Total CVEs
2732
last 14 days
Avg Priority
35.7
of max 220
KEV
4
actively exploited
POC
319
public exploits
Unpatched
546
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
118
CVE-2026-34621
Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Control
114
CVE-2026-34197
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i
109
CVE-2026-32201
Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform
Priority Distribution
| Priority | CVE |
|---|---|
| 22 |
CVE-2026-5894
Inappropriate implementation in PDF in Google Chrome prior to 147.0.7727.55 allo
|
| 22 |
CVE-2026-33005
Improper Handling of Insufficient Privileges vulnerability in Apache OpenMeeting
|
| 22 |
CVE-2026-4002
The Petje.af plugin for WordPress is vulnerable to Cross-Site Request Forgery in
|
| 22 |
CVE-2026-35181
**Severity:** Medium
**CWE:** CWE-352 (Cross-Site Request Forgery)
## Summary
|
| 22 |
CVE-2026-35180
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the si
|
| 22 |
CVE-2026-4141
The Quran Translations plugin for WordPress is vulnerable to Cross-Site Request
|
| 22 |
CVE-2026-2619
GitLab has remediated an issue in GitLab EE affecting all versions from 18.6 bef
|
| 22 |
CVE-2026-1673
The BEAR - Bulk Editor and Products Manager Professional for WooCommerce by Plug
|
| 22 |
CVE-2026-2104
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2
|
| 22 |
CVE-2025-9484
GitLab has remediated an issue in GitLab EE affecting all versions from 16.6 bef
|
| 22 |
CVE-2026-1752
GitLab has remediated an issue in GitLab EE affecting all versions from 11.3 bef
|
| 22 |
CVE-2026-33214
Weblate is a web based localization tool. In versions prior to 5.17, the transla
|
| 22 |
CVE-2026-6451
The cms-fuer-motorrad-werkstaetten plugin for WordPress is vulnerable to Cross-S
|
| 22 |
CVE-2026-6298
Heap buffer overflow in Skia in Google Chrome prior to 147.0.7727.101 allowed a
|
| 22 |
CVE-2026-39618
Cross-Site Request Forgery (CSRF) vulnerability in themearile NewsExo newsexo al
|
| 22 |
CVE-2026-5889
Cryptographic Flaw in PDFium in Google Chrome prior to 147.0.7727.55 allowed an
|
| 22 |
CVE-2026-4949
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User
|
| 22 |
CVE-2026-33460
Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information
|
| 22 |
CVE-2026-40486
### Summary
A Mass Assignment / Broken Object Property Level Authorization (BOPA
|
| 22 |
CVE-2025-53444
Cross-Site Request Forgery (CSRF) vulnerability in DeluxeThemes Userpro allows C
|
| 22 |
CVE-2026-0814
The Advanced Contact form 7 DB plugin for WordPress is vulnerable to unauthorize
|
| 22 |
CVE-2026-40305
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS
|
| 22 |
CVE-2026-35411
### Summary
Directus is vulnerable to an Open Redirect via the redirect query p
|
| 22 |
CVE-2025-15635
Cross-Site Request Forgery (CSRF) vulnerability in Zaytech Smart Online Order fo
|
| 21 |
CVE-2026-24318
Due to an Insecure session management vulnerability in SAP Business Objects Busi
|
| 21 |
CVE-2026-35041
fast-jwt provides fast JSON Web Token (JWT) implementation. From 5.0.0 to 6.2.0,
|
| 21 |
CVE-2026-32602
Homarr is an open-source dashboard. Prior to 1.57.0, the user registration endpo
|
| 21 |
CVE-2026-39413
## Summary
The LightRAG API is vulnerable to a JWT algorithm confusion attack wh
|
| 21 |
CVE-2026-22574
A storing passwords in a recoverable format vulnerability in Fortinet FortiSOAR
|
| 21 |
CVE-2026-1163
An insufficient session expiration vulnerability exists in the latest version of
|
| 21 |
CVE-2026-27683
SAP BusinessObjects Business Intelligence application allows an authenticated at
|
| 21 |
CVE-2026-35601
## Summary
The CalDAV output generator builds iCalendar VTODO entries via raw s
|
| 21 |
CVE-2026-21009
Improper check for exceptional conditions in Recents prior to SMR Apr-2026 Relea
|
| 21 |
CVE-2026-5507
When restoring a session from cache, a pointer from the serialized session data
|
| 21 |
CVE-2025-43883
Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an improper check fo
|
| 21 |
CVE-2026-39845
Weblate is a web based localization tool. In versions prior to 5.17, the webhook
|
| 21 |
CVE-2026-34944
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0
|
| 21 |
CVE-2026-34860
Access control vulnerability in the memo module.
Impact: Successful exploitation
|
| 21 |
CVE-2026-34858
UAF vulnerability in the communication module.
Impact: Successful exploitation o
|
| 20 |
CVE-2026-35177
Vim is an open source, command line text editor. Prior to 9.2.0280, a path trave
|
| 20 |
CVE-2026-40394
Varnish Cache 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11 allows a "w
|
| 20 |
CVE-2026-40395
Varnish Enterprise before 6.0.16r12 allows a "workspace overflow" denial of serv
|
| 20 |
CVE-2026-33414
## Summary
A command injection vulnerability exists in Podman's HyperV machine
|
| 20 |
CVE-2026-39572
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulne
|
| 20 |
CVE-2026-39566
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulne
|
| 20 |
CVE-2026-39316
OpenPrinting CUPS is an open source printing system for Linux and other Unix-lik
|
| 20 |
CVE-2026-39314
OpenPrinting CUPS is an open source printing system for Linux and other Unix-lik
|
| 20 |
CVE-2026-40386
In libexif through 0.6.25, an integer underflow in size checking for Fuji and Ol
|
| 20 |
CVE-2026-0232
A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent
|
| 20 |
CVE-2026-40385
In libexif through 0.6.25, an unsigned 32bit integer overflow in Nikon MakerNote
|
| 20 |
CVE-2026-40396
Varnish Cache 9 before 9.0.1 allows a "workspace overflow" denial of service (da
|
| 20 |
CVE-2026-33555
An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not chec
|
| 19 |
CVE-2026-40184
TREK is a collaborative travel planner. Prior to 2.7.2, TREK served uploaded pho
|
| 19 |
CVE-2026-21388
Mattermost Plugins versions <=2.3.1 fail to limit the request body size on the {
|
| 19 |
CVE-2026-24661
Mattermost Plugins versions <=2.1.3.0 fail to limit the request body size on the
|
| 19 |
CVE-2026-34166
## Summary
The `replace` filter in LiquidJS incorrectly accounts for memory usa
|
| 19 |
CVE-2026-35448
## Summary
The BlockonomicsYPT plugin's `check.php` endpoint returns payment or
|
| 19 |
CVE-2026-40097
Step CA is an online certificate authority for secure, automated certificate man
|
| 19 |
CVE-2026-33877
ApostropheCMS is an open-source Node.js content management system. Versions 4.28
|
| 19 |
CVE-2026-40263
### Summary
A timing side-channel in the login endpoint allows unauthenticated a
|
| 19 |
CVE-2026-40194
phpseclib is a PHP secure communications library. Prior to 3.0.51, 2.0.53, and 1
|
| 19 |
CVE-2026-37977
A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resou
|
| 18 |
CVE-2026-40077
Beszel is a server monitoring platform. Prior to 0.18.7, some API endpoints in t
|
| 18 |
CVE-2026-33551
An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.
|
| 18 |
CVE-2026-35679
Zcash zcashd before 6.12.0 allows invalid transactions to be accepted under cert
|
| 18 |
CVE-2026-34454
OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 provid
|
| 18 |
CVE-2026-35400
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web app
|
| 17 |
CVE-2026-33404
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level
|
| 17 |
CVE-2026-28264
Dell PowerProtect Agent Service, version(s) prior to 20.1, contain(s) an Incorre
|
| 17 |
CVE-2026-21727
---
title: Cross-Tenant Legacy Correlation Disclosure and Deletion
draft: false
|
| 16 |
CVE-2026-39419
MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below
|
| 16 |
CVE-2026-3155
The OneSignal - Web Push Notifications plugin for WordPress is vulnerable to aut
|
| 16 |
CVE-2026-33212
Weblate is a web based localization tool. In versions prior to 5.17, the tasks A
|
| 16 |
CVE-2026-33405
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level
|
| 16 |
CVE-2026-40109
Flux notification-controller is the event forwarder and notification dispatcher
|
| 16 |
CVE-2026-6313
Insufficient policy enforcement in CORS in Google Chrome prior to 147.0.7727.101
|
| 16 |
CVE-2026-6312
Insufficient policy enforcement in Passwords in Google Chrome prior to 147.0.772
|
| 16 |
CVE-2026-33436
Stirling-PDF is a locally hosted web application that facilitates various operat
|
| 15 |
CVE-2026-5382
An issue that could expose records outside of the authorized organization scope
|
| 15 |
CVE-2026-5379
An issue that allowed MCP agents to access certificate information from outside
|
| 15 |
CVE-2026-33948
jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db284
|
| 15 |
CVE-2026-40354
Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Fla
|
| 15 |
CVE-2026-41080
libexpat before 2.7.6 uses insufficient entropy, and thus hash flooding can occu
|
| 15 |
CVE-2026-40228
In systemd 259, systemd-journald can send ANSI escape sequences to the terminals
|
| 15 |
CVE-2026-40947
Yubico libfido2 before 1.17.0, python-fido2 before 2.2.0, and yubikey-manager be
|
| 15 |
CVE-2025-52641
HCL AION is affected by a vulnerability where certain system behaviours may allo
|
| 14 |
CVE-2026-34781
### Impact
Apps that call `clipboard.readImage()` may be vulnerable to a denial
|
| 14 |
CVE-2026-37598
SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to arbitr
|
| 14 |
CVE-2025-15480
In Ubuntu, ubuntu-desktop-provision version 24.04.4 could leak sensitive user cr
|
| 14 |
CVE-2025-14551
In Ubuntu, Subiquity version 24.04.4 could leak sensitive user credentials durin
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 735d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2303d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2116d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1730d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2233d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4980d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1201d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1003d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3758d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 905d |