Total CVEs
5692
last 30 days
Avg Priority
34.0
of max 220
KEV
6
actively exploited
POC
773
public exploits
Unpatched
1564
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-5281
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co
117
CVE-2026-33634
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publi
117
CVE-2026-33017
## Summary
The `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint allows building public flows
117
CVE-2026-3055
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP l
109
CVE-2026-3502
TrueConf Client downloads application update code and applies it without performing verification. An
Priority Distribution
| Priority | CVE |
|---|---|
| 44 |
CVE-2026-4679
Integer overflow in Fonts in Google Chrome prior to 146.0.7680.165 allowed a rem
|
| 44 |
CVE-2026-4674
Out of bounds read in CSS in Google Chrome prior to 146.0.7680.165 allowed a rem
|
| 44 |
CVE-2026-32276
# Security Advisory - Code Study Plugin
## Summary
An authenticated user may b
|
| 44 |
CVE-2026-33506
Ory Polis, formerly known as BoxyHQ Jackson, bridges or proxies a SAML login flo
|
| 44 |
CVE-2026-32974
OpenClaw before 2026.3.12 contains an authentication bypass vulnerability in Fei
|
| 44 |
CVE-2026-33507
## Summary
The `objects/pluginImport.json.php` endpoint allows admin users to u
|
| 44 |
CVE-2026-33686
### Summary
A path traversal vulnerability exists in the FileUtil class of the c
|
| 44 |
CVE-2026-4677
Inappropriate implementation in WebAudio in Google Chrome prior to 146.0.7680.16
|
| 44 |
CVE-2026-35168
OpenSTAManager is an open source management software for technical assistance an
|
| 44 |
CVE-2026-33898
Incus is a system container and virtual machine manager. Prior to version 6.23.0
|
| 44 |
CVE-2026-34197
Improper Input Validation, Improper Control of Generation of Code ('Code Injecti
|
| 44 |
CVE-2025-59710
An issue was discovered in Biztalk360 before 11.5. Because of incorrect access c
|
| 44 |
CVE-2026-20433
In Modem, there is a possible out of bounds write due to a missing bounds check.
|
| 44 |
CVE-2026-4675
Heap buffer overflow in WebGL in Google Chrome prior to 146.0.7680.165 allowed a
|
| 44 |
CVE-2026-4673
Heap buffer overflow in WebAudio in Google Chrome prior to 146.0.7680.165 allowe
|
| 44 |
CVE-2026-32013
OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability i
|
| 44 |
CVE-2026-27894
LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, gr
|
| 44 |
CVE-2026-5027
The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter fro
|
| 44 |
CVE-2026-32973
OpenClaw before 2026.3.11 contains an exec allowlist bypass vulnerability where
|
| 44 |
CVE-2026-22790
EVerest is an EV charging software stack. Prior to version 2026.02.0, `HomeplugM
|
| 44 |
CVE-2026-29056
Kanboard is project management software focused on Kanban methodology. Prior to
|
| 44 |
CVE-2026-33310
### Summary
The shell() syntax within parameter default values appears to be aut
|
| 44 |
CVE-2025-70887
An issue in ralphje Signify before v.0.9.2 allows a remote attacker to escalate
|
| 44 |
CVE-2026-32693
In Juju from version 3.0.0 through 3.6.18, the authorization of the "secret-set"
|
| 44 |
CVE-2026-5465
The Booking for Appointments and Events Calendar - Amelia plugin for WordPress i
|
| 44 |
CVE-2026-33053
**Detection Method:** Kolega.dev Deep Code Scan
| Attribute | Value |
|---|---|
|
| 44 |
CVE-2026-5144
The BuddyPress Groupblog plugin for WordPress is vulnerable to Privilege Escalat
|
| 44 |
CVE-2026-32513
Deserialization of Untrusted Data vulnerability in Miguel Useche JS Archive List
|
| 44 |
CVE-2026-3666
The wpForo Forum plugin for WordPress is vulnerable to arbitrary file deletion i
|
| 44 |
CVE-2026-25445
Deserialization of Untrusted Data vulnerability in Membership Software WishList
|
| 44 |
CVE-2026-4451
Insufficient validation of untrusted input in Navigation in Google Chrome prior
|
| 44 |
CVE-2026-35567
ChurchCRM is an open-source church management system. Prior to 7.1.0, the NewRol
|
| 44 |
CVE-2026-39891
## Summary
Direct insertion of unescaped user input into template-rendering tool
|
| 44 |
CVE-2026-28228
OpenOlat is an open source web-based e-learning platform for teaching, learning,
|
| 44 |
CVE-2026-33991
WeGIA is a web manager for charitable institutions. Prior to version 3.6.7, the
|
| 44 |
CVE-2025-50881
The `flow/admin/moniteur.php` script in Use It Flow administration website befor
|
| 44 |
CVE-2026-4946
Ghidra versions prior to 12.0.3 improperly process annotation directives embedde
|
| 44 |
CVE-2026-33687
### Summary
The `code16/sharp` Laravel admin panel package contains a vulnerabi
|
| 44 |
CVE-2025-15540
"Functions" module in Raytha CMS allows privileged users to write custom code to
|
| 44 |
CVE-2026-24164
NVIDIA BioNeMo contains a vulnerability where a user could cause a deserializati
|
| 44 |
CVE-2026-33511
pyLoad is a free and open-source download manager written in Python. From versio
|
| 44 |
CVE-2025-67030
Directory Traversal vulnerability in the extractFile method of org.codehaus.plex
|
| 44 |
CVE-2026-33717
WWBN AVideo is an open source video platform. In versions up to and including 26
|
| 44 |
CVE-2026-39937
Improper removal of sensitive information before storage or transfer vulnerabili
|
| 44 |
CVE-2026-34184
Hydrosystem Control System does not enforce authorization for some directories.
|
| 44 |
CVE-2026-35044
## Summary
The Dockerfile generation function `generate_containerfile()` in `sr
|
| 44 |
CVE-2026-2931
The Amelia Booking plugin for WordPress is vulnerable to Insecure Direct Object
|
| 44 |
CVE-2026-4314
The 'The Ultimate WordPress Toolkit - WP Extended' plugin for WordPress is vulne
|
| 44 |
CVE-2026-4342
A security issue was discovered in ingress-nginx where a combination of Ingress
|
| 44 |
CVE-2026-33854
Out-of-bounds Write vulnerability in MolotovCherry Android-ImageMagick7.This iss
|
| 44 |
CVE-2026-4261
The Expire Users plugin for WordPress is vulnerable to Privilege Escalation in a
|
| 44 |
CVE-2026-33848
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerab
|
| 44 |
CVE-2026-23514
Kiteworks is a private data network (PDN). Versions 9.2.0 and 9.2.1 of Kiteworks
|
| 44 |
CVE-2026-4484
The Masteriyo LMS plugin for WordPress is vulnerable to Privilege Escalation in
|
| 44 |
CVE-2025-10681
Storage credentials are hardcoded in the mobile app and device firmware. These c
|
| 44 |
CVE-2026-33849
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerab
|
| 44 |
CVE-2026-2941
The Linksy Search and Replace plugin for WordPress is vulnerable to unauthorized
|
| 44 |
CVE-2026-35610
PolarLearn is a free and open-source learning program. In 0-PRERELEASE-14 and ea
|
| 44 |
CVE-2026-33510
Homarr is an open-source dashboard. Prior to 1.57.0, a DOM-based Cross-Site Scri
|
| 44 |
CVE-2026-5286
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote
|
| 44 |
CVE-2026-33124
Frigate is a network video recorder (NVR) with realtime local object detection f
|
| 44 |
CVE-2026-4447
Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.153 allo
|
| 44 |
CVE-2026-5287
Use after free in PDF in Google Chrome prior to 146.0.7680.178 allowed a remote
|
| 44 |
CVE-2026-5866
Use after free in Media in Google Chrome prior to 147.0.7727.55 allowed a remote
|
| 44 |
CVE-2026-5279
Object corruption in V8 in Google Chrome prior to 146.0.7680.178 allowed a remot
|
| 44 |
CVE-2026-4374
Improper Restriction of XML External Entity Reference vulnerability in RTI Conne
|
| 44 |
CVE-2026-4450
Out of bounds write in V8 in Google Chrome prior to 146.0.7680.153 allowed a rem
|
| 44 |
CVE-2026-4464
Integer overflow in ANGLE in Google Chrome prior to 146.0.7680.153 allowed a rem
|
| 44 |
CVE-2026-4462
Out of bounds read in Blink in Google Chrome prior to 146.0.7680.153 allowed a r
|
| 44 |
CVE-2026-22730
A critical SQL injection vulnerability in Spring AI's MariaDBFilterExpressionCon
|
| 44 |
CVE-2026-5274
Integer overflow in Codecs in Google Chrome prior to 146.0.7680.178 allowed a re
|
| 44 |
CVE-2026-4441
Use after free in Base in Google Chrome prior to 146.0.7680.153 allowed a remote
|
| 44 |
CVE-2026-4452
Integer overflow in ANGLE in Google Chrome on Windows prior to 146.0.7680.153 al
|
| 44 |
CVE-2026-5909
Integer overflow in Media in Google Chrome prior to 147.0.7727.55 allowed a remo
|
| 44 |
CVE-2026-4460
Out of bounds read in Skia in Google Chrome prior to 146.0.7680.153 allowed a re
|
| 44 |
CVE-2026-5275
Heap buffer overflow in ANGLE in Google Chrome on Mac prior to 146.0.7680.178 al
|
| 44 |
CVE-2026-4457
Type Confusion in V8 in Google Chrome prior to 146.0.7680.153 allowed a remote a
|
| 44 |
CVE-2026-4456
Use after free in Digital Credentials API in Google Chrome prior to 146.0.7680.1
|
| 44 |
CVE-2026-4461
Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.153 allo
|
| 44 |
CVE-2026-4449
Use after free in Blink in Google Chrome prior to 146.0.7680.153 allowed a remot
|
| 44 |
CVE-2026-5908
Integer overflow in Media in Google Chrome prior to 147.0.7727.55 allowed a remo
|
| 44 |
CVE-2026-4454
Use after free in Network in Google Chrome prior to 146.0.7680.153 allowed a rem
|
| 44 |
CVE-2026-5910
Integer overflow in Media in Google Chrome prior to 147.0.7727.55 allowed a remo
|
| 44 |
CVE-2026-5278
Use after free in Web MIDI in Google Chrome on Android prior to 146.0.7680.178 a
|
| 44 |
CVE-2026-5280
Use after free in WebCodecs in Google Chrome prior to 146.0.7680.178 allowed a r
|
| 44 |
CVE-2026-5285
Use after free in WebGL in Google Chrome prior to 146.0.7680.178 allowed a remot
|
| 44 |
CVE-2026-4445
Use after free in WebRTC in Google Chrome prior to 146.0.7680.153 allowed a remo
|
| 44 |
CVE-2026-4446
Use after free in WebRTC in Google Chrome prior to 146.0.7680.153 allowed a remo
|
| 44 |
CVE-2026-5292
Out of bounds read in WebCodecs in Google Chrome prior to 146.0.7680.178 allowed
|
| 44 |
CVE-2026-27893
vLLM is an inference and serving engine for large language models (LLMs). Starti
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 730d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2298d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2111d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1725d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2228d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4975d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1196d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 998d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3753d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 900d |