Total CVEs
6006
last 30 days
Avg Priority
34.9
of max 220
KEV
8
actively exploited
POC
752
public exploits
Unpatched
1185
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-5281
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co
118
CVE-2026-34621
Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Control
117
CVE-2026-33634
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publi
117
CVE-2026-3055
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP l
114
CVE-2026-34197
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i
109
CVE-2026-3502
TrueConf Client downloads application update code and applies it without performing verification. An
109
CVE-2026-32201
Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform
Priority Distribution
| Priority | CVE |
|---|---|
| 41 |
CVE-2026-29187
OpenEMR is a free and open source electronic health records and medical practice
|
| 41 |
CVE-2026-25357
Authentication Bypass Using an Alternate Path or Channel vulnerability in azzaro
|
| 41 |
CVE-2026-23971
Deserialization of Untrusted Data vulnerability in xtemos WoodMart woodmart allo
|
| 41 |
CVE-2026-22510
Deserialization of Untrusted Data vulnerability in AncoraThemes Melody melodysch
|
| 41 |
CVE-2026-22505
Deserialization of Untrusted Data vulnerability in AncoraThemes Morning Records
|
| 41 |
CVE-2026-5785
Zohocorp ManageEngine PAM360 versions before 8531 and ManageEngine Password Mana
|
| 41 |
CVE-2026-32488
Incorrect Privilege Assignment vulnerability in wpeverest User Registration user
|
| 41 |
CVE-2026-25334
Incorrect Privilege Assignment vulnerability in wordpresschef Salon Booking Syst
|
| 41 |
CVE-2026-24373
Incorrect Privilege Assignment vulnerability in Metagauss RegistrationMagic cust
|
| 41 |
CVE-2026-40784
Authorization Bypass Through User-Controlled Key vulnerability in Mahmudul Hasan
|
| 41 |
CVE-2026-28891
A race condition was addressed with additional validation. This issue is fixed i
|
| 41 |
CVE-2026-28817
A race condition was addressed with improved state handling. This issue is fixed
|
| 41 |
CVE-2026-39394
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
|
| 41 |
CVE-2026-34394
WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo
|
| 41 |
CVE-2026-39393
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
|
| 41 |
CVE-2026-33649
WWBN AVideo is an open source video platform. In versions up to and including 26
|
| 41 |
CVE-2026-40200
An issue was discovered in musl libc 0.7.10 through 1.2.6. Stack-based memory co
|
| 41 |
CVE-2026-40070
BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.3.1 to before 0.8.2,
|
| 41 |
CVE-2026-3605
An authenticated user with access to a kvv2 path through a policy containing a g
|
| 41 |
CVE-2026-4434
Improper certificate validation in the PAM propagation WinRM connections
allows
|
| 41 |
CVE-2026-4478
A vulnerability was identified in Yi Technology YI Home Camera 2 2.1.1_201710241
|
| 41 |
CVE-2025-15381
In the latest version of mlflow/mlflow, when the `basic-auth` app is enabled, tr
|
| 41 |
CVE-2026-40764
Cross-Site Request Forgery (CSRF) vulnerability in Syed Balkhi Contact Form by W
|
| 41 |
CVE-2026-2370
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.3
|
| 41 |
CVE-2026-4396
Improper certificate validation in Devolutions Hub Reporting Service
2025.3.1.1
|
| 41 |
CVE-2026-4718
Undefined behavior in the WebRTC: Signaling component. This vulnerability affect
|
| 41 |
CVE-2026-39371
RedwoodSDK is a server-first React framework. From 1.0.0-beta.50 to 1.0.5, erver
|
| 41 |
CVE-2026-40960
Luanti 5 before 5.15.2 sometimes allows unintended access to an insecure environ
|
| 40 |
CVE-2025-55261
HCL Aftermarket DPC is affected by Missing Functional Level Access Control which
|
| 40 |
CVE-2026-35442
### Summary
Aggregate functions (`min`, `max`) applied to fields with the `conc
|
| 40 |
CVE-2026-5436
The MW WP Form plugin for WordPress is vulnerable to Arbitrary File Move/Read in
|
| 40 |
CVE-2026-33466
Improper Limitation of a Pathname to a Restricted Directory (CWE-22) in Logstash
|
| 40 |
CVE-2026-34402
ChurchCRM is an open-source church management system. Prior to 7.1.0, authentica
|
| 40 |
CVE-2026-25773
** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to sanitize categor
|
| 40 |
CVE-2026-40868
kyverno’s apiCall servicecall helper implicitly injects `Authorization: Bearer .
|
| 40 |
CVE-2026-33435
Weblate is a web based localization tool. In versions prior to 5.17, the project
|
| 40 |
CVE-2026-1961
A flaw was found in Foreman. A remote attacker could exploit a command injection
|
| 40 |
CVE-2026-20155
A vulnerability in the web-based management interface of Cisco Evolved Programma
|
| 40 |
CVE-2025-24818
Nokia MantaRay NM is vulnerable to an OS command injection vulnerability due to
|
| 40 |
CVE-2025-24817
Nokia MantaRay NM is vulnerable to an OS command injection vulnerability due to
|
| 40 |
CVE-2026-20432
In Modem, there is a possible out of bounds write due to a missing bounds check.
|
| 40 |
CVE-2026-30615
A prompt injection vulnerability in Windsurf 1.9544.26 allows remote attackers t
|
| 40 |
CVE-2026-3108
Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.
|
| 40 |
CVE-2026-35575
ChurchCRM is an open-source church management system. Prior to 6.5.3, a Stored C
|
| 40 |
CVE-2026-4248
The Ultimate Member plugin for WordPress is vulnerable to Sensitive Information
|
| 40 |
CVE-2026-6290
Velociraptor versions prior to 0.76.3 contain a vulnerability in the query() plu
|
| 40 |
CVE-2026-32014
OpenClaw versions prior to 2026.2.26 contain a metadata spoofing vulnerability w
|
| 40 |
CVE-2026-35589
nanobot is a personal AI assistant. Versions prior to 0.1.5 contain a Cross-Site
|
| 40 |
CVE-2026-33183
### Impact
Users with MockResponse fixtures that use path traversal.
### Patche
|
| 40 |
CVE-2026-40149
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the gateway's /api/ap
|
| 40 |
CVE-2026-34444
Lupa integrates the runtimes of Lua or LuaJIT2 into CPython. In 2.6 and earlier,
|
| 40 |
CVE-2026-33397
An Open Redirect vulnerability exists in `@angular/ssr` due to an incomplete fix
|
| 39 |
CVE-2026-0634
Code execution in AssistFeedbackService of TECNO Pova7 Pro 5G on Android allows
|
| 39 |
CVE-2025-33247
NVIDIA Megatron LM contains a vulnerability in quantization configuration loadin
|
| 39 |
CVE-2026-0596
A command injection vulnerability exists in mlflow/mlflow when serving a model w
|
| 39 |
CVE-2025-63261
AWStats 8.0 is vulnerable to Command Injection via the open function
|
| 39 |
CVE-2026-24159
NVIDIA NeMo Framework contains a vulnerability where an attacker may cause remot
|
| 39 |
CVE-2026-24157
NVIDIA NeMo Framework contains a vulnerability in checkpoint loading where an at
|
| 39 |
CVE-2026-29144
SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to bypass
|
| 39 |
CVE-2026-29143
SEPPmail Secure Email Gateway before version 15.0.3 does not properly authentica
|
| 39 |
CVE-2026-33874
Gematik Authenticator securely authenticates users for login to digital health a
|
| 39 |
CVE-2026-35043
Commit ce53491 (March 24) fixed command injection via `system_packages` in Docke
|
| 39 |
CVE-2026-4150
GIMP PSD File Parsing Integer Overflow Remote Code Execution Vulnerability. This
|
| 39 |
CVE-2026-4154
GIMP XPM File Parsing Integer Overflow Remote Code Execution Vulnerability. This
|
| 39 |
CVE-2026-4151
GIMP ANI File Parsing Integer Overflow Remote Code Execution Vulnerability. This
|
| 39 |
CVE-2026-24152
NVIDIA Megatron-LM contains a vulnerability in checkpoint loading where an Attac
|
| 39 |
CVE-2026-24151
NVIDIA Megatron-LM contains a vulnerability in inferencing where an Attacker may
|
| 39 |
CVE-2026-24150
NVIDIA Megatron-LM contains a vulnerability in checkpoint loading where an Attac
|
| 39 |
CVE-2025-33248
NVIDIA Megatron-LM contains a vulnerability in the hybrid conversion script wher
|
| 39 |
CVE-2026-24141
NVIDIA Model Optimizer for Windows and Linux contains a vulnerability in the ONN
|
| 39 |
CVE-2026-34054
vcpkg is a free and open-source C/C++ package manager. Prior to version 3.6.1#3,
|
| 39 |
CVE-2026-4153
GIMP PSP File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerabi
|
| 39 |
CVE-2026-4152
GIMP JP2 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerabi
|
| 39 |
CVE-2026-4775
A flaw was found in the libtiff library. A remote attacker could exploit a signe
|
| 39 |
CVE-2026-24165
NVIDIA BioNeMo contains a vulnerability where a user could cause a deserializati
|
| 39 |
CVE-2026-30309
InfCode's terminal auto-execution module contains a critical command filtering v
|
| 39 |
CVE-2026-5494
Labcenter Electronics Proteus PDSPRJ File Parsing Out-Of-Bounds Write Remote Cod
|
| 39 |
CVE-2026-5496
Labcenter Electronics Proteus PDSPRJ File Parsing Type Confusion Remote Code Exe
|
| 39 |
CVE-2026-5493
Labcenter Electronics Proteus PDSPRJ File Parsing Out-Of-Bounds Write Remote Cod
|
| 39 |
CVE-2026-5495
Labcenter Electronics Proteus PDSPRJ File Parsing Out-Of-Bounds Write Remote Cod
|
| 39 |
CVE-2026-33101
Use after free in Windows Print Spooler Components allows an authorized attacker
|
| 39 |
CVE-2026-33298
llama.cpp is an inference of several LLM models in C/C++. Prior to b7824, an int
|
| 39 |
CVE-2026-30232
Chartbrew is an open-source web application that can connect directly to databas
|
| 39 |
CVE-2026-29139
SEPPmail Secure Email Gateway before version 15.0.3 allows account takeover by a
|
| 39 |
CVE-2026-32857
Firecrawl version 2.8.0 and prior contain a server-side request forgery (SSRF) p
|
| 39 |
CVE-2026-27292
Adobe Framemaker versions 2022.8 and earlier are affected by a Use After Free vu
|
| 39 |
CVE-2026-27283
InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Use After F
|
| 39 |
CVE-2026-27309
Substance3D - Stager versions 3.1.7 and earlier are affected by a Use After Free
|
| 39 |
CVE-2026-23351
In the Linux kernel, the following vulnerability has been resolved:
netfilter:
|
| 39 |
CVE-2026-34937
### Summary
`run_python()` in `praisonai` constructs a shell command string by
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 735d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2303d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2116d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1729d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2232d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4980d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1201d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1002d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3757d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 904d |