Total CVEs
6202
last 30 days
Avg Priority
31.3
of max 220
KEV
14
actively exploited
POC
495
public exploits
Unpatched
938
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
136
CVE-2026-0300
A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service o
133
CVE-2026-41940
cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, an
131
CVE-2026-6973
An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows
131
CVE-2026-42897
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Ex
127
CVE-2026-20182
May 2026: This security advisory provides the details and fix information for a vulnerability that w
126
CVE-2026-41091
Improper link resolution before file access ('link following') in Microsoft Defender allows an autho
120
CVE-2026-48172
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exp
118
CVE-2026-45321
## Summary
On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 4
117
CVE-2026-42208
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1
117
CVE-2026-8398
A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows v
Priority Distribution
| Priority | CVE |
|---|---|
| 136 |
CVE-2026-0300
A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Capti
|
| 133 |
CVE-2026-41940
cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0
|
| 131 |
CVE-2026-6973
An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1,
|
| 131 |
CVE-2026-42897
Improper neutralization of input during web page generation ('cross-site scripti
|
| 127 |
CVE-2026-20182
May 2026: This security advisory provides the details and fix information for a
|
| 126 |
CVE-2026-41091
Improper link resolution before file access ('link following') in Microsoft Defe
|
| 120 |
CVE-2026-48172
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possi
|
| 118 |
CVE-2026-45321
## Summary
On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicio
|
| 117 |
CVE-2026-42208
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) fo
|
| 117 |
CVE-2026-8398
A supply chain attack compromised the official installation packages of DAEMON T
|
| 116 |
CVE-2026-48027
Nx Console is the user interface for Nx & Lerna. On 19 May 2026, a malicious ver
|
| 108 |
CVE-2026-9082
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injecti
|
| 92 |
CVE-2026-45498
Microsoft Defender Denial of Service Vulnerability
|
| 89 |
CVE-2026-34926
A directory traversal vulnerability in the Apex One (on-premise) server could al
|
| 69 |
CVE-2026-24118
### Summary
VM2 suffers from a sandbox breakout vulnerability. This allows atta
|
| 69 |
CVE-2026-26956
vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerab
|
| 69 |
CVE-2026-24120
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix f
|
| 69 |
CVE-2026-31072
The JSONSerializer and CBORSerializer in APScheduler (all versions including 3.1
|
| 69 |
CVE-2026-45185
Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable u
|
| 68 |
CVE-2026-6722
Pre-NVD disclosure via GitHub release 'PHP 8.2.31' (php/php-src). The PHP develo
|
| 67 |
CVE-2026-41922
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command in
|
| 67 |
CVE-2026-43944
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ft
|
| 67 |
CVE-2026-41923
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command in
|
| 67 |
CVE-2025-71284
Synway SMG Gateway Management Software contains an OS command injection vulnerab
|
| 67 |
CVE-2026-41925
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command in
|
| 67 |
CVE-2026-41926
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command in
|
| 67 |
CVE-2026-41924
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command in
|
| 67 |
CVE-2026-44643
Angular Expressions provides expressions for the Angular.JS web framework as a s
|
| 67 |
CVE-2026-41948
Dify version 1.14.1 and prior contain a path traversal vulnerability that allows
|
| 67 |
CVE-2026-41947
Dify version 1.14.1 and prior contains an authorization bypass vulnerability tha
|
| 66 |
CVE-2026-24444
SDMC NE6037 cable modem routers running firmware 7.1.6.0.25 and 7.1.6.1.9_B9 con
|
| 66 |
CVE-2026-42945
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_mo
|
| 66 |
CVE-2026-31071
API endpoints in LalanaChami Pharmacy Management System (commit 5c3d028) lack au
|
| 66 |
CVE-2026-45091
sealed-env is a cross-stack, zero-trust secret management library for Node.js an
|
| 65 |
CVE-2026-7538
A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. This iss
|
| 65 |
CVE-2026-7823
A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. Aff
|
| 65 |
CVE-2026-7747
A security flaw has been discovered in Totolink N300RH 3.2.4-B20220812. Affected
|
| 65 |
CVE-2026-7719
A security flaw has been discovered in Totolink WA300 5.2cu.7112_B20190227. The
|
| 65 |
CVE-2026-7854
A security vulnerability has been detected in D-Link DI-8100 16.07.26A1. Affecte
|
| 65 |
CVE-2026-7853
A weakness has been identified in D-Link DI-8100 16.07.26A1. Affected is the fun
|
| 65 |
CVE-2026-43639
Bitwarden Server prior to v2026.4.0 contains a missing authorization vulnerabili
|
| 65 |
CVE-2026-5787
An Improper Certificate Validation in Ivanti EPMM before versions 12.6.1.1, 12.7
|
| 64 |
CVE-2026-7834
A security vulnerability has been detected in EFM ipTIME NAS1dual 1.5.24. This i
|
| 64 |
CVE-2026-5786
An Improper Access Control vulnerability in Ivanti EPMM before versions 12.6.1.1
|
| 64 |
CVE-2026-3220
The Autoptimize WordPress plugin before 3.1.15, Clearfy Cache WordPress plugin
|
| 64 |
CVE-2026-43284
In the Linux kernel, the following vulnerability has been resolved:
xfrm: esp:
|
| 64 |
CVE-2026-44499
ZEBRA is a Zcash node written entirely in Rust. Prior to version 4.4.0, a compos
|
| 64 |
CVE-2026-32834
Easy PayPal Events & Tickets plugin for WordPress version 1.3 and earlier contai
|
| 64 |
CVE-2026-29514
NetBox versions 4.3.5 through 4.5.4 contain a remote code execution vulnerabilit
|
| 64 |
CVE-2026-43634
HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that
|
| 64 |
CVE-2026-32847
DeepCode through commit c991dc2 contains a path traversal vulnerability in the S
|
| 64 |
CVE-2026-34965
Cockpit CMS contains an authenticated remote code execution vulnerability in the
|
| 63 |
CVE-2026-43640
Bitwarden Server prior to v2026.4.1 does not require master-password re-authenti
|
| 63 |
CVE-2026-6379
The WP Photo Album Plus WordPress plugin before 9.1.11.001 does not properly san
|
| 63 |
CVE-2026-4935
The OttoKit: All-in-One Automation Platform WordPress plugin before 1.1.23 does
|
| 63 |
CVE-2026-47114
IINA before 1.4.3 contains a user-assisted command execution vulnerability that
|
| 63 |
CVE-2026-7862
The Eupago Gateway For Woocommerce WordPress plugin before 4.7.2 does not proper
|
| 63 |
CVE-2026-42899
Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an
|
| 63 |
CVE-2026-43983
Pocket ID is an OIDC provider that allows users to authenticate with their passk
|
| 62 |
CVE-2026-35433
Improper input validation in .NET allows an unauthorized attacker to elevate pri
|
| 62 |
CVE-2026-32177
Heap-based buffer overflow in .NET allows an unauthorized attacker to elevate pr
|
| 62 |
CVE-2026-41927
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains a stack-based bu
|
| 62 |
CVE-2026-45369
python-utcp is the python implementation of UTCP. Prior to 1.1.3, the _substitut
|
| 61 |
CVE-2026-41471
Easy PayPal Events & Tickets plugin for WordPress versions 1.3 and earlier conta
|
| 61 |
CVE-2026-41949
Dify version 1.14.1 and prior contain an authorization bypass vulnerability in t
|
| 61 |
CVE-2026-41470
LIVE555 before 2026.04.22 contains an authorization bypass vulnerability in RTSP
|
| 61 |
CVE-2026-44331
In ProFTPD through 1.3.9a before 7666224, a SQL injection vulnerability in sqlta
|
| 59 |
CVE-2026-46300
A flaw was found in the Linux kernel's XFRM ESP-in-TCP subsystem. This vulnerabi
|
| 59 |
CVE-2026-44244
`GitConfigParser.set_value()` passes values to Python's `configparser` without v
|
| 59 |
CVE-2026-43500
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Also
|
| 59 |
CVE-2026-45370
python-utcp is the python implementation of UTCP. Prior to 1.1.3, _prepare_envir
|
| 59 |
CVE-2026-44738
Grav is a file-based Web platform. Prior to 2.0.0-rc.2, the Twig sandbox allow-l
|
| 58 |
CVE-2026-34473
Unauthenticated DoS in ZTE H8102E, H168N, H167A, H199A, H288A, H198A, H267A, H26
|
| 58 |
CVE-2026-37555
An issue was discovered in libsndfile 1.2.2 IMA ADPCM codec. The AIFF code path
|
| 58 |
CVE-2026-6321
fast-uri decoded percent-encoded path separators and dot segments before applyin
|
| 58 |
CVE-2026-6322
fast-uri normalize() decoded percent-encoded authority delimiters inside the hos
|
| 58 |
CVE-2026-7461
Improper neutralization of inputs used in an OS command in the FSx Windows File
|
| 58 |
CVE-2026-6381
The WP Maps WordPress plugin before 4.9.3 does not properly sanitize a paramete
|
| 58 |
CVE-2026-34474
Sensitive data exposure leading to admin/WLAN credential leak in ZTE ZXHN H298A
|
| 58 |
CVE-2026-42154
Prometheus is an open-source monitoring system and time series database. Prior t
|
| 58 |
CVE-2026-42151
Prometheus is an open-source monitoring system and time series database. Prior t
|
| 58 |
CVE-2025-15609
The Fortis for WooCommerce WordPress plugin before 1.3.1 may leak sensitive API
|
| 58 |
CVE-2026-10044
Usagi-org ai-goofish-monitor contains an unauthenticated arbitrary file read vul
|
| 57 |
CVE-2026-7750
A vulnerability was detected in Totolink N300RH 3.2.4-B20220812. This vulnerabil
|
| 57 |
CVE-2026-7749
A security vulnerability has been detected in Totolink N300RH 3.2.4-B20220812. T
|
| 57 |
CVE-2026-7748
A weakness has been identified in Totolink N300RH 3.2.4-B20220812. Affected by t
|
| 57 |
CVE-2026-8137
A vulnerability has been found in Totolink X5000R 9.1.0u.6369_B20230113. This vu
|
| 57 |
CVE-2026-7717
A vulnerability was determined in Totolink WA300 5.2cu.7112_B20190227. This issu
|
| 57 |
CVE-2026-8138
A vulnerability was found in Tenda CX12L 16.03.53.12. This issue affects the fun
|
| 57 |
CVE-2026-7470
A flaw has been found in Tenda 4G300 US_4G300V1.0Mt_V1.01.42_CN_TDC01. Affected
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 776d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2344d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2157d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1771d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2274d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 5021d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1242d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1044d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3798d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 946d |
1 / 69
Next