| Metric | Value | Note |
|---|---|---|
| Total CVEs | 2374 | last 14 days |
| Avg Priority | 26.2 | of max 220 |
| KEV | 7 | actively exploited |
| POC | 137 | public exploits |
| Unpatched | 389 | CRIT/HIGH without patch |
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) that combines several real-world threat signals. The four contributions below are summed, which gives the maximum of 220 (50 + 100 + 50 + 20):

| Signal | Contribution | Meaning |
|---|---|---|
| KEV | +50 | CISA Known Exploited Vulnerability: confirmed active exploitation in the wild |
| EPSS | x100 | Exploit Prediction Scoring System: probability of exploitation in the next 30 days (0-100) |
| CVSS | x5 | Common Vulnerability Scoring System: technical severity (0-50) |
| POC | +20 | Public exploit code exists, which lowers the barrier for attackers |

The resulting score is banded as follows:

| Score | Band |
|---|---|
| 0-40 | Low |
| 40-80 | Medium |
| 80-120 | High |
| 120+ | Critical |
Patch Now — Known Exploited Vulnerabilities
| Priority | CVE | Description |
|---|---|---|
| 126 | CVE-2026-41091 | Improper link resolution before file access ('link following') in Microsoft Defender allows an autho |
| 120 | CVE-2026-48172 | LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exp |
| 117 | CVE-2026-8398 | A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows v |
| 116 | CVE-2026-48027 | Nx Console is the user interface for Nx & Lerna. On 19 May 2026, a malicious version of Nx Console, |
| 108 | CVE-2026-9082 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability i |
| 92 | CVE-2026-45498 | Microsoft Defender Denial of Service Vulnerability |
| 89 | CVE-2026-34926 | A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authentica |
Priority Distribution
| Priority | CVE | Description |
|---|---|---|
| 34 | CVE-2026-46380 | A source code audit led to the discovery of three significant security vulnerabi |
| 33 | CVE-2026-34216 | CtrlPanel is open-source billing software for hosting providers. In versions 1.1 |
| 33 | CVE-2026-48919 | Jenkins Active Directory Plugin 2.41 and earlier deserializes data from LDAP ref |
| 33 | CVE-2026-41292 | NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degrada |
| 33 | CVE-2026-40622 | NLnet Labs Unbound 1.16.2 up to and including version 1.25.0 has a vulnerability |
| 33 | CVE-2026-48918 | Jenkins Active Directory Plugin 2.41 and earlier follows LDAP referrals by defau |
| 33 | CVE-2026-6366 | Improperly Controlled Modification of Dynamically-Determined Object Attributes v |
| 33 | CVE-2026-48916 | Jenkins LDAP Plugin 807.v7d7de30930cf and earlier follows LDAP referrals. |
| 33 | CVE-2026-48917 | Jenkins LDAP Plugin 807.v7d7de30930cf and earlier deserializes data from LDAP re |
| 33 | CVE-2026-6072 | The Oliver POS - A WooCommerce Point of Sale (POS) plugin for WordPress is vulne |
| 33 | CVE-2026-44054 | In Netatalk 2.0.0 through 4.4.2, predictable afpd session token. Fixed in 4.4.3. |
| 33 | CVE-2026-42827 | Improper neutralization of special elements used in a command ('command injectio |
| 33 | CVE-2026-42732 | Improper Validation of Specified Quantity in Input vulnerability in Ads by WPQua |
| 33 | CVE-2026-42744 | Improper Validation of Specified Quantity in Input vulnerability in Ads by WPQua |
| 33 | CVE-2026-4683 | The Smartcat Translator for WPML plugin for WordPress is vulnerable to unauthori |
| 33 | CVE-2026-39053 | Oinone Pamirs 7.0.0 contains an XML External Entity (XXE) issue in its XStream-b |
| 33 | CVE-2026-47273 | pam_usb provides hardware authentication for Linux using ordinary removable medi |
| 33 | CVE-2026-32739 | libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 a |
| 33 | CVE-2026-20240 | In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.11, and 9.3.12, and Splu |
| 33 | CVE-2026-39052 | Oinone Pamirs 7.0.0 contains a code execution vulnerability via ScriptRunner. Th |
| 33 | CVE-2026-6052 | IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to runnin |
| 33 | CVE-2026-6936 | IBM i 7.6, 7.5, 7.4, and 7.3 is vulnerable to a denial-of-service attack due to u |
| 33 | CVE-2026-32738 | libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 a |
| 33 | CVE-2026-42726 | Missing Authorization vulnerability in Strategy11 Team AWP Classifieds another-w |
| 33 | CVE-2026-42725 | Authorization Bypass Through User-Controlled Key vulnerability in WP Wham Checko |
| 33 | CVE-2026-41069 | libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 a |
| 33 | CVE-2026-31378 | Improper Input Validation vulnerability in Apache OFBiz. This issue affects Apa |
| 33 | CVE-2026-38930 | OpenRapid RapidCMS v1.3.1 was discovered to contain an authentication bypass in |
| 33 | CVE-2026-42750 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti |
| 33 | CVE-2026-48968 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti |
| 33 | CVE-2026-42751 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti |
| 33 | CVE-2026-27737 | BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.19, |
| 33 | CVE-2026-9149 | A flaw was found in libsolv. This heap buffer overflow vulnerability occurs when |
| 33 | CVE-2026-40102 | Plane is an open-source project management tool. In versions 1.3.0 and below, Sa |
| 33 | CVE-2026-48877 | Insertion of Sensitive Information Into Sent Data vulnerability in Tom GenerateB |
| 33 | CVE-2026-37979 | A flaw was found in Keycloak. This access control vulnerability in Keycloak's Op |
| 33 | CVE-2026-32814 | libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 a |
| 33 | CVE-2025-0898 | The Xpro Elementor Addons - Pro plugin for WordPress is vulnerable to Arbitrary |
| 33 | CVE-2026-9156 | Tanium addressed a denial of service vulnerability in Tanium Server. |
| 33 | CVE-2026-31380 | Improper Neutralization of Special Elements used in an Expression Language State |
| 33 | CVE-2026-35086 | Improper Control of Generation of Code ('Code Injection') vulnerability in email |
| 33 | CVE-2026-8951 | Spoofing issue in the Toolbar component in Firefox for Android. This vulnerabili |
| 33 | CVE-2026-9122 | Out of bounds read in GPU in Google Chrome on Mac prior to 148.0.7778.179 allowe |
| 33 | CVE-2026-20238 | In Splunk AI Toolkit versions below 5.7.3, a low-privileged user that does not h |
| 33 | CVE-2026-34233 | CtrlPanel is open-source billing software for hosting providers. In versions 1.1 |
| 33 | CVE-2026-3279 | The Enable jQuery Migrate Helper plugin for WordPress is vulnerable to unauthori |
| 33 | CVE-2026-8685 | The Infility Global plugin for WordPress is vulnerable to SQL Injection via the |
| 33 | CVE-2025-67437 | Medical Management System a81df1ce700a9662cb136b27af47f4cbde64156b is vulnerable |
| 33 | CVE-2026-2734 | In mlflow/mlflow versions up to 3.9.0, the `SearchModelVersions` REST API endpoi |
| 33 | CVE-2026-2340 | A flaw was found in Samba’s vfs_worm module. The module is intended to provide w |
| 33 | CVE-2026-6938 | IBM Db2 12.1.0 through 12.1.4 is vulnerable to authorization bypass when uploadi |
| 33 | CVE-2026-8487 | Incorrect default permissions vulnerability in Progress Software MOVEit Automati |
| 33 | CVE-2026-29207 | Improper Neutralization of Special Elements Used in a Template Engine vulnerabil |
| 33 | CVE-2026-29220 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') v |
| 33 | CVE-2026-8503 | Apache::Session::Generate::SHA256 versions before 1.3.19 for Perl create insecur |
| 33 | CVE-2026-8961 | Spoofing issue in the Form Autofill component. This vulnerability was fixed in F |
| 33 | CVE-2026-45187 | Improper Authorization vulnerability in Apache OFBiz Webtools. This issue affec |
| 33 | CVE-2026-47672 | epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrast |
| 33 | CVE-2026-8706 | Firefox for iOS hosted Reader mode on an unauthenticated local web server, allow |
| 33 | CVE-2026-44923 | SQL injection in InfoScale VIOM before v9.1.3 allows remote attackers to escalat |
| 33 | CVE-2026-45254 | In the case of the cap_net service, when a key present in the old limit was omit |
| 33 | CVE-2026-28733 | In OpenHarmony v6.0 and prior versions allow a local attacker arbitrary code exe |
| 33 | CVE-2026-8971 | Same-origin policy bypass in the Networking: JAR component. This vulnerability w |
| 33 | CVE-2026-9150 | A flaw was found in libsolv. This stack-based buffer overflow vulnerability occu |
| 33 | CVE-2026-8669 | Imager versions through 1.030 for Perl allow a heap out of bounds (OOB) write on |
| 33 | CVE-2026-46719 | Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections. The |
| 33 | CVE-2026-8704 | Crypt::DSA versions through 1.19 for Perl use 2-args open, allowing existing fil |
| 32 | CVE-2026-6345 | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail |
| 32 | CVE-2026-24573 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti |
| 32 | CVE-2026-5163 | Mattermost versions 11.5.x <= 11.5.1 fail to verify channel membership when proc |
| 32 | CVE-2026-46556 | A Server-Side Request Forgery (SSRF) vulnerability in get_image_info( |
| 32 | CVE-2026-21836 | The HCL DominoIQ RAG feature is affected by a Broken Access Control vulnerabilit |
| 32 | CVE-2026-8405 | IBM Guardium Data Protection 12.2.1, and 12.2.2 's add-on feature of Guardium Da |
| 32 | CVE-2026-1402 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 |
| 32 | CVE-2026-49044 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti |
| 32 | CVE-2026-27405 | Missing Authorization vulnerability in Magepeople inc. WpBookingly allows Exploi |
| 32 | CVE-2026-5755 | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.2, 11.5.x <= 11.5.3, 11.4.x |
| 32 | CVE-2026-4635 | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11. |
| 32 | CVE-2026-47124 | Any authenticated non-admin member can connect to the server-status |
| 32 | CVE-2026-9796 | A flaw was found in Keycloak. An authenticated administrator with the `manage-cl |
| 32 | CVE-2026-44596 | The authentication endpoint `POST /auth/token` in `yamcs-core` lack |
| 32 | CVE-2026-39966 | TypeBot is a chatbot builder tool. In versions 3.15.2, the getLinkedTypebots API |
| 32 | CVE-2026-20685 | An attacker in a privileged network position may be able to leak sensitive infor |
| 32 | CVE-2026-9035 | IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 Fix Pack 1 and IBM A |
| 32 | CVE-2026-3173 | The Meta Field Block plugin for WordPress is vulnerable to Insecure Direct Objec |
| 32 | CVE-2026-45619 | CVE-2026-43884 fix `603e7bf` patched `EpgParser.php` and `plugin/AI/receiveAsync |
| 32 | CVE-2026-46551 | The `uploadViaURL` path in the v1/v2 attachment API did not enforce |
| 32 | CVE-2026-8096 | The Kirki - Freeform Page Builder, Website Builder & Customizer plugin for WordP |
| 32 | CVE-2026-28444 | Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the getResultLo |
| 32 | CVE-2026-44645 | The `renderLimit` option - documented in `docs/source/tutorials/dos. |
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 776d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2344d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2157d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1771d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2274d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 5021d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1242d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1044d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3798d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 946d |