Total CVEs
6303
last 30 days
Avg Priority
30.6
of max 220
KEV
14
actively exploited
POC
495
public exploits
Unpatched
937
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
136
CVE-2026-0300
A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service o
133
CVE-2026-41940
cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, an
131
CVE-2026-6973
An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows
131
CVE-2026-42897
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Ex
127
CVE-2026-20182
May 2026: This security advisory provides the details and fix information for a vulnerability that w
126
CVE-2026-41091
Improper link resolution before file access ('link following') in Microsoft Defender allows an autho
120
CVE-2026-48172
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exp
118
CVE-2026-45321
## Summary
On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 4
117
CVE-2026-42208
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1
117
CVE-2026-8398
A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows v
Priority Distribution
| Priority | CVE |
|---|---|
| 44 |
CVE-2026-8955
Privilege escalation in the DOM: Workers component. This vulnerability was fixed
|
| 44 |
CVE-2026-8957
Privilege escalation in the Enterprise Policies component. This vulnerability wa
|
| 44 |
CVE-2026-41075
RT is an open source, enterprise-grade issue and ticket tracking system. Version
|
| 44 |
CVE-2026-46586
Improper Control of Generation of Code ('Code Injection'), Improper Neutralizati
|
| 44 |
CVE-2026-9112
Use after free in GPU in Google Chrome on Windows prior to 148.0.7778.179 allowe
|
| 44 |
CVE-2026-9114
Use after free in QUIC in Google Chrome on prior to 148.0.7778.179 allowed a rem
|
| 44 |
CVE-2026-9118
Use after free in XR in Google Chrome on Windows prior to 148.0.7778.179 allowed
|
| 44 |
CVE-2026-9120
Use after free in WebRTC in Google Chrome prior to 148.0.7778.179 allowed a remo
|
| 44 |
CVE-2026-8972
Privilege escalation in the WebRTC: Audio/Video component. This vulnerability wa
|
| 44 |
CVE-2026-8952
Privilege escalation in the Application Update component. This vulnerability was
|
| 44 |
CVE-2026-42455
Linkwarden is a self-hosted, open-source collaborative bookmark manager to colle
|
| 44 |
CVE-2026-43187
In the Linux kernel, the following vulnerability has been resolved:
xfs: delete
|
| 44 |
CVE-2026-43334
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth:
|
| 44 |
CVE-2026-43158
In the Linux kernel, the following vulnerability has been resolved:
xfs: fix fr
|
| 44 |
CVE-2026-43283
In the Linux kernel, the following vulnerability has been resolved:
net: ethern
|
| 44 |
CVE-2026-28995
A logic issue was addressed with improved restrictions. This issue is fixed in i
|
| 44 |
CVE-2026-43018
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth:
|
| 44 |
CVE-2026-43232
In the Linux kernel, the following vulnerability has been resolved:
net: wan: f
|
| 44 |
CVE-2026-7641
The Import and export users and customers plugin for WordPress is vulnerable to
|
| 44 |
CVE-2026-36765
An XML external entity (XXE) vulnerability in the /designer/loadReport endpoint
|
| 44 |
CVE-2025-53844
A out-of-bounds write vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, For
|
| 44 |
CVE-2026-9121
Out of bounds read in GPU in Google Chrome on prior to 148.0.7778.179 allowed a
|
| 44 |
CVE-2026-44713
pam_usb provides hardware authentication for Linux using ordinary removable medi
|
| 44 |
CVE-2026-9111
Use after free in WebRTC in Google Chrome on Linux prior to 148.0.7778.179 allow
|
| 44 |
CVE-2026-30495
The Optoma CinemaX P2 projector (firmware TVOS-04.24.010.04.01, Android 8.0.0) e
|
| 44 |
CVE-2026-3772
The WP Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery i
|
| 44 |
CVE-2026-9119
Heap buffer overflow in WebRTC in Google Chrome on prior to 148.0.7778.179 allow
|
| 44 |
CVE-2026-40403
Heap-based buffer overflow in Windows Win32K - GRFX allows an authorized attacke
|
| 44 |
CVE-2026-42372
D-Link DIR-605L Hardware Revision A1 (End-of-Life, EOL) contains a hardcoded tel
|
| 44 |
CVE-2026-43172
In the Linux kernel, the following vulnerability has been resolved:
wifi: iwlwi
|
| 44 |
CVE-2026-43403
In the Linux kernel, the following vulnerability has been resolved:
nsfs: tight
|
| 44 |
CVE-2026-39461
libcasper(3) communicates with helper processes via UNIX domain sockets, and use
|
| 44 |
CVE-2026-43490
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: vali
|
| 44 |
CVE-2026-31735
In the Linux kernel, the following vulnerability has been resolved:
iommupt: Fi
|
| 44 |
CVE-2026-43113
In the Linux kernel, the following vulnerability has been resolved:
wifi: wl125
|
| 44 |
CVE-2026-43112
In the Linux kernel, the following vulnerability has been resolved:
fs/smb/clie
|
| 44 |
CVE-2026-43110
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmf
|
| 44 |
CVE-2026-31706
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: vali
|
| 44 |
CVE-2026-28947
A use-after-free issue was addressed with improved memory management. This issue
|
| 44 |
CVE-2026-6963
The WP Mail Gateway plugin for WordPress is vulnerable to unauthorized access du
|
| 44 |
CVE-2026-31709
In the Linux kernel, the following vulnerability has been resolved:
smb: client
|
| 44 |
CVE-2026-43249
In the Linux kernel, the following vulnerability has been resolved:
9p/xen: pro
|
| 44 |
CVE-2026-8587
Use after free in Extensions in Google Chrome on Mac prior to 148.0.7778.168 all
|
| 44 |
CVE-2026-43322
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth:
|
| 44 |
CVE-2026-43239
In the Linux kernel, the following vulnerability has been resolved:
smb: client
|
| 44 |
CVE-2026-36956
A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management i
|
| 44 |
CVE-2026-31739
In the Linux kernel, the following vulnerability has been resolved:
crypto: teg
|
| 44 |
CVE-2026-43391
In the Linux kernel, the following vulnerability has been resolved:
nsfs: tight
|
| 44 |
CVE-2026-43215
In the Linux kernel, the following vulnerability has been resolved:
cifs: Fix l
|
| 44 |
CVE-2026-43176
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw89
|
| 44 |
CVE-2026-42289
ChurchCRM is an open-source church management system. Prior to 7.3.2, UserEditor
|
| 44 |
CVE-2026-43048
In the Linux kernel, the following vulnerability has been resolved:
HID: core:
|
| 44 |
CVE-2026-42503
gopls by default communicates via pipe. However, -port and -listen flags are sup
|
| 44 |
CVE-2026-31717
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: vali
|
| 44 |
CVE-2026-28923
A logging issue was addressed with improved data redaction. This issue is fixed
|
| 44 |
CVE-2025-62624
A heap-based buffer overflow in the ionic cloud driver for VMware ESXi could all
|
| 44 |
CVE-2026-34464
Sandboxie-Plus is an open source sandbox-based isolation software for Windows. I
|
| 44 |
CVE-2026-34459
Sandboxie-Plus is an open source sandbox-based isolation software for Windows. I
|
| 44 |
CVE-2026-37536
miaofng/uds-c commit e506334e270d77b20c0bc259ac6c7d8c9b702b7a (2016-10-05) conta
|
| 44 |
CVE-2026-36762
An issue in the fileEntityId parameter in the /a/file/upload endpoint of JeeSite
|
| 44 |
CVE-2025-62623
A heap-based buffer overflow in the ionic cloud driver for VMware ESXi could all
|
| 44 |
CVE-2026-28978
A permissions issue was addressed with additional restrictions. This issue is fi
|
| 44 |
CVE-2025-58074
A privilege escalation vulnerability exists during the installation of Norton Se
|
| 44 |
CVE-2025-43524
An access issue was addressed with additional sandbox restrictions. This issue i
|
| 44 |
CVE-2026-41489
Pi-hole is a DNS sinkhole that protects devices from unwanted content without in
|
| 44 |
CVE-2026-0073
In adbd_tls_verify_cert of auth.cpp, there is a possible bypass of wireless ADB
|
| 44 |
CVE-2026-6389
IBM Turbonomic prometurbo agent 8.16.0 through 8.17.6 IBM Turbonomic Application
|
| 44 |
CVE-2026-31069
BillaBear (all versions prior to Jan 2026) contains a SQL Injection vulnerabilit
|
| 44 |
CVE-2026-44925
Cross-Site Request Forgery (CSRF) vulnerability in InfoScale v.9.1.3 Operations
|
| 44 |
CVE-2026-20034
A vulnerability in the web-based management interface of Cisco Unity Connection
|
| 44 |
CVE-2026-7930
Insufficient validation of untrusted input in Cookies in Google Chrome prior to
|
| 44 |
CVE-2026-7928
Use after free in WebRTC in Google Chrome on Windows prior to 148.0.7778.96 allo
|
| 44 |
CVE-2026-7940
Use after free in V8 in Google Chrome prior to 148.0.7778.96 allowed an attacker
|
| 44 |
CVE-2026-45805
### Summary
The MCP module's `ReplServer` binds to all interfaces (`0.0.0.0:440
|
| 44 |
CVE-2025-15024
Improper Control of Generation of Code ('Code Injection') vulnerability in Yorda
|
| 44 |
CVE-2026-6002
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vu
|
| 44 |
CVE-2026-5784
Improper neutralization of input during web page generation ('cross-site scripti
|
| 44 |
CVE-2025-12008
Authorization bypass through User-Controlled key vulnerability in APPYAP Technol
|
| 44 |
CVE-2025-15023
Incorrect Authorization vulnerability in Yordam Information Technology Consultin
|
| 44 |
CVE-2026-8000
Insufficient validation of untrusted input in ChromeDriver in Google Chrome on W
|
| 44 |
CVE-2026-9018
The Easy Elements for Elementor - Addons & Website Templates plugin for WordPres
|
| 44 |
CVE-2026-7973
Integer overflow in Dawn in Google Chrome on Windows prior to 148.0.7778.96 allo
|
| 44 |
CVE-2026-48235
Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in incs/r
|
| 44 |
CVE-2026-3425
The RTMKit Addons for Elementor plugin for WordPress is vulnerable to Local File
|
| 44 |
CVE-2026-6406
The Docker CLI --use-api-socket flag bypasses Enhanced Container Isolation (ECI)
|
| 44 |
CVE-2026-7988
Type Confusion in WebRTC in Google Chrome prior to 148.0.7778.96 allowed a remot
|
| 44 |
CVE-2026-42559
## Summary
Prior to version 1.4.0, the `rmcp` crate's Streamable HTTP server tr
|
| 44 |
CVE-2026-47125
## Summary
The `PUT /api/environments/{id}/templates/variables` endpoint, which
|
| 44 |
CVE-2026-36960
A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management i
|
| 44 |
CVE-2026-46612
### Summary
The Fission `storagesvc` component registers archive CRUD handlers
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 776d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2344d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2157d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1771d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2274d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 5021d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1242d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1044d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3799d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 946d |