Total CVEs
5752
last 30 days
Avg Priority
35.3
of max 220
KEV
8
actively exploited
POC
766
public exploits
Unpatched
1109
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-5281
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co
118
CVE-2026-34621
Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Control
117
CVE-2026-33634
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publi
117
CVE-2026-3055
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP l
114
CVE-2026-34197
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i
109
CVE-2026-3502
TrueConf Client downloads application update code and applies it without performing verification. An
109
CVE-2026-32201
Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform
Priority Distribution
| Priority | CVE |
|---|---|
| 28 |
CVE-2026-35477
InvenTree is an Open Source Inventory Management System. From 1.2.3 to 1.2.6, th
|
| 28 |
CVE-2026-27286
InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based
|
| 28 |
CVE-2026-27258
DNG SDK versions 1.7.1 2502 and earlier are affected by an out-of-bounds write v
|
| 28 |
CVE-2026-27301
Adobe Framemaker versions 2022.8 and earlier are affected by a Heap-based Buffer
|
| 28 |
CVE-2026-27300
Adobe Framemaker versions 2022.8 and earlier are affected by an Access of Uninit
|
| 28 |
CVE-2026-4948
A flaw was found in firewalld. A local unprivileged user can exploit this vulner
|
| 28 |
CVE-2026-28881
A privacy issue was addressed by moving sensitive data. This issue is fixed in m
|
| 28 |
CVE-2026-39856
osslsigncode is a tool that implements Authenticode signing and timestamping. Pr
|
| 28 |
CVE-2026-28890
An out-of-bounds read was addressed with improved bounds checking. This issue is
|
| 28 |
CVE-2026-39855
osslsigncode is a tool that implements Authenticode signing and timestamping. Pr
|
| 28 |
CVE-2026-28845
An authorization issue was addressed with improved state management. This issue
|
| 28 |
CVE-2026-27222
Bridge versions 16.0.2, 15.1.4 and earlier are affected by a Divide By Zero vuln
|
| 28 |
CVE-2026-20670
An authorization issue was addressed with improved state management. This issue
|
| 28 |
CVE-2026-28877
An authorization issue was addressed with improved state management. This issue
|
| 28 |
CVE-2026-27285
InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based
|
| 28 |
CVE-2026-28870
An information leakage was addressed with additional validation. This issue is f
|
| 28 |
CVE-2026-20633
This issue was addressed with improved handling of symlinks. This issue is fixed
|
| 28 |
CVE-2026-28831
An authorization issue was addressed with improved state management. This issue
|
| 28 |
CVE-2026-28825
An out-of-bounds write issue was addressed with improved bounds checking. This i
|
| 28 |
CVE-2026-40915
A flaw was found in GIMP. A remote attacker could exploit an integer overflow vu
|
| 28 |
CVE-2026-39464
Server-Side Request Forgery (SSRF) vulnerability in SeedProd Coming Soon Page, U
|
| 28 |
CVE-2026-27315
Sensitive Information Leak in cqlsh in Apache Cassandra 4.0 allows access to sen
|
| 28 |
CVE-2026-40159
PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI’s MCP (Mode
|
| 28 |
CVE-2026-40311
ImageMagick is free and open-source software used for editing and manipulating d
|
| 28 |
CVE-2026-3777
The application does not properly validate the lifetime and validity of internal
|
| 28 |
CVE-2026-28892
A permissions issue was addressed by removing the vulnerable code. This issue is
|
| 28 |
CVE-2026-3776
The application does not validate the presence of required appearance (AP) data
|
| 28 |
CVE-2026-28829
A permissions issue was addressed with additional restrictions. This issue is fi
|
| 28 |
CVE-2026-27815
EVerest is an EV charging software stack. Prior to versions to 2026.02.0, ISO151
|
| 28 |
CVE-2026-27816
EVerest is an EV charging software stack. Prior to versions to 2026.02.0, ISO151
|
| 28 |
CVE-2026-27828
EVerest is an EV charging software stack. Prior to versions to 2026.02.0, ISO151
|
| 28 |
CVE-2026-33853
NULL Pointer Dereference vulnerability in MolotovCherry Android-ImageMagick7.Thi
|
| 28 |
CVE-2026-40918
A flaw was found in GIMP. Processing a specially crafted PVR image file with lar
|
| 28 |
CVE-2026-33855
Integer Overflow or Wraparound vulnerability in MolotovCherry Android-ImageMagic
|
| 28 |
CVE-2025-65116
Buffer Overflow Vulnerability in JP1/IT Desktop Management 2 - Manager on Window
|
| 28 |
CVE-2026-5745
A flaw was found in libarchive. A NULL pointer dereference vulnerability exists
|
| 28 |
CVE-2026-4897
A flaw was found in polkit. A local user can exploit this by providing a special
|
| 28 |
CVE-2026-33905
ImageMagick is free and open-source software used for editing and manipulating d
|
| 28 |
CVE-2026-40183
ImageMagick is free and open-source software used for editing and manipulating d
|
| 28 |
CVE-2026-33902
ImageMagick is free and open-source software used for editing and manipulating d
|
| 28 |
CVE-2026-34933
Avahi is a system which facilitates service discovery on a local network via the
|
| 28 |
CVE-2026-34447
Open Neural Network Exchange (ONNX) is an open standard for machine learning int
|
| 28 |
CVE-2025-9497
Use of Hard-coded Credentials vulnerability in Microchip Time Provider 4100 allo
|
| 28 |
CVE-2026-40310
ImageMagick is free and open-source software used for editing and manipulating d
|
| 28 |
CVE-2026-34730
### Summary
Copier's `_external_data` feature allows a template to load YAML fi
|
| 28 |
CVE-2026-29111
systemd, a system and service manager, (as PID 1) hits an assert and freezes exe
|
| 28 |
CVE-2026-6245
A flaw was found in the System Security Services Daemon (SSSD). The pam_passkey_
|
| 28 |
CVE-2026-20161
A vulnerability in the CLI of Cisco ThousandEyes Enterprise Agent could allow an
|
| 28 |
CVE-2026-32288
tar.Reader can allocate an unbounded amount of memory when reading a maliciously
|
| 28 |
CVE-2026-39392
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
|
| 28 |
CVE-2025-48651
N/A
|
| 28 |
CVE-2026-39984
### Authorization bypass via certificate bag manipulation in sigstore/timestamp-
|
| 28 |
CVE-2025-70795
STProcessMonitor 11.11.4.0, part of the Safetica Application suite, allows an ad
|
| 28 |
CVE-2026-34403
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.
|
| 28 |
CVE-2025-55264
HCL Aftermarket DPC is affected by Failure to Invalidate Session on Password Cha
|
| 28 |
CVE-2026-5600
A new API endpoint introduced in pretix 2025 that is supposed to
return all che
|
| 28 |
CVE-2026-39390
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
|
| 27 |
CVE-2026-5355
A vulnerability has been found in Trendnet TEW-657BRM 1.00.1. Affected by this i
|
| 27 |
CVE-2026-32629
### Summary
An unauthenticated attacker can submit a guest FAQ with an email add
|
| 27 |
CVE-2026-5831
A security flaw has been discovered in Agions taskflow-ai up to 2.1.8. This impa
|
| 27 |
CVE-2026-6141
A vulnerability was determined in danielmiessler Personal_AI_Infrastructure up t
|
| 27 |
CVE-2026-5547
A vulnerability has been found in Tenda AC10 16.03.10.10_multi_TDE01. Affected i
|
| 27 |
CVE-2026-4914
Stored XSS in Ivanti N-ITSM before version 2025.4 allows a remote authenticated
|
| 27 |
CVE-2026-3358
The Tutor LMS - eLearning and online course solution plugin for WordPress is vul
|
| 27 |
CVE-2026-33119
User interface (ui) misrepresentation of critical information in Microsoft Edge
|
| 27 |
CVE-2026-4124
The Ziggeo plugin for WordPress is vulnerable to Missing Authorization in all ve
|
| 27 |
CVE-2026-33400
Wallos is an open-source, self-hostable personal subscription tracker. Prior to
|
| 27 |
CVE-2026-32507
Deserialization of Untrusted Data vulnerability in Elated-Themes Leroux leroux a
|
| 27 |
CVE-2026-32511
Deserialization of Untrusted Data vulnerability in Mikado-Themes Stål stal allow
|
| 27 |
CVE-2026-22569
An incorrect startup configuration of affected versions of Zscaler Client Connec
|
| 27 |
CVE-2026-40155
The Auth0 Next.js SDK is a library for implementing user authentication in Next.
|
| 27 |
CVE-2026-34442
FreeScout is a free help desk and shared inbox built with PHP's Laravel framewor
|
| 27 |
CVE-2026-1509
The Avada (Fusion) Builder plugin for WordPress is vulnerable to Arbitrary WordP
|
| 27 |
CVE-2026-2712
The WP-Optimize plugin for WordPress is vulnerable to unauthorized access of fun
|
| 27 |
CVE-2026-33628
## Vulnerability Details
Invoice line item descriptions in Invoice Ninja v5.13.
|
| 27 |
CVE-2026-34475
Varnish Cache before 8.0.1 and Varnish Enterprise before 6.0.16r12, in certain u
|
| 27 |
CVE-2026-35565
Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Apache St
|
| 27 |
CVE-2026-32562
Missing Authorization vulnerability in WP Folio Team PPWP password-protect-page
|
| 27 |
CVE-2026-29840
JiZhiCMS v2.5.6 and before contains a Stored Cross-Site Scripting (XSS) vulnerab
|
| 27 |
CVE-2026-20108
A vulnerability in the web-based management interface of Cisco Catalyst SD-WAN M
|
| 27 |
CVE-2026-34213
Docmost is open-source collaborative wiki and documentation software. Starting i
|
| 27 |
CVE-2026-34071
Stirling-PDF is a locally hosted web application that allows you to perform vari
|
| 27 |
CVE-2026-34903
Missing Authorization vulnerability in OceanWP Ocean Extra allows Exploiting Inc
|
| 27 |
CVE-2026-35602
## Summary
The Vikunja file import endpoint uses the attacker-controlled `Size`
|
| 27 |
CVE-2026-33406
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level
|
| 27 |
CVE-2026-4335
The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Stored Cros
|
| 27 |
CVE-2026-5895
Incorrect security UI in Omnibox in Google Chrome on iOS prior to 147.0.7727.55
|
| 27 |
CVE-2026-34753
### Summary
A Server Side Request Forgery (SSRF) vulnerability in `download_byt
|
| 27 |
CVE-2026-4829
Improper authentication in the external OAuth authentication flow in Devolutions
|
| 27 |
CVE-2026-35540
An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient C
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 738d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2306d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2119d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1733d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2236d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4984d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1204d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1006d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3761d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 908d |