Summary (last 30 days)

- Total CVEs: 5639 (last 30 days)
- Avg Priority: 35.3 (of max 220)
- KEV: 8 (actively exploited)
- POC: 761 (public exploits)
- Unpatched: 1092 (CRIT/HIGH without patch)
How is Priority Score calculated?

Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:

- KEV +50: CISA Known Exploited Vulnerability, confirmed active exploitation in the wild
- EPSS x100: Exploit Prediction Scoring System, probability of exploitation in the next 30 days (0-100)
- CVSS x5: Common Vulnerability Scoring System, technical severity (0-50)
- POC +20: public exploit code exists, which lowers the barrier for attackers

Priority bands:

- 0-40 Low
- 40-80 Medium
- 80-120 High
- 120+ Critical
Patch Now — Known Exploited Vulnerabilities
| Priority | CVE | Description |
|---|---|---|
| 124 | CVE-2026-35616 | An improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an |
| 119 | CVE-2026-5281 | Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co |
| 118 | CVE-2026-34621 | Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Control |
| 117 | CVE-2026-33634 | Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publi |
| 117 | CVE-2026-3055 | Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP l |
| 114 | CVE-2026-34197 | Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i |
| 109 | CVE-2026-3502 | TrueConf Client downloads application update code and applies it without performing verification. An |
| 109 | CVE-2026-32201 | Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform |
Priority Distribution
| Priority | CVE | Description |
|---|---|---|
| 35 | CVE-2026-41253 | In iTerm2 through 3.6.9, displaying a .txt file can cause code execution via DCS |
| 34 | CVE-2026-32962 | SD-330AC and AMC Manager provided by silex technology, Inc. contain a missing au |
| 34 | CVE-2026-5672 | A vulnerability has been found in code-projects Simple IT Discussion Forum 1.0. |
| 34 | CVE-2026-32961 | SD-330AC and AMC Manager provided by silex technology, Inc. contain a heap-based |
| 34 | CVE-2026-32958 | SD-330AC and AMC Manager provided by silex technology, Inc. use a hard-coded cry |
| 34 | CVE-2026-5669 | A vulnerability has been found in Cyber-III Student-Management-System up to 1a93 |
| 34 | CVE-2026-5663 | A security flaw has been discovered in OFFIS DCMTK up to 3.7.0. This impacts the |
| 34 | CVE-2026-5802 | A vulnerability was identified in idachev mcp-javadc up to 1.2.4. Impacted is an |
| 34 | CVE-2026-32964 | SD-330AC and AMC Manager provided by silex technology, Inc. contain an improper |
| 34 | CVE-2026-32957 | SD-330AC and AMC Manager provided by silex technology, Inc. contain a missing au |
| 34 | CVE-2026-6437 | Improper neutralization of argument delimiters in the volume handling component |
| 34 | CVE-2026-5691 | A vulnerability has been found in Totolink A7100RU 7.4cu.2313_b20191024. This af |
| 34 | CVE-2026-40476 | graphql-go is a Go implementation of GraphQL. In versions 15.31.4 and below, the |
| 34 | CVE-2026-40299 | next-intl provides internationalization for Next.js. Applications using the `nex |
| 34 | CVE-2026-31927 | Anviz CX7 Firmware is vulnerable to an authenticated CSV upload which allows pat |
| 34 | CVE-2026-40306 | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS |
| 34 | CVE-2026-5689 | A vulnerability was detected in Totolink A7100RU 7.4cu.2313_b20191024. The affec |
| 34 | CVE-2026-5690 | A flaw has been found in Totolink A7100RU 7.4cu.2313_b20191024. The impacted ele |
| 34 | CVE-2025-59709 | An issue was discovered in Biztalk360 through 11.5. because of mishandling of us |
| 34 | CVE-2026-31067 | A remote command execution (RCE) vulnerability in the /goform/formReleaseConnect |
| 34 | CVE-2026-32223 | Heap-based buffer overflow in Windows USB Print Driver allows an unauthorized at |
| 34 | CVE-2026-40490 | The AsyncHttpClient (AHC) library allows Java applications to easily execute HTT |
| 34 | CVE-2026-33691 | The OWASP core rule set (CRS) is a set of generic attack detection rules for use |
| 34 | CVE-2026-3112 | Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11. |
| 34 | CVE-2026-32567 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') v |
| 34 | CVE-2026-27855 | Dovecot OTP authentication is vulnerable to replay attack under specific conditi |
| 34 | CVE-2026-33220 | Weblate is a web based localization tool. In versions prior to 5.17, the transla |
| 34 | CVE-2026-5893 | Race in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to |
| 34 | CVE-2026-34775 | Impact: The `nodeIntegrationInWorker` webPreference was not correctly scoped |
| 34 | CVE-2026-31951 | LibreChat is a ChatGPT clone with additional features. In versions 0.8.2-rc1 thr |
| 34 | CVE-2026-34080 | xdg-dbus-proxy is a filtering proxy for D-Bus connections. Prior to 0.1.7, a pol |
| 34 | CVE-2026-4818 | In Search Guard FLX versions from 3.0.0 up to 4.0.1, there exists an issue which |
| 34 | CVE-2026-32279 | Security Advisory - Page Management Plugin (SSRF). Summary: A Server-Side R |
| 34 | CVE-2026-33486 | This vulnerability allows an authenticated attacker to read any file on the serv |
| 34 | CVE-2026-25328 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') v |
| 34 | CVE-2026-33308 | Mod_gnutls is a TLS module for Apache HTTPD based on GnuTLS. Prior to version 0. |
| 34 | CVE-2026-39961 | Aiven Operator allows you to provision and manage Aiven Services from your Kuber |
| 34 | CVE-2025-31991 | Rate Limiting for attempting a user login is not being properly enforced, making |
| 34 | CVE-2025-43534 | A path handling issue was addressed with improved validation. This issue is fixe |
| 34 | CVE-2026-4931 | Smart contract Marginal v1 performs unsafe downcast, allowing attackers to settl |
| 34 | CVE-2026-35586 | pyLoad is a free and open-source download manager written in Python. Prior to 0. |
| 34 | CVE-2026-35577 | Apollo MCP Server is a Model Context Protocol server that exposes GraphQL operat |
| 34 | CVE-2026-30817 | An external configuration control vulnerability in the OpenVPN module of TP-Link |
| 34 | CVE-2026-28741 | Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11. |
| 34 | CVE-2026-30816 | An external control of configuration vulnerability in the OpenVPN module of TP-L |
| 34 | CVE-2026-31850 | Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 stores sensitiv |
| 34 | CVE-2026-33786 | An Improper Check for Unusual or Exceptional Conditions vulnerability in the cha |
| 34 | CVE-2026-40191 | ClearanceKit intercepts file-system access events on macOS and enforces per-proc |
| 34 | CVE-2026-33787 | An Improper Check for Unusual or Exceptional Conditions vulnerability in the cha |
| 34 | CVE-2026-33990 | Summary: Docker Model Runner contains an SSRF vulnerability in its OCI registr |
| 34 | CVE-2026-21012 | External control of file name in AODManager prior to SMR Apr-2026 Release 1 allo |
| 34 | CVE-2026-33572 | OpenClaw before 2026.2.17 creates session transcript JSONL files with overly bro |
| 34 | CVE-2026-40253 | openCryptoki is a PKCS#11 library and provides tooling for Linux and AIX. In ver |
| 34 | CVE-2026-33776 | A Missing Authorization vulnerability in the CLI of Juniper Networks Junos OS an |
| 34 | CVE-2026-33997 | Summary: A security vulnerability has been detected that allows [plugins](htt |
| 34 | CVE-2026-30603 | An issue in the firmware update mechanism of Qianniao QN-L23PA0904 v20250721.164 |
| 34 | CVE-2026-4482 | The installer certificate files in the …/bootstrap/common/ssl folder do not seem |
| 34 | CVE-2026-34864 | Boundary-unlimited vulnerability in the application read module. Impact: Success |
| 34 | CVE-2025-33216 | NVIDIA SNAP-4 Container contains a vulnerability in the configuration interface |
| 34 | CVE-2025-33215 | NVIDIA SNAP-4 Container contains a vulnerability in the VIRTIO-BLK component whe |
| 34 | CVE-2026-40284 | WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, |
| 34 | CVE-2026-40574 | Impact: An authorization bypass exists in OAuth2 Proxy as part of the `email |
| 34 | CVE-2026-40283 | WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, |
| 34 | CVE-2026-33623 | Summary: PinchTab `v0.8.4` contains a Windows-only command injection issue in |
| 34 | CVE-2026-23653 | Improper neutralization of special elements used in a command ('command injectio |
| 34 | CVE-2026-0390 | Reliance on untrusted inputs in a security decision in Windows Boot Loader allow |
| 34 | CVE-2026-23779 | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Featu |
| 34 | CVE-2026-35074 | Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7.0.0, LTS2025 release |
| 34 | CVE-2026-35073 | Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7.0.0, LTS2025 release |
| 34 | CVE-2026-35072 | Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7.0.0, LTS2025 release |
| 34 | CVE-2026-25691 | An improper limitation of a pathname to a restricted directory ('path traversal') |
| 34 | CVE-2026-33549 | SPIP 4.4.10 through 4.4.12 before 4.4.13 allows unintended privilege assignment |
| 34 | CVE-2025-64340 | Server names containing shell metacharacters (e.g., `&`) can cause command injec |
| 34 | CVE-2026-32948 | Summary: On Windows, sbt uses `Process("cmd", "/c", ...)` to run VCS commands |
| 34 | CVE-2026-32496 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') v |
| 34 | CVE-2026-39809 | An improper neutralization of special elements used in an sql command ('sql injec |
| 34 | CVE-2026-35153 | Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7.0.0, LTS2025 release |
| 34 | CVE-2026-27774 | Local privilege escalation due to DLL hijacking vulnerability. The following pro |
| 34 | CVE-2026-28728 | Local privilege escalation due to DLL hijacking vulnerability. The following pro |
| 34 | CVE-2026-39814 | A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.2 |
| 34 | CVE-2026-25206 | Out-of-bounds read vulnerability in Samsung Open Source Escargot allows Resource |
| 34 | CVE-2026-34871 | An issue was discovered in Mbed TLS before 3.6.6 and 4.x before 4.1.0 and TF-PSA |
| 34 | CVE-2026-39389 | CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo |
| 34 | CVE-2026-40224 | In systemd 259 before 260, there is local privilege escalation in systemd-machin |
| 34 | CVE-2026-4878 | A flaw was found in libcap. A local unprivileged user can exploit a Time-of-chec |
| 34 | CVE-2025-14917 | IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphe |
| 34 | CVE-2026-33271 | Local privilege escalation due to insecure folder permissions. The following pro |
| 34 | CVE-2026-5165 | A flaw was found in virtio-win, specifically within the VirtIO Block (BLK) devic |
| 34 | CVE-2026-5164 | A flaw was found in virtio-win. The `RhelDoUnMap()` function does not properly v |
| 34 | CVE-2026-34863 | Out-of-bounds write vulnerability in the file system. Impact: Successful exploit |
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 738d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2305d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2118d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1732d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2235d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4983d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1204d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1005d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3760d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 907d |