Total CVEs
6156
last 30 days
Avg Priority
35.2
of max 220
KEV
8
actively exploited
POC
755
public exploits
Unpatched
1230
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-5281
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co
118
CVE-2026-34621
Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Control
117
CVE-2026-33634
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publi
117
CVE-2026-3055
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP l
114
CVE-2026-34197
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i
109
CVE-2026-3502
TrueConf Client downloads application update code and applies it without performing verification. An
109
CVE-2026-32201
Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform
Priority Distribution
| Priority | CVE |
|---|---|
| 38 |
CVE-2026-40869
### Impact
The vulnerability allows any registered and authenticated user to acc
|
| 38 |
CVE-2026-40890
### Summary
Processing a malformed input containing a `<` character that is not
|
| 38 |
CVE-2026-34232
Firebird is an open-source relational database management system. In versions pr
|
| 38 |
CVE-2026-35401
Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.5
|
| 38 |
CVE-2026-33756
Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.5
|
| 38 |
CVE-2026-35465
SecureDrop Client is a desktop app for journalists to securely communicate with
|
| 38 |
CVE-2026-40870
### Impact
The root level `commentable` field in the API allows access to all co
|
| 38 |
CVE-2026-35209
### Impact
Applications that pass unsanitized user input (e.g. parsed JSON requ
|
| 38 |
CVE-2026-35215
Firebird is an open-source relational database management system. In versions pr
|
| 38 |
CVE-2026-6507
A flaw was found in dnsmasq. A remote attacker could exploit an out-of-bounds wr
|
| 37 |
CVE-2026-0522
A local file inclusion vulnerability in the upload/download flow of the VertiGIS
|
| 37 |
CVE-2026-3690
OpenClaw Canvas Authentication Bypass Vulnerability. This vulnerability allows r
|
| 37 |
CVE-2026-32631
Git for Windows is the Windows port of Git. Versions prior to 2.53.0.windows.3 d
|
| 37 |
CVE-2026-32275
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. F
|
| 37 |
CVE-2026-5988
A vulnerability was detected in Tenda F451 1.0.0.7. This impacts the function fo
|
| 37 |
CVE-2026-6137
A vulnerability was detected in Tenda F451 1.0.0.7_cn_svn7958. The affected elem
|
| 37 |
CVE-2026-5990
A vulnerability has been found in Tenda F451 1.0.0.7. Affected by this vulnerabi
|
| 37 |
CVE-2026-5991
A vulnerability was found in Tenda F451 1.0.0.7. Affected by this issue is the f
|
| 37 |
CVE-2026-5992
A vulnerability was determined in Tenda F451 1.0.0.7. This affects the function
|
| 37 |
CVE-2026-4975
A vulnerability has been found in Tenda AC15 15.03.05.19. This affects the funct
|
| 37 |
CVE-2026-4974
A flaw has been found in Tenda AC7 15.03.06.44. Affected by this issue is the fu
|
| 37 |
CVE-2026-5980
A flaw has been found in D-Link DIR-605L 2.13B01. Affected by this issue is the
|
| 37 |
CVE-2026-5983
A vulnerability was determined in D-Link DIR-605L 2.13B01. This issue affects th
|
| 37 |
CVE-2026-33804
@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass w
|
| 37 |
CVE-2026-33667
OpenProject is an open-source project management application. In versions prior
|
| 37 |
CVE-2026-32156
Use after free in Windows Universal Plug and Play (UPnP) Device Host allows an u
|
| 37 |
CVE-2026-5629
A vulnerability was detected in Belkin F9K1015 1.00.10. The affected element is
|
| 37 |
CVE-2026-34727
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0,
|
| 37 |
CVE-2026-34076
## Summary
The `clerkFrontendApiProxy` function in `@clerk/backend` is vulnerab
|
| 37 |
CVE-2026-33735
MyTube is a self-hosted downloader and player for several video websites Prior t
|
| 37 |
CVE-2026-4282
A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value st
|
| 37 |
CVE-2026-33745
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library
|
| 37 |
CVE-2026-40153
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the execute_com
|
| 37 |
CVE-2026-33247
### Background
NATS.io is a high performance open source pub-sub distributed co
|
| 37 |
CVE-2026-2332
In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when ch
|
| 37 |
CVE-2026-27856
Doveadm credentials are verified using direct comparison which is susceptible to
|
| 37 |
CVE-2026-33488
## Summary
The `createKeys()` function in the LoginControl plugin's PGP 2FA sys
|
| 37 |
CVE-2026-2378
ArcSearch for Android versions prior to 1.12.7 could display a different domain
|
| 37 |
CVE-2026-33643
SQL Injection vulnerability in SchemaHero 0.23.0 via the column parameter to the
|
| 37 |
CVE-2026-29953
SQL Injection vulnerability in SchemaHero 0.23.0 via the column parameter to the
|
| 37 |
CVE-2026-23364
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: Comp
|
| 37 |
CVE-2026-20004
A vulnerability in the TLS library of Cisco IOS XE Software could allow an unaut
|
| 37 |
CVE-2026-5984
A vulnerability was identified in D-Link DIR-605L 2.13B01. Impacted is the funct
|
| 37 |
CVE-2026-2450
.NET misconfiguration: use of impersonation vulnerability in upKeeper Solutions
|
| 37 |
CVE-2026-33896
## Summary
`pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstr
|
| 37 |
CVE-2026-4428
A logic error in CRL distribution point validation in AWS-LC before 1.71.0 cause
|
| 37 |
CVE-2026-4371
A malicious mail server could send malformed strings with negative lengths, caus
|
| 37 |
CVE-2026-34359
## Summary
`ManagedWebAccessUtils.getServer()` uses `String.startsWith()` to ma
|
| 37 |
CVE-2026-41035
In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value
|
| 37 |
CVE-2026-25207
Out-of-bounds write vulnerability in Samsung Open Source Escargot allows Overflo
|
| 37 |
CVE-2026-25205
Heap-based buffer overflow vulnerability in Samsung Open Source Escargot allows
|
| 37 |
CVE-2026-4600
Versions of the package jsrsasign before 11.1.1 are vulnerable to Improper Verif
|
| 37 |
CVE-2026-35099
Lakeside SysTrack Agent 11 before 11.2.1.28 has a race condition with resultant
|
| 37 |
CVE-2026-41015
radare2 before 9236f44, when configured on UNIX without SSL, allows command inje
|
| 37 |
CVE-2026-32887
## Versions
- `effect`: 3.19.15
- `@effect/rpc`: 0.72.1
- `@effect/platform`: 0
|
| 37 |
CVE-2025-15607
A command injection vulnerability on AX53 v1 occurs in mscd debug functionality
|
| 37 |
CVE-2026-35535
In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgr
|
| 37 |
CVE-2026-5687
A weakness has been identified in Tenda CX12L 16.03.53.12. This issue affects th
|
| 37 |
CVE-2026-22173
OpenClaw versions prior to 2026.2.18 contain a command injection vulnerability i
|
| 37 |
CVE-2026-5795
In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication chec
|
| 37 |
CVE-2026-5686
A security flaw has been discovered in Tenda CX12L 16.03.53.12. This vulnerabili
|
| 37 |
CVE-2026-30616
Jaaz 1.0.30 contains a remote code execution vulnerability in its MCP STDIO comm
|
| 37 |
CVE-2025-10679
The ReviewX - WooCommerce Product Reviews with Multi-Criteria, Reminder Emails,
|
| 37 |
CVE-2026-32149
Improper input validation in Windows Hyper-V allows an authorized attacker to ex
|
| 37 |
CVE-2026-4982
A user with permission "update world" in any Venueless world is able to exfiltra
|
| 37 |
CVE-2026-33492
## Summary
AVideo's `_session_start()` function accepts arbitrary session IDs v
|
| 37 |
CVE-2026-35489
Tandoor Recipes is an application for managing recipes, planning meals, and buil
|
| 37 |
CVE-2026-24156
NVIDIA DALI contains a vulnerability where an attacker could cause a deserializa
|
| 37 |
CVE-2026-1345
IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify
|
| 37 |
CVE-2026-3877
A reflected cross-site scripting (XSS) vulnerability in the dashboard search fun
|
| 37 |
CVE-2026-33045
Home Assistant is open source home automation software that puts local control a
|
| 37 |
CVE-2026-33044
Home Assistant is open source home automation software that puts local control a
|
| 37 |
CVE-2026-33881
Windmill is an open-source developer platform for internal code: APIs, backgroun
|
| 37 |
CVE-2026-39306
### Summary
PraisonAI's recipe registry pull flow extracts attacker-controlled
|
| 37 |
CVE-2026-5599
A user with API access and "manage users" permission in any venueless
world is
|
| 37 |
CVE-2026-32971
OpenClaw before 2026.3.11 contains an approval-integrity vulnerability in node-h
|
| 37 |
CVE-2026-20151
A vulnerability in the web interface of Cisco Smart Software Manager On-Prem (SS
|
| 37 |
CVE-2026-33664
Kestra is an open-source, event-driven orchestration platform Versions up to and
|
| 37 |
CVE-2026-35558
Improper neutralization of special elements in the authentication components in
|
| 37 |
CVE-2025-64998
Exposure of session signing secret in Checkmk <2.4.0p23, <2.3.0p45 and 2.2.0 all
|
| 37 |
CVE-2026-1679
The eswifi socket offload driver copies user-provided payloads into a fixed buff
|
| 37 |
CVE-2026-3872
A flaw was found in Keycloak. This issue allows an attacker, who controls anothe
|
| 37 |
CVE-2026-35574
ChurchCRM is an open-source church management system. Prior to 6.5.3, a stored C
|
| 37 |
CVE-2026-4107
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable
|
| 37 |
CVE-2026-4615
A vulnerability was identified in SourceCodester Online Catering Reservation 1.0
|
| 37 |
CVE-2026-28703
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable
|
| 37 |
CVE-2026-4108
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable
|
| 37 |
CVE-2026-28754
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable
|
| 37 |
CVE-2026-3879
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable
|
| 37 |
CVE-2026-37336
SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Inj
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 735d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2303d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2116d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1730d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2233d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4981d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1201d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1003d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3758d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 905d |