Total CVEs
6191
last 30 days
Avg Priority
35.0
of max 220
KEV
8
actively exploited
POC
746
public exploits
Unpatched
1228
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-5281
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co
118
CVE-2026-34621
Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Control
117
CVE-2026-33634
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publi
117
CVE-2026-3055
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP l
114
CVE-2026-34197
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i
109
CVE-2026-3502
TrueConf Client downloads application update code and applies it without performing verification. An
109
CVE-2026-32201
Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform
Priority Distribution
| Priority | CVE |
|---|---|
| 42 |
CVE-2026-33747
### Impact
When using a custom BuildKit frontend, the frontend can craft an API
|
| 42 |
CVE-2025-69627
Nitro PDF Pro for Windows 14.41.1.4 contains a heap use-after-free vulnerability
|
| 42 |
CVE-2026-23853
Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Featu
|
| 42 |
CVE-2026-32221
Heap-based buffer overflow in Microsoft Graphics Component allows an unauthorize
|
| 42 |
CVE-2026-4857
IdentityIQ 8.5, all
IdentityIQ 8.5 patch levels prior to 8.5p2, IdentityIQ 8.4,
|
| 42 |
CVE-2026-30811
Missing Authorization vulnerability allows Exposure of Sensitive Information via
|
| 42 |
CVE-2026-32162
Acceptance of extraneous untrusted data with trusted data in Windows COM allows
|
| 42 |
CVE-2026-32091
Concurrent execution using shared resource with improper synchronization ('race
|
| 42 |
CVE-2026-4266
An Insecure Deserialization vulnerability in WatchGuard Fireware OS allows an at
|
| 42 |
CVE-2025-14213
Cato Networks’ Socket versions prior to 25 contain a command injection vulnerabi
|
| 42 |
CVE-2026-32725
SciTokens C++ is a minimal library for creating and using SciTokens from C or C+
|
| 42 |
CVE-2026-5264
Heap buffer overflow in DTLS 1.3 ACK message processing. A remote attacker can s
|
| 42 |
CVE-2026-22897
A command injection vulnerability has been reported to affect QuNetSwitch. The r
|
| 42 |
CVE-2026-6328
Improper input validation, Improper verification of cryptographic signature vuln
|
| 42 |
CVE-2026-30461
Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote
|
| 42 |
CVE-2026-0562
A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows
|
| 42 |
CVE-2026-3549
Heap Overflow in TLS 1.3 ECH parsing. An integer underflow existed in ECH extens
|
| 42 |
CVE-2026-34524
## Summary
A Path Traversal vulnerability in chat endpoints allows an authentica
|
| 42 |
CVE-2026-33980
### Summary
adx-mcp-server (<= latest, commit 48b2933) contains KQL (Kusto Quer
|
| 42 |
CVE-2026-39884
## Summary
The `port_forward` tool in `mcp-server-kubernetes` constructs a kube
|
| 42 |
CVE-2026-34221
A prototype pollution vulnerability exists in the `Utils.merge` helper used inte
|
| 42 |
CVE-2026-34072
Cr*nMaster (cronmaster) is a Cronjob management UI with human readable syntax, l
|
| 42 |
CVE-2026-31939
Chamilo LMS is a learning management system. Prior to 1.11.38, there is a path t
|
| 42 |
CVE-2026-33407
Wallos is an open-source, self-hostable personal subscription tracker. Prior to
|
| 42 |
CVE-2026-34780
### Impact
Apps that pass `VideoFrame` objects (from the WebCodecs API) across t
|
| 42 |
CVE-2026-35394
### Summary
The `mobile_open_url` tool in mobile-mcp passes user-supplied URLs
|
| 42 |
CVE-2025-15617
Wazuh version 4.12.0 contains an exposure vulnerability in GitHub Actions workfl
|
| 42 |
CVE-2026-34576
Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST
|
| 42 |
CVE-2026-31998
OpenClaw versions 2026.2.22 and 2026.2.23 contain an authorization bypass vulner
|
| 42 |
CVE-2026-1313
The MimeTypes Link Icons plugin for WordPress is vulnerable to Server-Side Reque
|
| 42 |
CVE-2026-24148
NVIDIA Jetson for JetPack contains a vulnerability in the system initialization
|
| 42 |
CVE-2026-34719
Zammad is a web based open source helpdesk/customer support system. Prior to 7.0
|
| 42 |
CVE-2026-4557
A vulnerability was detected in code-projects Exam Form Submission 1.0. This imp
|
| 42 |
CVE-2026-4510
A weakness has been identified in PbootCMS up to 3.2.12. This impacts the functi
|
| 42 |
CVE-2026-35595
## Summary
A user with Write-level access to a project can escalate their permi
|
| 42 |
CVE-2026-35618
OpenClaw before 2026.3.23 contains a replay identity vulnerability in Plivo V2 s
|
| 42 |
CVE-2026-32899
OpenClaw versions prior to 2026.2.25 fail to consistently apply sender-policy ch
|
| 42 |
CVE-2026-33534
EspoCRM is an open source customer relationship management application. Versions
|
| 42 |
CVE-2025-71258
BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a blind serve
|
| 42 |
CVE-2026-33779
An Improper Following of a Certificate's Chain of Trust vulnerability in J-Web o
|
| 42 |
CVE-2026-33210
### Impact
A format string injection vulnerability than that lead to denial of
|
| 42 |
CVE-2026-33981
### Summary
The `jq:` and `jqraw:` include filter expressions allow use of the
|
| 42 |
CVE-2026-32146
Improper path validation vulnerability in the Gleam compiler's handling of git d
|
| 42 |
CVE-2025-14595
GitLab has remediated an issue in GitLab EE affecting all versions from 18.6 bef
|
| 42 |
CVE-2026-2726
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10
|
| 42 |
CVE-2026-32902
OpenClaw before 2026.3.1 contains a server-side request forgery vulnerability in
|
| 42 |
CVE-2025-55262
HCL Aftermarket DPC is affected by SQL Injection which allows attacker to exploi
|
| 42 |
CVE-2026-35478
InvenTree is an Open Source Inventory Management System. From 0.16.0 to before 1
|
| 42 |
CVE-2026-6314
Out of bounds write in GPU in Google Chrome prior to 147.0.7727.101 allowed a re
|
| 42 |
CVE-2026-6309
Use after free in Viz in Google Chrome prior to 147.0.7727.101 allowed a remote
|
| 42 |
CVE-2026-6304
Use after free in Graphite in Google Chrome prior to 147.0.7727.101 allowed a re
|
| 42 |
CVE-2026-6310
Use after free in Dawn in Google Chrome prior to 147.0.7727.101 allowed a remote
|
| 42 |
CVE-2026-6311
Uninitialized Use in Accessibility in Google Chrome on Windows prior to 147.0.77
|
| 42 |
CVE-2026-28808
Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unaut
|
| 42 |
CVE-2026-6297
Use after free in Proxy in Google Chrome prior to 147.0.7727.101 allowed an atta
|
| 42 |
CVE-2026-6442
Improper validation of bash commands in Snowflake Cortex Code CLI versions prior
|
| 42 |
CVE-2026-40899
DataEase is an open-source data visualization and analytics platform. Versions 2
|
| 41 |
CVE-2026-34578
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.6, OPNs
|
| 41 |
CVE-2026-34363
### Impact
When multiple clients subscribe to the same class via LiveQuery, the
|
| 41 |
CVE-2026-40163
Saltcorn is an extensible, open source, no-code database application builder. Pr
|
| 41 |
CVE-2026-34215
### Impact
The verify password endpoint returns unsanitized authentication data
|
| 41 |
CVE-2026-35091
A flaw was found in Corosync. A remote unauthenticated attacker can exploit a wr
|
| 41 |
CVE-2026-33942
Saloon is a PHP library that gives users tools to build API integrations and SDK
|
| 41 |
CVE-2026-39363
### Summary
[`server.fs`](https://vite.dev/config/server-options#server-fs-stri
|
| 41 |
CVE-2026-39429
### Summary
The cache server is directly exposed by the root shard and has no a
|
| 41 |
CVE-2026-34045
Podman Desktop is a graphical tool for developing on containers and Kubernetes.
|
| 41 |
CVE-2026-35525
### Summary
LiquidJS enforces partial and layout root restrictions using the re
|
| 41 |
CVE-2026-35604
File Browser is a file managing interface for uploading, deleting, previewing, r
|
| 41 |
CVE-2026-5208
Command injection in alerts in CoolerControl/coolercontrold <4.0.0 allows authen
|
| 41 |
CVE-2026-34042
act's built-in actions/cache server listens to connections on all interfaces and
|
| 41 |
CVE-2026-34219
## Description
### Summary
The Rust libp2p Gossipsub implementation contains a r
|
| 41 |
CVE-2026-27124
## Summary
While testing the *GitHubProvider* OAuth integration, which allows au
|
| 41 |
CVE-2026-33946
### Summary
The Ruby SDK's [streamable_http_transport.rb](https://github.com/mo
|
| 41 |
CVE-2026-29872
A cross-session information disclosure vulnerability exists in the awesome-llm-a
|
| 41 |
CVE-2026-34573
Parse Server is an open source backend that can be deployed to any infrastructur
|
| 41 |
CVE-2026-32877
Botan is a C++ cryptography library. From version 2.3.0 to before version 3.11.0
|
| 41 |
CVE-2026-33508
### Impact
Parse Server's LiveQuery component does not enforce the `requestComp
|
| 41 |
CVE-2026-34784
Parse Server is an open source backend that can be deployed to any infrastructur
|
| 41 |
CVE-2026-5477
An integer overflow existed in the wolfCrypt CMAC implementation, that could be
|
| 41 |
CVE-2026-4828
Improper authentication in the OAuth login functionality in Devolutions Server 2
|
| 41 |
CVE-2026-4924
Improper
authentication in the two-factor authentication (2FA) feature in
Devo
|
| 41 |
CVE-2026-34593
## Summary
`Ash.Type.Module.cast_input/2` unconditionally creates a new Erlang
|
| 41 |
CVE-2026-22733
Spring Boot applications with Actuator can be vulnerable to an "Authentication B
|
| 41 |
CVE-2026-22731
Spring Boot applications with Actuator can be vulnerable to an "Authentication B
|
| 41 |
CVE-2026-32030
OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in t
|
| 41 |
CVE-2026-32316
jq is a command-line JSON processor. An integer overflow vulnerability exists th
|
| 41 |
CVE-2026-40073
SvelteKit is a framework for rapidly developing robust, performant web applicati
|
| 41 |
CVE-2026-32829
lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In vers
|
| 41 |
CVE-2026-40168
Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/s
|
| 41 |
CVE-2026-2072
Cross-Site Scripting vulnerability in Hitachi Infrastructure Analytics Advisor (
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 735d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2302d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2115d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1729d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2232d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4980d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1201d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1002d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3757d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 904d |