| Metric | Value | Note |
|---|---|---|
| Total CVEs | 2378 | last 14 days |
| Avg Priority | 26.2 | of max 220 |
| KEV | 7 | actively exploited |
| POC | 137 | public exploits |
| Unpatched | 392 | CRIT/HIGH without patch |
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:

| Signal | Weight | Meaning |
|---|---|---|
| KEV | +50 | CISA Known Exploited Vulnerability: confirmed active exploitation in the wild |
| EPSS | x100 | Exploit Prediction Scoring System: probability of exploitation in next 30 days (0-100) |
| CVSS | x5 | Common Vulnerability Scoring System: technical severity (0-50) |
| POC | +20 | Public exploit code exists, which lowers the barrier for attackers |

| Score | Rating |
|---|---|
| 0-40 | Low |
| 40-80 | Medium |
| 80-120 | High |
| 120+ | Critical |
Patch Now — Known Exploited Vulnerabilities
| Priority | CVE | Description |
|---|---|---|
| 126 | CVE-2026-41091 | Improper link resolution before file access ('link following') in Microsoft Defender allows an autho |
| 120 | CVE-2026-48172 | LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exp |
| 117 | CVE-2026-8398 | A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows v |
| 116 | CVE-2026-48027 | Nx Console is the user interface for Nx & Lerna. On 19 May 2026, a malicious version of Nx Console, |
| 108 | CVE-2026-9082 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability i |
| 92 | CVE-2026-45498 | Microsoft Defender Denial of Service Vulnerability |
| 89 | CVE-2026-34926 | A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authentica |
Priority Distribution
| Priority | CVE | Description |
|---|---|---|
| 32 | CVE-2026-20685 | An attacker in a privileged network position may be able to leak sensitive infor |
| 32 | CVE-2026-3676 | IBM Cloud APM, Base Private 8.1.4 and IBM Cloud APM, Advanced Private 8.1.4 IBM |
| 32 | CVE-2026-39969 | TypeBot is a chatbot builder tool. In versions 3.16.0 and prior, the WhatsApp Cl |
| 32 | CVE-2026-21836 | The HCL DominoIQ RAG feature is affected by a Broken Access Control vulnerabilit |
| 32 | CVE-2026-44645 | ## Summary The `renderLimit` option - documented in `docs/source/tutorials/dos. |
| 32 | CVE-2026-45619 | CVE-2026-43884 fix `603e7bf` patched `EpgParser.php` and `plugin/AI/receiveAsync |
| 32 | CVE-2026-7048 | The Photo Gallery by 10Web - Mobile-Friendly Image Gallery plugin for WordPress |
| 32 | CVE-2026-1402 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 |
| 32 | CVE-2026-45149 | The `max` option was being applied too late: When expanding a single large nume |
| 32 | CVE-2026-5163 | Mattermost versions 11.5.x <= 11.5.1 fail to verify channel membership when proc |
| 32 | CVE-2026-46556 | ###Summary A Server-Side Request Forgery (SSRF) vulnerability in get_image_info( |
| 32 | CVE-2026-5737 | The Independent Analytics plugin for WordPress is vulnerable to Server-Side Requ |
| 32 | CVE-2026-45582 | ## Summary In affected versions of n8n-mcp, the workflow telemetry sanitizer co |
| 32 | CVE-2026-45719 | # Security Advisory: CouchDB Reduce Injection via Unsanitized Calculation Parame |
| 32 | CVE-2026-33464 | Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to a denial of se |
| 32 | CVE-2026-3117 | Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to properly che |
| 32 | CVE-2026-24573 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti |
| 32 | CVE-2026-45679 | ### Summary OBI exports raw Redis error text as the span status message. Becaus |
| 32 | CVE-2026-3471 | Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent an invalid |
| 32 | CVE-2026-9035 | IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 Fix Pack 1 and IBM A |
| 32 | CVE-2026-9796 | A flaw was found in Keycloak. An authenticated administrator with the `manage-cl |
| 32 | CVE-2026-46551 | ### Summary The `uploadViaURL` path in the v1/v2 attachment API did not enforce |
| 32 | CVE-2026-3173 | The Meta Field Block plugin for WordPress is vulnerable to Insecure Direct Objec |
| 32 | CVE-2026-48710 | Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the H |
| 32 | CVE-2026-44056 | In Netatalk 1.3 through 4.2.2, stack buffer overflow in desktop.c. Fixed in 4.5. |
| 32 | CVE-2026-5293 | The 診断ジェネレータ作成プラグイン (Diagnosis Generator) plugin for WordPress is vulnerable to |
| 32 | CVE-2026-2955 | The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable |
| 32 | CVE-2026-35070 | Dell SmartFabric Storage Software, versions prior to 1.4.5, contains an Improper |
| 32 | CVE-2026-6646 | The The7 theme for WordPress is vulnerable to Stored Cross-Site Scripting via th |
| 32 | CVE-2026-8884 | The Instant-Quote.co Quotation Page plugin for WordPress is vulnerable to Stored |
| 32 | CVE-2026-6415 | The Advanced Custom Fields: Font Awesome plugin for WordPress is vulnerable to S |
| 32 | CVE-2026-6397 | The Sticky plugin for WordPress is vulnerable to Stored Cross-Site Scripting via |
| 32 | CVE-2026-6549 | The Logo Manager For Enamad plugin for WordPress is vulnerable to Stored Cross-S |
| 32 | CVE-2026-8872 | The Animate Your Content plugin for WordPress is vulnerable to Stored Cross-Site |
| 32 | CVE-2026-8844 | The Responsive Check plugin for WordPress is vulnerable to Stored Cross-Site Scr |
| 32 | CVE-2026-9022 | The Splide Carousel Block plugin for WordPress is vulnerable to Stored Cross-Sit |
| 32 | CVE-2026-8891 | The BitForm plugin for WordPress is vulnerable to Stored Cross-Site Scripting vi |
| 32 | CVE-2026-8899 | The Auto Thumbnail plugin for WordPress is vulnerable to Stored Cross-Site Scrip |
| 32 | CVE-2026-8038 | The Faces of Users plugin for WordPress is vulnerable to Stored Cross-Site Scrip |
| 32 | CVE-2026-8698 | The Cryptocurrency Prijsvergelijking Widget plugin for WordPress is vulnerable t |
| 32 | CVE-2026-8701 | The GNTT Post Title Ticker plugin for WordPress is vulnerable to Stored Cross-Si |
| 32 | CVE-2026-8702 | The GBI To Print plugin for WordPress is vulnerable to Stored Cross-Site Scripti |
| 32 | CVE-2026-8897 | The Shortcode Buddy plugin for WordPress is vulnerable to Stored Cross-Site Scri |
| 32 | CVE-2026-8837 | The WP Iframe Geo Style for Amazon affiliates plugin for WordPress is vulnerable |
| 32 | CVE-2026-8869 | The Mutual Funds Data plugin for WordPress is vulnerable to Stored Cross-Site Sc |
| 32 | CVE-2026-8866 | The jQuery googleslides plugin for WordPress is vulnerable to Stored Cross-Site |
| 32 | CVE-2026-8873 | The Content Slideshow plugin for WordPress is vulnerable to Stored Cross-Site Sc |
| 32 | CVE-2026-8887 | The Listen Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scr |
| 32 | CVE-2026-8886 | The hk_shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripti |
| 32 | CVE-2026-8042 | The Github Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scr |
| 32 | CVE-2026-8040 | The faq shortocde plugin for WordPress is vulnerable to Stored Cross-Site Script |
| 32 | CVE-2026-8870 | The Team Master - A Modern WordPress Team Showcase plugin for WordPress is vulne |
| 32 | CVE-2026-8867 | The Post Category Gallery plugin for WordPress is vulnerable to Stored Cross-Sit |
| 32 | CVE-2026-8871 | The Formidable Kinetic plugin for WordPress is vulnerable to Stored Cross-Site S |
| 32 | CVE-2026-8868 | The Single Mailchimp plugin for WordPress is vulnerable to Stored Cross-Site Scr |
| 32 | CVE-2026-8846 | The Tuxquote plugin for WordPress is vulnerable to Stored Cross-Site Scripting v |
| 32 | CVE-2026-8875 | The Easy Prism Syntax Highlighter plugin for WordPress is vulnerable to Stored C |
| 32 | CVE-2026-8847 | The Dideo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via |
| 32 | CVE-2026-8898 | The Events In City plugin for WordPress is vulnerable to Stored Cross-Site Scrip |
| 32 | CVE-2026-6565 | The Style Kits - Advanced Theme Styles for Elementor, Elementor Kits & Elementor |
| 32 | CVE-2026-8877 | The Responsive Video Embedder plugin for WordPress is vulnerable to Stored Cross |
| 32 | CVE-2026-8048 | The My Email Shortcode plugin for WordPress is vulnerable to Stored Cross-Site S |
| 32 | CVE-2026-8845 | The Islamic Database plugin for WordPress is vulnerable to Stored Cross-Site Scr |
| 32 | CVE-2026-2030 | The WPBakery Page Builder Addons by Livemesh plugin for WordPress is vulnerable |
| 32 | CVE-2026-8894 | The iWR Tooltip plugin for WordPress is vulnerable to Stored Cross-Site Scriptin |
| 32 | CVE-2026-8703 | The Endless Scroll plugin for WordPress is vulnerable to Stored Cross-Site Scrip |
| 32 | CVE-2026-8842 | The Google+ Link Name plugin for WordPress is vulnerable to Stored Cross-Site Sc |
| 32 | CVE-2026-3895 | The WPBakery Page Builder Addons by Livemesh plugin for WordPress is vulnerable |
| 32 | CVE-2026-3896 | The Livemesh SiteOrigin Widgets plugin for WordPress is vulnerable to Stored Cro |
| 32 | CVE-2026-3897 | The Livemesh Addons for Beaver Builder plugin for WordPress is vulnerable to Sto |
| 32 | CVE-2026-1543 | The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Si |
| 32 | CVE-2026-4334 | The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scri |
| 32 | CVE-2026-45703 | ### Summary The `WordExport` export flow only checks whether the current backen |
| 32 | CVE-2026-6427 | The a3 Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripti |
| 32 | CVE-2026-44462 | Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system ca |
| 32 | CVE-2026-9104 | The Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting |
| 32 | CVE-2026-9087 | A flaw was found in Keycloak. The cross-session verification proof is keyed only |
| 32 | CVE-2026-9644 | The LiveSmart Video Chat Live Video Chat plugin for WordPress is vulnerable to S |
| 32 | CVE-2026-7509 | The KIA Subtitle plugin for WordPress is vulnerable to Stored Cross-Site Scripti |
| 32 | CVE-2026-24142 | NVIDIA TRT-LLM for any platform contains a deserialization vulnerability and u |
| 32 | CVE-2025-67031 | ORSEE (Online Recruitment System for Economic Experiments) 3.1.0 contains an aut |
| 32 | CVE-2026-9373 | A vulnerability has been found in JeecgBoot 3.9.1. This issue affects some unkno |
| 32 | CVE-2026-8337 | Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys. To be vulnerable, |
| 32 | CVE-2026-8236 | Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with a missing authe |
| 32 | CVE-2026-8238 | Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversat |
| 32 | CVE-2026-8237 | Concrete CMS 9.5.0 and below is vulnerable to IDOR. The `/ccm/frontend/conversat |
| 32 | CVE-2026-42335 | MaxKB is an open-source AI assistant for enterprise. Prior to 2.8.1, MaxKB v2.8. |
| 32 | CVE-2026-8204 | Concrete CMS 9.5.0 and below is vulnerable to authorization Bypass in the Calend |
| 32 | CVE-2026-8239 | Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversat |
| 32 | CVE-2026-8205 | Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calend |
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 776d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2344d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2157d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1771d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2274d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 5021d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1242d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1044d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3799d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 946d |