Total CVEs
5770
last 30 days
Avg Priority
34.0
of max 220
KEV
6
actively exploited
POC
804
public exploits
Unpatched
1585
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-5281
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co
117
CVE-2026-33634
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publi
117
CVE-2026-33017
## Summary
The `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint allows building public flows
117
CVE-2026-3055
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP l
109
CVE-2026-3502
TrueConf Client downloads application update code and applies it without performing verification. An
Priority Distribution
| Priority | CVE |
|---|---|
| 33 |
CVE-2026-39517
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 33 |
CVE-2026-39666
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 33 |
CVE-2026-39646
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 33 |
CVE-2026-32008
OpenClaw versions prior to 2026.2.21 contain an improper URL scheme validation v
|
| 33 |
CVE-2026-39575
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 33 |
CVE-2026-39674
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 33 |
CVE-2026-2720
The Hr Press Lite plugin for WordPress is vulnerable to unauthorized access of s
|
| 33 |
CVE-2026-39692
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 33 |
CVE-2026-33954
LinkAce is a self-hosted archive to collect website links. In versions prior to
|
| 33 |
CVE-2026-34395
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the pl
|
| 33 |
CVE-2026-32697
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (C
|
| 33 |
CVE-2026-33469
Frigate is a network video recorder (NVR) with realtime local object detection f
|
| 33 |
CVE-2026-33676
Vikunja is an open-source self-hosted task management platform. Prior to version
|
| 33 |
CVE-2026-33304
OpenEMR is a free and open source electronic health records and medical practice
|
| 33 |
CVE-2026-39368
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the Li
|
| 33 |
CVE-2026-30886
New API is a large language mode (LLM) gateway and artificial intelligence (AI)
|
| 33 |
CVE-2026-33470
Frigate is a network video recorder (NVR) with realtime local object detection f
|
| 33 |
CVE-2025-32223
Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor
|
| 33 |
CVE-2026-32758
## Description
The `resourcePatchHandler` in `http/resource.go` validates the d
|
| 33 |
CVE-2026-32761
### Summary
A permission enforcement flaw allows users without download privileg
|
| 33 |
CVE-2026-33495
## Description
Ory Oathkeeper is often deployed behind other components like CD
|
| 33 |
CVE-2026-3098
The Smart Slider 3 plugin for WordPress is vulnerable to Arbitrary File Read in
|
| 33 |
CVE-2026-33931
OpenEMR is a free and open source electronic health records and medical practice
|
| 33 |
CVE-2026-5905
Incorrect security UI in Permissions in Google Chrome on Windows prior to 147.0.
|
| 33 |
CVE-2026-5207
The LifterLMS plugin for WordPress is vulnerable to SQL Injection via the 'order
|
| 33 |
CVE-2026-2412
The Quiz and Survey Master (QSM) plugin for WordPress is vulnerable to SQL Injec
|
| 33 |
CVE-2026-34586
PdfDing is a selfhosted PDF manager, viewer and editor offering a seamless user
|
| 33 |
CVE-2026-2503
The ElementCamp plugin for WordPress is vulnerable to time-based SQL Injection v
|
| 33 |
CVE-2026-33907
## Summary
Ella Core panics when processing Authentication Response and Authent
|
| 33 |
CVE-2026-39374
Plane is an an open-source project management tool. Prior to 1.3.0, the IssueBul
|
| 33 |
CVE-2026-34737
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the St
|
| 33 |
CVE-2026-22901
A command injection vulnerability has been reported to affect QuNetSwitch. If a
|
| 33 |
CVE-2026-25937
GLPI is a free Asset and IT management software package. Starting in version 11.
|
| 33 |
CVE-2026-34036
# Authenticated Local File Inclusion (LFI) via selectobject.php leading to sensi
|
| 33 |
CVE-2026-32818
Admidio is an open-source user management solution. In versions 5.0.0 through 5.
|
| 33 |
CVE-2026-33730
Open Source Point of Sale (opensourcepos) is a web based point of sale applicati
|
| 33 |
CVE-2026-1865
The User Registration & Membership - Free & Paid Memberships, Subscriptions, Con
|
| 33 |
CVE-2026-25744
OpenEMR is a free and open source electronic health records and medical practice
|
| 33 |
CVE-2026-26939
Missing Authorization (CWE-862) in Kibana’s server-side Detection Rule Managemen
|
| 33 |
CVE-2026-25745
OpenEMR is a free and open source electronic health records and medical practice
|
| 33 |
CVE-2026-39354
Scoold is a Q&A and a knowledge sharing platform for teams. Prior to 1.66.2, an
|
| 33 |
CVE-2026-25834
Mbed TLS v3.3.0 up to 3.6.5 and 4.0.0 allows Algorithm Downgrade.
|
| 33 |
CVE-2026-29597
Incorrect access control in the file_details.asp endpoint of DDSN Interactive Ac
|
| 33 |
CVE-2025-14790
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 could allow an attac
|
| 33 |
CVE-2025-14915
IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphe
|
| 33 |
CVE-2026-32120
OpenEMR is a free and open source electronic health records and medical practice
|
| 33 |
CVE-2026-3214
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal
|
| 33 |
CVE-2026-20690
An out-of-bounds access issue was addressed with improved bounds checking. This
|
| 33 |
CVE-2026-28878
A privacy issue was addressed by removing sensitive data. This issue is fixed in
|
| 33 |
CVE-2026-34779
### Impact
On macOS, `app.moveToApplicationsFolder()` used an AppleScript fallba
|
| 33 |
CVE-2026-34788
Emlog is an open source website building system. In versions 2.6.2 and prior, a
|
| 33 |
CVE-2026-3531
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal
|
| 33 |
CVE-2026-20083
A vulnerability in the Secure Copy Protocol (SCP) server feature of Cisco IOS XE
|
| 33 |
CVE-2026-34740
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the EP
|
| 33 |
CVE-2026-20042
A vulnerability in the configuration backup feature of Cisco Nexus Dashboard cou
|
| 33 |
CVE-2026-3527
Missing Authentication for Critical Function vulnerability in Drupal AJAX Dashbo
|
| 33 |
CVE-2025-69988
BS Producten Petcam 33.1.0.0818 is vulnerable to Incorrect Access Control. An un
|
| 33 |
CVE-2026-3121
A flaw was found in Keycloak. An administrator with `manage-clients` permission
|
| 33 |
CVE-2026-5919
Insufficient validation of untrusted input in WebSockets in Google Chrome prior
|
| 33 |
CVE-2026-32842
Edimax GS-5008PL firmware version 1.00.54 and prior contain an insecure credenti
|
| 33 |
CVE-2026-1839
A vulnerability in the HuggingFace Transformers library, specifically in the `Tr
|
| 33 |
CVE-2026-28880
A permissions issue was addressed with additional restrictions. This issue is fi
|
| 33 |
CVE-2026-20657
The issue was addressed with improved memory handling. This issue is fixed in iO
|
| 33 |
CVE-2026-1014
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to exp
|
| 33 |
CVE-2026-25344
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulne
|
| 33 |
CVE-2026-25339
Insertion of Sensitive Information Into Sent Data vulnerability in Syed Balkhi C
|
| 33 |
CVE-2026-28844
A file access issue was addressed with improved input validation. This issue is
|
| 33 |
CVE-2026-30579
File Thingie 2.5.7 is vulnerable to Cross Site Scripting (XSS). A malicious user
|
| 33 |
CVE-2026-30578
File Thinghie 2.5.7 is vulnerable to Cross Site Scripting (XSS). A malicious use
|
| 33 |
CVE-2026-28857
The issue was addressed with improved memory handling. This issue is fixed in Sa
|
| 33 |
CVE-2026-23484
Blinko is an AI-powered card note-taking project. In versions from 1.8.3 and pri
|
| 33 |
CVE-2026-33283
## Summary
Ella Core panics when processing malformed UL NAS Transport NAS messa
|
| 33 |
CVE-2026-32588
Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows authenticate
|
| 33 |
CVE-2025-68971
In Forgejo through 13.0.3, the attachment component allows a denial of service b
|
| 33 |
CVE-2026-32533
Authorization Bypass Through User-Controlled Key vulnerability in LatePoint Late
|
| 33 |
CVE-2026-32541
Missing Authorization vulnerability in Premmerce Premmerce Redirect Manager prem
|
| 33 |
CVE-2026-32514
Missing Authorization vulnerability in Anton Voytenko Petitioner petitioner allo
|
| 33 |
CVE-2026-32489
Missing Authorization vulnerability in bPlugins B Blocks b-blocks allows Exploit
|
| 33 |
CVE-2026-32483
Missing Authorization vulnerability in codepeople Contact Form Email contact-for
|
| 33 |
CVE-2026-27046
Missing Authorization vulnerability in Kaira StoreCustomizer woocustomizer allow
|
| 33 |
CVE-2026-25469
Missing Authorization vulnerability in ViaBill for WooCommerce ViaBill – W
|
| 33 |
CVE-2026-25462
Missing Authorization vulnerability in avalex avalex avalex allows Exploiting In
|
| 33 |
CVE-2026-25455
Missing Authorization vulnerability in PickPlugins Product Slider for WooCommerc
|
| 33 |
CVE-2026-25454
Missing Authorization vulnerability in MVPThemes The League the-league allows Ex
|
| 33 |
CVE-2026-25437
Missing Authorization vulnerability in سید محمدامین هاشمی GZSEO gzseo allows Exp
|
| 33 |
CVE-2026-25430
Missing Authorization vulnerability in CRM Perks Integration for Mailchimp and C
|
| 33 |
CVE-2026-25398
Missing Authorization vulnerability in Webilia Inc. Vertex Addons for Elementor
|
| 33 |
CVE-2026-25390
Missing Authorization vulnerability in Saad Iqbal New User Approve new-user-appr
|
| 33 |
CVE-2026-25365
Missing Authorization vulnerability in Özgür KARALAR Kargo Takip kargo-takip-tur
|
| 33 |
CVE-2026-25327
Missing Authorization vulnerability in Rustaurius Five Star Restaurant Reservati
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 730d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2298d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2111d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1725d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2228d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4976d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1196d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 998d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3753d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 900d |