Total CVEs
5644
last 30 days
Avg Priority
35.3
of max 220
KEV
8
actively exploited
POC
764
public exploits
Unpatched
1091
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-5281
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co
118
CVE-2026-34621
Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Control
117
CVE-2026-33634
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publi
117
CVE-2026-3055
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP l
114
CVE-2026-34197
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i
109
CVE-2026-3502
TrueConf Client downloads application update code and applies it without performing verification. An
109
CVE-2026-32201
Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform
Priority Distribution
| Priority | CVE |
|---|---|
| 34 |
CVE-2025-14917
IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphe
|
| 34 |
CVE-2026-5164
A flaw was found in virtio-win. The `RhelDoUnMap()` function does not properly v
|
| 34 |
CVE-2026-34863
Out-of-bounds write vulnerability in the file system.
Impact: Successful exploit
|
| 34 |
CVE-2026-32901
OpenClaw before 2026.3.2 contains a semantic drift vulnerability in node system.
|
| 33 |
CVE-2026-34515
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python.
|
| 33 |
CVE-2025-46641
Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Featu
|
| 33 |
CVE-2025-46607
Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Featu
|
| 33 |
CVE-2026-34388
Fleet is open source device management software. Prior to 4.81.0, a denial-of-se
|
| 33 |
CVE-2026-34516
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python.
|
| 33 |
CVE-2026-20202
In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splu
|
| 33 |
CVE-2026-5892
Insufficient policy enforcement in PWAs in Google Chrome prior to 147.0.7727.55
|
| 33 |
CVE-2026-21010
Improper input validation in Retail Mode prior to SMR Apr-2026 Release 1 allows
|
| 33 |
CVE-2026-33182
### Impact
Users providing user generated input into the `resolveEndpoint` metho
|
| 33 |
CVE-2026-34391
Fleet is open source device management software. Prior to 4.81.1, a vulnerabilit
|
| 33 |
CVE-2026-35197
dye is a portable and respectful color library for shell scripts. Prior to 1.1.1
|
| 33 |
CVE-2025-43937
Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an insertion of sens
|
| 33 |
CVE-2026-27102
Dell PowerScale OneFS, versions 9.5.0.0 through 9.10.1.6 and versions 9.11.0.0 t
|
| 33 |
CVE-2026-4837
An eval() injection vulnerability in the Rapid7 Insight Agent beaconing logic fo
|
| 33 |
CVE-2026-35479
InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.
|
| 33 |
CVE-2026-33334
Vikunja is an open-source self-hosted task management platform. Starting in vers
|
| 33 |
CVE-2026-33336
Vikunja is an open-source self-hosted task management platform. Starting in vers
|
| 33 |
CVE-2026-3689
OpenClaw Canvas Path Traversal Information Disclosure Vulnerability. This vulner
|
| 33 |
CVE-2026-34401
XML Notepad is a Windows program that provides a simple intuitive User Interface
|
| 33 |
CVE-2026-5758
JavaScript is vulnerable to prototype pollution in Mafintosh's protocol-buffers-
|
| 33 |
CVE-2026-26155
Microsoft Local Security Authority Subsystem Service Information Disclosure Vuln
|
| 33 |
CVE-2026-2436
A flaw was found in libsoup's SoupServer. A remote attacker could exploit a use-
|
| 33 |
CVE-2026-0966
The API function `ssh_get_hexa()` is vulnerable, when 0-lenght
input is provided
|
| 33 |
CVE-2026-2582
The The Germanized for WooCommerce plugin for WordPress is vulnerable to arbitra
|
| 33 |
CVE-2026-3309
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User
|
| 33 |
CVE-2026-20095
A vulnerability in the web-based management interface of Cisco IMC could allow a
|
| 33 |
CVE-2026-20078
Multiple vulnerabilities in Cisco Unity Connection could allow an authenticated,
|
| 33 |
CVE-2026-20081
Multiple vulnerabilities in Cisco Unity Connection could allow an authenticated,
|
| 33 |
CVE-2026-20096
A vulnerability in the web-based management interface of Cisco IMC could allow a
|
| 33 |
CVE-2026-32151
Exposure of sensitive information to an unauthorized actor in Windows Shell allo
|
| 33 |
CVE-2026-2265
An unauthenticated remote code execution (RCE) vulnerability exists in applicati
|
| 33 |
CVE-2026-20431
In Modem, there is a possible system crash due to a logic error. This could lead
|
| 33 |
CVE-2026-20097
A vulnerability in the web-based management interface of Cisco IMC could allow a
|
| 33 |
CVE-2026-27925
Use after free in Windows Universal Plug and Play (UPnP) Device Host allows an u
|
| 33 |
CVE-2026-34733
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AV
|
| 33 |
CVE-2026-34978
OpenPrinting CUPS is an open source printing system for Linux and other Unix-lik
|
| 33 |
CVE-2026-33882
### Impact
The markdown preview endpoint could be manipulated to return augmente
|
| 33 |
CVE-2026-33750
### Impact
A brace pattern with a zero step value (e.g., `{1..2..0}`) causes th
|
| 33 |
CVE-2026-4817
The MasterStudy LMS WordPress Plugin for Online Courses and Education plugin for
|
| 33 |
CVE-2026-22573
An improper limitation of a pathname to a restricted directory ('path traversal'
|
| 33 |
CVE-2026-32215
Insertion of sensitive information into log file in Windows Kernel allows an aut
|
| 33 |
CVE-2026-32218
Insertion of sensitive information into log file in Windows Kernel allows an aut
|
| 33 |
CVE-2026-32217
Insertion of sensitive information into log file in Windows Kernel allows an aut
|
| 33 |
CVE-2026-34750
Payload is a free and open source headless content management system. Prior to v
|
| 33 |
CVE-2026-33768
Astro is a web framework. Prior to version 10.0.2, the @astrojs/vercel serverles
|
| 33 |
CVE-2026-34787
Emlog is an open source website building system. In versions 2.6.2 and prior, a
|
| 33 |
CVE-2026-34832
Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.6
|
| 33 |
CVE-2026-35549
An issue was discovered in MariaDB Server before 11.4.10, 11.5.x through 11.8.x
|
| 33 |
CVE-2026-40491
gdown is a Google Drive public file/folder downloader. Versions prior to 5.2.2 a
|
| 33 |
CVE-2026-22616
Eaton Intelligent Power Protector (IPP) software allows repeated authentication
|
| 33 |
CVE-2026-33693
### Summary
The `v4_is_invalid()` function in `activitypub-federation-rust` (`s
|
| 33 |
CVE-2026-33148
Tandoor Recipes is an application for managing recipes, planning meals, and buil
|
| 33 |
CVE-2025-10736
The ReviewX - WooCommerce Product Reviews with Multi-Criteria, Reminder Emails,
|
| 33 |
CVE-2026-5885
Insufficient validation of untrusted input in WebML in Google Chrome on Windows
|
| 33 |
CVE-2026-3488
The WP Statistics plugin for WordPress is vulnerable to Missing Authorization in
|
| 33 |
CVE-2026-39943
Directus is a real-time API and App dashboard for managing SQL database content.
|
| 33 |
CVE-2026-33528
## Summary
The file content API endpoint at `/api/v1/file/content` is vulnerabl
|
| 33 |
CVE-2026-33983
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to versio
|
| 33 |
CVE-2026-2950
Impact:
Lodash versions 4.17.23 and earlier are vulnerable to prototype polluti
|
| 33 |
CVE-2026-25209
Out-of-bounds read vulnerability in Samsung Open Source Escargot allows Resource
|
| 33 |
CVE-2026-1710
The WooPayments: Integrated WooCommerce Payments plugin for WordPress is vulnera
|
| 33 |
CVE-2026-35599
## Summary
The `addRepeatIntervalToTime` function uses an O(n) loop that advanc
|
| 33 |
CVE-2026-34939
### Summary
`MCPToolIndex.search_tools()` compiles a caller-supplied string dir
|
| 33 |
CVE-2026-33438
Stirling-PDF is a locally hosted web application that allows you to perform vari
|
| 33 |
CVE-2026-32079
Exposure of sensitive information to an unauthorized actor in Windows File Explo
|
| 33 |
CVE-2026-33459
Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of serv
|
| 33 |
CVE-2026-32081
Exposure of sensitive information to an unauthorized actor in Windows File Explo
|
| 33 |
CVE-2026-3138
The Product Filter for WooCommerce by WBW plugin for WordPress is vulnerable to
|
| 33 |
CVE-2026-32085
Exposure of sensitive information to an unauthorized actor in Windows Remote Pro
|
| 33 |
CVE-2026-27460
Tandoor Recipes is an application for managing recipes, planning meals, and buil
|
| 33 |
CVE-2026-35034
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 c
|
| 33 |
CVE-2026-40105
### Impact
A reflected cross-site scripting vulnerability (XSS) in the compare v
|
| 33 |
CVE-2026-33743
Incus is a system container and virtual machine manager. Prior to version 6.23.0
|
| 33 |
CVE-2026-30662
ConcreteCMS v9.4.7 contains a Denial of Service (DoS) vulnerability in the File
|
| 33 |
CVE-2026-6385
A flaw was found in FFmpeg. A remote attacker could exploit this vulnerability b
|
| 33 |
CVE-2026-33541
TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Sa
|
| 33 |
CVE-2026-35594
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0,
|
| 33 |
CVE-2026-34531
## Summary
In a situation where the client makes a request to a token protected
|
| 33 |
CVE-2026-5025
The '/logs' and '/logs-stream' endpoints in the log router allow any authenticat
|
| 33 |
CVE-2026-23487
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there
|
| 33 |
CVE-2026-34500
CLIENT_CERT authentication does not fail as expected for some scenarios when sof
|
| 33 |
CVE-2026-5283
Inappropriate implementation in ANGLE in Google Chrome prior to 146.0.7680.178 a
|
| 33 |
CVE-2026-5876
Side-channel information leakage in Navigation in Google Chrome prior to 147.0.7
|
| 33 |
CVE-2026-6364
Out of bounds read in Skia in Google Chrome prior to 147.0.7727.101 allowed a re
|
| 33 |
CVE-2026-39848
Dockyard is a Docker container management app. Prior to 1.1.0, Docker container
|
| 33 |
CVE-2026-29905
Kirby CMS through 5.1.4 allows an authenticated user with 'Editor' permissions t
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 738d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2305d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2118d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1732d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2235d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4983d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1204d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1005d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3760d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 907d |