Total CVEs
6162
last 30 days
Avg Priority
35.2
of max 220
KEV
8
actively exploited
POC
755
public exploits
Unpatched
1235
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-5281
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co
118
CVE-2026-34621
Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Control
117
CVE-2026-33634
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publi
117
CVE-2026-3055
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP l
114
CVE-2026-34197
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i
109
CVE-2026-3502
TrueConf Client downloads application update code and applies it without performing verification. An
109
CVE-2026-32201
Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform
Priority Distribution
| Priority | CVE |
|---|---|
| 38 |
CVE-2026-32515
Missing Authorization vulnerability in kamleshyadav Miraculous miraculous allows
|
| 38 |
CVE-2026-32498
Missing Authorization vulnerability in Metagauss RegistrationMagic custom-regist
|
| 38 |
CVE-2026-32495
Missing Authorization vulnerability in Link Software LLC WP Terms Popup wp-terms
|
| 38 |
CVE-2026-32485
Missing Authorization vulnerability in weDevs WP User Frontend wp-user-frontend
|
| 38 |
CVE-2026-27073
Use of Hard-coded Credentials vulnerability in Addi Addi – Cuotas que se a
|
| 38 |
CVE-2026-25456
Missing Authorization vulnerability in Aarsiv Groups Automated FedEx live/manual
|
| 38 |
CVE-2026-25401
Missing Authorization vulnerability in Arni Cinco WPCargo Track & Trace wpcargo
|
| 38 |
CVE-2026-25396
Missing Authorization vulnerability in CoderPress Commerce Coinbase For WooComme
|
| 38 |
CVE-2026-25317
Missing Authorization vulnerability in tychesoftwares Print Invoice & Delivery N
|
| 38 |
CVE-2026-25309
Missing Authorization vulnerability in PublishPress PublishPress Authors publish
|
| 38 |
CVE-2026-25026
Missing Authorization vulnerability in RadiusTheme Team tlp-team allows Exploiti
|
| 38 |
CVE-2026-28815
A remote attacker can supply a short X-Wing HPKE encapsulated key and trigger an
|
| 38 |
CVE-2026-5439
A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc auto
|
| 38 |
CVE-2026-24382
Missing Authorization vulnerability in wproyal News Magazine X news-magazine-x a
|
| 38 |
CVE-2026-24363
Missing Authorization vulnerability in loopus WP Cost Estimation & Payment Forms
|
| 38 |
CVE-2026-23977
Missing Authorization vulnerability in WPFactory Helpdesk Support Ticket System
|
| 38 |
CVE-2026-23806
Missing Authorization vulnerability in BlueGlass Interactive AG Jobs for WordPre
|
| 38 |
CVE-2025-50645
A vulnerability has been discovered in D-Link DI-8003 16.07.26A1, which can lead
|
| 38 |
CVE-2025-69358
Missing Authorization vulnerability in Metagauss EventPrime eventprime-event-cal
|
| 38 |
CVE-2025-45057
D-Link DI-8300 v16.07.26A1 was discovered to contain a buffer overflow via the i
|
| 38 |
CVE-2026-34876
An issue was discovered in Mbed TLS 3.x before 3.6.6. An out-of-bounds read vuln
|
| 38 |
CVE-2026-40046
Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ
|
| 38 |
CVE-2026-5087
PAGI::Middleware::Session::Store::Cookie versions through 0.001003 for Perl gene
|
| 38 |
CVE-2026-20701
An access issue was addressed with additional sandbox restrictions. This issue i
|
| 38 |
CVE-2026-20639
An integer overflow was addressed with improved input validation. This issue is
|
| 38 |
CVE-2026-5438
A gzip decompression bomb vulnerability exists when Orthanc processes HTTP reque
|
| 38 |
CVE-2026-30778
The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configurat
|
| 38 |
CVE-2026-1092
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.10
|
| 38 |
CVE-2026-33176
### Impact
Active Support number helpers accept strings containing scientific no
|
| 38 |
CVE-2026-33174
### Impact
When serving files through Active Storage's `Blobs::ProxyController`,
|
| 38 |
CVE-2026-33241
## Summary
Salvo's form data parsing implementations (`form_data()` method and `
|
| 38 |
CVE-2026-3608
Sending a maliciously crafted message to the kea-ctrl-agent, kea-dhcp-ddns, kea-
|
| 38 |
CVE-2026-4719
Incorrect boundary conditions in the Graphics: Text component. This vulnerabilit
|
| 38 |
CVE-2026-4714
Incorrect boundary conditions in the Audio/Video component. This vulnerability a
|
| 38 |
CVE-2026-4713
Incorrect boundary conditions in the Graphics component. This vulnerability affe
|
| 38 |
CVE-2026-4708
Incorrect boundary conditions in the Graphics component. This vulnerability affe
|
| 38 |
CVE-2026-4704
Denial-of-service in the WebRTC: Signaling component. This vulnerability affects
|
| 38 |
CVE-2026-4697
Incorrect boundary conditions in the Audio/Video: Web Codecs component. This vul
|
| 38 |
CVE-2026-4695
Incorrect boundary conditions in the Audio/Video: Web Codecs component. This vul
|
| 38 |
CVE-2026-4525
If a Vault auth mount is configured to pass through the "Authorization" header,
|
| 38 |
CVE-2026-28855
A permissions issue was addressed with additional restrictions. This issue is fi
|
| 38 |
CVE-2026-4933
Incorrect Authorization vulnerability in Drupal Unpublished Node Permissions all
|
| 38 |
CVE-2026-4684
Race condition, use-after-free in the Graphics: WebRender component. This vulner
|
| 38 |
CVE-2026-5807
Vault is vulnerable to a denial-of-service condition where an unauthenticated at
|
| 38 |
CVE-2026-21710
A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a re
|
| 38 |
CVE-2026-35042
## Summary
`fast-jwt` does not validate the `crit` (Critical) Header Parameter
|
| 38 |
CVE-2026-5437
An out-of-bounds read vulnerability exists in `DicomStreamReader` during DICOM m
|
| 38 |
CVE-2025-66769
A NULL pointer dereference in Nitro PDF Pro for Windows v14.41.1.4 allows attack
|
| 38 |
CVE-2026-29072
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-late
|
| 38 |
CVE-2025-69624
Nitro PDF Pro for Windows 14.41.1.4 contains a NULL pointer dereference vulnerab
|
| 38 |
CVE-2026-31923
Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX.
|
| 38 |
CVE-2026-28505
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. P
|
| 38 |
CVE-2026-27880
The OpenFeature feature toggle evaluation endpoint reads unbounded values into m
|
| 38 |
CVE-2026-4712
Information disclosure in the Widget: Cocoa component. This vulnerability affect
|
| 38 |
CVE-2026-5050
The Payment Gateway for Redsys & WooCommerce Lite plugin for WordPress is vulner
|
| 38 |
CVE-2026-34240
JOSE is a Javascript Object Signing and Encryption (JOSE) library. Prior to vers
|
| 38 |
CVE-2026-31790
Issue summary: Applications using RSASVE key encapsulation to establish
a secret
|
| 38 |
CVE-2026-22565
An Improper Input Validation vulnerability could allow a malicious actor with ac
|
| 38 |
CVE-2026-22566
An Improper Access Control vulnerability could allow a malicious actor with acce
|
| 38 |
CVE-2026-30332
A Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability in Balena E
|
| 38 |
CVE-2026-28388
Issue summary: When a delta CRL that contains a Delta CRL Indicator extension
is
|
| 38 |
CVE-2026-35467
The stored API keys in temporary browser client is not marked as protected allow
|
| 38 |
CVE-2026-4247
When a challenge ACK is to be sent tcp_respond() constructs and sends the challe
|
| 38 |
CVE-2026-33266
Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings.
The r
|
| 38 |
CVE-2026-4694
Incorrect boundary conditions, integer overflow in the Graphics component. This
|
| 38 |
CVE-2025-50664
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro
|
| 38 |
CVE-2025-50661
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro
|
| 38 |
CVE-2025-50671
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro
|
| 38 |
CVE-2025-50670
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro
|
| 38 |
CVE-2025-50665
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro
|
| 38 |
CVE-2025-50666
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro
|
| 38 |
CVE-2026-34486
Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the f
|
| 38 |
CVE-2026-32283
If one side of the TLS connection sends multiple key update messages post-handsh
|
| 38 |
CVE-2026-32280
During chain building, the amount of work that is done is not correctly limited
|
| 38 |
CVE-2026-32281
Validating certificate chains which use policies is unexpectedly inefficient whe
|
| 38 |
CVE-2026-4727
Denial-of-service in the Libraries component in NSS. This vulnerability affects
|
| 38 |
CVE-2026-4726
Denial-of-service in the XML component. This vulnerability affects Firefox < 149
|
| 38 |
CVE-2026-33697
Cocos AI is a confidential computing system for AI. The current implementation o
|
| 38 |
CVE-2026-40869
### Impact
The vulnerability allows any registered and authenticated user to acc
|
| 38 |
CVE-2026-6507
A flaw was found in dnsmasq. A remote attacker could exploit an out-of-bounds wr
|
| 38 |
CVE-2026-32066
OpenClaw before 2026.3.1 contains an unbounded memory growth vulnerability in th
|
| 38 |
CVE-2026-40870
### Impact
The root level `commentable` field in the API allows access to all co
|
| 38 |
CVE-2026-6372
Missing Authorization vulnerability in Plisio Accept Cryptocurrencies with Plisi
|
| 38 |
CVE-2026-33337
Firebird is an open-source relational database management system. In versions pr
|
| 38 |
CVE-2026-40303
**Summary**
endpoints.GetSessionCookie parses an attacker-supplied cookie chunk
|
| 38 |
CVE-2026-40890
### Summary
Processing a malformed input containing a `<` character that is not
|
| 38 |
CVE-2026-35209
### Impact
Applications that pass unsanitized user input (e.g. parsed JSON requ
|
| 38 |
CVE-2026-3104
A specially crafted domain can be used to cause a memory leak in a BIND resolver
|
| 38 |
CVE-2026-30762
Summary:
The file lightrag/api/config.py (line 397) uses a default JWT secret "l
|
| 38 |
CVE-2026-28212
Firebird is an open-source relational database management system. In versions pr
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 735d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2303d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2116d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1730d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2233d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4981d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1201d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1003d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3758d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 905d |