Total CVEs
6144
last 30 days
Avg Priority
35.1
of max 220
KEV
8
actively exploited
POC
753
public exploits
Unpatched
1231
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-5281
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co
118
CVE-2026-34621
Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Control
117
CVE-2026-33634
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publi
117
CVE-2026-3055
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP l
114
CVE-2026-34197
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i
109
CVE-2026-3502
TrueConf Client downloads application update code and applies it without performing verification. An
109
CVE-2026-32201
Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform
Priority Distribution
| Priority | CVE |
|---|---|
| 25 |
CVE-2026-34881
OpenStack Glance <29.1.1, >=30.0.0 <30.1.1, ==31.0.0 is affected by Server-Side
|
| 25 |
CVE-2026-34526
### Details
Distinct from CVE-2025-59159 and CVE-2026-26286 (all fixed in v1.16.
|
| 25 |
CVE-2026-33294
## Summary
The BulkEmbed plugin's save endpoint (`plugin/BulkEmbed/save.json.ph
|
| 25 |
CVE-2026-35516
LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, LinkR
|
| 25 |
CVE-2026-34262
Information Disclosure Vulnerability in SAP HANA Cockpit and HANA Database Explo
|
| 25 |
CVE-2026-33440
Weblate is a web based localization tool. In versions prior to 5.17, the ALLOWED
|
| 25 |
CVE-2026-5704
A flaw was found in tar. A remote attacker could exploit this vulnerability by c
|
| 25 |
CVE-2026-34244
Weblate is a web based localization tool. In versions prior to 5.17, a user with
|
| 25 |
CVE-2026-35461
Papra is a minimalistic document management and archiving platform. Prior to 26.
|
| 25 |
CVE-2026-40917
A flaw was found in GIMP. This vulnerability, a heap buffer over-read in the `ic
|
| 25 |
CVE-2026-34990
OpenPrinting CUPS is an open source printing system for Linux and other Unix-lik
|
| 25 |
CVE-2026-34165
### Impact
A vulnerability has been identified in which a maliciously crafted `
|
| 25 |
CVE-2026-2646
A heap-buffer-overflow vulnerability exists in wolfSSL's wolfSSL_d2i_SSL_SESSION
|
| 25 |
CVE-2026-41034
ONLYOFFICE DocumentServer before 9.3.0 has an untrusted pointer dereference in X
|
| 25 |
CVE-2026-3113
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.
|
| 25 |
CVE-2026-40916
A flaw was found in GIMP. A stack buffer overflow vulnerability in the TIM image
|
| 25 |
CVE-2026-40002
Red Magic 11 Pro (NX809J) contains a vulnerability that allows non-privileged ap
|
| 25 |
CVE-2026-39411
# Summary
The `webapi` authentication layer trusts a client-controlled `X-lobe-
|
| 25 |
CVE-2026-39881
Vim is an open source, command line text editor. Prior to 9.2.0316, a command in
|
| 25 |
CVE-2026-34972
OpenFGA is a high-performance and flexible authorization/permission engine built
|
| 25 |
CVE-2026-39811
A integer overflow or wraparound vulnerability in Fortinet FortiWeb 8.0.0 throug
|
| 25 |
CVE-2026-3474
The EmailKit - Email Customizer for WooCommerce & WP plugin for WordPress is vul
|
| 25 |
CVE-2026-20148
A vulnerability in Cisco ISE and Cisco ISE-PIC could allow an authenticated, rem
|
| 25 |
CVE-2026-33531
InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6,
|
| 25 |
CVE-2026-29131
SEPPmail Secure Email Gateway before version 15.0.3 allows attackers with a spec
|
| 25 |
CVE-2026-29101
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (C
|
| 25 |
CVE-2026-29098
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (C
|
| 25 |
CVE-2026-20174
A vulnerability in the Metadata update feature of Cisco Nexus Dashboard Insights
|
| 25 |
CVE-2026-29180
Fleet is open source device management software. Prior to 4.81.1, a broken acces
|
| 25 |
CVE-2026-30889
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-late
|
| 25 |
CVE-2026-34389
Fleet is open source device management software. Prior to 4.81.0, Fleet containe
|
| 25 |
CVE-2026-3116
Mattermost Plugins versions <=11.4 11.0.4 11.1.3 11.3.2 10.11.11.0 fail to valid
|
| 25 |
CVE-2026-33162
### Summary
An authenticated control panel user with only accessCp can move ent
|
| 25 |
CVE-2026-34608
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to v
|
| 25 |
CVE-2026-27673
Due to a missing authorization check, SAP S/4HANA (Private Cloud and On-Premise)
|
| 25 |
CVE-2026-2389
The Complianz - GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to S
|
| 25 |
CVE-2026-29092
Kiteworks is a private data network (PDN). Prior to version 9.2.1, a vulnerabili
|
| 25 |
CVE-2026-34164
### Summary
The `InboxHandlingService` logs the full content of every incoming
|
| 25 |
CVE-2026-4819
In Search Guard FLX versions from 1.0.0 up to 4.0.1, the audit logging feature m
|
| 25 |
CVE-2026-32879
New API is a large language mode (LLM) gateway and artificial intelligence (AI)
|
| 25 |
CVE-2026-33222
### Background
NATS.io is a high performance open source pub-sub distributed co
|
| 25 |
CVE-2026-4853
The JetBackup - Backup, Restore & Migrate plugin for WordPress is vulnerable to
|
| 25 |
CVE-2026-28823
A path handling issue was addressed with improved validation. This issue is fixe
|
| 25 |
CVE-2026-20693
This issue was addressed through improved state management. This issue is fixed
|
| 25 |
CVE-2026-39631
Missing Authorization vulnerability in Ronik@UnlimitedWP WPSchoolPress wpschoolp
|
| 25 |
CVE-2026-39521
Server-Side Request Forgery (SSRF) vulnerability in Nelio Software Nelio Content
|
| 25 |
CVE-2026-34061
nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake pro
|
| 25 |
CVE-2026-31799
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. F
|
| 25 |
CVE-2026-3330
The Form Maker by 10Web plugin for WordPress is vulnerable to SQL Injection via
|
| 25 |
CVE-2026-33158
### Summary
A low-privileged authenticated user can read private asset content
|
| 25 |
CVE-2026-22692
October is a Content Management System (CMS) and web platform. Versions prior to
|
| 25 |
CVE-2026-25125
October is a Content Management System (CMS) and web platform. Versions prior to
|
| 25 |
CVE-2026-30873
OpenWrt Project is a Linux operating system targeting embedded devices. In versi
|
| 25 |
CVE-2026-40962
FFmpeg before 8.1 has an integer overflow and resultant out-of-bounds write via
|
| 24 |
CVE-2026-40175
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.
|
| 24 |
CVE-2026-33738
Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the
|
| 24 |
CVE-2026-25100
Bludit is vulnerable to Stored Cross-Site Scripting (XSS) in its image upload fu
|
| 24 |
CVE-2026-1001
Domoticz versions prior to 2026.1 contain a stored cross-site scripting vulnerab
|
| 24 |
CVE-2026-24147
NVIDIA Triton Inference Server contains a vulnerability in triton server where a
|
| 24 |
CVE-2026-31993
OpenClaw versions prior to 2026.2.22 contain an allowlist parsing mismatch vulne
|
| 24 |
CVE-2026-4816
A Reflected Cross Site Scripting (XSS) vulnerability has been found in Support B
|
| 24 |
CVE-2026-3468
A stored Cross-Site Scripting (XSS) vulnerability has been identified in the Son
|
| 24 |
CVE-2026-1711
Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site
|
| 24 |
CVE-2025-62184
Pega Platform versions 8.1.0 through 25.1.0 are affected by a Stored Cross-site
|
| 24 |
CVE-2026-4433
An SSH misconfigurations exists in Tenable OT that led to the potential exfiltra
|
| 24 |
CVE-2026-33621
### Summary
PinchTab `v0.7.7` through `v0.8.4` contain incomplete request-thrott
|
| 24 |
CVE-2026-34835
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before
|
| 24 |
CVE-2026-26962
Rack is a modular Ruby web server interface. From version 3.2.0 to before versio
|
| 24 |
CVE-2026-33869
Mastodon is a free, open-source social network server based on ActivityPub. In v
|
| 24 |
CVE-2026-32031
OpenClaw versions prior to 2026.2.26 server-http contains an authentication bypa
|
| 24 |
CVE-2026-20132
Multiple vulnerabilities in the web-based management interface of Cisco Identity
|
| 24 |
CVE-2026-20088
A vulnerability in the web-based management interface of Cisco IMC could allow a
|
| 24 |
CVE-2026-20087
A vulnerability in the web-based management interface of Cisco IMC could allow a
|
| 24 |
CVE-2026-20089
A vulnerability in the web-based management interface of Cisco IMC could allow a
|
| 24 |
CVE-2026-20090
A vulnerability in the web-based management interface of Cisco IMC could allow a
|
| 24 |
CVE-2026-20112
A vulnerability in the web-based Cisco IOx application hosting environment manag
|
| 24 |
CVE-2026-27447
OpenPrinting CUPS is an open source printing system for Linux and other Unix-lik
|
| 24 |
CVE-2026-26291
Stored cross-site scripting vulnerability exists in GROWI v7.4.6 and earlier. If
|
| 24 |
CVE-2025-66486
IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to HTML injection. A remote
|
| 24 |
CVE-2026-5647
A vulnerability was detected in code-projects Online Shoe Store 1.0. This affect
|
| 24 |
CVE-2026-3218
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripti
|
| 24 |
CVE-2026-34831
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, a
|
| 24 |
CVE-2026-34441
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library
|
| 24 |
CVE-2026-32762
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before
|
| 24 |
CVE-2026-39812
A improper neutralization of input during web page generation ('cross-site scrip
|
| 24 |
CVE-2024-51223
A stored cross-site scripting (XSS) vulnerability in the component /admin/profil
|
| 24 |
CVE-2026-33732
## Summary
A pathname parsing discrepancy in srvx's `FastURL` allows middleware
|
| 24 |
CVE-2024-51225
A stored cross-site scripting (XSS) vulnerability in the component /admin/add-br
|
| 24 |
CVE-2024-51224
Multiple cross-site scripting (XSS) vulnerabilities in the component /admin/edit
|
| 24 |
CVE-2026-35571
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, Mustache n
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 735d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2303d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2116d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1730d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2233d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4980d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1201d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1003d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3758d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 905d |