Total CVEs
5770
last 30 days
Avg Priority
34.0
of max 220
KEV
6
actively exploited
POC
804
public exploits
Unpatched
1585
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-5281
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co
117
CVE-2026-33634
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publi
117
CVE-2026-33017
## Summary
The `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint allows building public flows
117
CVE-2026-3055
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP l
109
CVE-2026-3502
TrueConf Client downloads application update code and applies it without performing verification. An
Priority Distribution
| Priority | CVE |
|---|---|
| 41 |
CVE-2026-32877
Botan is a C++ cryptography library. From version 2.3.0 to before version 3.11.0
|
| 41 |
CVE-2026-33508
### Impact
Parse Server's LiveQuery component does not enforce the `requestComp
|
| 41 |
CVE-2026-34784
Parse Server is an open source backend that can be deployed to any infrastructur
|
| 41 |
CVE-2026-4828
Improper authentication in the OAuth login functionality in Devolutions Server 2
|
| 41 |
CVE-2026-5477
An integer overflow existed in the wolfCrypt CMAC implementation, that could be
|
| 41 |
CVE-2026-4924
Improper
authentication in the two-factor authentication (2FA) feature in
Devo
|
| 41 |
CVE-2026-34593
## Summary
`Ash.Type.Module.cast_input/2` unconditionally creates a new Erlang
|
| 41 |
CVE-2026-22733
Spring Boot applications with Actuator can be vulnerable to an "Authentication B
|
| 41 |
CVE-2026-22731
Spring Boot applications with Actuator can be vulnerable to an "Authentication B
|
| 41 |
CVE-2026-32030
OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in t
|
| 41 |
CVE-2026-39364
### Summary
The contents of files that are specified by [`server.fs.deny`](http
|
| 41 |
CVE-2026-32829
lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In vers
|
| 41 |
CVE-2026-2072
Cross-Site Scripting vulnerability in Hitachi Infrastructure Analytics Advisor (
|
| 41 |
CVE-2026-35457
### Summary
The rendezvous server stores pagination cookies without bounds. An u
|
| 41 |
CVE-2026-32278
# Security Advisory - Form Plugin (Stored XSS)
## Summary
A Stored Cross-site
|
| 41 |
CVE-2026-2992
The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is
|
| 41 |
CVE-2026-33009
EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a dat
|
| 41 |
CVE-2026-31788
In the Linux kernel, the following vulnerability has been resolved:
xen/privcmd
|
| 41 |
CVE-2026-34375
WWBN AVideo is an open source video platform. In versions up to and including 26
|
| 41 |
CVE-2026-32763
### Summary
Kysely through 0.28.11 has a SQL injection vulnerability in JSON pa
|
| 41 |
CVE-2026-4984
The Twilio integration webhook handler accepts any POST request without validati
|
| 41 |
CVE-2026-22171
OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in t
|
| 41 |
CVE-2026-32811
### Summary
When using heimdall in envoy gRPC decision API mode, wrong encoding
|
| 41 |
CVE-2026-33072
FileRise is a self-hosted web file manager / WebDAV server. In versions prior to
|
| 41 |
CVE-2026-33163
### Impact
When a `Parse.Cloud.afterLiveQueryEvent` trigger is registered for a
|
| 41 |
CVE-2026-34725
### Summary
A stored XSS vulnerability exists in DbGate because attacker-control
|
| 41 |
CVE-2026-33206
calibre is a cross-platform e-book manager for viewing, converting, editing, and
|
| 41 |
CVE-2026-33941
## Summary
The Handlebars CLI precompiler (`bin/handlebars` / `lib/precompiler.
|
| 41 |
CVE-2026-31921
Missing Authorization vulnerability in Devteam HaywoodTech Product Rearrange for
|
| 41 |
CVE-2026-33748
### Impact
Insufficient validation of Git URL fragment subdir components (`<url>
|
| 41 |
CVE-2026-1116
A Cross-site Scripting (XSS) vulnerability was identified in the `from_dict` met
|
| 41 |
CVE-2026-34236
Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From versio
|
| 41 |
CVE-2026-24063
When a plugin is installed using the Arturia Software Center (MacOS), it also in
|
| 41 |
CVE-2026-33979
## Description
A vulnerability has been identified in express-xss-sanitizer (<=
|
| 41 |
CVE-2026-4740
A flaw was found in Open Cluster Management (OCM), the technology underlying Red
|
| 41 |
CVE-2026-33243
barebox is a bootloader. In barebox from version 2016.03.0 to before version 202
|
| 41 |
CVE-2026-40163
Saltcorn is an extensible, open source, no-code database application builder. Pr
|
| 41 |
CVE-2026-40073
SvelteKit is a framework for rapidly developing robust, performant web applicati
|
| 41 |
CVE-2026-40168
Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/s
|
| 41 |
CVE-2026-34578
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.6, OPNs
|
| 41 |
CVE-2026-34982
Vim is an open source, command line text editor. Prior to version 9.2.0276, a mo
|
| 41 |
CVE-2026-39429
### Summary
The cache server is directly exposed by the root shard and has no a
|
| 41 |
CVE-2026-33037
WWBN AVideo is an open source video platform. In versions 25.0 and below, the of
|
| 41 |
CVE-2026-2603
A flaw was found in Keycloak. A remote attacker could bypass security controls b
|
| 41 |
CVE-2026-34783
## Summary
A path traversal vulnerability in Ferret's `IO::FS::WRITE` standard
|
| 41 |
CVE-2026-33482
## Summary
The `sanitizeFFmpegCommand()` function in `plugin/API/standAlone/fun
|
| 41 |
CVE-2026-33496
## Description
Ory Oathkeeper is vulnerable to authentication bypass due to cac
|
| 41 |
CVE-2026-33949
### Summary
A Path Traversal vulnerability in `@tinacms/graphql` allows unauthen
|
| 41 |
CVE-2026-4021
The Contest Gallery plugin for WordPress is vulnerable to an authentication bypa
|
| 41 |
CVE-2026-32531
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 41 |
CVE-2026-22324
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 41 |
CVE-2026-27093
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 41 |
CVE-2026-33038
## Summary
The `install/checkConfiguration.php` endpoint performs full applicati
|
| 41 |
CVE-2026-4272
Missing Authentication for Critical Function vulnerability in Honeywell Handheld
|
| 41 |
CVE-2026-4350
The Perfmatters plugin for WordPress is vulnerable to arbitrary file deletion vi
|
| 41 |
CVE-2026-32841
Edimax GS-5008PL firmware version 1.00.54 and prior contain an authentication by
|
| 41 |
CVE-2026-4101
IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify
|
| 41 |
CVE-2026-34528
## Summary
The `signupHandler` in File Browser applies default user permissions
|
| 41 |
CVE-2026-32808
pyLoad is a free and open-source download manager written in Python. Versions be
|
| 41 |
CVE-2026-25471
Authentication Bypass Using an Alternate Path or Channel vulnerability in Themep
|
| 41 |
CVE-2026-4347
The MW WP Form plugin for WordPress is vulnerable to arbitrary file moving due t
|
| 41 |
CVE-2026-33938
## Summary
The `@partial-block` special variable is stored in the template data
|
| 41 |
CVE-2026-4800
Impact:
The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h
|
| 41 |
CVE-2026-35607
File Browser is a file managing interface for uploading, deleting, previewing, r
|
| 41 |
CVE-2026-27625
Stirling-PDF is a locally hosted web application that performs various operation
|
| 41 |
CVE-2026-30975
Sonarr is a PVR for Usenet and BitTorrent users. Versions prior to 4.0.16.2942 h
|
| 41 |
CVE-2026-34522
### Summary
A path traversal vulnerability in `/api/chats/import` allows an auth
|
| 41 |
CVE-2026-4351
The Perfmatters plugin for WordPress is vulnerable to arbitrary file overwrite v
|
| 41 |
CVE-2026-32730
# MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware
## Sum
|
| 41 |
CVE-2026-32504
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 41 |
CVE-2026-27048
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 41 |
CVE-2026-22513
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 41 |
CVE-2026-27081
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 41 |
CVE-2026-27079
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 41 |
CVE-2026-27078
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 41 |
CVE-2026-27077
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 41 |
CVE-2026-27076
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 41 |
CVE-2026-27047
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 41 |
CVE-2026-25464
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 41 |
CVE-2026-25458
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 41 |
CVE-2026-25457
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 41 |
CVE-2026-32503
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 41 |
CVE-2026-25381
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 41 |
CVE-2026-25380
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 41 |
CVE-2026-25379
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 41 |
CVE-2026-22496
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 41 |
CVE-2026-32727
SciTokens is a reference library for generating and using SciTokens. Prior to ve
|
| 41 |
CVE-2026-32500
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 41 |
CVE-2026-25017
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 41 |
CVE-2026-22494
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 730d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2298d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2111d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1725d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2228d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4976d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1196d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 998d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3753d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 900d |