Total CVEs
5767
last 30 days
Avg Priority
34.1
of max 220
KEV
6
actively exploited
POC
804
public exploits
Unpatched
1586
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-5281
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co
117
CVE-2026-33634
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publi
117
CVE-2026-33017
## Summary
The `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint allows building public flows
117
CVE-2026-3055
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP l
109
CVE-2026-3502
TrueConf Client downloads application update code and applies it without performing verification. An
Priority Distribution
| Priority | CVE |
|---|---|
| 46 |
CVE-2026-39987
## Summary
Marimo (19.6k stars) has a Pre-Auth RCE vulnerability. The terminal
|
| 46 |
CVE-2026-40177
ajenti.plugin.core defines all necessary core elements to allow Ajenti to run pr
|
| 46 |
CVE-2026-6159
A vulnerability has been found in code-projects Simple ChatBox up to 1.0. Affect
|
| 46 |
CVE-2026-5660
A vulnerability was determined in itsourcecode Construction Management System 1.
|
| 46 |
CVE-2026-4810
A Code Injection and Missing Authentication vulnerability in Google Agent Develo
|
| 46 |
CVE-2026-40189
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces
|
| 46 |
CVE-2026-40111
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, he memory hooks
|
| 46 |
CVE-2026-34424
Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla contains a multi-st
|
| 46 |
CVE-2026-35178
Workbench is a suite of tools for administrators and developers to interact with
|
| 46 |
CVE-2026-40154
PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI treats remo
|
| 46 |
CVE-2026-31845
A pre-authenticated reflected cross-site scripting (XSS) vulnerability exists in
|
| 46 |
CVE-2026-6150
A vulnerability has been found in code-projects Simple Laundry System 1.0. This
|
| 46 |
CVE-2025-62718
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.
|
| 46 |
CVE-2026-33784
A Use of Default Password vulnerability in the Juniper Networks
Support Insigh
|
| 46 |
CVE-2026-5803
A security flaw has been discovered in bigsk1 openai-realtime-ui up to 188ccde27
|
| 46 |
CVE-2026-5681
A flaw has been found in itsourcecode sanitize or validate this input 1.0. This
|
| 46 |
CVE-2026-5194
Missing hash/digest size and OID checks allow digests smaller than allowed when
|
| 46 |
CVE-2026-5811
A vulnerability was identified in SourceCodester Online Food Ordering System 1.0
|
| 46 |
CVE-2026-5671
A vulnerability was determined in Cyber-III Student-Management-System up to 1a93
|
| 46 |
CVE-2026-4415
Gigabyte Control Center developed by GIGABYTE has an Arbitrary File Write vulner
|
| 46 |
CVE-2026-30880
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS ha
|
| 46 |
CVE-2026-34202
---
# Remote Denial of Service via Crafted V5 Transactions
## Summary
A vulner
|
| 46 |
CVE-2026-35053
OneUptime is an open-source monitoring and observability platform. Prior to vers
|
| 46 |
CVE-2026-34759
OneUptime is an open-source monitoring and observability platform. Prior to vers
|
| 46 |
CVE-2026-28766
A specific endpoint exposes all user account information for registered Gardyn u
|
| 46 |
CVE-2026-32916
OpenClaw versions 2026.3.7 before 2026.3.11 contain an authorization bypass vuln
|
| 46 |
CVE-2026-35615
### Executive Summary:
The path validation has a critical logic bug: it checks f
|
| 46 |
CVE-2026-32865
OPEXUS eComplaint and eCASE before version 10.1.0.0 include the secret verificat
|
| 46 |
CVE-2026-39322
PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and ea
|
| 46 |
CVE-2026-34714
Vim before 9.2.0272 allows code execution that happens immediately upon opening
|
| 46 |
CVE-2026-33322
### Impact
_What kind of vulnerability is it? Who is impacted?_
A JWT algorithm
|
| 46 |
CVE-2026-32918
OpenClaw before 2026.3.11 contains a session sandbox escape vulnerability in the
|
| 46 |
CVE-2025-15620
HiOS Switch Platform contains a denial-of-service vulnerability in the web inter
|
| 46 |
CVE-2026-35556
OpenPLC_V3 is vulnerable to a Plaintext Storage of a Password vulnerability that
|
| 46 |
CVE-2026-28205
OpenPLC_V3 is vulnerable to an Initialization of a Resource with an Insecure Def
|
| 46 |
CVE-2026-5339
A vulnerability was detected in Tenda G103 1.0.0.5. The impacted element is the
|
| 46 |
CVE-2026-35573
ChurchCRM is an open-source church management system. Prior to 6.5.3, a path tra
|
| 46 |
CVE-2026-5041
A vulnerability was identified in code-projects Chamber of Commerce Membership M
|
| 46 |
CVE-2026-0545
In mlflow/mlflow, the FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not
|
| 46 |
CVE-2026-29103
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (C
|
| 46 |
CVE-2026-32238
OpenEMR is a free and open source electronic health records and medical practice
|
| 46 |
CVE-2026-21861
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS co
|
| 46 |
CVE-2026-30877
baserCMS is a website development framework. Prior to version 5.2.3, there is an
|
| 46 |
CVE-2026-4283
The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to unauthorized acc
|
| 46 |
CVE-2026-34177
Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLo
|
| 46 |
CVE-2026-39339
ChurchCRM is an open-source church management system. Prior to 7.1.0, a critica
|
| 46 |
CVE-2026-34745
Fireshare facilitates self-hosted media and link sharing. Prior to version 1.5.3
|
| 46 |
CVE-2026-34179
In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in
|
| 46 |
CVE-2026-25770
Wazuh is a free and open source platform used for threat prevention, detection,
|
| 46 |
CVE-2026-33024
AVideo is a video-sharing Platform. Versions prior to 8.0 contain a Server-Side
|
| 46 |
CVE-2026-5331
A vulnerability was determined in OpenCart 4.1.0.3. This affects an unknown part
|
| 46 |
CVE-2026-27876
A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to
|
| 46 |
CVE-2026-32852
MailEnable versions prior to 10.55 contain a reflected cross-site scripting vuln
|
| 46 |
CVE-2026-32850
MailEnable versions prior to 10.55 contain a reflected cross-site scripting vuln
|
| 46 |
CVE-2026-32851
MailEnable versions prior to 10.55 contain a reflected cross-site scripting vuln
|
| 46 |
CVE-2026-33615
An unauthenticated remote attacker can exploit an unauthenticated SQL Injection
|
| 46 |
CVE-2026-33351
### Summary
A Server-Side Request Forgery (SSRF) vulnerability exists in `plugi
|
| 46 |
CVE-2026-34456
Reviactyl is an open-source game server management panel built using Laravel, Re
|
| 46 |
CVE-2025-69808
An out-of-bounds memory access (OOB) in p2r3 Bareiron commit 8e4d40 allows unaut
|
| 46 |
CVE-2026-35561
Insufficient authentication security controls in the browser-based authenticatio
|
| 46 |
CVE-2026-33152
Tandoor Recipes is an application for managing recipes, planning meals, and buil
|
| 46 |
CVE-2026-23489
Fields is a GLPI plugin that allows users to add custom fields on GLPI items for
|
| 46 |
CVE-2026-32211
Missing authentication for critical function in Azure MCP Server allows an unaut
|
| 46 |
CVE-2025-71058
Dual DHCP DNS Server 8.01 improperly accepts and caches UDP DNS responses withou
|
| 46 |
CVE-2026-32817
Admidio is an open-source user management solution. In versions 5.0.0 through 5.
|
| 46 |
CVE-2026-39847
Emmett is a full-stack Python web framework designed with simplicity. From 2.5.0
|
| 46 |
CVE-2026-5848
A vulnerability was found in jeecgboot JimuReport up to 2.3.0. The affected elem
|
| 46 |
CVE-2026-33419
### Impact
_What kind of vulnerability is it? Who is impacted?_
MinIO AIStor's
|
| 46 |
CVE-2026-34566
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
|
| 46 |
CVE-2026-34564
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
|
| 46 |
CVE-2026-32633
## Summary
In Central Browser mode, the `/api/4/serverslist` endpoint returns r
|
| 46 |
CVE-2026-34558
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
|
| 46 |
CVE-2026-34563
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
|
| 46 |
CVE-2026-34565
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
|
| 46 |
CVE-2026-34567
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
|
| 46 |
CVE-2026-34568
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
|
| 46 |
CVE-2026-34557
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
|
| 46 |
CVE-2026-26026
GLPI is a free asset and IT management software package. From 11.0.0 to before 1
|
| 46 |
CVE-2026-34178
In Canonical LXD before 6.8, the backup import path validates project restrictio
|
| 46 |
CVE-2026-33340
LoLLMs WEBUI provides the Web user interface for Lord of Large Language and Mult
|
| 46 |
CVE-2026-34532
Parse Server is an open source backend that can be deployed to any infrastructur
|
| 46 |
CVE-2026-32573
Improper Control of Generation of Code ('Code Injection') vulnerability in Nelio
|
| 46 |
CVE-2026-25447
Improper Control of Generation of Code ('Code Injection') vulnerability in Jonat
|
| 46 |
CVE-2026-4753
Out-of-bounds Read vulnerability in slajerek RetroDebugger.This issue affects Re
|
| 46 |
CVE-2026-4750
Out-of-bounds Read vulnerability in fabiangreffrath woof.This issue affects woof
|
| 46 |
CVE-2026-25534
### Impact
Spinnaker updated URL Validation logic on user input to provide sanit
|
| 46 |
CVE-2026-32298
The Angeet ES3 KVM does not properly sanitize user-supplied variables parsed by
|
| 46 |
CVE-2026-33640
Outline is a service that allows for collaborative documentation. Outline implem
|
| 46 |
CVE-2026-34751
### Impact
A vulnerability in the password recovery flow could allow an unauthe
|
| 46 |
CVE-2026-27962
## Description
### Summary
A JWK Header Injection vulnerability in `authlib`'s
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 731d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2298d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2111d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1725d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2228d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4976d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1197d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 998d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3753d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 900d |