Total CVEs
6193
last 30 days
Avg Priority
34.9
of max 220
KEV
8
actively exploited
POC
741
public exploits
Unpatched
1225
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-5281
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co
118
CVE-2026-34621
Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Control
117
CVE-2026-33634
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publi
117
CVE-2026-3055
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP l
114
CVE-2026-34197
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i
109
CVE-2026-3502
TrueConf Client downloads application update code and applies it without performing verification. An
109
CVE-2026-32201
Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform
Priority Distribution
| Priority | CVE |
|---|---|
| 29 |
CVE-2026-25704
A Privilege Dropping / Lowering Errors/Time-of-check Time-of-use (TOCTOU) Race C
|
| 29 |
CVE-2026-33144
GPAC is an open-source multimedia framework. Prior to commit 86b0e36, a heap-bas
|
| 29 |
CVE-2026-33729
### Description
In OpenFGA, under specific conditions, models using conditions w
|
| 29 |
CVE-2026-32977
OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in th
|
| 29 |
CVE-2026-32988
OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in fs
|
| 29 |
CVE-2026-27646
OpenClaw versions prior to 2026.3.7 contain a sandbox escape vulnerability in th
|
| 29 |
CVE-2026-33574
OpenClaw before 2026.3.8 contains a path traversal vulnerability in the skills d
|
| 29 |
CVE-2026-20709
Use of Default Cryptographic Key in the hardware for some Intel(R) Pentium(R) Pr
|
| 29 |
CVE-2026-34981
The whisperX API is a tool for enhancing and analyzing audio content. From 0.3.1
|
| 29 |
CVE-2026-32047
OpenClaw before 2026.2.22 contains an allowlist bypass vulnerability in system.r
|
| 29 |
CVE-2026-28483
OpenClaw before 2026.3.2 contains a race condition vulnerability in ZIP extracti
|
| 29 |
CVE-2026-28455
OpenClaw before 2026.2.22 contains an allowlist bypass vulnerability in system.r
|
| 29 |
CVE-2026-32912
OpenClaw versions 2026.2.26 before 2026.3.1 contain a current working directory
|
| 29 |
CVE-2026-34387
Fleet is open source device management software. Prior to 4.81.1, a command inje
|
| 29 |
CVE-2026-22902
A command injection vulnerability has been reported to affect QuNetSwitch. If a
|
| 29 |
CVE-2026-30867
CocoaMQTT is a MQTT 5.0 client library for iOS and macOS written in Swift. Prior
|
| 29 |
CVE-2026-1502
CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.
|
| 29 |
CVE-2026-33542
Incus is a system container and virtual machine manager. Prior to version 6.23.0
|
| 29 |
CVE-2026-33739
FOG is a free open-source cloning/imaging/rescue suite/inventory management syst
|
| 29 |
CVE-2026-33473
### Summary
Any user that has enabled 2FA can have their TOTP reused during the
|
| 29 |
CVE-2026-27656
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.
|
| 29 |
CVE-2026-39901
### Summary
A transaction integrity flaw allows an authenticated tenant user to
|
| 29 |
CVE-2025-24819
Nokia MantaRay NM is vulnerable to a Relative Path Traversal vulnerability due t
|
| 29 |
CVE-2026-1516
GitLab has remediated an issue in GitLab EE affecting all versions from 18.0.0 b
|
| 29 |
CVE-2025-14974
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable due to
|
| 29 |
CVE-2026-26931
Memory Allocation with Excessive Size Value (CWE-789) in the Prometheus remote_w
|
| 29 |
CVE-2026-32816
Admidio is an open-source user management solution. In versions 5.0.0 through 5.
|
| 29 |
CVE-2026-21712
A flaw in Node.js URL processing causes an assertion failure in native code when
|
| 29 |
CVE-2026-32009
OpenClaw versions prior to 2026.2.24 contain a policy bypass vulnerability in th
|
| 29 |
CVE-2026-22617
Eaton Intelligent Power Protector (IPP) uses an insecure cookie configuration, w
|
| 29 |
CVE-2026-34855
Out-of-bounds write vulnerability in the kernel module.
Impact: Successful explo
|
| 29 |
CVE-2026-34854
UAF vulnerability in the kernel module.
Impact: Successful exploitation of this
|
| 29 |
CVE-2026-26933
Improper Validation of Array Index (CWE-129) in multiple protocol parser compone
|
| 28 |
CVE-2026-21742
A cleartext transmission of sensitive information vulnerability in Fortinet Fort
|
| 28 |
CVE-2025-15621
Insufficiently Protected Credentials in Sparx Systems Pty Ltd. Sparx Enterprise
|
| 28 |
CVE-2025-55267
HCL Aftermarket DPC is affected by Unrestricted File Upload vulnerability, allow
|
| 28 |
CVE-2026-4913
Improper protection of an alternate path in Ivanti N-ITSM before version 2025.4
|
| 28 |
CVE-2026-23670
Untrusted pointer dereference in Windows Virtualization-Based Security (VBS) Enc
|
| 28 |
CVE-2024-13785
The The Contact Form, Survey, Quiz & Popup Form Builder - ARForms plugin for Wor
|
| 28 |
CVE-2026-20945
Improper neutralization of input during web page generation ('cross-site scripti
|
| 28 |
CVE-2026-33412
Vim is an open source, command line text editor. Prior to version 9.2.0202, a co
|
| 28 |
CVE-2026-40190
LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform.
|
| 28 |
CVE-2026-2414
Authorization bypass through User-Controlled key vulnerability in HYPR Server al
|
| 28 |
CVE-2026-5271
pymanager included the current working directory in sys.path meaning modules cou
|
| 28 |
CVE-2025-62845
An improper neutralization of escape, meta, or control sequences vulnerability h
|
| 28 |
CVE-2026-5673
A flaw was found in libtheora. This heap-based out-of-bounds read vulnerability
|
| 28 |
CVE-2026-34943
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0
|
| 28 |
CVE-2025-7024
Incorrect Default Permissions vulnerability in AIRBUS PSS TETRA Connectivity Ser
|
| 28 |
CVE-2026-34867
Double free vulnerability in the multi-mode input system.
Impact: Successful exp
|
| 28 |
CVE-2026-40602
### Impact
Up to 1.0.0 of `home-assitant-cli` (or `hass-cli` for short) an unre
|
| 28 |
CVE-2026-0967
A flaw was found in libssh. A remote attacker, by controlling client configurati
|
| 28 |
CVE-2026-5311
A security flaw has been discovered in D-Link DNS-120, DNR-202L, DNS-315L, DNS-3
|
| 28 |
CVE-2026-0636
Improper neutralization of special elements used in an LDAP query ('LDAP injecti
|
| 28 |
CVE-2026-5986
A weakness has been identified in Zod jsVideoUrlParser up to 0.5.1. The impacted
|
| 28 |
CVE-2026-5527
A weakness has been identified in Tenda 4G03 Pro 1.0/1.0re/01.bin/04.03.01.53. A
|
| 28 |
CVE-2026-29043
HDF5 is software for managing data. In 1.14.1-2 and earlier, an attacker who can
|
| 28 |
CVE-2026-28503
Tandoor Recipes is an application for managing recipes, planning meals, and buil
|
| 28 |
CVE-2026-23636
Kiteworks is a private data network (PDN). In Kiteworks Secure Data Forms prior
|
| 28 |
CVE-2026-5601
A vulnerability was found in Acrel Electrical Prepaid Cloud Platform 1.0. This i
|
| 28 |
CVE-2026-3347
The Multi Functional Flexi Lightbox plugin for WordPress is vulnerable to Stored
|
| 28 |
CVE-2026-28852
A stack overflow was addressed with improved input validation. This issue is fix
|
| 28 |
CVE-2026-27131
The Sprig Plugin for Craft CMS is a reactive Twig component framework for Craft
|
| 28 |
CVE-2026-33237
## Summary
The Scheduler plugin's `run()` function in `plugin/Scheduler/Schedul
|
| 28 |
CVE-2026-2645
In wolfSSL 5.8.2 and earlier, a logic flaw existed in the TLS 1.2 server state m
|
| 28 |
CVE-2026-20694
This issue was addressed with improved handling of symlinks. This issue is fixed
|
| 28 |
CVE-2026-20668
A logging issue was addressed with improved data redaction. This issue is fixed
|
| 28 |
CVE-2026-28868
A logging issue was addressed with improved data redaction. This issue is fixed
|
| 28 |
CVE-2025-66484
IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to stored cross-site script
|
| 28 |
CVE-2026-27258
DNG SDK versions 1.7.1 2502 and earlier are affected by an out-of-bounds write v
|
| 28 |
CVE-2026-27301
Adobe Framemaker versions 2022.8 and earlier are affected by a Heap-based Buffer
|
| 28 |
CVE-2026-27300
Adobe Framemaker versions 2022.8 and earlier are affected by an Access of Uninit
|
| 28 |
CVE-2026-32024
OpenClaw versions prior to 2026.2.22 contain a symlink traversal vulnerability i
|
| 28 |
CVE-2026-27286
InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based
|
| 28 |
CVE-2026-4948
A flaw was found in firewalld. A local unprivileged user can exploit this vulner
|
| 28 |
CVE-2026-28881
A privacy issue was addressed by moving sensitive data. This issue is fixed in m
|
| 28 |
CVE-2026-39856
osslsigncode is a tool that implements Authenticode signing and timestamping. Pr
|
| 28 |
CVE-2026-28845
An authorization issue was addressed with improved state management. This issue
|
| 28 |
CVE-2026-28890
An out-of-bounds read was addressed with improved bounds checking. This issue is
|
| 28 |
CVE-2026-27222
Bridge versions 16.0.2, 15.1.4 and earlier are affected by a Divide By Zero vuln
|
| 28 |
CVE-2026-20670
An authorization issue was addressed with improved state management. This issue
|
| 28 |
CVE-2026-27285
InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based
|
| 28 |
CVE-2026-28870
An information leakage was addressed with additional validation. This issue is f
|
| 28 |
CVE-2026-39855
osslsigncode is a tool that implements Authenticode signing and timestamping. Pr
|
| 28 |
CVE-2026-28877
An authorization issue was addressed with improved state management. This issue
|
| 28 |
CVE-2026-28831
An authorization issue was addressed with improved state management. This issue
|
| 28 |
CVE-2026-28825
An out-of-bounds write issue was addressed with improved bounds checking. This i
|
| 28 |
CVE-2026-39464
Server-Side Request Forgery (SSRF) vulnerability in SeedProd Coming Soon Page, U
|
| 28 |
CVE-2026-27315
Sensitive Information Leak in cqlsh in Apache Cassandra 4.0 allows access to sen
|
| 28 |
CVE-2026-20633
This issue was addressed with improved handling of symlinks. This issue is fixed
|
| 28 |
CVE-2026-40159
PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI’s MCP (Mode
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 735d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2302d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2115d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1729d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2232d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4980d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1201d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1002d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3757d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 904d |