Total CVEs
2378
last 14 days
Avg Priority
26.2
of max 220
KEV
7
actively exploited
POC
137
public exploits
Unpatched
392
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
126
CVE-2026-41091
Improper link resolution before file access ('link following') in Microsoft Defender allows an autho
120
CVE-2026-48172
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exp
117
CVE-2026-8398
A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows v
116
CVE-2026-48027
Nx Console is the user interface for Nx & Lerna. On 19 May 2026, a malicious version of Nx Console,
108
CVE-2026-9082
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability i
92
CVE-2026-45498
Microsoft Defender Denial of Service Vulnerability
89
CVE-2026-34926
A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authentica
Priority Distribution
| Priority | CVE |
|---|---|
| 44 |
CVE-2026-6228
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege
|
| 44 |
CVE-2026-7522
The Advanced Database Cleaner - Premium plugin for WordPress is vulnerable to Lo
|
| 44 |
CVE-2026-45495
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
|
| 44 |
CVE-2026-24217
NVIDIA BioNeMo Core for Linux contains a vulnerability where a user could cause
|
| 44 |
CVE-2026-44047
In Netatalk 3.1.0 through 4.4.2, sql injection in mysql cnid backend. Fixed in 4
|
| 44 |
CVE-2026-9207
Tanium addressed an unauthorized code execution vulnerability in Connect.
|
| 44 |
CVE-2026-35430
Authorization bypass through user-controlled key in Azure Privileged Identity Ma
|
| 44 |
CVE-2026-8975
Memory safety bugs present in Firefox ESR 115.35, Firefox ESR 140.10 and Firefox
|
| 44 |
CVE-2026-8974
Memory safety bugs present in Firefox ESR 140.10 and Firefox 150. Some of these
|
| 44 |
CVE-2026-46414
Microsoft UFO open-source framework for intelligent automation across devices an
|
| 44 |
CVE-2026-47161
RELATE is a web-based courseware package. Prior to commit d66ba5659b459bf1ba56b7
|
| 44 |
CVE-2026-48920
Jenkins Email Extension Plugin 1933.v45cec755423f and earlier allows inlining im
|
| 44 |
CVE-2026-8787
The Firebase Support & Chat Management plugin for WordPress is vulnerable to pri
|
| 44 |
CVE-2026-8970
Privilege escalation in the Security component. This vulnerability was fixed in
|
| 44 |
CVE-2026-38807
Insecure Permissions vulnerability in kvf-admin v1.0.0 allows a remote attacker
|
| 44 |
CVE-2026-8973
Memory safety bugs present in Firefox 150. Some of these bugs showed evidence of
|
| 44 |
CVE-2026-6456
The Account Switcher plugin for WordPress is vulnerable to Privilege Escalation
|
| 44 |
CVE-2026-6898
The Wishlist Member plugin for WordPress is vulnerable to unauthorized modificat
|
| 44 |
CVE-2026-44988
LibVNCClient is a library for easy implementation of a VNC client. In 0.9.15 and
|
| 44 |
CVE-2026-32740
libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and
|
| 44 |
CVE-2026-6419
The WishList Member plugin for WordPress is vulnerable to Privilege Escalation v
|
| 44 |
CVE-2026-6897
The Wishlist Member plugin for WordPress is vulnerable to unauthorized modificat
|
| 44 |
CVE-2026-8719
The AI Engine - The Chatbot, AI Framework & MCP for WordPress plugin for WordPre
|
| 44 |
CVE-2026-6895
The WishList Member plugin for WordPress is vulnerable to Missing Authorization
|
| 44 |
CVE-2026-5200
The AcyMailing - An Ultimate Newsletter Plugin and Marketing Automation Solution
|
| 44 |
CVE-2026-7467
The Read More & Accordion plugin for WordPress is vulnerable to Privilege Escala
|
| 44 |
CVE-2026-9126
Use after free in DOM in Google Chrome on prior to 148.0.7778.179 allowed a remo
|
| 44 |
CVE-2026-8955
Privilege escalation in the DOM: Workers component. This vulnerability was fixed
|
| 44 |
CVE-2026-8957
Privilege escalation in the Enterprise Policies component. This vulnerability wa
|
| 44 |
CVE-2026-41075
RT is an open source, enterprise-grade issue and ticket tracking system. Version
|
| 44 |
CVE-2026-46586
Improper Control of Generation of Code ('Code Injection'), Improper Neutralizati
|
| 44 |
CVE-2026-9118
Use after free in XR in Google Chrome on Windows prior to 148.0.7778.179 allowed
|
| 44 |
CVE-2026-9112
Use after free in GPU in Google Chrome on Windows prior to 148.0.7778.179 allowe
|
| 44 |
CVE-2026-9114
Use after free in QUIC in Google Chrome on prior to 148.0.7778.179 allowed a rem
|
| 44 |
CVE-2026-8952
Privilege escalation in the Application Update component. This vulnerability was
|
| 44 |
CVE-2026-8972
Privilege escalation in the WebRTC: Audio/Video component. This vulnerability wa
|
| 44 |
CVE-2026-9120
Use after free in WebRTC in Google Chrome prior to 148.0.7778.179 allowed a remo
|
| 44 |
CVE-2026-44713
pam_usb provides hardware authentication for Linux using ordinary removable medi
|
| 44 |
CVE-2026-9121
Out of bounds read in GPU in Google Chrome on prior to 148.0.7778.179 allowed a
|
| 44 |
CVE-2026-9111
Use after free in WebRTC in Google Chrome on Linux prior to 148.0.7778.179 allow
|
| 44 |
CVE-2026-9119
Heap buffer overflow in WebRTC in Google Chrome on prior to 148.0.7778.179 allow
|
| 44 |
CVE-2026-39461
libcasper(3) communicates with helper processes via UNIX domain sockets, and use
|
| 44 |
CVE-2026-43490
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: vali
|
| 44 |
CVE-2026-31069
BillaBear (all versions prior to Jan 2026) contains a SQL Injection vulnerabilit
|
| 44 |
CVE-2026-44925
Cross-Site Request Forgery (CSRF) vulnerability in InfoScale v.9.1.3 Operations
|
| 44 |
CVE-2026-47125
## Summary
The `PUT /api/environments/{id}/templates/variables` endpoint, which
|
| 44 |
CVE-2026-7498
Improper neutralization of input during web page generation ('cross-site scripti
|
| 44 |
CVE-2026-35675
phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the pas
|
| 44 |
CVE-2026-35676
phpMyFAQ before 4.1.3 contains an unauthenticated password reset vulnerability i
|
| 44 |
CVE-2026-45578
## Summary
**Type:** Classic shell-metacharacter injection. The YPTSocket notif
|
| 44 |
CVE-2026-6406
The Docker CLI --use-api-socket flag bypasses Enhanced Container Isolation (ECI)
|
| 44 |
CVE-2026-45717
## Summary
Budibase exposes a REST API for datasource management. The route `PU
|
| 44 |
CVE-2026-9009
The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnera
|
| 44 |
CVE-2026-9227
The GutenBee - Gutenberg Blocks plugin for WordPress is vulnerable to Arbitrary
|
| 44 |
CVE-2026-8179
IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 Fix Pack 1 and IBM A
|
| 44 |
CVE-2026-6226
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthent
|
| 44 |
CVE-2026-45805
### Summary
The MCP module's `ReplServer` binds to all interfaces (`0.0.0.0:440
|
| 44 |
CVE-2026-46519
## Summary
`mcp-server-kubernetes` exposes three environment variables (`ALLOW_
|
| 44 |
CVE-2026-9208
Tanium addressed an unauthorized code execution vulnerability in Connect.
|
| 44 |
CVE-2026-41085
Thermo Fisher Scientific Torrent Suite Dx through 5.14.2 has a privilege escalat
|
| 44 |
CVE-2025-57282
ngrok v4.3.3 and 5.0.0-beta.2 is vulnerable to Command Injection.
|
| 44 |
CVE-2026-45044
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta
|
| 44 |
CVE-2026-48235
Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in incs/r
|
| 44 |
CVE-2026-5065
IBM Controller 11.0.1, 11.1.0, 11.1.1, and 11.1.2 contains hard-coded credential
|
| 44 |
CVE-2026-46826
Vulnerability in the Oracle Payroll product of Oracle E-Business Suite (componen
|
| 44 |
CVE-2026-46827
Vulnerability in the Oracle Payroll product of Oracle E-Business Suite (componen
|
| 44 |
CVE-2026-8992
An improper certificate validation vulnerability in Ivanti Secure Access Client
|
| 44 |
CVE-2026-36044
@pensar/apex <= 0.0.58 is vulnerable to OS command injection via the smart_enume
|
| 44 |
CVE-2026-36828
A command injection vulnerability exists in the /cgi-bin/tools/ajax_cmd endpoint
|
| 44 |
CVE-2026-44926
InfoScale CmdServer before 7.4.2 mishandles access control.
|
| 44 |
CVE-2026-46612
### Summary
The Fission `storagesvc` component registers archive CRUD handlers
|
| 44 |
CVE-2026-44741
# GM-369
## Summary
SQL injection in Pimcore's translation grid date filter - t
|
| 44 |
CVE-2026-8676
An attacker is able to downgrade the security of a Bluetooth LE connection by de
|
| 44 |
CVE-2026-4944
vllm-project/vllm version 0.14.1 contains a vulnerability where the `trust_remot
|
| 44 |
CVE-2026-49127
Music Player Daemon (MPD) before version 0.24.11 contains a stack buffer overflo
|
| 44 |
CVE-2026-46837
Vulnerability in the Oracle Flow Manufacturing product of Oracle E-Business Suit
|
| 44 |
CVE-2026-8915
Out-of-bounds write vulnerability in Samsung Open Source Escargot allows Overflo
|
| 44 |
CVE-2026-45230
DumbAssets through 1.0.11 contains a path traversal vulnerability in the POST /a
|
| 44 |
CVE-2026-9018
The Easy Elements for Elementor - Addons & Website Templates plugin for WordPres
|
| 44 |
CVE-2026-9089
The ConnectWise Automate™ Agent does not fully verify the authenticity of compon
|
| 44 |
CVE-2026-45716
## Summary
The `POST /api/global/users/onboard` endpoint is protected by `works
|
| 44 |
CVE-2026-42305
## Impact
Arbitrary file write leading to remote code execution when cloning or
|
| 44 |
CVE-2026-7802
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to authoriza
|
| 44 |
CVE-2026-8695
radare2 6.1.5 contains a use-after-free vulnerability in the gdbr_threads_list()
|
| 44 |
CVE-2026-8696
radare2 6.1.5 contains a use-after-free vulnerability in the gdbr_pids_list() fu
|
| 44 |
CVE-2026-48544
Taipy 4.1.1, fixed in commit 129fd40, contains a path traversal vulnerability in
|
| 44 |
CVE-2026-3294
An authentication logic vulnerability in multiple TP-Link range extenders allows
|
| 44 |
CVE-2026-44886
Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. From 202
|
| 44 |
CVE-2026-46366
phpMyFAQ before 4.1.2 contains an information disclosure vulnerability in the ge
|
| 44 |
CVE-2025-41669
The Web-based Management allows a remote low privileged Engineer user to install
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 776d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2344d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2157d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1771d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2274d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 5021d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1242d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1044d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3799d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 946d |