Total CVEs
6151
last 30 days
Avg Priority
35.1
of max 220
KEV
8
actively exploited
POC
754
public exploits
Unpatched
1225
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-5281
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co
118
CVE-2026-34621
Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Control
117
CVE-2026-33634
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publi
117
CVE-2026-3055
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP l
114
CVE-2026-34197
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i
109
CVE-2026-3502
TrueConf Client downloads application update code and applies it without performing verification. An
109
CVE-2026-32201
Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform
Priority Distribution
| Priority | CVE |
|---|---|
| 27 |
CVE-2026-28828
A permissions issue was addressed by removing the vulnerable code. This issue is
|
| 27 |
CVE-2026-33527
### Impact
An authenticated user can overwrite server-generated session fields
|
| 27 |
CVE-2026-0718
The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites - PostX plugin
|
| 27 |
CVE-2026-34776
### Impact
On macOS and Linux, apps that call `app.requestSingleInstanceLock()`
|
| 27 |
CVE-2026-31924
Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX.
|
| 27 |
CVE-2026-5713
The "profiling.sampling" module (Python 3.15+) and "asyncio introspection capabi
|
| 27 |
CVE-2026-3581
The Basic Google Maps Placemarks plugin for WordPress is vulnerable to authoriza
|
| 27 |
CVE-2026-24030
An attacker might be able to trick DNSdist into allocating too much memory while
|
| 27 |
CVE-2026-24028
An attacker might be able to trigger an out-of-bounds read by sending a crafted
|
| 27 |
CVE-2026-5427
The Kubio plugin for WordPress is vulnerable to Arbitrary File Upload in version
|
| 27 |
CVE-2026-5606
A security flaw has been discovered in PHPGurukul Online Shopping Portal Project
|
| 27 |
CVE-2026-5705
A vulnerability was identified in code-projects Online Hotel Booking 1.0. Affect
|
| 27 |
CVE-2026-27670
OpenClaw versions prior to 2026.3.2 contain a race condition vulnerability in ZI
|
| 27 |
CVE-2026-5502
The Tutor LMS - eLearning and online course solution plugin for WordPress is vul
|
| 27 |
CVE-2026-31381
An attacker can extract user email addresses (PII) exposed in base64 encoding vi
|
| 27 |
CVE-2026-5586
A vulnerability was determined in zhongyu09 openchatbi up to 0.2.1. The impacted
|
| 27 |
CVE-2026-5579
A vulnerability was determined in CodeAstro Online Classroom 1.0. This issue aff
|
| 27 |
CVE-2026-28755
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_modu
|
| 27 |
CVE-2026-21726
The CVE-2021-36156 fix validates the namespace parameter for path traversal sequ
|
| 27 |
CVE-2026-34364
WWBN AVideo is an open source video platform. In versions up to and including 26
|
| 27 |
CVE-2026-5052
Vault’s PKI engine’s ACME validation did not reject local targets when issuing h
|
| 27 |
CVE-2026-33578
OpenClaw before 2026.3.28 contains a sender policy bypass vulnerability in the G
|
| 27 |
CVE-2026-3177
The Charitable - Donation Plugin for WordPress - Fundraising with Recurring Dona
|
| 27 |
CVE-2025-46598
Bitcoin Core through 29.0 allows a denial of service via a crafted transaction.
|
| 27 |
CVE-2026-21711
A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket
|
| 27 |
CVE-2026-5572
A security flaw has been discovered in Technostrobe HI-LED-WR120-G2 5.5.0.1R6.03
|
| 26 |
CVE-2026-5670
A vulnerability was found in Cyber-III Student-Management-System up to 1a938fa61
|
| 26 |
CVE-2025-15565
The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of
|
| 26 |
CVE-2026-39406
## Summary
A path handling inconsistency in `serveStatic` allows protected stat
|
| 26 |
CVE-2026-35052
### Impact
Users hosting D-Tale publicly while using a redis or shelf storage la
|
| 26 |
CVE-2026-35166
### Impact
Links and image links in the default markdown to HTML renderer are no
|
| 26 |
CVE-2026-39851
Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.
|
| 26 |
CVE-2026-35413
## Summary
When `GRAPHQL_INTROSPECTION=false` is configured, Directus correctly
|
| 26 |
CVE-2026-35179
## Summary
The SocialMediaPublisher plugin exposes a `publishInstagram.json.php
|
| 26 |
CVE-2026-5675
A vulnerability was found in itsourcecode Construction Management System 1.0. Th
|
| 26 |
CVE-2026-39362
InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.
|
| 26 |
CVE-2026-4160
The Fluent Forms - Customizable Contact Forms, Survey, Quiz, & Conversational Fo
|
| 26 |
CVE-2026-33311
## Summary
SVG attribute values derived from user-supplied options (`background
|
| 26 |
CVE-2026-40347
### Summary
A denial of service vulnerability exists when parsing crafted `mult
|
| 26 |
CVE-2025-14243
A flaw was found in the OpenShift Mirror Registry. This vulnerability allows an
|
| 26 |
CVE-2026-39407
## Summary
A path handling inconsistency in `serveStatic` allows protected stat
|
| 26 |
CVE-2026-40304
Summary
The unaccess handler (controller/unaccess.go) contains a logical error i
|
| 26 |
CVE-2026-5338
A security vulnerability has been detected in Tenda G103 1.0.0.5. The affected e
|
| 26 |
CVE-2026-21003
Improper input validation in data related to network restrictions prior to SMR A
|
| 26 |
CVE-2026-39958
oma is a package manager for AOSC OS. Prior to 1.25.2, oma-topics is responsible
|
| 26 |
CVE-2026-33015
EVerest is an EV charging software stack. Prior to version 2026.02.0, even immed
|
| 26 |
CVE-2026-33014
EVerest is an EV charging software stack. Prior to versions to 2026.02.0, during
|
| 26 |
CVE-2026-4743
NULL Pointer Dereference vulnerability in taurusxin ncmdump (src/utils modules
|
| 26 |
CVE-2026-4135
During an internal security assessment, a potential vulnerability was discovered
|
| 26 |
CVE-2026-24153
NVIDIA Jetson Linux has a vulnerability in initrd, where the nvluks trusted appl
|
| 26 |
CVE-2026-32591
A flaw was found in Red Hat Quay's Proxy Cache configuration feature. When an or
|
| 26 |
CVE-2026-3438
A reflected cross-site scripting vulnerability exists in Sonatype Nexus Reposito
|
| 26 |
CVE-2026-4420
Bludit is vulnerable to Stored Cross-Site Scripting (XSS) in its page creating f
|
| 26 |
CVE-2026-39425
MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below co
|
| 26 |
CVE-2026-33892
A vulnerability has been identified in Industrial Edge Management Pro V1 (All ve
|
| 26 |
CVE-2026-24907
October is a Content Management System (CMS) and web platform. Versions prior to
|
| 26 |
CVE-2026-24906
October is a Content Management System (CMS) and web platform. Versions prior to
|
| 26 |
CVE-2026-22675
OCS Inventory NG Server version 2.12.3 and prior contain a stored cross-site scr
|
| 26 |
CVE-2026-33865
MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsi
|
| 26 |
CVE-2025-41356
Reflected Cross-Site Scripting (XSS) vulnerability in Anon Proxy Server v0.104.
|
| 26 |
CVE-2025-41027
Reflected Cross Site Scripting (XSS) vulnerabilities in GDTaller. These vulnerab
|
| 26 |
CVE-2025-41026
Reflected Cross Site Scripting (XSS) vulnerabilities in GDTaller. These vulnerab
|
| 26 |
CVE-2026-34951
Workbench is a suite of tools for administrators and developers to interact with
|
| 26 |
CVE-2026-34821
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-34161
Chamilo LMS is an open-source learning management system. In versions prior to 2
|
| 26 |
CVE-2025-41355
Reflected Cross-Site Scripting (XSS) vulnerability in Anon Proxy Server
v0.104.
|
| 26 |
CVE-2026-5010
A reflected Cross-Site Scripting (XSS) vulnerability has been discovered in Clic
|
| 26 |
CVE-2026-39840
Improper neutralization of input during web page generation ('cross-site scripti
|
| 26 |
CVE-2025-41357
Reflected Cross-Site Scripting (XSS) vulnerability in Anon Proxy Server v0.104.
|
| 26 |
CVE-2026-39426
MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below co
|
| 26 |
CVE-2026-40096
immich is a high performance self-hosted photo and video management solution. Ve
|
| 26 |
CVE-2026-5987
A security vulnerability has been detected in Sanluan PublicCMS up to 6.202506.d
|
| 26 |
CVE-2026-1564
Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vu
|
| 26 |
CVE-2026-35472
WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redi
|
| 26 |
CVE-2026-33709
JupyterHub is software that allows one to create a multi-user server for Jupyter
|
| 26 |
CVE-2026-35398
WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redi
|
| 26 |
CVE-2026-35396
WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redi
|
| 26 |
CVE-2026-35475
WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, the redirect
|
| 26 |
CVE-2026-35474
WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, open redirec
|
| 26 |
CVE-2026-35473
WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redi
|
| 26 |
CVE-2026-33456
Livestatus injection in the notification test mode in Checkmk <2.5.0b4 and <2.4.
|
| 26 |
CVE-2026-32113
Discourse is an open-source discussion platform. From versions 2026.1.0-latest t
|
| 26 |
CVE-2026-35496
A path traversal vulnerability exists in CubeCart prior to 6.6.0, which may allo
|
| 26 |
CVE-2026-33273
Unrestricted upload of file with dangerous type issue exists in MATCHA INVOICE 2
|
| 26 |
CVE-2026-32844
XinLiangCoder php_api_doc through commit 1ce5bbf contains a reflected cross-site
|
| 26 |
CVE-2026-33415
Discourse is an open-source discussion platform. From versions 2026.1.0-latest t
|
| 26 |
CVE-2026-39347
OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to
|
| 26 |
CVE-2026-5160
Versions of the package github.com/yuin/goldmark/renderer/html before 1.7.17 are
|
| 26 |
CVE-2026-21904
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scri
|
| 26 |
CVE-2026-32868
OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the conten
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 735d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2303d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2116d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1730d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2233d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4980d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1201d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1003d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3757d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 905d |