Total CVEs
2735
last 14 days
Avg Priority
35.7
of max 220
KEV
4
actively exploited
POC
317
public exploits
Unpatched
549
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
118
CVE-2026-34621
Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Control
114
CVE-2026-34197
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i
109
CVE-2026-32201
Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform
Priority Distribution
| Priority | CVE |
|---|---|
| 24 |
CVE-2026-40301
DOMSanitizer is a DOM/SVG/MathML Sanitizer for PHP 7.3+. Prior to version 1.0.10
|
| 23 |
CVE-2026-26175
Use of uninitialized resource in Windows Boot Manager allows an unauthorized att
|
| 23 |
CVE-2026-20928
Improper removal of sensitive information before storage or transfer in Windows
|
| 23 |
CVE-2026-39417
MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below co
|
| 23 |
CVE-2026-39345
OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to
|
| 23 |
CVE-2026-30613
An information disclosure vulnerability exists in AZIOT 1 Node Smart Switch (16a
|
| 23 |
CVE-2026-22154
An improper neutralization of input during web page generation ('cross-site scri
|
| 23 |
CVE-2026-33193
Docmost is open-source collaborative wiki and documentation software. Versions p
|
| 23 |
CVE-2025-69893
A side-channel vulnerability exists in the implementation of BIP-39 mnemonic pro
|
| 23 |
CVE-2026-31060
UTT Aggressive HiPER 810G v3v1.7.7-171114 was discovered to contain a buffer ove
|
| 23 |
CVE-2026-31058
UTT Aggressive HiPER 1200GW v2.5.3-170306 was discovered to contain a buffer ove
|
| 23 |
CVE-2026-31061
UTT Aggressive HiPER 810G v3v1.7.7-171114 was discovered to contain a buffer ove
|
| 23 |
CVE-2026-31062
UTT Aggressive 520W v3v1.7.7-180627 was discovered to contain a buffer overflow
|
| 23 |
CVE-2026-31063
UTT Aggressive HiPER 1200GW v2.5.3-170306 was discovered to contain a buffer ove
|
| 23 |
CVE-2026-31065
UTT Aggressive 520W v3v1.7.7-180627 was discovered to contain a buffer overflow
|
| 23 |
CVE-2026-31066
UTT Aggressive HiPER 810G v3v1.7.7-171114 was discovered to contain a buffer ove
|
| 22 |
CVE-2026-39864
Kamailio is an open source implementation of a SIP Signaling Server. Prior to 6.
|
| 22 |
CVE-2026-27906
Improper input validation in Windows Hello allows an authorized attacker to bypa
|
| 22 |
CVE-2026-32220
Improper access control in Windows Virtualization-Based Security (VBS) Enclave a
|
| 22 |
CVE-2026-3574
The Experto Dashboard for WooCommerce plugin for WordPress is vulnerable to Stor
|
| 22 |
CVE-2026-5169
The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to Stored
|
| 22 |
CVE-2026-5383
An issue that could allow access to Explorer groups from outside of the authoriz
|
| 22 |
CVE-2026-6439
The VideoZen plugin for WordPress is vulnerable to Stored Cross-Site Scripting i
|
| 22 |
CVE-2026-2838
The Whole Enquiry Cart for WooCommerce plugin for WordPress is vulnerable to Sto
|
| 22 |
CVE-2026-2396
The List View Google Calendar plugin for WordPress is vulnerable to Stored Cross
|
| 22 |
CVE-2026-4479
The WholeSale Products Dynamic Pricing Management WooCommerce plugin for WordPre
|
| 22 |
CVE-2026-21007
Improper check for exceptional conditions in Device Care prior to SMR Apr-2026 R
|
| 22 |
CVE-2026-3995
The OPEN-BRAIN plugin for WordPress is vulnerable to Stored Cross-Site Scripting
|
| 22 |
CVE-2026-3551
The Custom New User Notification plugin for WordPress is vulnerable to Stored Cr
|
| 22 |
CVE-2025-43935
Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an improper resource
|
| 22 |
CVE-2026-24511
Dell PowerScale OneFS, versions 9.5.0.0 through 9.10.1.6 and versions 9.11.0.0 t
|
| 22 |
CVE-2026-33118
Microsoft Edge (Chromium-based) Spoofing Vulnerability
|
| 22 |
CVE-2026-33829
Exposure of sensitive information to an unauthorized actor in Windows Snipping T
|
| 22 |
CVE-2026-32202
Protection mechanism failure in Windows Shell allows an unauthorized attacker to
|
| 22 |
CVE-2026-33146
Docmost is open-source collaborative wiki and documentation software. An authori
|
| 22 |
CVE-2026-22576
A storing passwords in a recoverable format vulnerability in Fortinet FortiSOAR
|
| 22 |
CVE-2026-4330
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vuln
|
| 22 |
CVE-2026-33227
Improper validation and restriction of a classpath path name vulnerability in Ap
|
| 22 |
CVE-2026-5882
Incorrect security UI in Fullscreen in Google Chrome prior to 147.0.7727.55 allo
|
| 22 |
CVE-2026-5918
Inappropriate implementation in Navigation in Google Chrome prior to 147.0.7727.
|
| 22 |
CVE-2026-5906
Incorrect security UI in Omnibox in Google Chrome on Android prior to 147.0.7727
|
| 22 |
CVE-2026-5898
Incorrect security UI in Omnibox in Google Chrome on iOS prior to 147.0.7727.55
|
| 22 |
CVE-2026-5897
Incorrect security UI in Downloads in Google Chrome prior to 147.0.7727.55 allow
|
| 22 |
CVE-2026-5878
Incorrect security UI in Blink in Google Chrome prior to 147.0.7727.55 allowed a
|
| 22 |
CVE-2026-35462
Papra is a minimalistic document management and archiving platform. Prior to 26.
|
| 22 |
CVE-2026-5880
Insufficient policy enforcement in browser UI in Google Chrome prior to 147.0.77
|
| 22 |
CVE-2026-5891
Insufficient policy enforcement in browser UI in Google Chrome prior to 147.0.77
|
| 22 |
CVE-2026-3568
The MStore API plugin for WordPress is vulnerable to Insecure Direct Object Ref
|
| 22 |
CVE-2026-4057
The Download Manager plugin for WordPress is vulnerable to unauthorized modifica
|
| 22 |
CVE-2026-6441
The Canto plugin for WordPress is vulnerable to Missing Authorization in version
|
| 22 |
CVE-2026-4977
The UsersWP - Front-end login form, User Registration, User Profile & Members Di
|
| 22 |
CVE-2026-35460
Papra is a minimalistic document management and archiving platform. Prior to 26.
|
| 22 |
CVE-2026-39985
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web app
|
| 22 |
CVE-2026-5864
Heap buffer overflow in WebAudio in Google Chrome prior to 147.0.7727.55 allowed
|
| 22 |
CVE-2026-5867
Heap buffer overflow in WebML in Google Chrome prior to 147.0.7727.55 allowed a
|
| 22 |
CVE-2026-5869
Heap buffer overflow in WebML in Google Chrome prior to 147.0.7727.55 allowed a
|
| 22 |
CVE-2026-39395
Cosign provides code signing and transparency for containers and binaries. Prior
|
| 22 |
CVE-2026-3371
The Tutor LMS - eLearning and online course solution plugin for WordPress is vul
|
| 22 |
CVE-2026-23777
Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Featu
|
| 22 |
CVE-2026-2826
The Kadence Blocks - Page Builder Toolkit for Gutenberg Editor plugin for WordPr
|
| 22 |
CVE-2026-40103
### Summary
Vikunja's scoped API token enforcement for custom project backgroun
|
| 22 |
CVE-2026-35598
## Summary
The CalDAV `GetResource` and `GetResourcesByList` methods fetch task
|
| 22 |
CVE-2025-59809
A server-side request forgery (ssrf) vulnerability [CWE-918] vulnerability in Fo
|
| 22 |
CVE-2026-35596
## Summary
The `hasAccessToLabel` function contains a SQL operator precedence b
|
| 22 |
CVE-2026-27676
Due to missing authorization checks in the SAP S/4HANA OData Service (Manage Tec
|
| 22 |
CVE-2026-20203
In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splu
|
| 22 |
CVE-2026-34225
Open WebUI is a self-hosted artificial intelligence platform designed to operate
|
| 22 |
CVE-2026-31150
Incorrect access control in Kaleris YMS v7.2.2.1 allows authenticated attackers
|
| 22 |
CVE-2026-1541
The Avada (Fusion) Builder plugin for WordPress is vulnerable to Sensitive Infor
|
| 22 |
CVE-2026-27672
The Material Master application does not enforce authorization checks for authen
|
| 22 |
CVE-2026-4109
The Eventin - Events Calendar, Event Booking, Ticket & Registration (AI Powered)
|
| 22 |
CVE-2026-20061
A vulnerability in the web-based management interface of Cisco Unity Connection
|
| 22 |
CVE-2026-20446
In sec boot, there is a possible out of bounds write due to an integer overflow.
|
| 22 |
CVE-2026-5887
Insufficient validation of untrusted input in Downloads in Google Chrome on Wind
|
| 22 |
CVE-2026-33929
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') v
|
| 22 |
CVE-2026-39469
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulne
|
| 22 |
CVE-2026-6293
The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to Cross-S
|
| 22 |
CVE-2026-39592
Missing Authorization vulnerability in Andy Ha DEPART depart-deposit-and-part-pa
|
| 22 |
CVE-2025-70811
Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local
|
| 22 |
CVE-2026-40728
Missing Authorization vulnerability in BlockArt Magazine Blocks magazine-blocks
|
| 22 |
CVE-2026-40729
Missing Authorization vulnerability in bPlugins 3D viewer - Embed 3D Models 3d-v
|
| 22 |
CVE-2026-40786
Missing Authorization vulnerability in Long Watch Studio MyRewards woorewards al
|
| 22 |
CVE-2026-39653
Missing Authorization vulnerability in Deepen Bajracharya Video Conferencing wit
|
| 22 |
CVE-2026-39627
Missing Authorization vulnerability in wproyal Ashe ashe allows Exploiting Incor
|
| 22 |
CVE-2026-39565
Missing Authorization vulnerability in magepeopleteam WpTravelly tour-booking-ma
|
| 22 |
CVE-2026-39506
Missing Authorization vulnerability in Jordy Meow AI Engine (Pro) ai-engine-pro
|
| 22 |
CVE-2026-39485
Missing Authorization vulnerability in embedplus Youtube Embed Plus youtube-embe
|
| 22 |
CVE-2026-39477
Missing Authorization vulnerability in Brainstorm Force CartFlows cartflows allo
|
| 22 |
CVE-2026-39476
Missing Authorization vulnerability in Syed Balkhi User Feedback userfeedback-li
|
| 22 |
CVE-2026-1924
The Aruba HiSpeed Cache plugin for WordPress is vulnerable to Cross-Site Request
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 735d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2303d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2116d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1730d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2233d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4980d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1201d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1003d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3758d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 905d |