Total CVEs
2756
last 14 days
Avg Priority
35.7
of max 220
KEV
4
actively exploited
POC
317
public exploits
Unpatched
552
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
118
CVE-2026-34621
Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Control
114
CVE-2026-34197
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i
109
CVE-2026-32201
Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform
Priority Distribution
| Priority | CVE |
|---|---|
| 26 |
CVE-2026-4160
The Fluent Forms - Customizable Contact Forms, Survey, Quiz, & Conversational Fo
|
| 26 |
CVE-2026-21003
Improper input validation in data related to network restrictions prior to SMR A
|
| 26 |
CVE-2026-39958
oma is a package manager for AOSC OS. Prior to 1.25.2, oma-topics is responsible
|
| 26 |
CVE-2026-4135
During an internal security assessment, a potential vulnerability was discovered
|
| 26 |
CVE-2026-32591
A flaw was found in Red Hat Quay's Proxy Cache configuration feature. When an or
|
| 26 |
CVE-2026-3438
A reflected cross-site scripting vulnerability exists in Sonatype Nexus Reposito
|
| 26 |
CVE-2026-4420
Bludit is vulnerable to Stored Cross-Site Scripting (XSS) in its page creating f
|
| 26 |
CVE-2026-33892
A vulnerability has been identified in Industrial Edge Management Pro V1 (All ve
|
| 26 |
CVE-2026-39425
MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below co
|
| 26 |
CVE-2026-24906
October is a Content Management System (CMS) and web platform. Versions prior to
|
| 26 |
CVE-2026-24907
October is a Content Management System (CMS) and web platform. Versions prior to
|
| 26 |
CVE-2026-22675
OCS Inventory NG Server version 2.12.3 and prior contain a stored cross-site scr
|
| 26 |
CVE-2026-33865
MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsi
|
| 26 |
CVE-2026-34161
Chamilo LMS is an open-source learning management system. In versions prior to 2
|
| 26 |
CVE-2026-34951
Workbench is a suite of tools for administrators and developers to interact with
|
| 26 |
CVE-2026-39426
MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below co
|
| 26 |
CVE-2026-39840
Improper neutralization of input during web page generation ('cross-site scripti
|
| 26 |
CVE-2026-40096
immich is a high performance self-hosted photo and video management solution. Ve
|
| 26 |
CVE-2026-5987
A security vulnerability has been detected in Sanluan PublicCMS up to 6.202506.d
|
| 26 |
CVE-2026-1564
Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vu
|
| 26 |
CVE-2026-35472
WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redi
|
| 26 |
CVE-2026-35474
WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, open redirec
|
| 26 |
CVE-2026-35475
WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, the redirect
|
| 26 |
CVE-2026-35473
WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redi
|
| 26 |
CVE-2026-35396
WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redi
|
| 26 |
CVE-2026-33709
JupyterHub is software that allows one to create a multi-user server for Jupyter
|
| 26 |
CVE-2026-35398
WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redi
|
| 26 |
CVE-2026-33456
Livestatus injection in the notification test mode in Checkmk <2.5.0b4 and <2.4.
|
| 26 |
CVE-2026-35496
A path traversal vulnerability exists in CubeCart prior to 6.6.0, which may allo
|
| 26 |
CVE-2026-33273
Unrestricted upload of file with dangerous type issue exists in MATCHA INVOICE 2
|
| 26 |
CVE-2026-5160
Versions of the package github.com/yuin/goldmark/renderer/html before 1.7.17 are
|
| 26 |
CVE-2026-39347
OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to
|
| 26 |
CVE-2026-21904
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scri
|
| 26 |
CVE-2026-6107
A flaw has been found in 1Panel-dev MaxKB up to 2.6.1. This issue affects some u
|
| 26 |
CVE-2026-40118
UDP Console provided by Arcserve contains an incorrectly specified destination i
|
| 26 |
CVE-2026-6216
A security vulnerability has been detected in DbGate up to 7.1.4. This affects a
|
| 26 |
CVE-2026-27787
Cross-site scripting vulnerability exists in MATCHA SNS 1.3.9 and earlier. If th
|
| 26 |
CVE-2026-40028
Hayabusa versions prior to 3.8.0 contain a cross-site scripting (XSS) vulnerabil
|
| 26 |
CVE-2026-40038
Pachno 1.0.6 contains a stored cross-site scripting vulnerability that allows at
|
| 26 |
CVE-2026-34018
An SQL injection vulnerability exists in CubeCart prior to 6.6.0, which may allo
|
| 26 |
CVE-2026-35634
OpenClaw before 2026.3.23 contains an authentication bypass vulnerability in the
|
| 26 |
CVE-2026-21008
Exposure of sensitive information in S Share prior to SMR Apr-2026 Release 1 all
|
| 26 |
CVE-2026-35613
coursevault-preview is a utility for previewing course material files from a con
|
| 26 |
CVE-2025-14858
The Semtech LR11xx LoRa transceivers running early versions of firmware contains
|
| 26 |
CVE-2026-21014
Improper access control in Samsung Camera prior to version 16.5.00.28 allows loc
|
| 26 |
CVE-2026-40447
Integer overflow or wraparound vulnerability in Samsung Open Source Escargot all
|
| 26 |
CVE-2026-34238
An integer overflow in the despeckle operation causes a heap buffer overflow on
|
| 26 |
CVE-2026-34757
LIBPNG is a reference library for use in applications that read, create, and man
|
| 26 |
CVE-2025-36579
Dell Client Platform BIOS contains a Weak Password Recovery Mechanism vulnerabil
|
| 26 |
CVE-2026-35659
OpenClaw before 2026.3.22 contains a service discovery vulnerability where TXT m
|
| 26 |
CVE-2026-34866
Out-of-bounds write vulnerability in the WEB module.Impact: Successful exploitat
|
| 25 |
CVE-2026-40256
Weblate is a web based localization tool. In versions prior to 5.17, repository-
|
| 25 |
CVE-2026-4979
The UsersWP - Front-end login form, User Registration, User Profile & Members Di
|
| 25 |
CVE-2026-39418
MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below
|
| 25 |
CVE-2026-35516
LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, LinkR
|
| 25 |
CVE-2026-33440
Weblate is a web based localization tool. In versions prior to 5.17, the ALLOWED
|
| 25 |
CVE-2026-35461
Papra is a minimalistic document management and archiving platform. Prior to 26.
|
| 25 |
CVE-2026-5704
A flaw was found in tar. A remote attacker could exploit this vulnerability by c
|
| 25 |
CVE-2026-34244
Weblate is a web based localization tool. In versions prior to 5.17, a user with
|
| 25 |
CVE-2026-34262
Information Disclosure Vulnerability in SAP HANA Cockpit and HANA Database Explo
|
| 25 |
CVE-2026-34990
OpenPrinting CUPS is an open source printing system for Linux and other Unix-lik
|
| 25 |
CVE-2026-40917
A flaw was found in GIMP. This vulnerability, a heap buffer over-read in the `ic
|
| 25 |
CVE-2026-41034
ONLYOFFICE DocumentServer before 9.3.0 has an untrusted pointer dereference in X
|
| 25 |
CVE-2026-40002
Red Magic 11 Pro (NX809J) contains a vulnerability that allows non-privileged ap
|
| 25 |
CVE-2026-40916
A flaw was found in GIMP. A stack buffer overflow vulnerability in the TIM image
|
| 25 |
CVE-2026-39880
Remnawave Backend is the backend for the Remnawave proxy and user management sol
|
| 25 |
CVE-2026-39881
Vim is an open source, command line text editor. Prior to 9.2.0316, a command in
|
| 25 |
CVE-2026-34972
OpenFGA is a high-performance and flexible authorization/permission engine built
|
| 25 |
CVE-2026-39411
# Summary
The `webapi` authentication layer trusts a client-controlled `X-lobe-
|
| 25 |
CVE-2026-39811
A integer overflow or wraparound vulnerability in Fortinet FortiWeb 8.0.0 throug
|
| 25 |
CVE-2026-20148
A vulnerability in Cisco ISE and Cisco ISE-PIC could allow an authenticated, rem
|
| 25 |
CVE-2026-27673
Due to a missing authorization check, SAP S/4HANA (Private Cloud and On-Premise)
|
| 25 |
CVE-2026-34164
### Summary
The `InboxHandlingService` logs the full content of every incoming
|
| 25 |
CVE-2026-4853
The JetBackup - Backup, Restore & Migrate plugin for WordPress is vulnerable to
|
| 25 |
CVE-2026-39631
Missing Authorization vulnerability in Ronik@UnlimitedWP WPSchoolPress wpschoolp
|
| 25 |
CVE-2026-34061
nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake pro
|
| 25 |
CVE-2026-39521
Server-Side Request Forgery (SSRF) vulnerability in Nelio Software Nelio Content
|
| 25 |
CVE-2026-3330
The Form Maker by 10Web plugin for WordPress is vulnerable to SQL Injection via
|
| 25 |
CVE-2026-22692
October is a Content Management System (CMS) and web platform. Versions prior to
|
| 25 |
CVE-2026-25125
October is a Content Management System (CMS) and web platform. Versions prior to
|
| 25 |
CVE-2026-40962
FFmpeg before 8.1 has an integer overflow and resultant out-of-bounds write via
|
| 24 |
CVE-2026-40175
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.
|
| 24 |
CVE-2026-24147
NVIDIA Triton Inference Server contains a vulnerability in triton server where a
|
| 24 |
CVE-2026-1711
Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site
|
| 24 |
CVE-2026-20132
Multiple vulnerabilities in the web-based management interface of Cisco Identity
|
| 24 |
CVE-2026-26291
Stored cross-site scripting vulnerability exists in GROWI v7.4.6 and earlier. If
|
| 24 |
CVE-2026-27447
OpenPrinting CUPS is an open source printing system for Linux and other Unix-lik
|
| 24 |
CVE-2026-5647
A vulnerability was detected in code-projects Online Shoe Store 1.0. This affect
|
| 24 |
CVE-2026-39812
A improper neutralization of input during web page generation ('cross-site scrip
|
| 24 |
CVE-2026-35571
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, Mustache n
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 735d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2303d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2116d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1730d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2233d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4980d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1201d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1003d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3757d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 905d |