Total CVEs
5724
last 30 days
Avg Priority
35.3
of max 220
KEV
8
actively exploited
POC
769
public exploits
Unpatched
1107
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-5281
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co
118
CVE-2026-34621
Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Control
117
CVE-2026-33634
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publi
117
CVE-2026-3055
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP l
114
CVE-2026-34197
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i
109
CVE-2026-3502
TrueConf Client downloads application update code and applies it without performing verification. An
109
CVE-2026-32201
Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform
Priority Distribution
| Priority | CVE |
|---|---|
| 31 |
CVE-2026-34257
Due to an Open Redirect vulnerability in SAP NetWeaver Application Server ABAP,
|
| 31 |
CVE-2026-30661
iCMS v8.0.0 contains a Cross-Site Scripting (XSS) vulnerability in the User Mana
|
| 31 |
CVE-2026-35539
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exist
|
| 31 |
CVE-2026-35645
OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in the g
|
| 31 |
CVE-2026-4305
The Royal WordPress Backup & Restore Plugin plugin for WordPress is vulnerable t
|
| 31 |
CVE-2026-5960
A weakness has been identified in code-projects Patient Record Management System
|
| 31 |
CVE-2026-20104
A vulnerability in the bootloader of Cisco IOS XE Software for Cisco Catalyst 92
|
| 31 |
CVE-2026-5847
A vulnerability has been found in code-projects Movie Ticketing System 1.0. Impa
|
| 31 |
CVE-2026-6000
A vulnerability was found in code-projects Online Library Management System 1.0.
|
| 31 |
CVE-2026-1877
The Auto Post Scheduler plugin for WordPress is vulnerable to Cross-Site Request
|
| 31 |
CVE-2026-33933
OpenEMR is a free and open source electronic health records and medical practice
|
| 31 |
CVE-2025-6024
The authentication endpoint fails to encode user-supplied input before rendering
|
| 31 |
CVE-2026-39336
ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored c
|
| 31 |
CVE-2026-34729
### Summary
The sanitization pipeline for FAQ content is:
1. `Filter::filterVar(
|
| 31 |
CVE-2026-28297
SolarWinds Observability Self-Hosted was found to be affected by a stored cross-
|
| 31 |
CVE-2026-39335
ChurchCRM is an open-source church management system. Prior to 7.1.1, there is S
|
| 31 |
CVE-2026-35466
XSS vulnerability in cveInterface.js allows for inject HTML to be passed to disp
|
| 31 |
CVE-2026-30162
Cross Site Scripting (xss) vulnerability in Timo 2.0.3 via crafted links in the
|
| 31 |
CVE-2026-34739
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the Us
|
| 31 |
CVE-2026-2349
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripti
|
| 31 |
CVE-2026-33883
### Impact
The `user:reset_password_form` tag could render user-input directly
|
| 31 |
CVE-2026-34405
Nuxt OG Image generates OG Images with Vue templates in Nuxt. Prior to version 6
|
| 31 |
CVE-2026-3217
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripti
|
| 31 |
CVE-2026-30082
Multiple stored cross-site scripting (XSS) vulnerabilities in the Edit feature o
|
| 31 |
CVE-2026-4754
CWE-79 vulnerability in MolotovCherry Android-ImageMagick7.This issue affects An
|
| 31 |
CVE-2025-45806
A cross-site scripting (XSS) vulnerability in rrweb-snapshot before v2.0.0-alpha
|
| 31 |
CVE-2026-5754
Reflected Cross-Site Scripting (XSS) Vulnerability in Radware Alteon 34.5.4.0 vA
|
| 31 |
CVE-2026-34396
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AV
|
| 31 |
CVE-2026-40186
ApostropheCMS is an open-source Node.js content management system. A regression
|
| 31 |
CVE-2026-3528
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripti
|
| 31 |
CVE-2026-3529
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripti
|
| 31 |
CVE-2026-34231
## Summary
A Cross-site Scripting (XSS) vulnerability exists in the `{% attrs %
|
| 31 |
CVE-2025-65132
alandsilva26 hotel-management-php 1.0 is vulnerable to Cross Site Scripting (XSS
|
| 31 |
CVE-2025-65136
In manikandan580 School-management-system 1.0, a reflected XSS vulnerability exi
|
| 31 |
CVE-2024-51226
A stored cross-site scripting (XSS) vulnerability in the component /admin/search
|
| 31 |
CVE-2026-34206
Captcha Protect is a Traefik middleware to add an anti-bot challenge to individu
|
| 31 |
CVE-2026-34229
Emlog is an open source website building system. Prior to version 2.6.8, there i
|
| 31 |
CVE-2025-69993
Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scriptin
|
| 31 |
CVE-2026-40255
### Impact
The `response.redirect().back()` method in `@adonisjs/http-server` i
|
| 31 |
CVE-2026-29934
A reflected cross-site scripting (XSS) vulnerability in the /admin/menus compone
|
| 31 |
CVE-2025-61166
An open redirect in Ascertia SigningHub User v10.0 allows attackers to redirect
|
| 31 |
CVE-2026-4091
The OPEN-BRAIN plugin for WordPress is vulnerable to Cross-Site Request Forgery
|
| 31 |
CVE-2026-6203
The User Registration & Membership plugin for WordPress is vulnerable to Open Re
|
| 31 |
CVE-2026-34237
### Summary
**Hardcoded Wildcard CORS (Access-Control-Allow-Origin: * )**
- ht
|
| 31 |
CVE-2025-70844
yaffa v2.0.0 is vulnerable to Cross Site Scripting (XSS). An attacker can inject
|
| 31 |
CVE-2026-20115
A vulnerability in Cisco IOS XE Software for Cisco Meraki could allow a remote,
|
| 31 |
CVE-2026-20085
A vulnerability in the web-based management interface of Cisco IMC could allow a
|
| 31 |
CVE-2026-40333
libgphoto2 is a camera access and control library. In versions up to and includi
|
| 31 |
CVE-2026-20041
A vulnerability in Cisco Nexus Dashboard and Cisco Nexus Dashboard Insights coul
|
| 31 |
CVE-2026-29933
A reflected cross-site scripting (XSS) vulnerability in the /index/login.html co
|
| 31 |
CVE-2026-26460
A HTML Injection vulnerability exists in the Dashboard module of Vtiger CRM 8.4.
|
| 31 |
CVE-2026-30252
Multiple reflected cross-site scripting (XSS) vulnerabilities in the login.php e
|
| 31 |
CVE-2026-30251
A reflected cross-site scripting (XSS) vulnerability in the login_newpwd.php end
|
| 31 |
CVE-2026-3355
The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Refle
|
| 31 |
CVE-2026-4032
The CodeColorer plugin for WordPress is vulnerable to Stored Cross-Site Scriptin
|
| 31 |
CVE-2025-63238
A Reflected Cross-Site Scripting (XSS) affects LimeSurvey versions prior to 6.15
|
| 31 |
CVE-2026-33170
### Impact
`SafeBuffer#%` does not propagate the `@html_unsafe` flag to the newl
|
| 31 |
CVE-2025-52204
A Cross-Site Scripting (XSS) vulnerability exists in Znuny::ITSM 6.5.x in the cu
|
| 31 |
CVE-2025-61190
A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in DSpa
|
| 31 |
CVE-2026-5896
Policy bypass in Audio in Google Chrome prior to 147.0.7727.55 allowed a remote
|
| 31 |
CVE-2026-40919
A flaw was found in GIMP. This vulnerability, a buffer overflow in the `file-sea
|
| 31 |
CVE-2026-34083
Signal K Server is a server application that runs on a central hub in a boat. Pr
|
| 31 |
CVE-2026-35195
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0
|
| 31 |
CVE-2026-1852
The Product Pricing Table by WooBeWoo plugin for WordPress is vulnerable to Cros
|
| 31 |
CVE-2026-39956
jq is a command-line JSON processor. In commits after 69785bf77f86e2ea1b4a20ca86
|
| 31 |
CVE-2026-35491
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics fo
|
| 31 |
CVE-2026-1116
A Cross-site Scripting (XSS) vulnerability was identified in the `from_dict` met
|
| 31 |
CVE-2026-4647
A flaw was found in the GNU Binutils BFD library, a widely used component for ha
|
| 31 |
CVE-2026-32289
Context was not properly tracked across template branches for JS template litera
|
| 31 |
CVE-2026-26058
Zulip is an open-source team collaboration tool. From version 1.4.0 to before ve
|
| 31 |
CVE-2026-40302
**Summary**
The proxyUi template engine uses Go's text/template (which performs
|
| 31 |
CVE-2026-29969
A cross-site scripting (XSS) vulnerability in the wff_cols_pref.css.aspx endpoin
|
| 31 |
CVE-2026-40340
libgphoto2 is a camera access and control library. Versions up to and including
|
| 31 |
CVE-2026-34852
Stack overflow vulnerability in the media platform.
Impact: Successful exploitat
|
| 31 |
CVE-2026-3635
Summary
When trustProxy is configured with a restrictive trust function (e.g., a
|
| 31 |
CVE-2026-25854
Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in
|
| 30 |
CVE-2026-32903
OpenClaw before 2026.3.2 contains a symlink traversal vulnerability in stageSand
|
| 30 |
CVE-2026-35670
OpenClaw before 2026.3.22 contains a webhook reply delivery vulnerability that a
|
| 30 |
CVE-2026-33952
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to versio
|
| 30 |
CVE-2026-34765
### Impact
When a renderer calls `window.open()` with a target name, Electron di
|
| 30 |
CVE-2026-20136
A vulnerability in the CLI of Cisco Identity Services Engine (ISE) and Cisc
|
| 30 |
CVE-2026-3446
When calling base64.b64decode() or related functions the decoding process would
|
| 30 |
CVE-2026-28214
Firebird is an open-source relational database management system. In versions pr
|
| 30 |
CVE-2026-35622
OpenClaw before 2026.3.22 contains an improper authentication verification vulne
|
| 30 |
CVE-2026-4619
Path Traversal vulnerability in NEC Platforms, Ltd. Aterm Series allows a attack
|
| 30 |
CVE-2026-5446
In wolfSSL, ARIA-GCM cipher suites used in TLS 1.2 and DTLS 1.2 reuse an identic
|
| 30 |
CVE-2026-1079
A native messaging host vulnerability in Pega Browser Extension (PBE) affects us
|
| 30 |
CVE-2026-34210
### Impact
The `stripe/charge` payment method did not check Stripe's `Idempoten
|
| 30 |
CVE-2026-5170
A user with access to the cluster with a limited set of privilege actions can tr
|
| 30 |
CVE-2026-26060
### Summary
A vulnerability in Fleet’s password management logic could allow pr
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 738d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2306d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2119d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1733d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2236d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4983d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1204d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1006d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3761d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 908d |