Total CVEs
5775
last 30 days
Avg Priority
34.0
of max 220
KEV
6
actively exploited
POC
807
public exploits
Unpatched
1588
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-5281
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co
117
CVE-2026-33634
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publi
117
CVE-2026-33017
## Summary
The `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint allows building public flows
117
CVE-2026-3055
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP l
109
CVE-2026-3502
TrueConf Client downloads application update code and applies it without performing verification. An
Priority Distribution
| Priority | CVE |
|---|---|
| 32 |
CVE-2026-2988
The Blubrry PowerPress plugin for WordPress is vulnerable to Stored Cross-Site S
|
| 32 |
CVE-2026-0552
The Simple Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site
|
| 32 |
CVE-2025-13368
The Xpro Addons - 140+ Widgets for Elementor plugin for WordPress is vulnerable
|
| 32 |
CVE-2026-0738
The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerabl
|
| 32 |
CVE-2026-2509
The Page Builder: Pagelayer plugin for WordPress is vulnerable to Stored Cross-S
|
| 32 |
CVE-2025-57175
Siklu EtherHaul 8010 siklu-uimage-nxp-enc-10_6_2-18707-ea552dc00b devices have a
|
| 32 |
CVE-2026-5711
The Post Blocks & Tools plugin for WordPress is vulnerable to Stored Cross-Site
|
| 32 |
CVE-2026-40225
In udev in systemd before 260, local root execution can occur via malicious hard
|
| 32 |
CVE-2026-3005
The List category posts plugin for WordPress is vulnerable to Stored Cross-Site
|
| 32 |
CVE-2026-32911
OpenClaw versions 2026.2.22 prior to 2026.2.24 contain an authorization bypass v
|
| 32 |
CVE-2026-32900
OpenClaw before 2026.2.22 contains an authorization bypass vulnerability in allo
|
| 32 |
CVE-2026-5451
The Extensions for Leaflet Map plugin for WordPress is vulnerable to Stored Cros
|
| 32 |
CVE-2025-58713
A container privilege escalation flaw was found in certain Red Hat Process Autom
|
| 32 |
CVE-2026-33320
### Summary
`dasel`'s YAML reader allows an attacker who can supply YAML for pr
|
| 32 |
CVE-2025-57853
A container privilege escalation flaw was found in certain Web Terminal images.
|
| 32 |
CVE-2026-40226
In nspawn in systemd 233 through 259 before 260, an escape-to-host action can oc
|
| 32 |
CVE-2025-57854
A container privilege escalation flaw was found in certain OpenShift Update Serv
|
| 32 |
CVE-2025-57851
A container privilege escalation flaw was found in certain Multicluster Engine f
|
| 32 |
CVE-2025-57847
A container privilege escalation flaw was found in certain Ansible Automation Pl
|
| 32 |
CVE-2026-4195
A flaw has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L,
|
| 32 |
CVE-2026-4196
A vulnerability has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, D
|
| 32 |
CVE-2026-4197
A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-32
|
| 32 |
CVE-2026-32854
LibVNCServer versions 0.9.15 and prior (fixed in commit dc78dee) contain null po
|
| 32 |
CVE-2026-34525
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python.
|
| 32 |
CVE-2026-33751
n8n is an open source workflow automation platform. Prior to versions 1.123.27,
|
| 32 |
CVE-2026-25118
immich is a high performance self-hosted photo and video management solution. Pr
|
| 32 |
CVE-2026-31999
OpenClaw versions 2026.2.26 prior to 2026.3.1 on Windows contain a current worki
|
| 32 |
CVE-2026-39859
`liquidjs` 10.25.0 documents `root` as constraining filenames passed to `renderF
|
| 32 |
CVE-2026-35605
File Browser is a file managing interface for uploading, deleting, previewing, r
|
| 32 |
CVE-2026-33580
OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the
|
| 32 |
CVE-2026-28810
Generation of Predictable Numbers or Identifiers vulnerability in Erlang/OTP ker
|
| 32 |
CVE-2026-28809
XML External Entity (XXE) vulnerability in esaml (and its forks) allows an attac
|
| 32 |
CVE-2026-39841
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vu
|
| 32 |
CVE-2026-5123
A weakness has been identified in osrg GoBGP up to 4.3.0. This impacts the funct
|
| 32 |
CVE-2026-39837
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vu
|
| 32 |
CVE-2026-29138
SEPPmail Secure Email Gateway before version 15.0.3 allows attackers with a spec
|
| 32 |
CVE-2026-34508
OpenClaw before 2026.3.12 applies rate limiting only after webhook authenticatio
|
| 32 |
CVE-2026-33994
## Summary
A prototype pollution vulnerability exists in the `parse_str` functi
|
| 32 |
CVE-2026-33429
### Impact
An attacker can subscribe to LiveQuery with a `watch` parameter targ
|
| 32 |
CVE-2026-5246
A vulnerability was determined in Cesanta Mongoose up to 7.20. Affected is the f
|
| 32 |
CVE-2026-5360
A vulnerability has been found in Free5GC 4.2.0. The affected element is an unkn
|
| 32 |
CVE-2026-5022
The '/api/v1/files/images/{flow_id}/{file_name}' endpoint does not enforce any a
|
| 32 |
CVE-2026-4621
Hidden Functionality vulnerability in NEC Platforms, Ltd. Aterm Series allows a
|
| 32 |
CVE-2026-39839
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vu
|
| 32 |
CVE-2026-34451
Claude SDK for TypeScript provides access to the Claude API from server-side Typ
|
| 32 |
CVE-2026-33347
### Impact
The `DomainFilteringAdapter` in the Embed extension is vulnerable to
|
| 32 |
CVE-2026-27481
Discourse is an open-source discussion platform. From versions 2026.1.0-latest t
|
| 32 |
CVE-2025-15612
Wazuh provisioning scripts and Dockerfiles contain an insecure transport vulnera
|
| 32 |
CVE-2026-5460
A heap use-after-free exists in wolfSSL's TLS 1.3 post-quantum cryptography (PQC
|
| 32 |
CVE-2026-33458
Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to informa
|
| 32 |
CVE-2026-33074
Discourse is an open-source discussion platform. From versions 2026.1.0-latest t
|
| 32 |
CVE-2026-29132
SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker with acce
|
| 32 |
CVE-2026-21629
The ajax component was excluded from the default logged-in-user check in the adm
|
| 32 |
CVE-2026-4309
Missing Authorization vulnerability in NEC Platforms, Ltd. Aterm Series allows a
|
| 32 |
CVE-2026-32619
Discourse is an open-source discussion platform. From versions 2026.1.0-latest t
|
| 32 |
CVE-2026-33749
n8n is an open source workflow automation platform. Prior to versions 1.123.27,
|
| 32 |
CVE-2026-5273
Use after free in CSS in Google Chrome prior to 146.0.7680.178 allowed a remote
|
| 32 |
CVE-2026-22170
OpenClaw versions prior to 2026.2.22 with the optional BlueBubbles plugin contai
|
| 32 |
CVE-2026-34371
LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat
|
| 32 |
CVE-2026-28449
OpenClaw versions prior to 2026.2.25 lack durable replay state for Nextcloud Tal
|
| 32 |
CVE-2026-39321
Parse Server is an open source backend that can be deployed to any infrastructur
|
| 32 |
CVE-2025-14810
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 does not invalidate
|
| 32 |
CVE-2026-27091
Missing Authorization vulnerability in UiPress UiPress lite allows Exploiting In
|
| 32 |
CVE-2026-34245
WWBN AVideo is an open source video platform. In versions up to and including 26
|
| 32 |
CVE-2025-66483
IBM Aspera Shares 1.9.9 through 1.11.0 does not invalidate session after a passw
|
| 32 |
CVE-2026-5122
A security flaw has been discovered in osrg GoBGP up to 4.3.0. This affects the
|
| 32 |
CVE-2026-5124
A security vulnerability has been detected in osrg GoBGP up to 4.3.0. Affected i
|
| 32 |
CVE-2026-2394
Buffer Over-read vulnerability in RTI Connext Professional (Core Libraries) allo
|
| 32 |
CVE-2026-4548
A vulnerability was detected in mickasmt next-saas-stripe-starter 1.0.0. Affecte
|
| 32 |
CVE-2026-34386
Fleet is open source device management software. Prior to 4.81.0, a SQL injectio
|
| 32 |
CVE-2026-29142
SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to forge
|
| 32 |
CVE-2026-4472
A security vulnerability has been detected in itsourcecode Online Frozen Foods O
|
| 32 |
CVE-2026-4241
A vulnerability was identified in itsourcecode College Management System 1.0. Th
|
| 32 |
CVE-2026-4614
A vulnerability was determined in itsourcecode sanitize or validate this input 1
|
| 32 |
CVE-2026-32028
OpenClaw versions prior to 2026.2.25 fail to enforce dmPolicy and allowFrom auth
|
| 32 |
CVE-2026-32021
OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerabili
|
| 32 |
CVE-2026-5622
A vulnerability was determined in hcengineering Huly Platform 0.7.382. Affected
|
| 32 |
CVE-2026-4476
A vulnerability was found in Yi Technology YI Home Camera 2 2.1.1_20171024151200
|
| 32 |
CVE-2026-4980
A local file disclosure vulnerability in the XInclude processing component of In
|
| 32 |
CVE-2025-43210
An out-of-bounds access issue was addressed with improved bounds checking. This
|
| 32 |
CVE-2026-32010
OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability i
|
| 32 |
CVE-2026-25460
Missing Authorization vulnerability in LiquidThemes Ave Core ave-core allows Exp
|
| 32 |
CVE-2026-28753
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_modul
|
| 32 |
CVE-2026-32029
OpenClaw versions prior to 2026.2.21 improperly parse the left-most X-Forwarded-
|
| 32 |
CVE-2026-32695
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 3.6.11 and
|
| 32 |
CVE-2026-35515
### Impact
_What kind of vulnerability is it? Who is impacted?_
[`SseStream._tr
|
| 32 |
CVE-2026-33265
In LibreChat 0.8.1-rc2, a logged-in user obtains a JWT for both the LibreChat AP
|
| 32 |
CVE-2026-34218
ClearanceKit intercepts file-system access events on macOS and enforces per-proc
|
| 32 |
CVE-2025-25277
in OpenHarmony v5.1.0 and prior versions allow a local attacker arbitrary code e
|
| 32 |
CVE-2026-34397
Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune.
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 731d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2298d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2111d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1725d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2228d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4976d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1197d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 998d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3753d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 900d |