Total CVEs
6202
last 30 days
Avg Priority
31.3
of max 220
KEV
14
actively exploited
POC
495
public exploits
Unpatched
938
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
136
CVE-2026-0300
A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service o
133
CVE-2026-41940
cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, an
131
CVE-2026-6973
An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows
131
CVE-2026-42897
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Ex
127
CVE-2026-20182
May 2026: This security advisory provides the details and fix information for a vulnerability that w
126
CVE-2026-41091
Improper link resolution before file access ('link following') in Microsoft Defender allows an autho
120
CVE-2026-48172
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exp
118
CVE-2026-45321
## Summary
On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 4
117
CVE-2026-42208
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1
117
CVE-2026-8398
A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows v
Priority Distribution
| Priority | CVE |
|---|---|
| 48 |
CVE-2026-8128
A vulnerability was found in SourceCodester SUP Online Shopping 1.0. The affecte
|
| 48 |
CVE-2026-8734
A vulnerability was determined in Oinone Pamirs up to 7.2.0. Affected by this is
|
| 48 |
CVE-2026-7670
A flaw has been found in Jinher OA 1.0. The affected element is an unknown funct
|
| 48 |
CVE-2026-8752
A weakness has been identified in h2oai h2o-3 up to 7402. This vulnerability aff
|
| 48 |
CVE-2026-7694
A flaw has been found in Acrel Electrical ECEMS Enterprise Microgrid Energy Effi
|
| 48 |
CVE-2026-9364
A flaw has been found in projectworlds Online Art Gallery Shop 1.0. Impacted is
|
| 48 |
CVE-2026-8739
A vulnerability was detected in Sanluan PublicCMS 5.202506.d. The affected eleme
|
| 48 |
CVE-2026-7695
A vulnerability has been found in Acrel Electrical EEMS Enterprise Power Operati
|
| 48 |
CVE-2026-9580
A vulnerability was determined in JeecgBoot up to 3.9.1. The affected element is
|
| 48 |
CVE-2026-7400
A security vulnerability has been detected in geekgod382 filesystem-mcp-server 1
|
| 48 |
CVE-2026-7403
A security flaw has been discovered in geldata gel-mcp 0.1.0. This impacts the f
|
| 48 |
CVE-2026-7384
A vulnerability was detected in ezequiroga mcp-bases 357ca19c7a49a9b9cb2ef639b36
|
| 48 |
CVE-2026-7398
A weakness has been identified in florensiawidjaja BioinfoMCP up to 7ada7918b9e5
|
| 48 |
CVE-2026-9603
A security vulnerability has been detected in SourceCodester eDoc Doctor Appoint
|
| 48 |
CVE-2026-7404
A weakness has been identified in getsimpletool mcpo-simple-server up to 0.2.0.
|
| 48 |
CVE-2026-7396
A vulnerability was identified in NousResearch hermes-agent 0.8.0. Affected by t
|
| 48 |
CVE-2026-7386
A flaw has been found in fatbobman mail-mcp-bridge up to 1.3.3. Affected is an u
|
| 48 |
CVE-2026-9606
A vulnerability has been found in itsourcecode Courier Management System 1.0. Im
|
| 48 |
CVE-2026-8083
A vulnerability was found in SourceCodester Pharmacy Sales and Inventory System
|
| 48 |
CVE-2026-9584
A security vulnerability has been detected in code-projects Project Management S
|
| 48 |
CVE-2026-7589
A vulnerability was determined in ghantakiran splunk-mcp-integration up to 0b86b
|
| 47 |
CVE-2026-1631
The Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plu
|
| 47 |
CVE-2026-32175
A tampering vulnerability exists when .NET Core improperly handles specially cra
|
| 47 |
CVE-2026-6402
webpack-dev-server versions up to and including 5.2.3 are vulnerable to cross-or
|
| 47 |
CVE-2026-43638
Bitwarden Server prior to v2026.4.1 contains a missing authorization vulnerabili
|
| 47 |
CVE-2026-5335
The Magic Export & Import WordPress plugin before 1.2.0 stores exported CSV file
|
| 46 |
CVE-2026-43644
podinfo through 6.11.2 contains a reflected cross-site scripting vulnerability i
|
| 45 |
CVE-2026-33570
PowerSYSTEM Center REST API endpoint for devices allows a low privilege authenti
|
| 43 |
CVE-2026-42080
PPTAgent is an agentic framework for reflective PowerPoint generation. Prior to
|
| 42 |
CVE-2025-70116
A NULL pointer dereference in GPAC MP4Box: when parsing certain truncated MP4 fi
|
| 42 |
CVE-2026-9807
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9
|
| 42 |
CVE-2026-41160
EspoCRM is an open source customer relationship management application. Prior to
|
| 38 |
CVE-2026-26461
A Command Injection vulnerability in the web management interface in Aver PTC320
|
| 38 |
CVE-2026-40374
Exposure of sensitive information to an unauthorized actor in Power Automate all
|
| 38 |
CVE-2026-42830
Untrusted search path in Azure Monitor Agent allows an authorized attacker to el
|
| 37 |
CVE-2026-41610
Improper neutralization of input during web page generation ('cross-site scripti
|
| 36 |
CVE-2026-8605
In ScadaBR version 1.2.0, a Use of Hard-Coded Credentials vulnerability could al
|
| 36 |
CVE-2026-35504
PowerSYSTEM Center email notification service is affected by a CRLF injection vu
|
| 35 |
CVE-2026-24000
### Impact
Fleet trusted client-supplied IP address headers when determining th
|
| 35 |
CVE-2026-42138
Dify is an open-source LLM app development platform. Prior to version 1.13.1, us
|
| 35 |
CVE-2026-7864
SEPPmail Secure Email Gateway before version 15.0.4 exposes server environment v
|
| 35 |
CVE-2026-41161
Sync-in Server is a secure, open-source platform for file storage, sharing, coll
|
| 35 |
CVE-2026-41928
Vvveb before 1.0.8.2 contains an information disclosure vulnerability in the cro
|
| 35 |
CVE-2026-45248
Hedera Guardian through 3.5.1 contains an authentication bypass vulnerability in
|
| 35 |
CVE-2026-41890
### Summary
The `deleteProcess()` action accepts a POST parameter `tables[]` con
|
| 35 |
CVE-2026-8216
A vulnerability was identified in Industrial Application Software IAS Canias ERP
|
| 35 |
CVE-2026-32686
Uncontrolled Resource Consumption vulnerability in ericmj decimal allows unauthe
|
| 35 |
CVE-2026-44368
### Impact
The `mul_mod` function implements multiplication via a binary expansi
|
| 35 |
CVE-2026-46356
### Summary
A vulnerability in Fleet's IP extraction logic allows unauthenticate
|
| 35 |
CVE-2026-41493
YARD is a Ruby Documentation tool. Prior to version 0.9.42, a path traversal vul
|
| 35 |
CVE-2026-7735
A vulnerability was found in osrg GoBGP up to 4.3.0. Affected is the function Pa
|
| 35 |
CVE-2026-42600
### Impact
_What kind of vulnerability is it? Who is impacted?_
A path travers
|
| 35 |
CVE-2026-7734
A vulnerability has been found in osrg GoBGP up to 4.3.0. This impacts the funct
|
| 35 |
CVE-2026-39383
# CVE Report - Unauthenticated SSRF via Unfiltered Webhook URL in Gotenberg
##
|
| 35 |
CVE-2026-46721
The create and edit flows do not restrict which user properties may be submitted
|
| 35 |
CVE-2026-44679
Tuist is a virtual platform team for Swift app devs. Prior to 1.180.10, the forg
|
| 35 |
CVE-2026-44437
### Description
A vulnerability exists in the `X-Forwarded-Prefix` header proces
|
| 35 |
CVE-2026-0393
The affected product may expose credentials remotely between low privileged visu
|
| 35 |
CVE-2026-8186
A vulnerability was detected in Open5GS up to 2.7.7. This affects the function o
|
| 35 |
CVE-2026-7737
A vulnerability was identified in osrg GoBGP up to 4.3.0. Affected by this issue
|
| 35 |
CVE-2026-42888
Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, t
|
| 35 |
CVE-2026-7598
A security vulnerability has been detected in libssh2 up to 1.11.1. The impacted
|
| 35 |
CVE-2026-7736
A vulnerability was determined in osrg GoBGP up to 4.3.0. Affected by this vulne
|
| 35 |
CVE-2026-42534
NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the
|
| 35 |
CVE-2026-6826
Concrete CMS 9.5.0 and below is vulnerable to unauthenticated file usage disclo
|
| 35 |
CVE-2026-8295
An integer overflow vulnerability in the simdjson document-builder API allows in
|
| 35 |
CVE-2026-42871
WeGIA is a web manager for charitable institutions. In versions prior to 3.7.0,
|
| 35 |
CVE-2026-41509
CROSS implementation contains reference and optimized implementations of the CRO
|
| 35 |
CVE-2026-42923
NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the
|
| 35 |
CVE-2026-8187
A flaw has been found in Open5GS up to 2.7.7. This impacts the function _gtpv1_u
|
| 35 |
CVE-2026-44390
NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability when h
|
| 35 |
CVE-2026-8209
Gibbon versions before v30.0.01 are affected by a path traversal vulnerability r
|
| 35 |
CVE-2026-6805
Vulnerability on the external sharing feature in Cryptobox allows an attacker kn
|
| 35 |
CVE-2026-41682
pupnp is an SDK for development of UPnP device and control point applications. P
|
| 35 |
CVE-2026-7820
Improper restriction of excessive authentication attempts (CWE-307) in pgAdmin 4
|
| 35 |
CVE-2026-42841
### Summary
An authenticated user with page editing permissions can inject an e
|
| 35 |
CVE-2026-40826
A high privileged remote attacker can exploit an unauthenticated SQL Injection v
|
| 35 |
CVE-2026-40822
A high privileged remote attacker can exploit an unauthenticated SQL Injection v
|
| 35 |
CVE-2026-40821
A high privileged remote attacker can exploit an unauthenticated SQL Injection v
|
| 35 |
CVE-2026-43620
Rsync version 3.4.2 and prior contain a receiver-side out-of-bounds array read v
|
| 35 |
CVE-2026-7727
A vulnerability was determined in Shandong Hoteam Software PDM Product Data Mana
|
| 35 |
CVE-2026-44116
OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability i
|
| 35 |
CVE-2026-37503
Cross-Site Scripting (XSS) in V2Board thru 1.7.4. The custom_html field in theme
|
| 35 |
CVE-2026-8243
A vulnerability was determined in Industrial Application Software IAS Canias ERP
|
| 35 |
CVE-2026-41181
## Summary
There is a medium severity information disclosure vulnerability in T
|
| 35 |
CVE-2026-20717
Improper input validation for some Intel(R) QAT software drivers for Windows bef
|
| 35 |
CVE-2026-20905
Improper input validation for some Intel(R) QAT software drivers for Windows bef
|
| 35 |
CVE-2026-42788
Allocation of Resources Without Limits or Throttling vulnerability in mtrudel ba
|
| 35 |
CVE-2025-48521
Improper input validation in the AMD Secure Processor (ASP) PCI driver could all
|
| 35 |
CVE-2026-20771
Null pointer dereference for some Intel(R) QAT software drivers for Windows befo
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 776d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2344d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2157d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1771d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2274d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 5021d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1242d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1044d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3798d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 946d |