Total CVEs
2374
last 14 days
Avg Priority
26.2
of max 220
KEV
7
actively exploited
POC
137
public exploits
Unpatched
389
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
126
CVE-2026-41091
Improper link resolution before file access ('link following') in Microsoft Defender allows an autho
120
CVE-2026-48172
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exp
117
CVE-2026-8398
A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows v
116
CVE-2026-48027
Nx Console is the user interface for Nx & Lerna. On 19 May 2026, a malicious version of Nx Console,
108
CVE-2026-9082
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability i
92
CVE-2026-45498
Microsoft Defender Denial of Service Vulnerability
89
CVE-2026-34926
A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authentica
Priority Distribution
| Priority | CVE |
|---|---|
| 64 |
CVE-2026-32847
DeepCode through commit c991dc2 contains a path traversal vulnerability in the S
|
| 57 |
CVE-2026-9346
A flaw has been found in Edimax EW-7438RPn up to 1.31. This impacts the function
|
| 57 |
CVE-2026-9345
A vulnerability was detected in Edimax EW-7438RPn up to 1.31. This affects the f
|
| 57 |
CVE-2026-9360
A security flaw has been discovered in Edimax EW-7438RPn 1.28a. Affected by this
|
| 57 |
CVE-2026-9344
A security vulnerability has been detected in Edimax EW-7438RPn up to 1.31. The
|
| 57 |
CVE-2026-9348
A vulnerability was found in Edimax EW-7438RPn up to 1.31. Affected by this vuln
|
| 57 |
CVE-2026-8775
A flaw has been found in Edimax BR-6428NS 1.10. This affects the function formL2
|
| 57 |
CVE-2026-8776
A vulnerability has been found in Edimax BR-6428NS 1.10. This vulnerability affe
|
| 57 |
CVE-2026-9295
A security flaw has been discovered in Edimax BR-6428NS 1.10. This affects the f
|
| 57 |
CVE-2026-9294
A vulnerability was identified in Edimax BR-6428NS 1.10. The impacted element is
|
| 57 |
CVE-2026-8764
A security vulnerability has been detected in H3C Magic B3 up to 100R002. This a
|
| 56 |
CVE-2025-70103
Heap buffer overflow vulnerability in libjxl 0.12.0 via crafted PBM images to th
|
| 56 |
CVE-2026-31266
Craft CMS 5.9.5 and earlier contains a Missing Authorization vulnerability in th
|
| 54 |
CVE-2026-8603
In ScadaBR version 1.2.0, an OS Command Injection vulnerability could allow an a
|
| 54 |
CVE-2026-8602
In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnera
|
| 53 |
CVE-2026-8604
In ScadaBR version 1.2.0, a CSRF vulnerability could allow an attacker to trigge
|
| 45 |
CVE-2026-8135
Concrete CMS 9.5.0 and below is vulnerable to Remote Code Execution due to inse
|
| 44 |
CVE-2026-8832
The WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code
|
| 44 |
CVE-2026-27648
in OpenHarmony v6.0 and prior versions allow a remote attacker arbitrary code ex
|
| 44 |
CVE-2026-6228
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege
|
| 44 |
CVE-2026-7522
The Advanced Database Cleaner - Premium plugin for WordPress is vulnerable to Lo
|
| 44 |
CVE-2026-24217
NVIDIA BioNeMo Core for Linux contains a vulnerability where a user could cause
|
| 44 |
CVE-2026-46414
Microsoft UFO open-source framework for intelligent automation across devices an
|
| 44 |
CVE-2026-47161
RELATE is a web-based courseware package. Prior to commit d66ba5659b459bf1ba56b7
|
| 44 |
CVE-2026-8787
The Firebase Support & Chat Management plugin for WordPress is vulnerable to pri
|
| 44 |
CVE-2026-48920
Jenkins Email Extension Plugin 1933.v45cec755423f and earlier allows inlining im
|
| 44 |
CVE-2026-38807
Insecure Permissions vulnerability in kvf-admin v1.0.0 allows a remote attacker
|
| 44 |
CVE-2026-6456
The Account Switcher plugin for WordPress is vulnerable to Privilege Escalation
|
| 44 |
CVE-2026-8719
The AI Engine - The Chatbot, AI Framework & MCP for WordPress plugin for WordPre
|
| 44 |
CVE-2026-6895
The WishList Member plugin for WordPress is vulnerable to Missing Authorization
|
| 44 |
CVE-2026-6897
The Wishlist Member plugin for WordPress is vulnerable to unauthorized modificat
|
| 44 |
CVE-2026-44988
LibVNCClient is a library for easy implementation of a VNC client. In 0.9.15 and
|
| 44 |
CVE-2026-6419
The WishList Member plugin for WordPress is vulnerable to Privilege Escalation v
|
| 44 |
CVE-2026-6898
The Wishlist Member plugin for WordPress is vulnerable to unauthorized modificat
|
| 44 |
CVE-2026-7467
The Read More & Accordion plugin for WordPress is vulnerable to Privilege Escala
|
| 44 |
CVE-2026-5200
The AcyMailing - An Ultimate Newsletter Plugin and Marketing Automation Solution
|
| 44 |
CVE-2026-41075
RT is an open source, enterprise-grade issue and ticket tracking system. Version
|
| 44 |
CVE-2026-39461
libcasper(3) communicates with helper processes via UNIX domain sockets, and use
|
| 44 |
CVE-2026-31069
BillaBear (all versions prior to Jan 2026) contains a SQL Injection vulnerabilit
|
| 44 |
CVE-2026-44925
Cross-Site Request Forgery (CSRF) vulnerability in InfoScale v.9.1.3 Operations
|
| 44 |
CVE-2026-9018
The Easy Elements for Elementor - Addons & Website Templates plugin for WordPres
|
| 44 |
CVE-2026-36044
@pensar/apex <= 0.0.58 is vulnerable to OS command injection via the smart_enume
|
| 44 |
CVE-2026-5065
IBM Controller 11.0.1, 11.1.0, 11.1.1, and 11.1.2 contains hard-coded credential
|
| 44 |
CVE-2026-36828
A command injection vulnerability exists in the /cgi-bin/tools/ajax_cmd endpoint
|
| 44 |
CVE-2026-7802
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to authoriza
|
| 44 |
CVE-2026-44926
InfoScale CmdServer before 7.4.2 mishandles access control.
|
| 44 |
CVE-2026-45230
DumbAssets through 1.0.11 contains a path traversal vulnerability in the POST /a
|
| 44 |
CVE-2026-9089
The ConnectWise Automate™ Agent does not fully verify the authenticity of compon
|
| 44 |
CVE-2026-41085
Thermo Fisher Scientific Torrent Suite Dx through 5.14.2 has a privilege escalat
|
| 44 |
CVE-2026-45578
## Summary
**Type:** Classic shell-metacharacter injection. The YPTSocket notif
|
| 44 |
CVE-2026-46826
Vulnerability in the Oracle Payroll product of Oracle E-Business Suite (componen
|
| 44 |
CVE-2026-8992
An improper certificate validation vulnerability in Ivanti Secure Access Client
|
| 44 |
CVE-2026-6226
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthent
|
| 44 |
CVE-2026-46837
Vulnerability in the Oracle Flow Manufacturing product of Oracle E-Business Suit
|
| 44 |
CVE-2026-7498
Improper neutralization of input during web page generation ('cross-site scripti
|
| 44 |
CVE-2026-9009
The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnera
|
| 44 |
CVE-2026-8179
IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 Fix Pack 1 and IBM A
|
| 44 |
CVE-2026-4944
vllm-project/vllm version 0.14.1 contains a vulnerability where the `trust_remot
|
| 44 |
CVE-2025-57282
ngrok v4.3.3 and 5.0.0-beta.2 is vulnerable to Command Injection.
|
| 44 |
CVE-2026-46827
Vulnerability in the Oracle Payroll product of Oracle E-Business Suite (componen
|
| 44 |
CVE-2026-9227
The GutenBee - Gutenberg Blocks plugin for WordPress is vulnerable to Arbitrary
|
| 44 |
CVE-2026-8915
Out-of-bounds write vulnerability in Samsung Open Source Escargot allows Overflo
|
| 44 |
CVE-2026-8696
radare2 6.1.5 contains a use-after-free vulnerability in the gdbr_pids_list() fu
|
| 44 |
CVE-2026-48544
Taipy 4.1.1, fixed in commit 129fd40, contains a path traversal vulnerability in
|
| 44 |
CVE-2026-40812
An unauthenticated remote attacker can exploit an unauthenticated SQL Injection
|
| 44 |
CVE-2026-40850
An unauthenticated remote attacker can exploit an unauthenticated SQL Injection
|
| 44 |
CVE-2026-40819
An unauthenticated remote attacker can exploit an unauthenticated SQL Injection
|
| 44 |
CVE-2026-40811
An unauthenticated remote attacker can exploit an unauthenticated SQL Injection
|
| 44 |
CVE-2026-40814
An unauthenticated remote attacker can exploit an unauthenticated SQL Injection
|
| 44 |
CVE-2026-40810
An unauthenticated remote attacker can exploit an unauthenticated SQL Injection
|
| 44 |
CVE-2026-40815
An unauthenticated remote attacker can exploit an unauthenticated SQL Injection
|
| 44 |
CVE-2026-9003
E-LAN Hybrid Recording System developed by TONNET has a SQL Injection vulnerabil
|
| 44 |
CVE-2026-40813
An unauthenticated remote attacker can exploit an unauthenticated SQL Injection
|
| 44 |
CVE-2026-40817
An unauthenticated remote attacker can exploit an unauthenticated SQL Injection
|
| 44 |
CVE-2026-40818
An unauthenticated remote attacker can exploit an unauthenticated SQL Injection
|
| 44 |
CVE-2026-40816
An unauthenticated remote attacker can exploit an unauthenticated SQL Injection
|
| 44 |
CVE-2026-47356
Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF)
|
| 44 |
CVE-2026-40165
authentik is an open-source identity provider. Versions 2025.12.4 and prior, and
|
| 44 |
CVE-2026-42096
Sparx Pro Cloud Server is vulnerable to Broken Access Control within communicati
|
| 44 |
CVE-2026-42098
Sparx Enterprise Architect software has a security feature that limits user's ac
|
| 44 |
CVE-2026-6346
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail
|
| 44 |
CVE-2026-6009
Java Deserialisation Vulnerability in Jaspersoft Reports Library leads to Remote
|
| 43 |
CVE-2026-42737
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') v
|
| 43 |
CVE-2026-45298
## Summary
In a default dozzle deploy (the documented quickstart, no `DOZZLE_AU
|
| 43 |
CVE-2026-9038
A stack-based buffer overflow vulnerability in the charging controller’s signal-
|
| 43 |
CVE-2026-32997
A vulnerability allowing an authenticated user with the Backup Administrator rol
|
| 43 |
CVE-2026-8652
An OS Command Injection vulnerability exists in Aterm. If a malicious third pers
|
| 43 |
CVE-2026-3515
A vulnerability in the `GitHubRepository` block of the `prefect-github` integrat
|
| 43 |
CVE-2025-54517
Out of bounds write in AMD AMDGV_CMD_GET_DIAG_DATA ioctl handler could allow a l
|
| 43 |
CVE-2026-42730
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injecti
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 776d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2344d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2157d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1771d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2274d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 5021d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1242d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1044d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3798d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 946d |
1 / 4
Next