Total CVEs
5799
last 30 days
Avg Priority
34.0
of max 220
KEV
6
actively exploited
POC
807
public exploits
Unpatched
1589
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-5281
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co
117
CVE-2026-33634
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publi
117
CVE-2026-33017
## Summary
The `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint allows building public flows
117
CVE-2026-3055
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP l
109
CVE-2026-3502
TrueConf Client downloads application update code and applies it without performing verification. An
Priority Distribution
| Priority | CVE |
|---|---|
| 31 |
CVE-2026-1780
The [CR]Paid Link Manager plugin for WordPress is vulnerable to Reflected Cross-
|
| 31 |
CVE-2026-33403
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level
|
| 31 |
CVE-2026-4069
The Alfie - Feed Plugin plugin for WordPress is vulnerable to Stored Cross-Site
|
| 31 |
CVE-2026-27740
Discourse is an open-source discussion platform. Versions prior to 2026.3.0-late
|
| 31 |
CVE-2026-27570
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-late
|
| 31 |
CVE-2026-33140
### Summary
PySpector versions `<= 0.1.6` are affected by a stored Cross-Site Sc
|
| 31 |
CVE-2026-33209
## Description
A reflected cross-site scripting (XSS) vulnerability exists in t
|
| 31 |
CVE-2026-28499
### Summary
LeafKit HTML-escaping is not working correctly when a template print
|
| 31 |
CVE-2026-23924
Zabbix Agent 2 Docker plugin does not properly sanitize the 'docker.container_in
|
| 31 |
CVE-2026-33296
### Summary
WWBN/AVideo contains an open redirect vulnerability in the login fl
|
| 31 |
CVE-2026-34980
OpenPrinting CUPS is an open source printing system for Linux and other Unix-lik
|
| 31 |
CVE-2026-33885
### Impact
The external URL detection used for redirect validation on unauthenti
|
| 31 |
CVE-2026-30661
iCMS v8.0.0 contains a Cross-Site Scripting (XSS) vulnerability in the User Mana
|
| 31 |
CVE-2026-22181
OpenClaw versions prior to 2026.3.2 contain a DNS pinning bypass vulnerability i
|
| 31 |
CVE-2026-32844
XinLiangCoder php_api_doc through commit 1ce5bbf contains a reflected cross-site
|
| 31 |
CVE-2026-35539
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exist
|
| 31 |
CVE-2026-33230
### Summary
`nltk.app.wordnet_app` contains a reflected cross-site scripting iss
|
| 31 |
CVE-2026-4305
The Royal WordPress Backup & Restore Plugin plugin for WordPress is vulnerable t
|
| 31 |
CVE-2026-20104
A vulnerability in the bootloader of Cisco IOS XE Software for Cisco Catalyst 92
|
| 31 |
CVE-2026-33933
OpenEMR is a free and open source electronic health records and medical practice
|
| 31 |
CVE-2026-1877
The Auto Post Scheduler plugin for WordPress is vulnerable to Cross-Site Request
|
| 31 |
CVE-2026-28297
SolarWinds Observability Self-Hosted was found to be affected by a stored cross-
|
| 31 |
CVE-2026-34729
### Summary
The sanitization pipeline for FAQ content is:
1. `Filter::filterVar(
|
| 31 |
CVE-2026-39336
ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored c
|
| 31 |
CVE-2026-39335
ChurchCRM is an open-source church management system. Prior to 7.1.1, there is S
|
| 31 |
CVE-2026-3217
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripti
|
| 31 |
CVE-2026-30162
Cross Site Scripting (xss) vulnerability in Timo 2.0.3 via crafted links in the
|
| 31 |
CVE-2026-34405
Nuxt OG Image generates OG Images with Vue templates in Nuxt. Prior to version 6
|
| 31 |
CVE-2024-51226
A stored cross-site scripting (XSS) vulnerability in the component /admin/search
|
| 31 |
CVE-2026-34739
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the Us
|
| 31 |
CVE-2026-33883
### Impact
The `user:reset_password_form` tag could render user-input directly
|
| 31 |
CVE-2026-34231
## Summary
A Cross-site Scripting (XSS) vulnerability exists in the `{% attrs %
|
| 31 |
CVE-2026-2349
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripti
|
| 31 |
CVE-2026-3528
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripti
|
| 31 |
CVE-2026-3529
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripti
|
| 31 |
CVE-2026-34229
Emlog is an open source website building system. Prior to version 2.6.8, there i
|
| 31 |
CVE-2026-34396
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AV
|
| 31 |
CVE-2026-34206
Captcha Protect is a Traefik middleware to add an anti-bot challenge to individu
|
| 31 |
CVE-2026-30082
Multiple stored cross-site scripting (XSS) vulnerabilities in the Edit feature o
|
| 31 |
CVE-2026-4754
CWE-79 vulnerability in MolotovCherry Android-ImageMagick7.This issue affects An
|
| 31 |
CVE-2026-35466
XSS vulnerability in cveInterface.js allows for inject HTML to be passed to disp
|
| 31 |
CVE-2025-57543
Cross Site scripting vulnerability (XSS) in NetBox 4.3.5 "comment" field on obje
|
| 31 |
CVE-2026-29934
A reflected cross-site scripting (XSS) vulnerability in the /admin/menus compone
|
| 31 |
CVE-2025-61166
An open redirect in Ascertia SigningHub User v10.0 allows attackers to redirect
|
| 31 |
CVE-2026-34237
### Summary
**Hardcoded Wildcard CORS (Access-Control-Allow-Origin: * )**
- ht
|
| 31 |
CVE-2026-3512
The Writeprint Stylometry plugin for WordPress is vulnerable to Reflected Cross-
|
| 31 |
CVE-2026-27545
OpenClaw versions prior to 2026.2.26 contain an approval bypass vulnerability in
|
| 31 |
CVE-2025-70844
yaffa v2.0.0 is vulnerable to Cross Site Scripting (XSS). An attacker can inject
|
| 31 |
CVE-2026-20115
A vulnerability in Cisco IOS XE Software for Cisco Meraki could allow a remote,
|
| 31 |
CVE-2026-33368
Zimbra Collaboration Suite (ZCS) 10.0 and 10.1 contains a reflected cross-site s
|
| 31 |
CVE-2026-20085
A vulnerability in the web-based management interface of Cisco IMC could allow a
|
| 31 |
CVE-2026-20041
A vulnerability in Cisco Nexus Dashboard and Cisco Nexus Dashboard Insights coul
|
| 31 |
CVE-2026-33170
### Impact
`SafeBuffer#%` does not propagate the `@html_unsafe` flag to the newl
|
| 31 |
CVE-2026-30252
Multiple reflected cross-site scripting (XSS) vulnerabilities in the login.php e
|
| 31 |
CVE-2026-30251
A reflected cross-site scripting (XSS) vulnerability in the login_newpwd.php end
|
| 31 |
CVE-2026-29933
A reflected cross-site scripting (XSS) vulnerability in the /index/login.html co
|
| 31 |
CVE-2026-33370
An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A stored cr
|
| 31 |
CVE-2025-63238
A Reflected Cross-Site Scripting (XSS) affects LimeSurvey versions prior to 6.15
|
| 31 |
CVE-2026-29828
DooTask v1.6.27 has a Cross-Site Scripting (XSS) vulnerability in the /manage/pr
|
| 31 |
CVE-2025-61190
A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in DSpa
|
| 31 |
CVE-2025-52204
A Cross-Site Scripting (XSS) vulnerability exists in Znuny::ITSM 6.5.x in the cu
|
| 31 |
CVE-2026-2723
The Post Snippits plugin for WordPress is vulnerable to Cross-Site Request Forge
|
| 31 |
CVE-2026-34083
Signal K Server is a server application that runs on a central hub in a boat. Pr
|
| 31 |
CVE-2026-4179
Issues in stm32 USB device driver (drivers/usb/device/usb_dc_stm32.c) can lead t
|
| 31 |
CVE-2026-31382
The error_description parameter is vulnerable to Reflected XSS. An attacker can
|
| 31 |
CVE-2025-66503
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Aff
|
| 31 |
CVE-2025-64776
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Aff
|
| 31 |
CVE-2025-66000
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Aff
|
| 31 |
CVE-2025-64733
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Aff
|
| 31 |
CVE-2025-61979
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Aff
|
| 31 |
CVE-2025-62500
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Aff
|
| 31 |
CVE-2026-20726
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Aff
|
| 31 |
CVE-2025-64735
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Aff
|
| 31 |
CVE-2025-58427
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Aff
|
| 31 |
CVE-2025-66042
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Aff
|
| 31 |
CVE-2025-66633
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Aff
|
| 31 |
CVE-2025-65119
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Aff
|
| 31 |
CVE-2025-62403
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Aff
|
| 31 |
CVE-2026-22882
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Aff
|
| 31 |
CVE-2026-4647
A flaw was found in the GNU Binutils BFD library, a widely used component for ha
|
| 31 |
CVE-2026-3441
A flaw was found in GNU Binutils. This heap-based buffer overflow vulnerability,
|
| 31 |
CVE-2026-31990
OpenClaw versions prior to 2026.3.2 contain a vulnerability in the stageSandboxM
|
| 31 |
CVE-2026-3442
A flaw was found in GNU Binutils. This vulnerability, a heap-based buffer overfl
|
| 31 |
CVE-2026-35491
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics fo
|
| 31 |
CVE-2025-66617
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Aff
|
| 31 |
CVE-2025-47873
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Aff
|
| 31 |
CVE-2025-61952
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Aff
|
| 31 |
CVE-2026-26058
Zulip is an open-source team collaboration tool. From version 1.4.0 to before ve
|
| 31 |
CVE-2026-30882
Chamilo LMS is a learning management system. Chamilo LMS version 1.11.34 and pri
|
| 31 |
CVE-2026-27523
OpenClaw versions prior to 2026.2.24 contain a sandbox bind validation vulnerabi
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 731d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2299d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2111d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1725d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2228d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4976d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1197d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 998d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3753d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 900d |