Total CVEs
5773
last 30 days
Avg Priority
34.0
of max 220
KEV
6
actively exploited
POC
805
public exploits
Unpatched
1587
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-5281
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co
117
CVE-2026-33634
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publi
117
CVE-2026-33017
## Summary
The `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint allows building public flows
117
CVE-2026-3055
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP l
109
CVE-2026-3502
TrueConf Client downloads application update code and applies it without performing verification. An
Priority Distribution
| Priority | CVE |
|---|---|
| 46 |
CVE-2026-27962
## Description
### Summary
A JWK Header Injection vulnerability in `authlib`'s
|
| 46 |
CVE-2026-27067
Unrestricted Upload of File with Dangerous Type vulnerability in Syarif Mobile A
|
| 46 |
CVE-2026-33286
### Summary
An arbitrary method execution vulnerability has been found which af
|
| 46 |
CVE-2026-5203
A vulnerability was found in CMS Made Simple up to 2.2.22. This impacts the func
|
| 46 |
CVE-2025-60948
Census CSWeb 8.0.1 allows stored cross-site scripting in user supplied fields. A
|
| 46 |
CVE-2026-34952
### Summary
The PraisonAI Gateway server accepts WebSocket connections at `/ws`
|
| 46 |
CVE-2026-29145
CLIENT_CERT authentication does not fail as expected for some scenarios when sof
|
| 46 |
CVE-2026-5417
A vulnerability was determined in Dataease SQLbot up to 1.6.0. This issue affect
|
| 46 |
CVE-2026-34374
WWBN AVideo is an open source video platform. In versions up to and including 26
|
| 46 |
CVE-2026-4875
A vulnerability was determined in itsourcecode Free Hotel Reservation System 1.0
|
| 46 |
CVE-2026-5370
A vulnerability was identified in krayin laravel-crm up to 2.2. Impacted is the
|
| 46 |
CVE-2026-5627
A path traversal vulnerability exists in mintplex-labs/anything-llm versions up
|
| 46 |
CVE-2026-4835
A security vulnerability has been detected in code-projects Accounting System 1.
|
| 46 |
CVE-2026-22732
When applications specify HTTP response headers for servlet applications using S
|
| 46 |
CVE-2026-5325
A vulnerability was determined in SourceCodester Simple Customer Relationship Ma
|
| 46 |
CVE-2026-4969
A vulnerability was identified in code-projects Social Networking Site 1.0. The
|
| 46 |
CVE-2026-4599
Versions of the package jsrsasign from 7.0.0 and before 11.1.1 are vulnerable to
|
| 46 |
CVE-2025-15031
A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file
|
| 46 |
CVE-2026-34953
### Summary
`OAuthManager.validate_token()` returns `True` for any token not fo
|
| 46 |
CVE-2026-35560
Improper certificate validation in the identity provider connection components i
|
| 46 |
CVE-2026-5249
A vulnerability was found in gougucms 4.08.18. This impacts an unknown function
|
| 46 |
CVE-2026-5332
A vulnerability was identified in Xiaopi Panel 1.0.0. This vulnerability affects
|
| 46 |
CVE-2026-4995
A vulnerability was determined in wandb OpenUI up to 1.0. Affected by this vulne
|
| 46 |
CVE-2026-4596
A vulnerability was identified in projectworlds Lawyer Management System 1.0. Th
|
| 46 |
CVE-2026-4626
A vulnerability has been found in projectworlds Lawyer Management System 1.0. Th
|
| 46 |
CVE-2026-5253
A weakness has been identified in bufanyun HotGo 1.0/2.0. Affected by this vulne
|
| 46 |
CVE-2026-34758
OneUptime is an open-source monitoring and observability platform. Prior to vers
|
| 46 |
CVE-2026-32698
OpenProject is an open-source, web-based project management software. Versions p
|
| 46 |
CVE-2026-5838
A vulnerability was determined in PHPGurukul News Portal Project 4.1. This vulne
|
| 46 |
CVE-2026-5839
A vulnerability was identified in PHPGurukul News Portal Project 4.1. This issue
|
| 46 |
CVE-2026-5840
A security flaw has been discovered in PHPGurukul News Portal Project 4.1. Impac
|
| 46 |
CVE-2026-33297
### Summary
The `setPassword.json.php` endpoint in the CustomizeUser plugin all
|
| 46 |
CVE-2026-34560
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
|
| 46 |
CVE-2025-15618
Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses a
|
| 46 |
CVE-2026-35039
## Impact
Setting up a custom cacheKeyBuilder method which does not properly cr
|
| 46 |
CVE-2026-34872
An issue was discovered in Mbed TLS 3.5.x and 3.6.x through 3.6.5 and TF-PSA-Cry
|
| 46 |
CVE-2026-30701
The web interface of the WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02)
|
| 46 |
CVE-2026-28386
Issue summary: Applications using AES-CFB128 encryption or decryption on
systems
|
| 46 |
CVE-2025-58349
An issue was discovered in L2 in Samsung Mobile Processor, Wearable Processor, a
|
| 46 |
CVE-2026-30458
An issue in Daylight Studio FuelCMS v1.5.2 allows attackers to exfiltrate users'
|
| 46 |
CVE-2026-31017
A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format fu
|
| 46 |
CVE-2025-69515
An issue in JXL 9 Inch Car Android Double Din Player Android v12.0 allows attack
|
| 46 |
CVE-2026-33202
### Impact
Active Storage's `DiskService#delete_prefixed` passes blob keys direc
|
| 46 |
CVE-2026-32524
Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow Phot
|
| 46 |
CVE-2026-34873
An issue was discovered in Mbed TLS 3.5.0 through 4.0.0. Client impersonation ca
|
| 46 |
CVE-2026-27071
Missing Authorization vulnerability in Arraytics WPCafe wp-cafe allows Exploitin
|
| 46 |
CVE-2026-4715
Uninitialized memory in the Graphics: Canvas2D component. This vulnerability aff
|
| 46 |
CVE-2026-4716
Incorrect boundary conditions, uninitialized memory in the JavaScript Engine com
|
| 46 |
CVE-2026-34559
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
|
| 46 |
CVE-2025-15484
The Order Notification for WooCommerce WordPress plugin before 3.6.3 overrides
|
| 46 |
CVE-2026-4994
A vulnerability was found in wandb OpenUI up to 1.0/3.5-turb. Affected is the fu
|
| 46 |
CVE-2025-57735
When user logged out, the JWT token the user had authtenticated with was not inv
|
| 46 |
CVE-2026-33867
### Summary
AVideo allows content owners to password-protect individual videos.
|
| 46 |
CVE-2026-35580
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, GitHub Act
|
| 46 |
CVE-2026-33186
### Impact
_What kind of vulnerability is it? Who is impacted?_
It is an **Auth
|
| 46 |
CVE-2026-5576
A flaw has been found in SourceCodester/jkev Record Management System 1.0. Affec
|
| 46 |
CVE-2026-5568
A vulnerability has been found in Akaunting up to 3.1.21. This issue affects som
|
| 46 |
CVE-2026-5252
A security flaw has been discovered in z-9527 admin 1.0/2.0. Affected is an unkn
|
| 46 |
CVE-2026-5254
A security vulnerability has been detected in welovemedia FFmate up to 2.0.15. A
|
| 46 |
CVE-2026-4177
YAML::Syck versions through 1.36 for Perl has several potential security vulnera
|
| 46 |
CVE-2026-4724
Undefined behavior in the Audio/Video component. This vulnerability affects Fire
|
| 46 |
CVE-2026-5810
A flaw has been found in SourceCodester Sales and Inventory System 1.0. Affected
|
| 46 |
CVE-2026-39980
OpenCTI is an open source platform for managing cyber threat intelligence knowle
|
| 46 |
CVE-2026-35174
Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, a path tra
|
| 46 |
CVE-2026-5806
A security vulnerability has been detected in code-projects Easy Blog Site 1.0.
|
| 46 |
CVE-2026-34950
### Summary
The fix for GHSA-c2ff-88x2-x9pg (CVE-2023-48223) is incomplete. The
|
| 46 |
CVE-2026-33771
A Weak Password Requirements vulnerability in the password management function o
|
| 46 |
CVE-2026-5683
A vulnerability was found in Tenda CX12L 16.03.53.12. Affected by this vulnerabi
|
| 46 |
CVE-2026-6162
A vulnerability has been found in PHPGurukul Company Visitor Management System 2
|
| 46 |
CVE-2026-40258
## Summary
A path traversal vulnerability (Zip Slip) exists in the media archiv
|
| 46 |
CVE-2026-5679
A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_B2022
|
| 46 |
CVE-2026-32892
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Ch
|
| 46 |
CVE-2026-6106
A vulnerability was detected in 1Panel-dev MaxKB up to 2.2.1. This vulnerability
|
| 46 |
CVE-2025-15632
A vulnerability has been found in 1Panel-dev MaxKB up to 2.4.2. Impacted is an u
|
| 46 |
CVE-2026-35050
text-generation-webui is an open-source web interface for running Large Language
|
| 45 |
CVE-2026-33066
# Stored XSS to RCE via Unsanitized Bazaar README Rendering
## Summary
SiYuan'
|
| 45 |
CVE-2026-33067
# Stored XSS to RCE via Unsanitized Bazaar Package Metadata
## Summary
SiYuan'
|
| 45 |
CVE-2026-32751
# Remote Code Execution via Stored XSS in Notebook Name - Mobile Interface
## S
|
| 45 |
CVE-2026-35216
Budibase is an open-source low-code platform. Prior to version 3.33.4, an unauth
|
| 45 |
CVE-2026-32748
Squid is a caching proxy for the Web. Prior to version 7.5, due to premature rel
|
| 45 |
CVE-2025-32991
In N2WS Backup & Recovery before 4.4.0, a two-step attack against the RESTful AP
|
| 45 |
CVE-2026-39846
SiYuan is a personal knowledge management system. Prior to 3.6.4, a malicious no
|
| 45 |
CVE-2026-33765
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level
|
| 45 |
CVE-2026-34448
SiYuan is a personal knowledge management system. Prior to version 3.6.2, an att
|
| 45 |
CVE-2026-3564
A condition in ScreenConnect may allow an actor with access to server-level cryp
|
| 45 |
CVE-2026-27540
Unrestricted Upload of File with Dangerous Type vulnerability in Rymera Web Co P
|
| 45 |
CVE-2026-30924
### Summary
The application implements an HTML5 cross-origin resource sharing (C
|
| 45 |
CVE-2026-32703
OpenProject is an open-source, web-based project management software. In version
|
| 45 |
CVE-2026-0898
An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pe
|
| 45 |
CVE-2026-28798
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 syst
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 731d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2298d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2111d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1725d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2228d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4976d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1197d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 998d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3753d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 900d |