Total CVEs
6186
last 30 days
Avg Priority
35.0
of max 220
KEV
8
actively exploited
POC
741
public exploits
Unpatched
1225
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-5281
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co
118
CVE-2026-34621
Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Control
117
CVE-2026-33634
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publi
117
CVE-2026-3055
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP l
114
CVE-2026-34197
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i
109
CVE-2026-3502
TrueConf Client downloads application update code and applies it without performing verification. An
109
CVE-2026-32201
Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform
Priority Distribution
| Priority | CVE |
|---|---|
| 28 |
CVE-2026-40159
PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI’s MCP (Mode
|
| 28 |
CVE-2026-40311
ImageMagick is free and open-source software used for editing and manipulating d
|
| 28 |
CVE-2026-3777
The application does not properly validate the lifetime and validity of internal
|
| 28 |
CVE-2026-27828
EVerest is an EV charging software stack. Prior to versions to 2026.02.0, ISO151
|
| 28 |
CVE-2026-3776
The application does not validate the presence of required appearance (AP) data
|
| 28 |
CVE-2026-28892
A permissions issue was addressed by removing the vulnerable code. This issue is
|
| 28 |
CVE-2026-27815
EVerest is an EV charging software stack. Prior to versions to 2026.02.0, ISO151
|
| 28 |
CVE-2026-28829
A permissions issue was addressed with additional restrictions. This issue is fi
|
| 28 |
CVE-2026-27816
EVerest is an EV charging software stack. Prior to versions to 2026.02.0, ISO151
|
| 28 |
CVE-2026-5745
A flaw was found in libarchive. A NULL pointer dereference vulnerability exists
|
| 28 |
CVE-2026-4897
A flaw was found in polkit. A local user can exploit this by providing a special
|
| 28 |
CVE-2025-65116
Buffer Overflow Vulnerability in JP1/IT Desktop Management 2 - Manager on Window
|
| 28 |
CVE-2026-33855
Integer Overflow or Wraparound vulnerability in MolotovCherry Android-ImageMagic
|
| 28 |
CVE-2026-33853
NULL Pointer Dereference vulnerability in MolotovCherry Android-ImageMagick7.Thi
|
| 28 |
CVE-2026-34447
Open Neural Network Exchange (ONNX) is an open standard for machine learning int
|
| 28 |
CVE-2025-9497
Use of Hard-coded Credentials vulnerability in Microchip Time Provider 4100 allo
|
| 28 |
CVE-2026-40310
ImageMagick is free and open-source software used for editing and manipulating d
|
| 28 |
CVE-2026-40183
ImageMagick is free and open-source software used for editing and manipulating d
|
| 28 |
CVE-2026-33165
libde265 is an open source implementation of the h.265 video codec. Prior to ver
|
| 28 |
CVE-2026-34933
Avahi is a system which facilitates service discovery on a local network via the
|
| 28 |
CVE-2026-33905
ImageMagick is free and open-source software used for editing and manipulating d
|
| 28 |
CVE-2026-33902
ImageMagick is free and open-source software used for editing and manipulating d
|
| 28 |
CVE-2026-32810
Halloy is an IRC application written in Rust. In versions on \*nix and macOS pri
|
| 28 |
CVE-2026-34730
### Summary
Copier's `_external_data` feature allows a template to load YAML fi
|
| 28 |
CVE-2026-29111
systemd, a system and service manager, (as PID 1) hits an assert and freezes exe
|
| 28 |
CVE-2026-39392
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
|
| 28 |
CVE-2026-32288
tar.Reader can allocate an unbounded amount of memory when reading a maliciously
|
| 28 |
CVE-2025-48651
N/A
|
| 28 |
CVE-2026-27930
Out-of-bounds read in Windows GDI allows an unauthorized attacker to disclose in
|
| 28 |
CVE-2026-5600
A new API endpoint introduced in pretix 2025 that is supposed to
return all che
|
| 28 |
CVE-2026-32214
Improper access control in Universal Plug and Play (upnp.dll) allows an authoriz
|
| 28 |
CVE-2026-6245
A flaw was found in the System Security Services Daemon (SSSD). The pam_passkey_
|
| 28 |
CVE-2026-20806
Access of resource using incompatible type ('type confusion') in Windows COM all
|
| 28 |
CVE-2026-27931
Out-of-bounds read in Windows GDI allows an unauthorized attacker to disclose in
|
| 28 |
CVE-2026-40915
A flaw was found in GIMP. A remote attacker could exploit an integer overflow vu
|
| 28 |
CVE-2026-32084
Exposure of sensitive information to an unauthorized actor in Windows File Explo
|
| 28 |
CVE-2025-55264
HCL Aftermarket DPC is affected by Failure to Invalidate Session on Password Cha
|
| 28 |
CVE-2026-39984
### Authorization bypass via certificate bag manipulation in sigstore/timestamp-
|
| 28 |
CVE-2026-32212
Improper link resolution before file access ('link following') in Universal Plug
|
| 28 |
CVE-2026-39390
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
|
| 28 |
CVE-2026-33103
Improper access control in Microsoft Dynamics 365 (on-premises) allows an author
|
| 28 |
CVE-2026-32181
Improper privilege management in Microsoft Windows allows an authorized attacker
|
| 28 |
CVE-2026-35477
InvenTree is an Open Source Inventory Management System. From 1.2.3 to 1.2.6, th
|
| 28 |
CVE-2026-40918
A flaw was found in GIMP. Processing a specially crafted PVR image file with lar
|
| 28 |
CVE-2026-20161
A vulnerability in the CLI of Cisco ThousandEyes Enterprise Agent could allow an
|
| 28 |
CVE-2026-32216
Null pointer dereference in Windows Redirected Drive Buffering allows an authori
|
| 27 |
CVE-2026-5355
A vulnerability has been found in Trendnet TEW-657BRM 1.00.1. Affected by this i
|
| 27 |
CVE-2026-32629
### Summary
An unauthenticated attacker can submit a guest FAQ with an email add
|
| 27 |
CVE-2026-5831
A security flaw has been discovered in Agions taskflow-ai up to 2.1.8. This impa
|
| 27 |
CVE-2026-6141
A vulnerability was determined in danielmiessler Personal_AI_Infrastructure up t
|
| 27 |
CVE-2026-5547
A vulnerability has been found in Tenda AC10 16.03.10.10_multi_TDE01. Affected i
|
| 27 |
CVE-2026-3358
The Tutor LMS - eLearning and online course solution plugin for WordPress is vul
|
| 27 |
CVE-2026-33119
User interface (ui) misrepresentation of critical information in Microsoft Edge
|
| 27 |
CVE-2026-4124
The Ziggeo plugin for WordPress is vulnerable to Missing Authorization in all ve
|
| 27 |
CVE-2026-33400
Wallos is an open-source, self-hostable personal subscription tracker. Prior to
|
| 27 |
CVE-2026-32001
OpenClaw versions prior to 2026.2.22 contain an authentication bypass vulnerabil
|
| 27 |
CVE-2026-33299
OpenEMR is a free and open source electronic health records and medical practice
|
| 27 |
CVE-2026-33051
The revision/draft context menu in the element editor renders the creator’s `ful
|
| 27 |
CVE-2026-32753
FreeScout is a free help desk and shared inbox built with PHP's Laravel framewor
|
| 27 |
CVE-2026-32507
Deserialization of Untrusted Data vulnerability in Elated-Themes Leroux leroux a
|
| 27 |
CVE-2026-32511
Deserialization of Untrusted Data vulnerability in Mikado-Themes Stål stal allow
|
| 27 |
CVE-2026-22569
An incorrect startup configuration of affected versions of Zscaler Client Connec
|
| 27 |
CVE-2026-34442
FreeScout is a free help desk and shared inbox built with PHP's Laravel framewor
|
| 27 |
CVE-2026-1509
The Avada (Fusion) Builder plugin for WordPress is vulnerable to Arbitrary WordP
|
| 27 |
CVE-2026-21788
HCL Connections is vulnerable to a cross-site scripting attack where an attacker
|
| 27 |
CVE-2026-33291
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-late
|
| 27 |
CVE-2026-33312
Vikunja is an open-source self-hosted task management platform. Starting in vers
|
| 27 |
CVE-2026-2712
The WP-Optimize plugin for WordPress is vulnerable to unauthorized access of fun
|
| 27 |
CVE-2026-4438
Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that sp
|
| 27 |
CVE-2026-35565
Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Apache St
|
| 27 |
CVE-2026-34475
Varnish Cache before 8.0.1 and Varnish Enterprise before 6.0.16r12, in certain u
|
| 27 |
CVE-2026-33628
## Vulnerability Details
Invoice line item descriptions in Invoice Ninja v5.13.
|
| 27 |
CVE-2026-34903
Missing Authorization vulnerability in OceanWP Ocean Extra allows Exploiting Inc
|
| 27 |
CVE-2026-20108
A vulnerability in the web-based management interface of Cisco Catalyst SD-WAN M
|
| 27 |
CVE-2026-35602
## Summary
The Vikunja file import endpoint uses the attacker-controlled `Size`
|
| 27 |
CVE-2026-32562
Missing Authorization vulnerability in WP Folio Team PPWP password-protect-page
|
| 27 |
CVE-2026-4335
The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Stored Cros
|
| 27 |
CVE-2026-34071
Stirling-PDF is a locally hosted web application that allows you to perform vari
|
| 27 |
CVE-2026-29840
JiZhiCMS v2.5.6 and before contains a Stored Cross-Site Scripting (XSS) vulnerab
|
| 27 |
CVE-2026-33406
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level
|
| 27 |
CVE-2026-5895
Incorrect security UI in Omnibox in Google Chrome on iOS prior to 147.0.7727.55
|
| 27 |
CVE-2026-4829
Improper authentication in the external OAuth authentication flow in Devolutions
|
| 27 |
CVE-2026-4065
The Smart Slider 3 plugin for WordPress is vulnerable to unauthorized access and
|
| 27 |
CVE-2026-35540
An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient C
|
| 27 |
CVE-2026-26291
Stored cross-site scripting vulnerability exists in GROWI v7.4.6 and earlier. If
|
| 27 |
CVE-2026-29070
Open WebUI is a self-hosted artificial intelligence platform designed to operate
|
| 27 |
CVE-2026-35600
## Summary
Task titles are embedded directly into Markdown link syntax in overd
|
| 27 |
CVE-2026-33912
OpenEMR is a free and open source electronic health records and medical practice
|
| 27 |
CVE-2026-39367
WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo
|
| 27 |
CVE-2026-34623
Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a D
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 735d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2302d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2115d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1729d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2232d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4980d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1201d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1002d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3757d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 904d |