Total CVEs
6155
last 30 days
Avg Priority
35.1
of max 220
KEV
8
actively exploited
POC
755
public exploits
Unpatched
1232
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-5281
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co
118
CVE-2026-34621
Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Control
117
CVE-2026-33634
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publi
117
CVE-2026-3055
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP l
114
CVE-2026-34197
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i
109
CVE-2026-3502
TrueConf Client downloads application update code and applies it without performing verification. An
109
CVE-2026-32201
Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform
Priority Distribution
| Priority | CVE |
|---|---|
| 38 |
CVE-2026-2285
CrewAI contains a arbitrary local file read vulnerability in the JSON loader too
|
| 38 |
CVE-2026-3124
The Download Monitor plugin for WordPress is vulnerable to Insecure Direct Objec
|
| 38 |
CVE-2026-28876
A parsing issue in the handling of directory paths was addressed with improved p
|
| 38 |
CVE-2026-25312
Missing Authorization vulnerability in EventPrime allows Exploiting Incorrectly
|
| 38 |
CVE-2026-33540
Distribution is a toolkit to pack, ship, store, and deliver container content. P
|
| 38 |
CVE-2026-25397
Path Traversal: '.../...//' vulnerability in Snowray Software File Uploader for
|
| 38 |
CVE-2026-5756
Unauthenticated Configuration File Modification Vulnerability in DRC Central Off
|
| 38 |
CVE-2026-34209
### Impact
The `tempo/session` cooperative close handler validated the close vo
|
| 38 |
CVE-2026-4748
A regression in the way hashes were calculated caused rules containing the addre
|
| 38 |
CVE-2026-3029
A path traversal and arbitrary file write vulnerability exist in the embedded ge
|
| 38 |
CVE-2026-33034
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4
|
| 38 |
CVE-2026-25002
Authentication Bypass Using an Alternate Path or Channel vulnerability in ThimPr
|
| 38 |
CVE-2026-24372
Authentication Bypass by Spoofing vulnerability in WP Swings Subscriptions for W
|
| 38 |
CVE-2026-2328
An unauthenticated remote attacker can exploit insufficient input validation to
|
| 38 |
CVE-2026-5440
A memory exhaustion vulnerability exists in the HTTP server due to unbounded use
|
| 38 |
CVE-2026-34824
### Summary
An uncontrolled resource consumption vulnerability exists in the Web
|
| 38 |
CVE-2025-12664
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.0
|
| 38 |
CVE-2026-22448
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') v
|
| 38 |
CVE-2026-33487
goxmlsig provides XML Digital Signatures implemented in Go. Prior to version 1.6
|
| 38 |
CVE-2026-4652
On a system exposing an NVMe/TCP target, a remote client can trigger a kernel pa
|
| 38 |
CVE-2026-33242
### Details
A Path Traversal and Access Control Bypass vulnerability was discov
|
| 38 |
CVE-2026-5086
Crypt::SecretBuffer versions before 0.019 for Perl is suseceptible to timing att
|
| 38 |
CVE-2026-28377
A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintex
|
| 38 |
CVE-2026-4709
Incorrect boundary conditions in the Audio/Video: GMP component. This vulnerabil
|
| 38 |
CVE-2025-46597
Bitcoin Core 0.13.0 through 29.x has an integer overflow.
|
| 38 |
CVE-2026-4707
Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerab
|
| 38 |
CVE-2026-4706
Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerab
|
| 38 |
CVE-2025-59440
An issue was discovered in USIM in Samsung Mobile Processor, Wearable Processor,
|
| 38 |
CVE-2025-50667
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro
|
| 38 |
CVE-2025-62188
An Exposure of Sensitive Information to an Unauthorized Actor vulnerability exis
|
| 38 |
CVE-2026-4699
Incorrect boundary conditions in the Layout: Text and Fonts component. This vuln
|
| 38 |
CVE-2026-32287
Boolean XPath expressions that evaluate to true can cause an infinite loop in lo
|
| 38 |
CVE-2026-4693
Incorrect boundary conditions in the Audio/Video: Playback component. This vulne
|
| 38 |
CVE-2025-50669
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 and DI-8003G
|
| 38 |
CVE-2025-50652
An issue in D-Link DI-8003 16.07.26A1 related to improper handling of the id par
|
| 38 |
CVE-2025-50657
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro
|
| 38 |
CVE-2026-4686
Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerab
|
| 38 |
CVE-2026-4685
Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerab
|
| 38 |
CVE-2025-50668
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro
|
| 38 |
CVE-2026-24880
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
|
| 38 |
CVE-2025-54324
An issue was discovered in NAS in Samsung Mobile Processor, Wearable Processor,
|
| 38 |
CVE-2025-50663
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro
|
| 38 |
CVE-2025-57835
An issue was discovered in RRC in Samsung Mobile Processor, Wearable Processor,
|
| 38 |
CVE-2026-34487
Insertion of Sensitive Information into Log File vulnerability in the cloud memb
|
| 38 |
CVE-2026-30080
OpenAirInterface v2.2.0 accepts Security Mode Complete without any integrity pro
|
| 38 |
CVE-2025-50655
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro
|
| 38 |
CVE-2026-4437
Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that sp
|
| 38 |
CVE-2025-56015
In GenieACS 1.2.13, an unauthenticated access vulnerability exists in the NBI AP
|
| 38 |
CVE-2026-33282
## Summary
Ella Core panics when processing a malformed NGAP LocationReport mes
|
| 38 |
CVE-2026-29129
Configured cipher preference order not preserved vulnerability in Apache Tomcat.
|
| 38 |
CVE-2025-50644
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro
|
| 38 |
CVE-2025-50647
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1, specificall
|
| 38 |
CVE-2025-50650
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to inade
|
| 38 |
CVE-2026-39304
Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apa
|
| 38 |
CVE-2025-50648
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to inade
|
| 38 |
CVE-2025-50660
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro
|
| 38 |
CVE-2025-50649
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro
|
| 38 |
CVE-2026-34483
Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve
|
| 38 |
CVE-2025-50646
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to insuf
|
| 38 |
CVE-2026-29146
Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default
|
| 38 |
CVE-2025-50653
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro
|
| 38 |
CVE-2025-50654
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro
|
| 38 |
CVE-2026-34904
Cross-Site Request Forgery (CSRF) vulnerability in Analytify Simple Social Media
|
| 38 |
CVE-2025-50659
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro
|
| 38 |
CVE-2025-52222
D-Link DI-8003 v16.07.26A1, DI-8500 v16.07.26A1; DI-8003G v17.12.21A1, DI-8200G
|
| 38 |
CVE-2026-5088
Apache::API::Password versions through v0.5.2 for Perl can generate insecure ran
|
| 38 |
CVE-2026-28842
The issue was addressed with improved bounds checks. This issue is fixed in macO
|
| 38 |
CVE-2026-20622
A privacy issue was addressed with improved handling of temporary files. This is
|
| 38 |
CVE-2026-28837
A logic issue was addressed with improved checks. This issue is fixed in macOS T
|
| 38 |
CVE-2025-50672
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro
|
| 38 |
CVE-2026-34896
Cross-Site Request Forgery (CSRF) vulnerability in Analytify Under Construction,
|
| 38 |
CVE-2025-50673
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro
|
| 38 |
CVE-2025-50662
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro
|
| 38 |
CVE-2025-67841
Nordic Semiconductor IronSide SE for nRF54H20 before 23.0.2+17 has an Algorithmi
|
| 38 |
CVE-2025-45057
D-Link DI-8300 v16.07.26A1 was discovered to contain a buffer overflow via the i
|
| 38 |
CVE-2026-3573
Incorrect Authorization vulnerability in Drupal AI (Artificial Intelligence) all
|
| 38 |
CVE-2026-32286
The DataRow.Decode function fails to properly validate field lengths. A maliciou
|
| 38 |
CVE-2026-32285
The Delete function fails to properly validate offsets when processing malformed
|
| 38 |
CVE-2026-32284
The msgpack decoder fails to properly validate the input buffer length when proc
|
| 38 |
CVE-2025-45058
D-Link DI-8300 v16.07.26A1 was discovered to contain a buffer overflow via the f
|
| 38 |
CVE-2026-23482
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the fi
|
| 38 |
CVE-2026-28815
A remote attacker can supply a short X-Wing HPKE encapsulated key and trigger an
|
| 38 |
CVE-2026-32515
Missing Authorization vulnerability in kamleshyadav Miraculous miraculous allows
|
| 38 |
CVE-2026-40046
Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ
|
| 38 |
CVE-2026-32498
Missing Authorization vulnerability in Metagauss RegistrationMagic custom-regist
|
| 38 |
CVE-2026-32495
Missing Authorization vulnerability in Link Software LLC WP Terms Popup wp-terms
|
| 38 |
CVE-2026-32485
Missing Authorization vulnerability in weDevs WP User Frontend wp-user-frontend
|
| 38 |
CVE-2026-27073
Use of Hard-coded Credentials vulnerability in Addi Addi – Cuotas que se a
|
| 38 |
CVE-2026-5438
A gzip decompression bomb vulnerability exists when Orthanc processes HTTP reque
|
| 38 |
CVE-2026-25456
Missing Authorization vulnerability in Aarsiv Groups Automated FedEx live/manual
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 735d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2303d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2116d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1730d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2233d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4981d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1201d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1003d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3758d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 905d |