from the GraphiQ
15 CVE-2026-44072
In Netatalk 2.2.1 through 4.4.2, system() after failed chdir(). Fixed in 4.5.0.
14 CVE-2026-41963
Stack overflow vulnerability in the media platform. Impact: Successful exploitat
14 CVE-2026-8492
Modification of Assumed-Immutable Data (MAID) vulnerability in Drupal Translate
12 CVE-2025-68710
Easyelife App lock (aka Fingerprint,Applock or locker.app.safe.applocker) 1.9.2
12 CVE-2025-68711
AppLockZ App Lock and Fingerprint Lock (applock.passwordfingerprint.applockz) 4.
12 CVE-2025-68708
SailingLab AppLock (aka com.alpha.applock) 4.3.8 for Android allows a local atta
12 CVE-2026-47090
Claude HUD through 0.0.12, patched in commit 234d9aa, constructs OSC 8 terminal
12 CVE-2026-47068
Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital
12 CVE-2026-5222
Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party regis
12 CVE-2026-7882
Concrete CMS 9.5.0 and below is vulnerable to unauthorized file deletion due to
12 CVE-2026-8432
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) a
12 CVE-2026-8412
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) a
12 CVE-2026-8434
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) a
12 CVE-2026-8414
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) a
12 CVE-2026-8433
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) a
12 CVE-2026-8409
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) a
12 CVE-2026-8410
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) a
12 CVE-2026-8416
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) a
12 CVE-2026-8413
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) a
12 CVE-2026-8340
Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVers
12 CVE-2026-8411
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) a
12 CVE-2026-8427
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) a
12 CVE-2026-8415
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) a
12 CVE-2026-25608
STER uses unencrypted TCP traffic to transmit data over the network. It allows a
12 CVE-2026-7886
Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage v
12 CVE-2026-8435
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) a
12 CVE-2026-45570
### Impact `go-git`'s SSH transport constructs the remote exec command by wrapp
12 CVE-2026-7887
For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses
11 CVE-2026-9581
A vulnerability was identified in JeecgBoot up to 3.9.1. The impacted element is
11 CVE-2026-8769
A vulnerability was determined in vercel ai up to 3.0.97. The impacted element i
11 CVE-2026-47099
TeleJSON prior to 6.0.0 contains a DOM-based cross-site scripting vulnerability
11 CVE-2026-45232
Rsync versions before 3.4.3 contain an off-by-one out-of-bounds stack write vuln
10 CVE-2026-7890
In Concrete CMS 9.5.0 and below, the RSS Displayer block accepts a feed URL from
10 CVE-2026-45244
Summarize prior to 0.15.1 contains a missing authorization vulnerability that al
10 CVE-2026-34154
Discourse is an open-source discussion platform. In versions prior to 2026.1.4,
10 CVE-2026-8139
Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via external-link page
10 CVE-2026-8773
A security vulnerability has been detected in linlinjava litemall up to 1.8.0. A
10 CVE-2026-9609
A vulnerability was identified in QianFox FoxCMS up to 1.2.6. This affects the f
10 CVE-2026-8656
Versions of the package jsondiffpatch before 0.7.6 are vulnerable to Cross-site
10 CVE-2026-9357
A vulnerability was found in vBulletin 6.x. This impacts an unknown function of
10 CVE-2026-8772
A weakness has been identified in linlinjava litemall up to 1.8.0. Affected is a
10 CVE-2025-52532
A race condition in the MxGPU-Virtualization driver’s ioctl path caused by concu
10 CVE-2026-47713
AnythingLLM is an application that turns pieces of content into context that any
10 CVE-2026-45403
AnythingLLM is an application that turns pieces of content into context that any
10 CVE-2026-46549
### Summary The OAuth token strategy attached `oauth_scope` and `oauth_granted_
10 CVE-2026-9608
A vulnerability was determined in QianFox FoxCMS up to 1.2.6. The impacted eleme
9 CVE-2025-71310
The GDPR cookies module for Backdrop CMS (before 1.x-1.3.5) doesn't sufficient
9 CVE-2026-0428
Insufficient parameter sanitization in TEE SOC Driver could allow an attacker to
9 CVE-2025-66660
Insufficient parameter sanitization in TEE SOC Driver could allow an attacker to
9 CVE-2025-14575
An Uncontrolled Search Path Element vulnerability in the OpenSSL TLS backend of
8 CVE-2026-7860
A possible information disclosure vulnerability exists in the Vaadin Maven plugi
6 CVE-2026-9828
Deserialization of untrusted data vulnerability in QOS.CH Sarl logback logback-c
0 CVE-2026-33637
## Summary `Faraday::Connection#build_exclusive_url` still allows protocol-rela
0 CVE-2026-45133
### Description `Symfony\Component\Yaml\Parser` is the entry point for parsing
0 CVE-2026-46553
### Summary The upload-by-URL path did not enforce `NC_ATTACHMENT_FIELD_SIZE` ag
0 CVE-2026-45305
### Description `Symfony\Component\Yaml\Parser::cleanup()` strips the optional
0 CVE-2026-46554
### Summary Deleted API tokens continued to authenticate requests until their ca
0 CVE-2026-46668
### Impact Users are impacted if: - They have a caveat structure with a nested
0 CVE-2026-46629
### Description `IntlExtension` memoises every `\IntlDateFormatter` and `\Numbe
0 CVE-2026-46342
### Summary The `/__nuxt_island/*` endpoint accepts attacker-controlled `props`
0 CVE-2026-46635
### Description The `column` filter passes its input straight to PHP's native `
0 CVE-2026-8353
Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in t
0 CVE-2026-8347
Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level i
0 CVE-2026-45753
### Description `symfony/html-sanitizer` lets applications sanitise untrusted H
0 CVE-2026-45756
### Description The `JsonPath` component's `match()` and `search()` filter func
0 CVE-2026-46644
### Description `symfony/polyfill-intl-idn` provides a userland implementation
0 CVE-2026-46497
## Overview - **Vulnerability type:** Blind SSRF - **Affected components:** `sr
0 CVE-2026-45287
### Summary `go.opentelemetry.io/otel/schema/v1.0` and `go.opentelemetry.io/ote
0 CVE-2026-46628
### Description The `spaceless` filter is registered with `is_safe => ['html']`
0 CVE-2026-45072
### Description Symfony's profiler, a development only debug UI, renders source
0 CVE-2026-46637
### Description Several filters in the `twig/*` extras packages are registered
0 CVE-2026-45071
### Description `symfony/dom-crawler` provides the `Crawler` class for navigati
0 CVE-2026-45304
### Description `Symfony\Component\Yaml\Parser` resolves YAML aliases (`*anchor

Oldest Unpatched Critical/High CVEs

CVE Severity CVSS Priority Days Open
CVE-2024-3400 CRITICAL 10.0 224 776d
CVE-2019-19781 CRITICAL 9.8 223 2344d
CVE-2020-5902 CRITICAL 9.8 223 2157d
CVE-2021-35464 CRITICAL 9.8 223 1771d
CVE-2020-10189 CRITICAL 9.8 223 2274d
CVE-2012-4681 CRITICAL 9.8 223 5021d
CVE-2022-42475 CRITICAL 9.8 223 1242d
CVE-2023-3519 CRITICAL 9.8 223 1044d
CVE-2015-7450 CRITICAL 9.8 222 3798d
CVE-2023-34048 CRITICAL 9.8 222 946d
Prev 2 / 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy