Total CVEs
6194
last 30 days
Avg Priority
35.0
of max 220
KEV
8
actively exploited
POC
749
public exploits
Unpatched
1226
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-5281
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co
118
CVE-2026-34621
Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Control
117
CVE-2026-33634
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publi
117
CVE-2026-3055
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP l
114
CVE-2026-34197
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i
109
CVE-2026-3502
TrueConf Client downloads application update code and applies it without performing verification. An
109
CVE-2026-32201
Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform
Priority Distribution
| Priority | CVE |
|---|---|
| 27 |
CVE-2026-32243
Discourse is an open-source discussion platform. From versions 2026.1.0-latest t
|
| 27 |
CVE-2026-39400
Cronicle is a multi-server task scheduler and runner, with a web based front-end
|
| 27 |
CVE-2026-30878
baserCMS is a website development framework. Prior to version 5.2.3, a public ma
|
| 27 |
CVE-2026-40100
FastGPT is an AI Agent building platform. Prior to 4.14.10.3, the /api/core/app/
|
| 27 |
CVE-2026-4649
Apache Artemis before version 2.52.0 is affected by an authentication bypass fla
|
| 27 |
CVE-2026-32305
Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below,
|
| 27 |
CVE-2026-34732
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AV
|
| 27 |
CVE-2026-34574
Parse Server is an open source backend that can be deployed to any infrastructur
|
| 27 |
CVE-2026-34595
Parse Server is an open source backend that can be deployed to any infrastructur
|
| 27 |
CVE-2026-3475
The Instant Popup Builder plugin for WordPress is vulnerable to Unauthenticated
|
| 27 |
CVE-2026-24299
Improper neutralization of special elements used in a command ('command injectio
|
| 27 |
CVE-2026-33761
## Summary
Three `list.json.php` endpoints in the Scheduler plugin lack any aut
|
| 27 |
CVE-2026-33763
## Summary
The `get_api_video_password_is_correct` API endpoint allows any unau
|
| 27 |
CVE-2026-3645
The Punnel - Landing Page Builder plugin for WordPress is vulnerable to Missing
|
| 27 |
CVE-2025-13822
MCPHub in versions below 0.11.0 is vulnerable to authentication bypass. Some end
|
| 27 |
CVE-2026-0394
When dovecot has been configured to use per-domain passwd files, and they are pl
|
| 27 |
CVE-2026-33457
Livestatus injection in the prediction graph page in Checkmk <2.5.0b4, <2.4.0p26
|
| 27 |
CVE-2026-1782
The MetForm Pro plugin for WordPress is vulnerable to Improper Input Validation
|
| 27 |
CVE-2026-33300
Discourse is an open-source discussion platform. From versions 2026.1.0-latest t
|
| 27 |
CVE-2026-33759
## Summary
The `objects/playlistsVideos.json.php` endpoint returns the full vid
|
| 27 |
CVE-2026-33065
**Impact**
This is an Improper Error Handling vulnerability with Information
|
| 27 |
CVE-2026-26945
Dell Integrated Dell Remote Access Controller 9, 14G versions prior to 7.00.00.1
|
| 27 |
CVE-2026-31805
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-late
|
| 27 |
CVE-2026-32143
Discourse is an open-source discussion platform. From versions 2026.1.0-latest t
|
| 27 |
CVE-2026-33455
Livestatus injection in the monitoring quicksearch in Checkmk <2.5.0b4 allows an
|
| 27 |
CVE-2026-32620
Discourse is an open-source discussion platform. From versions 2026.1.0-latest t
|
| 27 |
CVE-2026-33705
Chamilo LMS is a learning management system. Prior to 1.11.38, Twig template fil
|
| 27 |
CVE-2026-35620
OpenClaw before 2026.3.24 contains missing authorization vulnerabilities in the
|
| 27 |
CVE-2026-5762
Allocation of resources without limits or throttling vulnerability in Wikimedia
|
| 27 |
CVE-2026-33766
## Summary
`isSSRFSafeURL()` validates URLs against private/reserved IP ranges
|
| 27 |
CVE-2026-23488
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the /a
|
| 27 |
CVE-2026-3550
The RockPress plugin for WordPress is vulnerable to Missing Authorization in all
|
| 27 |
CVE-2026-4985
A vulnerability was identified in dloebl CGIF up to 0.5.2. This vulnerability af
|
| 27 |
CVE-2026-33192
**Impact**
This is an Improper Error Handling vulnerability with Information E
|
| 27 |
CVE-2026-23486
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, a publ
|
| 27 |
CVE-2026-34230
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, a
|
| 27 |
CVE-2026-4751
NULL Pointer Dereference vulnerability in tmate-io tmate.This issue affects tmat
|
| 27 |
CVE-2026-34979
OpenPrinting CUPS is an open source printing system for Linux and other Unix-lik
|
| 27 |
CVE-2026-32867
OPEXUS eComplaint before version 10.1.0.0 allows an unauthenticated attacker to
|
| 27 |
CVE-2026-35468
nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake pro
|
| 27 |
CVE-2026-3460
The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direc
|
| 27 |
CVE-2026-4733
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in ixra
|
| 27 |
CVE-2026-33899
When `Magick` parses an XML file it is possible that a single zero byte is writt
|
| 27 |
CVE-2026-34069
### Impact
An unauthenticated p2p peer can cause the `RequestMacroChain` messag
|
| 27 |
CVE-2026-27859
A mail message containing excessive amount of RFC 2231 MIME parameters causes LM
|
| 27 |
CVE-2026-34826
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, a
|
| 27 |
CVE-2026-33481
### Impact
Syft versions before v1.42.3 would not properly cleanup temporary sto
|
| 27 |
CVE-2026-35583
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the config
|
| 27 |
CVE-2026-39401
Cronicle is a multi-server task scheduler and runner, with a web based front-end
|
| 27 |
CVE-2026-32615
Discourse is an open-source discussion platform. From versions 2026.1.0-latest t
|
| 27 |
CVE-2026-39348
OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to
|
| 27 |
CVE-2026-39360
RustFS is a distributed object storage system built in Rust. Prior to alpha.90,
|
| 27 |
CVE-2026-3210
Incorrect Authorization vulnerability in Drupal Material Icons allows Forceful B
|
| 27 |
CVE-2026-24096
Insufficient permission validation on multiple REST API Quick Setup endpoints in
|
| 27 |
CVE-2026-39940
ChurchCRM is an open-source church management system. Prior to 7.0.0, it was pos
|
| 27 |
CVE-2026-33185
Discourse is an open-source discussion platform. From versions 2026.1.0-latest t
|
| 27 |
CVE-2026-35023
Wimi Teamwork On-Premises versions prior to 8.2.0 contain an insecure direct obj
|
| 27 |
CVE-2026-33537
Lychee is a free, open-source photo-management tool. The patch introduced for GH
|
| 27 |
CVE-2026-35578
ChurchCRM is an open-source church management system. Prior to 7.0.0, it was pos
|
| 27 |
CVE-2026-35606
File Browser is a file managing interface for uploading, deleting, previewing, r
|
| 27 |
CVE-2026-39346
OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to
|
| 27 |
CVE-2026-2263
The Hustle - Email Marketing, Lead Generation, Optins, Popups plugin for WordPre
|
| 27 |
CVE-2026-34837
Zammad is a web based open source helpdesk/customer support system. Prior to 7.0
|
| 27 |
CVE-2026-4812
The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Missing A
|
| 27 |
CVE-2026-32990
Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fi
|
| 27 |
CVE-2026-26895
User enumeration vulnerability in /pwreset.php in osTicket v1.18.2 allows remote
|
| 27 |
CVE-2026-39857
ApostropheCMS is an open-source Node.js content management system. Versions 4.28
|
| 27 |
CVE-2026-40087
LangChain's f-string prompt-template validation was incomplete in two respects.
|
| 27 |
CVE-2026-39922
GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side req
|
| 27 |
CVE-2026-34372
### Impact
A user which has permission for the Sulu Admin via atleast one role
|
| 27 |
CVE-2026-25043
Budibase is an open-source low-code platform. Prior to version 3.23.25, a busine
|
| 27 |
CVE-2026-5808
A vulnerability was detected in openstatusHQ openstatus up to 1b678e71a85961ae31
|
| 27 |
CVE-2026-1879
A vulnerability was detected in Harvard University IQSS Dataverse up to 6.8. Thi
|
| 27 |
CVE-2026-39373
JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography.
|
| 27 |
CVE-2026-39381
Parse Server is an open source backend that can be deployed to any infrastructur
|
| 27 |
CVE-2026-4654
The Awesome Support - WordPress HelpDesk & Support Plugin plugin for WordPress i
|
| 27 |
CVE-2026-4299
The MainWP Child Reports plugin for WordPress is vulnerable to Missing Authoriza
|
| 27 |
CVE-2026-1314
The 3D FlipBook - PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plug
|
| 27 |
CVE-2025-14944
The Backup Migration plugin for WordPress is vulnerable to Missing Authorization
|
| 27 |
CVE-2026-35544
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insuffici
|
| 27 |
CVE-2026-1491
IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify
|
| 27 |
CVE-2026-5538
A vulnerability was detected in QingdaoU OnlineJudge up to 1.6.1. Affected by th
|
| 27 |
CVE-2026-35452
## Summary
The `plugin/CloneSite/client.log.php` endpoint serves the clone oper
|
| 27 |
CVE-2026-2862
IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify
|
| 27 |
CVE-2026-35450
## Summary
The `plugin/API/check.ffmpeg.json.php` endpoint probes the FFmpeg re
|
| 27 |
CVE-2026-35629
OpenClaw before 2026.3.25 contains a server-side request forgery vulnerability i
|
| 27 |
CVE-2026-35545
An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remot
|
| 27 |
CVE-2026-35542
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remot
|
| 27 |
CVE-2026-4325
A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value st
|
| 27 |
CVE-2026-40151
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the AgentOS deploymen
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 735d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2303d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2115d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1729d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2232d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4980d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1201d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1002d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3757d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 904d |