Security Dashboard

7d 14d 30d 90d
Total CVEs
5819
last 30 days
Avg Priority
34.0
of max 220
KEV
6
actively exploited
POC
811
public exploits
Unpatched
1594
CRIT/HIGH without patch
How is Priority Score calculated?

Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:

KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low 40-80 Medium 80-120 High 120+ Critical

Patch Now — Known Exploited Vulnerabilities

124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
CRITICAL
119
CVE-2026-5281
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co
HIGH
117
CVE-2026-33634
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publi
CRITICAL
117
CVE-2026-33017
## Summary The `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint allows building public flows
CRITICAL
117
CVE-2026-3055
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP l
CRITICAL
109
CVE-2026-3502
TrueConf Client downloads application update code and applies it without performing verification. An
HIGH

Priority Distribution

CRITICAL HIGH MEDIUM LOW KEV Only POC Only Unpatched CRIT/HIGH
Priority CVE
31 CVE-2026-4647
A flaw was found in the GNU Binutils BFD library, a widely used component for ha
31 CVE-2026-31990
OpenClaw versions prior to 2026.3.2 contain a vulnerability in the stageSandboxM
31 CVE-2026-26058
Zulip is an open-source team collaboration tool. From version 1.4.0 to before ve
31 CVE-2026-30882
Chamilo LMS is a learning management system. Chamilo LMS version 1.11.34 and pri
31 CVE-2026-33499
## Summary The `view/forbiddenPage.php` and `view/warningPage.php` templates re
31 CVE-2026-27523
OpenClaw versions prior to 2026.2.24 contain a sandbox bind validation vulnerabi
31 CVE-2026-29969
A cross-site scripting (XSS) vulnerability in the wff_cols_pref.css.aspx endpoin
31 CVE-2026-3635
Summary When trustProxy is configured with a restrictive trust function (e.g., a
31 CVE-2026-34852
Stack overflow vulnerability in the media platform. Impact: Successful exploitat
31 CVE-2026-25854
Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in
30 CVE-2026-35199
SymCrypt is the core cryptographic function library currently used by Windows. F
30 CVE-2026-35410
### Summary An open redirect vulnerability exists in the login redirection logi
30 CVE-2026-4887
A flaw was found in GIMP. This issue is a heap buffer over-read in GIMP’s PCX fi
30 CVE-2026-32903
OpenClaw before 2026.3.2 contains a symlink traversal vulnerability in stageSand
30 CVE-2026-33343
### Impact _What kind of vulnerability is it? Who is impacted?_ An authenticate
30 CVE-2026-3644
The fix for CVE-2026-0672, which rejected control characters in http.cookies.Mor
30 CVE-2026-35670
OpenClaw before 2026.3.22 contains a webhook reply delivery vulnerability that a
30 CVE-2026-33952
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to versio
30 CVE-2026-32700
### Impact A race condition in Devise's Confirmable module allows an attacker t
30 CVE-2026-32017
OpenClaw versions prior to 2026.2.19 contain an allowlist bypass vulnerability i
30 CVE-2026-34765
### Impact When a renderer calls `window.open()` with a target name, Electron di
30 CVE-2026-3446
When calling base64.b64decode() or related functions the decoding process would
30 CVE-2026-32022
OpenClaw versions prior to 2026.2.21 contain a stdin-only policy bypass vulnerab
30 CVE-2026-35622
OpenClaw before 2026.3.22 contains an improper authentication verification vulne
30 CVE-2026-5446
In wolfSSL, ARIA-GCM cipher suites used in TLS 1.2 and DTLS 1.2 reuse an identic
30 CVE-2026-4619
Path Traversal vulnerability in NEC Platforms, Ltd. Aterm Series allows a attack
30 CVE-2026-28460
OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability i
30 CVE-2026-1079
A native messaging host vulnerability in Pega Browser Extension (PBE) affects us
30 CVE-2026-34210
### Impact The `stripe/charge` payment method did not check Stripe's `Idempoten
30 CVE-2026-32033
OpenClaw versions prior to 2026.2.24 contain a path traversal vulnerability wher
30 CVE-2026-5170
A user with access to the cluster with a limited set of privilege actions can tr
30 CVE-2026-26060
### Summary A vulnerability in Fleet’s password management logic could allow pr
30 CVE-2026-32037
OpenClaw versions prior to 2026.2.22 fail to consistently validate redirect chai
30 CVE-2026-35658
OpenClaw before 2026.3.2 contains a filesystem boundary bypass vulnerability in
30 CVE-2026-32023
OpenClaw versions prior to 2026.2.24 contain an approval gating bypass vulnerabi
30 CVE-2026-34511
OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter i
30 CVE-2026-4224
When an Expat parser with a registered ElementDeclHandler parses an inline docum
30 CVE-2026-39670
Server-Side Request Forgery (SSRF) vulnerability in Brecht Visual Link Preview v
30 CVE-2025-15554
Browser caching of LAPS passwords in Truesec’s LAPSWebUI before version 2.4 allo
30 CVE-2025-15552
Insufficient Session Expiration in Truesec’s LAPSWebUI before version 2.4 allows
30 CVE-2025-15553
Non-working logout functionality in Truesec’s LAPSWebUI before version 2.4 allow
30 CVE-2026-5525
A stack-based buffer overflow vulnerability exists in Notepad++ version 8.9.3 in
30 CVE-2026-5774
Improper synchronization of the userTokens map in the API server in Canonical Ju
30 CVE-2026-31997
OpenClaw versions prior to 2026.3.1 fail to pin executable identity for non-path
30 CVE-2026-3260
A flaw was found in Undertow. A remote attacker could exploit this vulnerability
30 CVE-2024-31119
Improper neutralization of input during web page generation ('cross-site scripti
30 CVE-2026-32770
### Impact A remote attacker can crash the Parse Server by subscribing to a Liv
30 CVE-2026-34760
vLLM is an inference and serving engine for large language models (LLMs). From v
30 CVE-2026-35407
Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.
30 CVE-2026-21631
Lack of output escaping leads to a XSS vector in the multilingual associations c
30 CVE-2026-21632
Lack of output escaping for article titles leads to XSS vectors in various locat
30 CVE-2026-34052
## Summary The LTI 1.1 validator stores OAuth nonces in a class-level dictionar
30 CVE-2026-4923
Impact: When using multiple wildcards, combined with at least one parameter, a
30 CVE-2026-26073
EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a dat
30 CVE-2026-33985
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to versio
30 CVE-2026-34043
### Impact **What kind of vulnerability is it?** It is a **Denial of Service (
30 CVE-2026-34380
OpenEXR provides the specification and reference implementation of the EXR file
30 CVE-2026-22737
Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spri
30 CVE-2026-34830
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, a
30 CVE-2026-29106
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (C
30 CVE-2026-28044
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
30 CVE-2025-67805
A non-default configuration in Sage DPW 2025_06_004 allows unauthenticated acces
30 CVE-2026-35597
## Summary The TOTP failed-attempt lockout mechanism is non-functional due to a
30 CVE-2026-28298
SolarWinds Observability Self-Hosted was found to be affected by a stored cross-
30 CVE-2026-39615
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
30 CVE-2026-39541
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
30 CVE-2026-33129
### Summary A Timing Side-Channel vulnerability exists in the `requireBasicAuth`
30 CVE-2026-34767
### Impact Apps that register custom protocol handlers via `protocol.handle()` /
30 CVE-2026-32035
OpenClaw versions prior to 2026.3.2 fail to pass the senderIsOwner flag when pro
30 CVE-2026-5376
An issue that could prevent session inactivity timeouts from triggering due to a
30 CVE-2026-33319
## Summary The `uploadVideoToLinkedIn()` method in the SocialMediaPublisher plu
30 CVE-2026-28886
A null pointer dereference was addressed with improved input validation. This is
30 CVE-2026-33909
OpenEMR is a free and open source electronic health records and medical practice
30 CVE-2026-32039
OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerabili
30 CVE-2026-5119
A flaw was found in libsoup. When establishing HTTPS tunnels through a configure
30 CVE-2026-27853
An attacker might be able to trigger an out-of-bounds write by sending crafted D
30 CVE-2026-32883
Botan is a C++ cryptography library. From version 3.0.0 to before version 3.11.0
30 CVE-2025-64647
IBM Concert 1.0.0 through 2.2.0 uses weaker than expected cryptographic algorith
30 CVE-2025-13916
IBM Aspera Shares 1.9.9 through 1.11.0 uses weaker than expected cryptographic a
30 CVE-2026-39408
## Summary A path traversal issue in `toSSG()` allows files to be written outsi
30 CVE-2026-21717
A flaw in V8's string hashing mechanism causes integer-like strings to be hashed
30 CVE-2026-34227
Sliver is a command and control framework that uses a custom Wireguard netstack.
30 CVE-2026-32884
Botan is a C++ cryptography library. Prior to version 3.11.0, during processing
30 CVE-2026-22174
OpenClaw versions prior to 2026.2.22 inject the x-OpenClaw-relay-token header in
30 CVE-2026-5295
A stack buffer overflow exists in wolfSSL's PKCS7 implementation in the wc_PKCS7
30 CVE-2026-34610
The leancrypto library is a cryptographic library that exclusively contains only
30 CVE-2026-32632
## Summary Glances recently added DNS rebinding protection for the MCP endpoint
30 CVE-2026-33349
## Summary The `DocTypeReader` in fast-xml-parser uses JavaScript truthy checks
30 CVE-2026-3579
wolfSSL 5.8.4 on RISC-V RV32I architectures lacks a constant-time software imple
30 CVE-2026-21001
Path traversal in Galaxy Store prior to version 4.6.03.8 allows local attacker t

Oldest Unpatched Critical/High CVEs

CVE Severity CVSS Priority Days Open
CVE-2024-3400 CRITICAL 10.0 224 731d
CVE-2019-19781 CRITICAL 9.8 223 2299d
CVE-2020-5902 CRITICAL 9.8 223 2112d
CVE-2021-35464 CRITICAL 9.8 223 1725d
CVE-2020-10189 CRITICAL 9.8 223 2228d
CVE-2012-4681 CRITICAL 9.8 223 4976d
CVE-2022-42475 CRITICAL 9.8 223 1197d
CVE-2023-3519 CRITICAL 9.8 223 998d
CVE-2015-7450 CRITICAL 9.8 222 3753d
CVE-2023-34048 CRITICAL 9.8 222 900d
Prev 16 / 29 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy