Total CVEs: 5662 (last 30 days)
Avg Priority: 35.4 (of max 220)
KEV: 8 (actively exploited)
POC: 771 (public exploits)
Unpatched: 1098 (CRIT/HIGH without patch)

How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
| Signal | Weight | Meaning |
|---|---|---|
| KEV | +50 | CISA Known Exploited Vulnerability: confirmed active exploitation in the wild |
| EPSS | x100 | Exploit Prediction Scoring System: probability of exploitation in next 30 days (0-100) |
| CVSS | x5 | Common Vulnerability Scoring System: technical severity (0-50) |
| POC | +20 | Public exploit code exists: lowers barrier for attackers |

Score bands: 0-40 Low, 40-80 Medium, 80-120 High, 120+ Critical

Patch Now — Known Exploited Vulnerabilities
| Priority | CVE | Description |
|---|---|---|
| 124 | CVE-2026-35616 | An improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an |
| 119 | CVE-2026-5281 | Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co |
| 118 | CVE-2026-34621 | Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Control |
| 117 | CVE-2026-33634 | Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publi |
| 117 | CVE-2026-3055 | Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP l |
| 114 | CVE-2026-34197 | Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i |
| 109 | CVE-2026-3502 | TrueConf Client downloads application update code and applies it without performing verification. An |
| 109 | CVE-2026-32201 | Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform |

Priority Distribution
| Priority | CVE | Description |
|---|---|---|
| 33 | CVE-2026-25627 | NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to v |
| 33 | CVE-2026-33904 | Summary: A deadlock in the AMF's SCTP notification handler causes the entire |
| 33 | CVE-2026-33375 | The Grafana MSSQL data source plugin contains a logic flaw that allows a low-pri |
| 33 | CVE-2026-27879 | A resample query can be used to trigger out-of-memory crashes in Grafana. |
| 33 | CVE-2025-53847 | A missing authentication for critical function vulnerability in Fortinet FortiOS |
| 33 | CVE-2026-28375 | A testdata data-source can be used to trigger out-of-memory crashes in Grafana. |
| 33 | CVE-2026-3119 | Under certain conditions, `named` may crash when processing a correctly signed q |
| 33 | CVE-2026-4666 | The wpForo Forum plugin for WordPress is vulnerable to unauthorized modification |
| 33 | CVE-2026-1672 | The BEAR - Bulk Editor and Products Manager Professional for WooCommerce by Plug |
| 33 | CVE-2026-25219 | The `access_key` and `connection_string` connection properties were not marked a |
| 33 | CVE-2026-27877 | When using public dashboards and direct data-sources, all direct data-sources' p |
| 33 | CVE-2026-3861 | LINE client for iOS versions prior to 26.3.0 contains a vulnerability in the in- |
| 33 | CVE-2026-33345 | solidtime is an open-source time-tracking app. Prior to version 0.11.6, the proj |
| 33 | CVE-2026-4668 | The Booking for Appointments and Events Calendar - Amelia plugin for WordPress i |
| 33 | CVE-2026-3773 | The Accessibility Suite by Ability, Inc plugin for WordPress is vulnerable to SQ |
| 33 | CVE-2026-5901 | Insufficient policy enforcement in DevTools in Google Chrome prior to 147.0.7727 |
| 33 | CVE-2026-39632 | Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Blog grandbl |
| 33 | CVE-2026-39633 | Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Car Rental g |
| 33 | CVE-2026-39641 | Cross-Site Request Forgery (CSRF) vulnerability in Skywarrior Blackfyre blackfyr |
| 33 | CVE-2026-4728 | Spoofing issue in the Privacy: Anti-Tracking component. This vulnerability affec |
| 33 | CVE-2026-24029 | When the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is ena |
| 32 | CVE-2026-2377 | A flaw was found in mirror-registry. Authenticated users can exploit the log exp |
| 32 | CVE-2026-40896 | OpenProject is open-source, web-based project management software. Prior to vers |
| 32 | CVE-2026-40293 | OpenFGA is an authorization/permission engine built for developers. In versions |
| 32 | CVE-2026-34897 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti |
| 32 | CVE-2026-35403 | LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web app |
| 32 | CVE-2025-66954 | A vulnerability exists in the Buffalo Link Station version 1.85-0.01 that allows |
| 32 | CVE-2025-55265 | HCL Aftermarket DPC is affected by File Discovery which allows attacker could ex |
| 32 | CVE-2026-34756 | Summary: A Denial of Service vulnerability exists in the vLLM OpenAI-compatib |
| 32 | CVE-2025-15636 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti |
| 32 | CVE-2026-34755 | Summary: The `VideoMediaIO.load_base64()` method at `vllm/multimodal/media/vi |
| 32 | CVE-2026-4278 | The Simple Download Counter plugin for WordPress is vulnerable to Stored Cross-S |
| 32 | CVE-2026-5742 | The UsersWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in |
| 32 | CVE-2026-4429 | The OSM - OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site |
| 32 | CVE-2026-3659 | The WP Circliful plugin for WordPress is vulnerable to Stored Cross-Site Scripti |
| 32 | CVE-2025-13535 | The King Addons for Elementor plugin for WordPress is vulnerable to multiple Con |
| 32 | CVE-2026-3618 | The Columns by BestWebSoft plugin for WordPress is vulnerable to Stored Cross-Si |
| 32 | CVE-2026-34716 | WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AV |
| 32 | CVE-2026-4336 | The Ultimate FAQ Accordion plugin for WordPress is vulnerable to Stored Cross-Si |
| 32 | CVE-2026-4303 | The WP Visitor Statistics (Real Time Traffic) plugin for WordPress is vulnerable |
| 32 | CVE-2026-4025 | The PrivateContent Free plugin for WordPress is vulnerable to Stored Cross-Site |
| 32 | CVE-2026-4075 | The BWL Advanced FAQ Manager Lite plugin for WordPress is vulnerable to Stored C |
| 32 | CVE-2026-3142 | The Pinterest Site Verification plugin using Meta Tag plugin for WordPress is vu |
| 32 | CVE-2026-2305 | The AddFunc Head & Footer Code plugin for WordPress is vulnerable to Stored Cros |
| 32 | CVE-2026-5590 | A race condition during TCP connection teardown can cause tcp_recv() to operate |
| 32 | CVE-2026-33335 | Vikunja is an open-source self-hosted task management platform. Starting in vers |
| 32 | CVE-2026-4300 | The Robo Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripti |
| 32 | CVE-2026-3600 | The Investi plugin for WordPress is vulnerable to Stored Cross-Site Scripting vi |
| 32 | CVE-2026-1559 | The Youzify plugin for WordPress is vulnerable to Stored Cross-Site Scripting vi |
| 32 | CVE-2026-4073 | The pdfl.io plugin for WordPress is vulnerable to Stored Cross-Site Scripting vi |
| 32 | CVE-2026-4333 | The LearnPress - WordPress LMS Plugin plugin for WordPress is vulnerable to Stor |
| 32 | CVE-2026-4059 | The ShopLentor plugin for WordPress is vulnerable to Stored Cross-Site Scripting |
| 32 | CVE-2026-1263 | The Webling plugin for WordPress is vulnerable to Stored Cross-Site Scripting in |
| 32 | CVE-2026-5357 | The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scr |
| 32 | CVE-2026-4895 | The GreenShift - Animation and Page Builder Blocks plugin for WordPress is vulne |
| 32 | CVE-2026-4785 | The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for W |
| 32 | CVE-2026-4341 | The Prime Slider - Addons for Elementor plugin for WordPress is vulnerable to St |
| 32 | CVE-2026-3513 | The TableOn - WordPress Posts Table Filterable plugin for WordPress is vulnerabl |
| 32 | CVE-2026-4655 | The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Stor |
| 32 | CVE-2026-33679 | Vikunja is an open-source self-hosted task management platform. Prior to version |
| 32 | CVE-2026-33675 | Vikunja is an open-source self-hosted task management platform. Prior to version |
| 32 | CVE-2026-4544 | A vulnerability was determined in Wavlink WL-WN578W2 221110. This affects an unk |
| 32 | CVE-2026-3998 | The WM JqMath plugin for WordPress is vulnerable to Stored Cross-Site Scripting |
| 32 | CVE-2026-4389 | The DSGVO snippet for Leaflet Map and its Extensions plugin for WordPress is vul |
| 32 | CVE-2026-3427 | The Yoast SEO - Advanced SEO with real-time guidance and built-in AI plugin for |
| 32 | CVE-2026-5162 | The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cros |
| 32 | CVE-2026-5711 | The Post Blocks & Tools plugin for WordPress is vulnerable to Stored Cross-Site |
| 32 | CVE-2026-4011 | The Power Charts Lite plugin for WordPress is vulnerable to Stored Cross-Site Sc |
| 32 | CVE-2026-1834 | The Ibtana - WordPress Website Builder plugin for WordPress is vulnerable to Sto |
| 32 | CVE-2026-5506 | The Wavr plugin for WordPress is vulnerable to Stored Cross-Site Scripting via t |
| 32 | CVE-2026-4005 | The Coachific Shortcode plugin for WordPress is vulnerable to Stored Cross-Site |
| 32 | CVE-2026-3498 | The BlockArt Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scri |
| 32 | CVE-2026-2480 | The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerabl |
| 32 | CVE-2026-4576 | A vulnerability has been found in code-projects Exam Form Submission 1.0. Impact |
| 32 | CVE-2026-4577 | A vulnerability was found in code-projects Exam Form Submission 1.0. The affecte |
| 32 | CVE-2026-4578 | A vulnerability was determined in code-projects Exam Form Submission 1.0. The im |
| 32 | CVE-2026-4575 | A flaw has been found in code-projects Exam Form Submission 1.0. This issue affe |
| 32 | CVE-2026-1396 | The Magic Conversation For Gravity Forms plugin for WordPress is vulnerable to S |
| 32 | CVE-2025-6229 | The Sina Extension for Elementor (Header Builder, Footer Builter, Theme Builder, |
| 32 | CVE-2026-2437 | The WP Travel Engine - Tour Booking Plugin - Tour Operator Software plugin for W |
| 32 | CVE-2026-3239 | The Strong Testimonials plugin for WordPress is vulnerable to Stored Cross-Site |
| 32 | CVE-2026-3005 | The List category posts plugin for WordPress is vulnerable to Stored Cross-Site |
| 32 | CVE-2026-4766 | The Easy Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site S |
| 32 | CVE-2025-71276 | SOGo before 5.12.5 is prone to a XSS vulnerability with events, tasks, and conta |
| 32 | CVE-2026-5508 | The WowPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting v |
| 32 | CVE-2026-0894 | The Content Blocks (Custom Post Widget) plugin for WordPress is vulnerable to St |
| 32 | CVE-2026-3311 | The The Plus Addons for Elementor - Addons for Elementor, Page Templates, Widget |
| 32 | CVE-2026-4871 | The Sports Club Management plugin for WordPress is vulnerable to Stored Cross-Si |
| 32 | CVE-2026-2949 | The Xpro Addons - 140+ Widgets for Elementor plugin for WordPress is vulnerable |
| 32 | CVE-2026-5717 | The VI: Include Post By plugin for WordPress is vulnerable to Stored Cross-Site |

Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 738d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2306d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2119d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1732d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2236d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4983d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1204d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1005d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3760d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 907d |