Total CVEs
6052
last 30 days
Avg Priority
35.0
of max 220
KEV
8
actively exploited
POC
755
public exploits
Unpatched
1187
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-5281
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co
118
CVE-2026-34621
Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Control
117
CVE-2026-33634
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publi
117
CVE-2026-3055
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP l
114
CVE-2026-34197
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i
109
CVE-2026-3502
TrueConf Client downloads application update code and applies it without performing verification. An
109
CVE-2026-32201
Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform
Priority Distribution
| Priority | CVE |
|---|---|
| 36 |
CVE-2026-27496
## Impact
An authenticated user with permission to create or modify workflows co
|
| 36 |
CVE-2026-29100
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (C
|
| 36 |
CVE-2026-33714
Chamilo is an open-source learning management system (LMS). Version 2.0.0-RC.2 c
|
| 36 |
CVE-2026-40037
OpenClaw before 2026.3.31 (patched in 2026.4.8) contains a request body replay v
|
| 36 |
CVE-2026-32894
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an
|
| 36 |
CVE-2026-35183
Brave CMS is an open-source CMS. Prior to 2.0.6, an Insecure Direct Object Refer
|
| 36 |
CVE-2026-35636
OpenClaw versions 2026.3.11 through 2026.3.24 contain a session isolation bypass
|
| 36 |
CVE-2026-32954
ERP is a free and open source Enterprise Resource Planning tool. In versions pri
|
| 36 |
CVE-2026-34602
Chamilo LMS is an open-source learning management system. In versions prior to 2
|
| 36 |
CVE-2026-4947
Addressed a potential insecure direct object reference (IDOR) vulnerability in t
|
| 36 |
CVE-2026-39370
WWBN AVideo is an open source video platform. In versions 26.0 and prior, object
|
| 36 |
CVE-2026-40185
TREK is a collaborative travel planner. Prior to 2.7.2, TREK was missing authori
|
| 36 |
CVE-2026-22664
prompts.chat prior to commit 30a8f04 contains a server-side request forgery vuln
|
| 36 |
CVE-2026-32976
OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowin
|
| 36 |
CVE-2026-35621
OpenClaw before 2026.3.24 contains a privilege escalation vulnerability where th
|
| 36 |
CVE-2026-34060
**Summary**
The `rubyLsp.branch` VS Code workspace setting was interpolated wit
|
| 36 |
CVE-2026-35631
OpenClaw before 2026.3.22 fails to enforce operator.admin scope on mutating inte
|
| 36 |
CVE-2026-33217
### Background
NATS.io is a high performance open source pub-sub distributed co
|
| 36 |
CVE-2026-35644
OpenClaw before 2026.3.22 contains an information disclosure vulnerability that
|
| 36 |
CVE-2026-32930
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an
|
| 36 |
CVE-2026-3445
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User
|
| 36 |
CVE-2026-33706
Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated
|
| 36 |
CVE-2026-20687
A use after free issue was addressed with improved memory management. This issue
|
| 36 |
CVE-2026-5429
Unsanitized input during web page generation in the Kiro Agent webview in Kiro I
|
| 36 |
CVE-2026-34204
## Impact
_What kind of vulnerability is it? Who is impacted?_
A flaw in `extr
|
| 36 |
CVE-2026-35657
OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in the
|
| 36 |
CVE-2026-33797
An Improper Input Validation vulnerability in Juniper Networks Junos OS and Juno
|
| 36 |
CVE-2025-15606
A Denial-of-Service (DoS) vulnerability in the httpd component of TP-Link's TD-W
|
| 36 |
CVE-2026-33723
WWBN AVideo is an open source video platform. In versions up to and including 26
|
| 36 |
CVE-2026-5444
A heap buffer overflow vulnerability exists in the PAM image parsing logic. When
|
| 36 |
CVE-2026-23919
For performance reasons Zabbix Server/Proxy reuses JavaScript (Duktape) contexts
|
| 36 |
CVE-2026-23269
In the Linux kernel, the following vulnerability has been resolved:
apparmor: v
|
| 36 |
CVE-2026-34119
A heap-based buffer overflow vulnerability was identified in TP-Link Tapo C520WS
|
| 36 |
CVE-2026-34118
A heap-based buffer overflow vulnerability was identified in TP-Link Tapo C520WS
|
| 36 |
CVE-2026-34120
A heap-based buffer overflow vulnerability was identified in TP-Link Tapo C520WS
|
| 36 |
CVE-2026-32501
Missing Authorization vulnerability in wp-configurator WP Configurator Pro wp-co
|
| 36 |
CVE-2026-23555
Any guest issuing a Xenstore command accessing a node using the
(illegal) node p
|
| 36 |
CVE-2026-5441
An out-of-bounds read vulnerability exists in the `DecodePsmctRle1` function of
|
| 36 |
CVE-2026-24369
Missing Authorization vulnerability in Theme-one The Grid the-grid allows Exploi
|
| 36 |
CVE-2026-33780
A Missing Release of Memory after Effective Lifetime vulnerability in the Layer
|
| 36 |
CVE-2026-33781
An Improper Check for Unusual or Exceptional Conditions vulnerability in the pac
|
| 36 |
CVE-2025-59969
A Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnera
|
| 36 |
CVE-2026-34122
A stack-based buffer overflow vulnerability was identified in TP-Link Tapo C520W
|
| 36 |
CVE-2025-54502
Incorrect use of boot service in the AMD Platform Configuration Blob (APCB) SMM
|
| 36 |
CVE-2026-33020
libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. V
|
| 36 |
CVE-2026-5053
NoMachine External Control of File Path Arbitrary File Deletion Vulnerability. T
|
| 36 |
CVE-2026-3622
The vulnerability exists in the UPnP component of TL-WR841N v14, where improper
|
| 36 |
CVE-2026-35444
SDL_image is a library to load images of various formats as SDL surfaces. In do_
|
| 36 |
CVE-2025-68153
Juju is an open source application orchestration engine that enables any applica
|
| 36 |
CVE-2026-33982
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to versio
|
| 36 |
CVE-2026-33987
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to versio
|
| 36 |
CVE-2026-35176
openFPGALoader is a utility for programming FPGAs. In 1.1.1 and earlier, a heap-
|
| 36 |
CVE-2026-33019
libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. V
|
| 36 |
CVE-2024-32537
Cross-Site request forgery (CSRF) vulnerability in joshuae1974 Flash Video Playe
|
| 36 |
CVE-2025-36258
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 product stores user
|
| 36 |
CVE-2026-39959
Tmds.DBus and Tmds.DBus.Protocol are vulnerable to malicious D-Bus peers. A peer
|
| 36 |
CVE-2026-33353
### Summary
An authorization flaw in `repo import` allows any authenticated SSH
|
| 36 |
CVE-2026-31846
An unauthenticated credential disclosure vulnerability in the /goform/ate endpoi
|
| 36 |
CVE-2026-34828
### Summary
A session management vulnerability allows previously issued authenti
|
| 36 |
CVE-2026-33421
### Impact
Parse Server's LiveQuery WebSocket interface does not enforce Class-
|
| 36 |
CVE-2026-33330
FileRise is a self-hosted web file manager / WebDAV server. Prior to version 3.1
|
| 36 |
CVE-2026-27144
The compiler is meant to unwrap pointers which are the operands of a memory move
|
| 36 |
CVE-2026-39671
Cross-Site Request Forgery (CSRF) vulnerability in Dotstore Extra Fees Plugin fo
|
| 36 |
CVE-2026-33252
The Go SDK's Streamable HTTP transport accepted browser-generated cross-site `PO
|
| 36 |
CVE-2025-47400
Cryptographic issue while copying data to a destination buffer without validatin
|
| 36 |
CVE-2026-34992
### Impact
This is a missing encryption vulnerability (CWE-311) affecting inter-
|
| 36 |
CVE-2026-40518
ByteDance DeerFlow before commit 2176b2b contains a path traversal and arbitrary
|
| 36 |
CVE-2026-32589
A flaw was found in Red Hat Quay's container image upload process. An authentica
|
| 36 |
CVE-2026-35170
openFPGALoader is a utility for programming FPGAs. In 1.1.1 and earlier, a heap-
|
| 36 |
CVE-2026-35412
## Summary
Directus' TUS resumable upload endpoint (`/files/tus`) allows any au
|
| 36 |
CVE-2026-34476
Server-Side Request Forgery via SW-URL Header vulnerability in Apache SkyWalking
|
| 36 |
CVE-2026-32590
A flaw was found in Red Hat Quay's handling of resumable container image layer u
|
| 36 |
CVE-2026-4315
A Cross-Site Request Forgery (CSRF) vulnerability in the WatchGuard Fireware OS
|
| 35 |
CVE-2026-39907
Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose
|
| 35 |
CVE-2026-4400
Insecure Direct Object Reference (IDOR) vulnerability in 1millionbot Millie chat
|
| 35 |
CVE-2026-39906
Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose
|
| 35 |
CVE-2026-26152
Insecure storage of sensitive information in Windows Cryptographic Services allo
|
| 35 |
CVE-2026-5026
The '/api/v1/files/images/{flow_id}/{file_name}' endpoint serves SVG files with
|
| 35 |
CVE-2026-33409
### Impact
An authentication bypass vulnerability allows an attacker to log in
|
| 35 |
CVE-2026-26177
Use after free in Windows Ancillary Function Driver for WinSock allows an author
|
| 35 |
CVE-2026-26182
Use after free in Windows Ancillary Function Driver for WinSock allows an author
|
| 35 |
CVE-2026-26173
Concurrent execution using shared resource with improper synchronization ('race
|
| 35 |
CVE-2026-32979
OpenClaw before 2026.3.11 contains an approval integrity vulnerability allowing
|
| 35 |
CVE-2026-27922
Use after free in Windows Ancillary Function Driver for WinSock allows an author
|
| 35 |
CVE-2026-33100
Use after free in Windows Ancillary Function Driver for WinSock allows an author
|
| 35 |
CVE-2026-33099
Use after free in Windows Ancillary Function Driver for WinSock allows an author
|
| 35 |
CVE-2026-32080
Use after free in Windows WalletService allows an authorized attacker to elevate
|
| 35 |
CVE-2026-32224
Use after free in Windows Server Update Service allows an authorized attacker to
|
| 35 |
CVE-2026-4483
An exposed IOCTL with an insufficient access control vulnerability has been ide
|
| 35 |
CVE-2026-33104
Concurrent execution using shared resource with improper synchronization ('race
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 735d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2303d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2116d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1729d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2233d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4980d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1201d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1002d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3757d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 904d |