| Metric | Value | Note |
|---|---|---|
| Total CVEs | 6196 | last 30 days |
| Avg Priority | 35.0 | of max 220 |
| KEV | 8 | actively exploited |
| POC | 742 | public exploits |
| Unpatched | 1227 | CRIT/HIGH without patch |
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:

| Signal | Weight | Meaning |
|---|---|---|
| KEV | +50 | CISA Known Exploited Vulnerability: confirmed active exploitation in the wild |
| EPSS | x100 | Exploit Prediction Scoring System: probability of exploitation in next 30 days (0-100) |
| CVSS | x5 | Common Vulnerability Scoring System: technical severity (0-50) |
| POC | +20 | Public exploit code exists: lowers barrier for attackers |

| Score | Level |
|---|---|
| 0-40 | Low |
| 40-80 | Medium |
| 80-120 | High |
| 120+ | Critical |
Patch Now — Known Exploited Vulnerabilities
| Priority | CVE | Description |
|---|---|---|
| 124 | CVE-2026-35616 | An improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an |
| 119 | CVE-2026-5281 | Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co |
| 118 | CVE-2026-34621 | Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Control |
| 117 | CVE-2026-33634 | Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publi |
| 117 | CVE-2026-3055 | Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP l |
| 114 | CVE-2026-34197 | Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i |
| 109 | CVE-2026-3502 | TrueConf Client downloads application update code and applies it without performing verification. An |
| 109 | CVE-2026-32201 | Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform |
Priority Distribution
| Priority | CVE | Description |
|---|---|---|
| 38 | CVE-2025-59440 | An issue was discovered in USIM in Samsung Mobile Processor, Wearable Processor, |
| 38 | CVE-2025-57835 | An issue was discovered in RRC in Samsung Mobile Processor, Wearable Processor, |
| 38 | CVE-2026-34896 | Cross-Site Request Forgery (CSRF) vulnerability in Analytify Under Construction, |
| 38 | CVE-2026-4699 | Incorrect boundary conditions in the Layout: Text and Fonts component. This vuln |
| 38 | CVE-2026-4686 | Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerab |
| 38 | CVE-2025-67841 | Nordic Semiconductor IronSide SE for nRF54H20 before 23.0.2+17 has an Algorithmi |
| 38 | CVE-2026-4685 | Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerab |
| 38 | CVE-2025-54324 | An issue was discovered in NAS in Samsung Mobile Processor, Wearable Processor, |
| 38 | CVE-2026-4707 | Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerab |
| 38 | CVE-2025-50646 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to insuf |
| 38 | CVE-2025-52222 | D-Link DI-8003 v16.07.26A1, DI-8500 v16.07.26A1; DI-8003G v17.12.21A1, DI-8200G |
| 38 | CVE-2026-32284 | The msgpack decoder fails to properly validate the input buffer length when proc |
| 38 | CVE-2026-32286 | The DataRow.Decode function fails to properly validate field lengths. A maliciou |
| 38 | CVE-2026-28815 | A remote attacker can supply a short X-Wing HPKE encapsulated key and trigger an |
| 38 | CVE-2026-24382 | Missing Authorization vulnerability in wproyal News Magazine X news-magazine-x a |
| 38 | CVE-2026-27073 | Use of Hard-coded Credentials vulnerability in Addi Addi – Cuotas que se a |
| 38 | CVE-2026-32285 | The Delete function fails to properly validate offsets when processing malformed |
| 38 | CVE-2026-25396 | Missing Authorization vulnerability in CoderPress Commerce Coinbase For WooComme |
| 38 | CVE-2026-3573 | Incorrect Authorization vulnerability in Drupal AI (Artificial Intelligence) all |
| 38 | CVE-2026-32485 | Missing Authorization vulnerability in weDevs WP User Frontend wp-user-frontend |
| 38 | CVE-2026-23977 | Missing Authorization vulnerability in WPFactory Helpdesk Support Ticket System |
| 38 | CVE-2026-24363 | Missing Authorization vulnerability in loopus WP Cost Estimation & Payment Forms |
| 38 | CVE-2025-50645 | A vulnerability has been discovered in D-Link DI-8003 16.07.26A1, which can lead |
| 38 | CVE-2026-5087 | PAGI::Middleware::Session::Store::Cookie versions through 0.001003 for Perl gene |
| 38 | CVE-2026-20701 | An access issue was addressed with additional sandbox restrictions. This issue i |
| 38 | CVE-2026-20639 | An integer overflow was addressed with improved input validation. This issue is |
| 38 | CVE-2026-23806 | Missing Authorization vulnerability in BlueGlass Interactive AG Jobs for WordPre |
| 38 | CVE-2026-32498 | Missing Authorization vulnerability in Metagauss RegistrationMagic custom-regist |
| 38 | CVE-2025-69358 | Missing Authorization vulnerability in Metagauss EventPrime eventprime-event-cal |
| 38 | CVE-2026-25026 | Missing Authorization vulnerability in RadiusTheme Team tlp-team allows Exploiti |
| 38 | CVE-2025-45058 | D-Link DI-8300 v16.07.26A1 was discovered to contain a buffer overflow via the f |
| 38 | CVE-2025-45057 | D-Link DI-8300 v16.07.26A1 was discovered to contain a buffer overflow via the i |
| 38 | CVE-2026-25309 | Missing Authorization vulnerability in PublishPress PublishPress Authors publish |
| 38 | CVE-2026-5438 | A gzip decompression bomb vulnerability exists when Orthanc processes HTTP reque |
| 38 | CVE-2026-5439 | A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc auto |
| 38 | CVE-2026-23482 | Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the fi |
| 38 | CVE-2026-25456 | Missing Authorization vulnerability in Aarsiv Groups Automated FedEx live/manual |
| 38 | CVE-2026-32515 | Missing Authorization vulnerability in kamleshyadav Miraculous miraculous allows |
| 38 | CVE-2026-25317 | Missing Authorization vulnerability in tychesoftwares Print Invoice & Delivery N |
| 38 | CVE-2026-34020 | Use of GET Request Method With Sensitive Query Strings vulnerability in Apache O |
| 38 | CVE-2026-34876 | An issue was discovered in Mbed TLS 3.x before 3.6.6. An out-of-bounds read vuln |
| 38 | CVE-2026-25401 | Missing Authorization vulnerability in Arni Cinco WPCargo Track & Trace wpcargo |
| 38 | CVE-2026-32495 | Missing Authorization vulnerability in Link Software LLC WP Terms Popup wp-terms |
| 38 | CVE-2026-30778 | The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configurat |
| 38 | CVE-2025-45059 | D-Link DI-8300 v16.07.26A1 was discovered to contain a buffer overflow via the f |
| 38 | CVE-2026-40046 | Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ |
| 38 | CVE-2026-33241 | Summary: Salvo's form data parsing implementations (`form_data()` method and ` |
| 38 | CVE-2026-33174 | Impact: When serving files through Active Storage's `Blobs::ProxyController`, |
| 38 | CVE-2026-33176 | Impact: Active Support number helpers accept strings containing scientific no |
| 38 | CVE-2026-3608 | Sending a maliciously crafted message to the kea-ctrl-agent, kea-dhcp-ddns, kea- |
| 38 | CVE-2026-1092 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.10 |
| 38 | CVE-2026-4697 | Incorrect boundary conditions in the Audio/Video: Web Codecs component. This vul |
| 38 | CVE-2026-4714 | Incorrect boundary conditions in the Audio/Video component. This vulnerability a |
| 38 | CVE-2026-28855 | A permissions issue was addressed with additional restrictions. This issue is fi |
| 38 | CVE-2026-4695 | Incorrect boundary conditions in the Audio/Video: Web Codecs component. This vul |
| 38 | CVE-2026-4713 | Incorrect boundary conditions in the Graphics component. This vulnerability affe |
| 38 | CVE-2026-4719 | Incorrect boundary conditions in the Graphics: Text component. This vulnerabilit |
| 38 | CVE-2026-4708 | Incorrect boundary conditions in the Graphics component. This vulnerability affe |
| 38 | CVE-2026-4704 | Denial-of-service in the WebRTC: Signaling component. This vulnerability affects |
| 38 | CVE-2026-4933 | Incorrect Authorization vulnerability in Drupal Unpublished Node Permissions all |
| 38 | CVE-2026-4684 | Race condition, use-after-free in the Graphics: WebRender component. This vulner |
| 38 | CVE-2026-5437 | An out-of-bounds read vulnerability exists in `DicomStreamReader` during DICOM m |
| 38 | CVE-2026-21710 | A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a re |
| 38 | CVE-2026-35042 | Summary: `fast-jwt` does not validate the `crit` (Critical) Header Parameter |
| 38 | CVE-2026-29072 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-late |
| 38 | CVE-2025-66769 | A NULL pointer dereference in Nitro PDF Pro for Windows v14.41.1.4 allows attack |
| 38 | CVE-2026-28505 | Tautulli is a Python based monitoring and tracking tool for Plex Media Server. P |
| 38 | CVE-2025-69624 | Nitro PDF Pro for Windows 14.41.1.4 contains a NULL pointer dereference vulnerab |
| 38 | CVE-2026-31923 | Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. |
| 38 | CVE-2026-27135 | nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. |
| 38 | CVE-2026-27880 | The OpenFeature feature toggle evaluation endpoint reads unbounded values into m |
| 38 | CVE-2026-5050 | The Payment Gateway for Redsys & WooCommerce Lite plugin for WordPress is vulner |
| 38 | CVE-2026-34240 | JOSE is a Javascript Object Signing and Encryption (JOSE) library. Prior to vers |
| 38 | CVE-2026-4712 | Information disclosure in the Widget: Cocoa component. This vulnerability affect |
| 38 | CVE-2026-31790 | Issue summary: Applications using RSASVE key encapsulation to establish a secret |
| 38 | CVE-2026-22566 | An Improper Access Control vulnerability could allow a malicious actor with acce |
| 38 | CVE-2026-28388 | Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is |
| 38 | CVE-2026-30332 | A Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability in Balena E |
| 38 | CVE-2026-22565 | An Improper Input Validation vulnerability could allow a malicious actor with ac |
| 38 | CVE-2026-4247 | When a challenge ACK is to be sent tcp_respond() constructs and sends the challe |
| 38 | CVE-2026-33266 | Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings. The r |
| 38 | CVE-2026-35467 | The stored API keys in temporary browser client is not marked as protected allow |
| 38 | CVE-2026-34486 | Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the f |
| 38 | CVE-2025-50670 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro |
| 38 | CVE-2025-50671 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro |
| 38 | CVE-2026-4694 | Incorrect boundary conditions, integer overflow in the Graphics component. This |
| 38 | CVE-2025-50661 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro |
| 38 | CVE-2025-50666 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro |
| 38 | CVE-2025-50664 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro |
| 38 | CVE-2025-50665 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro |
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 735d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2302d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2115d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1729d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2232d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4980d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1201d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1002d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3757d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 904d |