Total CVEs
6152
last 30 days
Avg Priority
31.3
of max 220
KEV
14
actively exploited
POC
495
public exploits
Unpatched
941
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
136
CVE-2026-0300
A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service o
133
CVE-2026-41940
cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, an
131
CVE-2026-6973
An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows
131
CVE-2026-42897
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Ex
127
CVE-2026-20182
May 2026: This security advisory provides the details and fix information for a vulnerability that w
126
CVE-2026-41091
Improper link resolution before file access ('link following') in Microsoft Defender allows an autho
120
CVE-2026-48172
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exp
118
CVE-2026-45321
## Summary
On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 4
117
CVE-2026-42208
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1
117
CVE-2026-8398
A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows v
Priority Distribution
| Priority | CVE |
|---|---|
| 49 |
CVE-2026-31229
The Adversarial Robustness Toolbox (ART) thru 1.20.1 contains an insecure deseri
|
| 49 |
CVE-2026-42373
D-Link DIR-605L Hardware Revision B2 (End-of-Life, EOL) contains a hardcoded tel
|
| 49 |
CVE-2026-41094
Improper control of generation of code ('code injection') in Microsoft Data Form
|
| 49 |
CVE-2026-41109
Improper neutralization of special elements in output used by a downstream compo
|
| 49 |
CVE-2026-42376
D-Link DIR-456U Hardware Revision A1 (End-of-Life, EOL) contains a hardcoded tel
|
| 49 |
CVE-2026-31237
The Ludwig framework thru 0.10.4 is vulnerable to insecure deserialization (CWE-
|
| 49 |
CVE-2026-31214
The torch-checkpoint-shrink.py script in the ml-engineering project in commit 00
|
| 49 |
CVE-2026-41613
Session fixation in Visual Studio Code allows an unauthorized attacker to elevat
|
| 49 |
CVE-2026-31228
The Adversarial Robustness Toolbox (ART) thru 1.20.1 contains a remote code exec
|
| 49 |
CVE-2026-31233
Guardrails AI thru 0.6.7 contains a code injection vulnerability (CWE-94) in its
|
| 49 |
CVE-2026-31231
Cognee thru v0.4.0 contains a critical remote code execution vulnerability in it
|
| 49 |
CVE-2026-40365
Insufficient granularity of access control in Microsoft Office SharePoint allows
|
| 49 |
CVE-2026-41086
Improper access control in Windows Admin Center allows an authorized attacker to
|
| 49 |
CVE-2026-27960
OpenCTI is an open source platform for managing cyber threat intelligence knowle
|
| 49 |
CVE-2026-40636
Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale versions prior to
|
| 49 |
CVE-2026-43186
In the Linux kernel, the following vulnerability has been resolved:
ipv6: ioam:
|
| 49 |
CVE-2026-44888
Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. Prior to
|
| 49 |
CVE-2025-14320
Improper neutralization of input during web page generation ('cross-site scripti
|
| 49 |
CVE-2026-8956
Integer overflow in the Networking: JAR component. This vulnerability was fixed
|
| 49 |
CVE-2026-7301
SGLangs multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0
|
| 49 |
CVE-2026-42779
The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here
|
| 49 |
CVE-2026-42778
The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Here
|
| 49 |
CVE-2026-41507
math-codegen generates code from mathematical expressions. Prior to version 0.4.
|
| 49 |
CVE-2026-44277
A improper access control vulnerability in Fortinet FortiAuthenticator 8.0.2, Fo
|
| 49 |
CVE-2026-26083
A missing authorization vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0
|
| 49 |
CVE-2026-8362
A stack-based buffer overflow condition exists in WOSDefaultHttpModule.dll when
|
| 49 |
CVE-2026-44009
### Summary
VM2 suffers from a sandbox breakout vulnerability. This allows atta
|
| 49 |
CVE-2026-44183
Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in
|
| 49 |
CVE-2026-31220
PySyft (Syft Datasite/Server) versions 0.9.5 and earlier are vulnerable to remot
|
| 49 |
CVE-2026-47323
Camel-CXF and Camel-Knative Message Header Injection via Missing Inbound Filteri
|
| 49 |
CVE-2026-2347
Authorization bypass through User-Controlled key vulnerability in Akilli Commerc
|
| 49 |
CVE-2026-42758
Incorrect Privilege Assignment vulnerability in Saleswonder Team: Tobias Webinar
|
| 49 |
CVE-2026-8500
Web::Passwd versions through 0.03 for Perl is vulnerable to RCE.
Web::Passwd is
|
| 49 |
CVE-2026-42473
Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The se
|
| 49 |
CVE-2026-42472
Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The se
|
| 49 |
CVE-2026-42072
Nornicdb is a distributed low-latency, Graph+Vector, Temporal MVCC with all sub-
|
| 49 |
CVE-2026-43512
DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication
|
| 49 |
CVE-2026-31070
The LalanaChami Pharmacy Management System (commit 5c3d028) allows unauthenticat
|
| 49 |
CVE-2026-41293
Improper Input Validation vulnerability in Apache Tomcat.
This issue affects Ap
|
| 49 |
CVE-2026-32253
Sunshine is a self-hosted game stream host for Moonlight. In versions prior to 2
|
| 49 |
CVE-2026-43992
JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-securit
|
| 49 |
CVE-2026-7415
The MQTT broker embedded in Yarbo firmware v2.3.9 is configured to allow anonymo
|
| 49 |
CVE-2025-63706
NPM package next-npm-version1.0.1 is vulnerable to Command injection.
|
| 49 |
CVE-2025-6577
Improper neutralization of special elements used in an SQL command ('SQL injecti
|
| 49 |
CVE-2025-11024
Improper neutralization of special elements used in an SQL command ('SQL injecti
|
| 49 |
CVE-2026-30118
scalar/astro v0.1.13 was discovered to contain a Server-Side Request Forgery (SS
|
| 49 |
CVE-2026-38429
OpenCMS v20 and before is vulnerable to XML External Entity (XXE) in the Admin I
|
| 49 |
CVE-2026-43341
In the Linux kernel, the following vulnerability has been resolved:
net/ipv6: i
|
| 49 |
CVE-2026-43304
In the Linux kernel, the following vulnerability has been resolved:
libceph: de
|
| 49 |
CVE-2026-43011
In the Linux kernel, the following vulnerability has been resolved:
net/x25: Fi
|
| 49 |
CVE-2026-43037
In the Linux kernel, the following vulnerability has been resolved:
ip6_tunnel:
|
| 49 |
CVE-2026-43038
In the Linux kernel, the following vulnerability has been resolved:
ipv6: icmp:
|
| 49 |
CVE-2026-43067
In the Linux kernel, the following vulnerability has been resolved:
ext4: handl
|
| 49 |
CVE-2026-43378
In the Linux kernel, the following vulnerability has been resolved:
smb: server
|
| 49 |
CVE-2025-67887
1C-Bitrix through 25.100.500 allows Remote Code Execution because an actor with
|
| 49 |
CVE-2026-7385
The Decent Comments WordPress plugin before 3.0.2 does not restrict access to co
|
| 49 |
CVE-2026-30496
The Optoma CinemaX P2 projector (firmware TVOS-04.24.010.04.01, Android 8.0.0) e
|
| 49 |
CVE-2026-31235
The imgaug library thru 0.4.0 contains an insecure deserialization vulnerability
|
| 49 |
CVE-2026-31238
The Ludwig framework thru 0.10.4 is vulnerable to insecure deserialization (CWE-
|
| 49 |
CVE-2026-31236
The llm CLI tool thru 0.27.1 contains a critical code injection vulnerability vi
|
| 49 |
CVE-2026-31230
The Adversarial Robustness Toolbox (ART) thru 1.20.1 contains a command-line arg
|
| 49 |
CVE-2026-31217
The _load_model() function in the neural_magic_training.py script of the optimat
|
| 49 |
CVE-2026-30117
scalar/astro v0.1.13 was discovered to contain an arbitrary file upload vulnerab
|
| 49 |
CVE-2026-31239
The mamba language model framework thru 2.2.6 is vulnerable to insecure deserial
|
| 49 |
CVE-2026-38992
Cockpit v2.13.5 and earlier is vulnerable to arbitrary code execution via the fi
|
| 49 |
CVE-2026-38431
ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SS
|
| 49 |
CVE-2026-31705
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix
|
| 49 |
CVE-2026-28780
Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server.
|
| 49 |
CVE-2026-43125
In the Linux kernel, the following vulnerability has been resolved:
dlm: valida
|
| 49 |
CVE-2026-43414
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2x
|
| 49 |
CVE-2026-45391
Reserved. Details will be published at disclosure.
|
| 49 |
CVE-2026-43039
In the Linux kernel, the following vulnerability has been resolved:
net: ti: ic
|
| 49 |
CVE-2026-31718
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix
|
| 49 |
CVE-2026-43379
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix
|
| 49 |
CVE-2026-43384
In the Linux kernel, the following vulnerability has been resolved:
net/tcp-ao:
|
| 49 |
CVE-2026-45392
Reserved. Details will be published at disclosure.
|
| 49 |
CVE-2026-45393
Reserved. Details will be published at disclosure.
|
| 49 |
CVE-2025-63703
npm package parse-ini v1.0.6 is vulnerable to Prototype Pollution in index.js().
|
| 49 |
CVE-2025-69599
RayVentory Scan Engine through 12.6 Update 8 allows attackers to gain privileges
|
| 49 |
CVE-2026-48902
The password and username reset features created plain http links for https conn
|
| 49 |
CVE-2026-43493
In the Linux kernel, the following vulnerability has been resolved:
crypto: pcr
|
| 49 |
CVE-2026-8376
Perl versions through 5.43.10 have a heap buffer overflow when compiling regular
|
| 49 |
CVE-2026-8401
Sandbox escape in the Profile Backup component. This vulnerability was fixed in
|
| 49 |
CVE-2026-43376
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix
|
| 49 |
CVE-2026-43185
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix
|
| 49 |
CVE-2026-43402
In the Linux kernel, the following vulnerability has been resolved:
kthread: co
|
| 49 |
CVE-2025-63704
NPM package query-parser-string 1.0.0 is vulnerable to Prototype Pollution. The
|
| 49 |
CVE-2025-65719
An issue in Open Source Kubectl MCP Server v1.1.1 allows attackers to execute ar
|
| 49 |
CVE-2025-70067
Buffer Overflow vulnerability exists in Assimp versions up to 6.0.2 in the FBX I
|
| 49 |
CVE-2026-43208
In the Linux kernel, the following vulnerability has been resolved:
net: do not
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 776d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2344d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2157d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1771d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2274d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 5021d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1242d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1044d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3799d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 946d |