Total CVEs
2737
last 14 days
Avg Priority
33.0
of max 220
KEV
3
actively exploited
POC
359
public exploits
Unpatched
712
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-5281
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co
109
CVE-2026-3502
TrueConf Client downloads application update code and applies it without performing verification. An
Priority Distribution
| Priority | CVE |
|---|---|
| 35 |
CVE-2026-5739
A security flaw has been discovered in PowerJob 5.1.0/5.1.1/5.1.2. The affected
|
| 35 |
CVE-2026-30879
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS ha
|
| 35 |
CVE-2026-34510
OpenClaw before 2026.3.22 contains a path traversal vulnerability in Windows med
|
| 35 |
CVE-2026-34404
Nuxt OG Image generates OG Images with Vue templates in Nuxt. Prior to version 6
|
| 35 |
CVE-2026-39934
Loop with unreachable exit condition ('infinite loop') vulnerability in The Wiki
|
| 35 |
CVE-2026-33977
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to versio
|
| 35 |
CVE-2026-34211
## Summary
The `@nyariv/sandboxjs` parser contains unbounded recursion in the `
|
| 35 |
CVE-2026-39351
Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0,
|
| 35 |
CVE-2025-20628
An insufficient granularity of access control vulnerability exists in PingIDM (f
|
| 35 |
CVE-2026-1612
AL-KO Robolinho Update Software has hard-coded AWS Access and Secret keys that a
|
| 35 |
CVE-2026-22815
### Summary
Insufficient restrictions in header/trailer handling could cause un
|
| 35 |
CVE-2026-4901
Hydrosystem Control System saves sensitive information into a log file. Critical
|
| 35 |
CVE-2026-34426
OpenClaw versions prior to commit b57b680 contain an approval bypass vulnerabili
|
| 35 |
CVE-2026-34443
FreeScout is a free help desk and shared inbox built with PHP's Laravel framewor
|
| 35 |
CVE-2026-5346
A vulnerability was determined in huimeicloud hm_editor up to 2.2.3. Impacted is
|
| 35 |
CVE-2026-5536
A weakness has been identified in FedML-AI FedML up to 0.8.9. Affected is the fu
|
| 35 |
CVE-2026-34504
OpenClaw before 2026.3.28 contains a server-side request forgery vulnerability i
|
| 35 |
CVE-2026-34235
PJSIP is a free and open source multimedia communication library written in C. P
|
| 35 |
CVE-2026-33576
OpenClaw before 2026.3.28 downloads and stores inbound media from Zalo channels
|
| 35 |
CVE-2026-35383
Bentley Systems iTwin Platform exposed a Cesium ion access token in the source o
|
| 35 |
CVE-2026-5736
A vulnerability was identified in PowerJob 5.1.0/5.1.1/5.1.2. Impacted is an unk
|
| 35 |
CVE-2026-5648
A flaw has been found in code-projects Simple Laundry System 1.0. This vulnerabi
|
| 35 |
CVE-2026-5237
A security flaw has been discovered in itsourcecode Payroll Management System 1.
|
| 35 |
CVE-2026-5238
A weakness has been identified in itsourcecode Payroll Management System 1.0. Af
|
| 35 |
CVE-2026-5256
A flaw has been found in code-projects Simple Laundry System 1.0. This vulnerabi
|
| 35 |
CVE-2026-5257
A vulnerability has been found in code-projects Simple Laundry System 1.0. This
|
| 35 |
CVE-2026-5195
A flaw has been found in code-projects Student Membership System 1.0. This issue
|
| 35 |
CVE-2026-5150
A security vulnerability has been detected in code-projects Accounting System 1.
|
| 35 |
CVE-2026-5334
A weakness has been identified in itsourcecode Online Enrollment System 1.0. Imp
|
| 35 |
CVE-2026-5824
A security vulnerability has been detected in code-projects Simple Laundry Syste
|
| 35 |
CVE-2026-33088
Movable Type provided by Six Apart Ltd. contains an SQL Injection vulnerability
|
| 35 |
CVE-2026-27697
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS ha
|
| 35 |
CVE-2026-21630
Improperly built order clauses lead to a SQL injection vulnerability in the arti
|
| 35 |
CVE-2026-32662
Development and test API endpoints are present that mirror production functional
|
| 35 |
CVE-2026-5575
A vulnerability was detected in SourceCodester/jkev Record Management System 1.0
|
| 35 |
CVE-2025-71280
XenForo before 2.3.7 allows information disclosure via local account page cachin
|
| 35 |
CVE-2026-34400
Alerta is a monitoring tool. Prior to version 9.1.0, the Query string search API
|
| 35 |
CVE-2025-68152
Juju is an open source application orchestration engine that enables any applica
|
| 34 |
CVE-2026-39892
If a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g
|
| 34 |
CVE-2026-35647
OpenClaw before 2026.3.25 contains an access control vulnerability where verific
|
| 34 |
CVE-2026-5690
A flaw has been found in Totolink A7100RU 7.4cu.2313_b20191024. The impacted ele
|
| 34 |
CVE-2026-35627
OpenClaw before 2026.3.22 performs cryptographic and dispatch operations on inbo
|
| 34 |
CVE-2026-33773
An Incorrect Initialization of Resource vulnerability in the packet forwarding e
|
| 34 |
CVE-2026-6105
A security vulnerability has been detected in perfree go-fastdfs-web up to 1.3.7
|
| 34 |
CVE-2026-5691
A vulnerability has been found in Totolink A7100RU 7.4cu.2313_b20191024. This af
|
| 34 |
CVE-2026-5689
A vulnerability was detected in Totolink A7100RU 7.4cu.2313_b20191024. The affec
|
| 34 |
CVE-2026-5802
A vulnerability was identified in idachev mcp-javadc up to 1.2.4. Impacted is an
|
| 34 |
CVE-2026-35626
OpenClaw before 2026.3.22 contains an unauthenticated resource exhaustion vulner
|
| 34 |
CVE-2026-35661
OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Tele
|
| 34 |
CVE-2026-5974
A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.1. The affe
|
| 34 |
CVE-2026-5503
In TLSX_EchChangeSNI, the ctx->extensions branch set extensions unconditionally
|
| 34 |
CVE-2026-5663
A security flaw has been discovered in OFFIS DCMTK up to 3.7.0. This impacts the
|
| 34 |
CVE-2026-35633
OpenClaw before 2026.3.22 contains an unbounded memory allocation vulnerability
|
| 34 |
CVE-2026-34941
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0
|
| 34 |
CVE-2026-34479
The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape ch
|
| 34 |
CVE-2026-35667
OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-27486 where th
|
| 34 |
CVE-2026-5669
A vulnerability has been found in Cyber-III Student-Management-System up to 1a93
|
| 34 |
CVE-2026-35665
OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-32011 where th
|
| 34 |
CVE-2026-33774
An Improper Check for Unusual or Exceptional Conditions vulnerability in the pac
|
| 34 |
CVE-2026-34480
Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layou
|
| 34 |
CVE-2026-5672
A vulnerability has been found in code-projects Simple IT Discussion Forum 1.0.
|
| 34 |
CVE-2026-35652
OpenClaw before 2026.3.22 contains an authorization bypass vulnerability in inte
|
| 34 |
CVE-2026-40178
ajenti.plugin.core defines all necessary core elements to allow Ajenti to run pr
|
| 34 |
CVE-2026-35637
OpenClaw before 2026.3.22 performs cite expansion before completing channel and
|
| 34 |
CVE-2026-5813
A weakness has been identified in PHPGurukul Online Course Registration 3.1. Thi
|
| 34 |
CVE-2026-35655
OpenClaw before 2026.3.22 contains an identity spoofing vulnerability in ACP per
|
| 34 |
CVE-2026-34722
Zammad is a web based open source helpdesk/customer support system. Prior to 7.0
|
| 34 |
CVE-2026-35640
OpenClaw before 2026.3.25 parses JSON request bodies before validating webhook s
|
| 34 |
CVE-2026-35654
OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Micr
|
| 34 |
CVE-2026-35664
OpenClaw before 2026.3.25 contains an authentication bypass vulnerability in raw
|
| 34 |
CVE-2026-34478
Apache Log4j Core's Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/l
|
| 34 |
CVE-2025-59709
An issue was discovered in Biztalk360 through 11.5. because of mishandling of us
|
| 34 |
CVE-2026-31067
A remote command execution (RCE) vulnerability in the /goform/formReleaseConnect
|
| 34 |
CVE-2026-33691
The OWASP core rule set (CRS) is a set of generic attack detection rules for use
|
| 34 |
CVE-2026-34775
### Impact
The `nodeIntegrationInWorker` webPreference was not correctly scoped
|
| 34 |
CVE-2026-34080
xdg-dbus-proxy is a filtering proxy for D-Bus connections. Prior to 0.1.7, a pol
|
| 34 |
CVE-2026-4818
In Search Guard FLX versions from 3.0.0 up to 4.0.1, there exists an issue which
|
| 34 |
CVE-2026-4931
Smart contract Marginal v1 performs unsafe downcast, allowing attackers to settl
|
| 34 |
CVE-2026-35586
pyLoad is a free and open-source download manager written in Python. Prior to 0.
|
| 34 |
CVE-2026-33990
## Summary
Docker Model Runner contains an SSRF vulnerability in its OCI registr
|
| 34 |
CVE-2026-30603
An issue in the firmware update mechanism of Qianniao QN-L23PA0904 v20250721.164
|
| 34 |
CVE-2026-4482
The installer certificate files in the …/bootstrap/common/ssl folder do not seem
|
| 34 |
CVE-2026-33786
An Improper Check for Unusual or Exceptional Conditions vulnerability in the cha
|
| 34 |
CVE-2026-40191
ClearanceKit intercepts file-system access events on macOS and enforces per-proc
|
| 34 |
CVE-2026-30817
An external configuration control vulnerability in the OpenVPN module of TP-Link
|
| 34 |
CVE-2026-33787
An Improper Check for Unusual or Exceptional Conditions vulnerability in the cha
|
| 34 |
CVE-2026-39961
Aiven Operator allows you to provision and manage Aiven Services from your Kuber
|
| 34 |
CVE-2026-35577
Apollo MCP Server is a Model Context Protocol server that exposes GraphQL operat
|
| 34 |
CVE-2026-33776
A Missing Authorization vulnerability in the CLI of Juniper Networks Junos OS an
|
| 34 |
CVE-2026-30816
An external control of configuration vulnerability in the OpenVPN module of TP-L
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 730d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2298d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2111d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1725d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2228d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4975d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1196d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 998d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3753d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 900d |