Total CVEs
6136
last 30 days
Avg Priority
35.1
of max 220
KEV
8
actively exploited
POC
754
public exploits
Unpatched
1232
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-5281
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co
118
CVE-2026-34621
Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Control
117
CVE-2026-33634
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publi
117
CVE-2026-3055
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP l
114
CVE-2026-34197
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i
109
CVE-2026-3502
TrueConf Client downloads application update code and applies it without performing verification. An
109
CVE-2026-32201
Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform
Priority Distribution
| Priority | CVE |
|---|---|
| 26 |
CVE-2026-21904
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scri
|
| 26 |
CVE-2026-32868
OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the conten
|
| 26 |
CVE-2026-40118
UDP Console provided by Arcserve contains an incorrectly specified destination i
|
| 26 |
CVE-2026-6107
A flaw has been found in 1Panel-dev MaxKB up to 2.6.1. This issue affects some u
|
| 26 |
CVE-2026-32866
OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the conten
|
| 26 |
CVE-2026-32869
OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the conten
|
| 26 |
CVE-2026-27787
Cross-site scripting vulnerability exists in MATCHA SNS 1.3.9 and earlier. If th
|
| 26 |
CVE-2026-4973
A vulnerability was detected in SourceCodester Online Quiz System hasta 1.0. Aff
|
| 26 |
CVE-2026-5469
A weakness has been identified in Casdoor 2.356.0. This vulnerability affects un
|
| 26 |
CVE-2026-6216
A security vulnerability has been detected in DbGate up to 7.1.4. This affects a
|
| 26 |
CVE-2026-32859
ByteDance Deer-Flow versions prior to commit 5dbb362 contain a stored cross-site
|
| 26 |
CVE-2026-40028
Hayabusa versions prior to 3.8.0 contain a cross-site scripting (XSS) vulnerabil
|
| 26 |
CVE-2026-34817
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-34809
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-34810
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-34811
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-34820
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-34818
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-34815
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-34823
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-34798
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-34799
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-34800
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-34802
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-34803
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-34806
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-34804
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-34807
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-35054
XenForo before 2.3.9 is vulnerable to stored cross-site scripting (XSS) related
|
| 26 |
CVE-2026-34808
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-40038
Pachno 1.0.6 contains a stored cross-site scripting vulnerability that allows at
|
| 26 |
CVE-2026-34812
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-34813
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-34814
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-35055
XenForo before 2.3.9 and before 2.2.18 is vulnerable to cross-site scripting (XS
|
| 26 |
CVE-2026-34816
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-27508
Smoothwall Express versions prior to 3.1 Update 13 contain a reflected cross-sit
|
| 26 |
CVE-2026-26352
Smoothwall Express versions prior to 3.1 Update 13 contain a stored cross-site s
|
| 26 |
CVE-2026-35057
XenForo before 2.3.10 and before 2.2.19 is vulnerable to stored cross-site scrip
|
| 26 |
CVE-2026-34801
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-34805
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-26927
Szafir SDK Web is a browser plug-in that can run SzafirHost application which do
|
| 26 |
CVE-2026-4957
A flaw has been found in OpenBMB XAgent 1.0.0. The impacted element is the funct
|
| 26 |
CVE-2026-34018
An SQL injection vulnerability exists in CubeCart prior to 6.6.0, which may allo
|
| 26 |
CVE-2026-5148
A weakness has been identified in YunaiV yudao-cloud up to 2026.01. This vulnera
|
| 26 |
CVE-2026-5468
A security flaw has been discovered in Casdoor 2.356.0. This affects the functio
|
| 26 |
CVE-2026-4991
A vulnerability was detected in QDOCS Smart School Management System up to 7.2.
|
| 26 |
CVE-2026-35634
OpenClaw before 2026.3.23 contains an authentication bypass vulnerability in the
|
| 26 |
CVE-2026-4346
The vulnerability affecting TL-WR850N v3 allows cleartext storage of administrat
|
| 26 |
CVE-2026-5475
A vulnerability was determined in NASA cFS up to 7.0.0. This impacts the functio
|
| 26 |
CVE-2025-40841
Ericsson Indoor Connect 8855 versions prior to 2025.Q3 contains a
Cross-Site Req
|
| 26 |
CVE-2026-33559
WordPress Plugin "OpenStreetMap" provided by MiKa contains a cross-site scriptin
|
| 26 |
CVE-2026-28888
A race condition was addressed with improved state handling. This issue is fixed
|
| 26 |
CVE-2026-28834
A race condition was addressed with improved state handling. This issue is fixed
|
| 26 |
CVE-2026-34822
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-21008
Exposure of sensitive information in S Share prior to SMR Apr-2026 Release 1 all
|
| 26 |
CVE-2026-35613
coursevault-preview is a utility for previewing course material files from a con
|
| 26 |
CVE-2026-33536
Due to an incorrect return value on certain platforms a pointer is incremented p
|
| 26 |
CVE-2025-66442
In Mbed TLS through 4.0.0, there is a compiler-induced timing side channel (in R
|
| 26 |
CVE-2026-1940
An incomplete fix for CVE-2024-47778 allows an out-of-bounds read in gst_wavpars
|
| 26 |
CVE-2026-40447
Integer overflow or wraparound vulnerability in Samsung Open Source Escargot all
|
| 26 |
CVE-2026-21014
Improper access control in Samsung Camera prior to version 16.5.00.28 allows loc
|
| 26 |
CVE-2025-14858
The Semtech LR11xx LoRa transceivers running early versions of firmware contains
|
| 26 |
CVE-2026-34238
An integer overflow in the despeckle operation causes a heap buffer overflow on
|
| 26 |
CVE-2026-34757
LIBPNG is a reference library for use in applications that read, create, and man
|
| 26 |
CVE-2026-33433
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.42, 3
|
| 26 |
CVE-2025-36438
IBM Concert 1.0.0 through 2.2.0 could allow a privileged user to perform unautho
|
| 26 |
CVE-2025-36440
IBM Concert 1.0.0 through 2.2.0 could allow a local user to obtain sensitive inf
|
| 26 |
CVE-2025-36579
Dell Client Platform BIOS contains a Weak Password Recovery Mechanism vulnerabil
|
| 26 |
CVE-2026-34819
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-35659
OpenClaw before 2026.3.22 contains a service discovery vulnerability where TXT m
|
| 26 |
CVE-2026-34866
Out-of-bounds write vulnerability in the WEB module.Impact: Successful exploitat
|
| 25 |
CVE-2026-4925
Improper access control in the users MFA feature in Devolutions Server allows an
|
| 25 |
CVE-2026-40256
Weblate is a web based localization tool. In versions prior to 5.17, repository-
|
| 25 |
CVE-2026-5175
Improper access control in the multi-factor authentication (MFA) management API
|
| 25 |
CVE-2026-0964
A malicious SCP server can send unexpected paths that could make the
client appl
|
| 25 |
CVE-2025-13995
IBM QRadar SIEM 7.5.0 through 7.5.0 Update Package 14 could allow an attacker wi
|
| 25 |
CVE-2026-29044
EVerest is an EV charging software stack. Prior to versions to 2026.02.0, when W
|
| 25 |
CVE-2026-4979
The UsersWP - Front-end login form, User Registration, User Profile & Members Di
|
| 25 |
CVE-2026-2756
A security vulnerability has been detected in OmniPEMF NeoRhythm up to 20260308.
|
| 25 |
CVE-2026-3216
Server-Side Request Forgery (SSRF) vulnerability in Drupal Drupal Canvas allows
|
| 25 |
CVE-2026-39418
MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below
|
| 25 |
CVE-2026-34881
OpenStack Glance <29.1.1, >=30.0.0 <30.1.1, ==31.0.0 is affected by Server-Side
|
| 25 |
CVE-2026-33126
Frigate is a network video recorder (NVR) with realtime local object detection f
|
| 25 |
CVE-2026-29107
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (C
|
| 25 |
CVE-2026-34244
Weblate is a web based localization tool. In versions prior to 5.17, a user with
|
| 25 |
CVE-2026-5704
A flaw was found in tar. A remote attacker could exploit this vulnerability by c
|
| 25 |
CVE-2026-34526
### Details
Distinct from CVE-2025-59159 and CVE-2026-26286 (all fixed in v1.16.
|
| 25 |
CVE-2026-33440
Weblate is a web based localization tool. In versions prior to 5.17, the ALLOWED
|
| 25 |
CVE-2026-33294
## Summary
The BulkEmbed plugin's save endpoint (`plugin/BulkEmbed/save.json.ph
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 735d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2303d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2116d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1730d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2233d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4980d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1201d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1003d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3757d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 905d |