Total CVEs
5753
last 30 days
Avg Priority
35.3
of max 220
KEV
8
actively exploited
POC
761
public exploits
Unpatched
1109
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-5281
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co
118
CVE-2026-34621
Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Control
117
CVE-2026-33634
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publi
117
CVE-2026-3055
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP l
114
CVE-2026-34197
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i
109
CVE-2026-3502
TrueConf Client downloads application update code and applies it without performing verification. An
109
CVE-2026-32201
Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform
Priority Distribution
| Priority | CVE |
|---|---|
| 27 |
CVE-2026-29070
Open WebUI is a self-hosted artificial intelligence platform designed to operate
|
| 27 |
CVE-2026-4065
The Smart Slider 3 plugin for WordPress is vulnerable to unauthorized access and
|
| 27 |
CVE-2026-35540
An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient C
|
| 27 |
CVE-2026-33912
OpenEMR is a free and open source electronic health records and medical practice
|
| 27 |
CVE-2026-6383
A flaw was found in KubeVirt's Role-Based Access Control (RBAC) evaluation logic
|
| 27 |
CVE-2026-35600
## Summary
Task titles are embedded directly into Markdown link syntax in overd
|
| 27 |
CVE-2026-2595
The Quads Ads Manager for Google AdSense plugin for WordPress is vulnerable to S
|
| 27 |
CVE-2026-29598
Multiple stored cross-site scripting (XSS) vulnerabilities in the submit_add_use
|
| 27 |
CVE-2026-34974
### Summary
The regex-based SVG sanitizer in phpMyFAQ (`SvgSanitizer.php`) can b
|
| 27 |
CVE-2026-33911
OpenEMR is a free and open source electronic health records and medical practice
|
| 27 |
CVE-2026-40212
OpenStack Skyline before 5.0.1, 6.0.0, and 7.0.0 has a DOM-based Cross-Site Scri
|
| 27 |
CVE-2026-35508
Shynet before 0.14.0 allows XSS in urldisplay and iconify template filters,
|
| 27 |
CVE-2026-39367
WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo
|
| 27 |
CVE-2025-61886
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scri
|
| 27 |
CVE-2026-3215
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripti
|
| 27 |
CVE-2026-3212
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripti
|
| 27 |
CVE-2026-3369
The Better Find and Replace - AI-Powered Suggestions plugin for WordPress is vul
|
| 27 |
CVE-2026-39380
Open Source Point of Sale is a web based point-of-sale application written in PH
|
| 27 |
CVE-2026-31153
A stored cross-site scripting (XSS) vulnerability in Bynder v0.1.394 allows atta
|
| 27 |
CVE-2026-32273
Discourse is an open-source discussion platform. From versions 2026.1.0-latest t
|
| 27 |
CVE-2026-33683
WWBN AVideo is an open source video platform. In versions up to and including 26
|
| 27 |
CVE-2026-34848
hoppscotch is an open source API development ecosystem. Prior to version 2026.3.
|
| 27 |
CVE-2026-2348
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripti
|
| 27 |
CVE-2026-40112
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the Flask API endpoin
|
| 27 |
CVE-2026-34212
Docmost is open-source collaborative wiki and documentation software. In version
|
| 27 |
CVE-2026-33889
ApostropheCMS is an open-source Node.js content management system. Versions 4.28
|
| 27 |
CVE-2026-33978
Notesnook is a note-taking app focused on user privacy & ease of use. Prior to v
|
| 27 |
CVE-2026-2505
The Categories Images plugin for WordPress is vulnerable to Stored Cross-Site Sc
|
| 27 |
CVE-2025-1794
The AM LottiePlayer plugin for WordPress is vulnerable to Stored Cross-Site Scri
|
| 27 |
CVE-2026-32893
Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, a Reflected Cr
|
| 27 |
CVE-2026-35046
Tandoor Recipes is an application for managing recipes, planning meals, and buil
|
| 27 |
CVE-2026-33742
Invoice Ninja is a source-available invoice, quote, project and time-tracking ap
|
| 27 |
CVE-2026-40071
pyLoad is a free and open-source download manager written in Python. Prior to 0.
|
| 27 |
CVE-2026-27288
Adobe Experience Manager versions FP11.7 and earlier are affected by a stored Cr
|
| 27 |
CVE-2026-34624
Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a D
|
| 27 |
CVE-2026-34623
Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a D
|
| 27 |
CVE-2026-34625
Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a D
|
| 27 |
CVE-2026-40479
### Summary
The client-side `escapeForHtml()` function in `KimaiEscape.js`, intr
|
| 27 |
CVE-2026-1561
IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphe
|
| 27 |
CVE-2026-21724
A vulnerability has been discovered in Grafana OSS where an authorization bypass
|
| 27 |
CVE-2026-2483
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to cro
|
| 27 |
CVE-2026-20114
A vulnerability in the Lobby Ambassador web-based management API of Cisco IOS XE
|
| 27 |
CVE-2026-34584
listmonk is a standalone, self-hosted, newsletter and mailing list manager. From
|
| 27 |
CVE-2026-34590
Postiz is an AI social media scheduling tool. Prior to version 2.21.4, the POST
|
| 27 |
CVE-2026-34051
OpenEMR is a free and open source electronic health records and medical practice
|
| 27 |
CVE-2026-1243
IBM Content Navigator 3.0.15, 3.1.0, and 3.2.0 is vulnerable to cross-site scrip
|
| 27 |
CVE-2026-34362
WWBN AVideo is an open source video platform. In versions up to and including 26
|
| 27 |
CVE-2026-39350
Istio is an open platform to connect, manage, and secure microservices. In versi
|
| 27 |
CVE-2026-4274
Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.
|
| 27 |
CVE-2026-32508
Deserialization of Untrusted Data vulnerability in Mikado-Themes Halstein halste
|
| 27 |
CVE-2026-32506
Deserialization of Untrusted Data vulnerability in Edge-Themes Archicon archicon
|
| 27 |
CVE-2025-66485
IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to HTTP header injection, c
|
| 27 |
CVE-2026-32712
Open Source Point of Sale is a web based point-of-sale application written in PH
|
| 27 |
CVE-2026-32510
Deserialization of Untrusted Data vulnerability in Edge-Themes Kamperen kamperen
|
| 27 |
CVE-2026-32509
Deserialization of Untrusted Data vulnerability in Edge-Themes Gracey gracey all
|
| 27 |
CVE-2026-1015
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to ser
|
| 27 |
CVE-2026-3781
The Attendance Manager plugin for WordPress is vulnerable to SQL Injection via t
|
| 27 |
CVE-2025-14912
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to ser
|
| 27 |
CVE-2025-14857
An improper access control vulnerability exists in Semtech LoRa LR11xxx transcei
|
| 27 |
CVE-2026-21011
Incorrect privilege assignment in Bluetooth in Maintenance mode prior to SMR Apr
|
| 27 |
CVE-2026-33887
### Impact
Authenticated Control Panel users could view entry revisions for any
|
| 27 |
CVE-2026-4401
The Download Monitor plugin for WordPress is vulnerable to Cross-Site Request Fo
|
| 27 |
CVE-2026-4056
The User Registration & Membership plugin for WordPress is vulnerable to unautho
|
| 27 |
CVE-2026-33915
OpenEMR is a free and open source electronic health records and medical practice
|
| 27 |
CVE-2026-34749
Payload is a free and open source headless content management system. Prior to v
|
| 27 |
CVE-2026-31352
An authenticated stored cross-site scripting (XSS) vulnerability in the Role Man
|
| 27 |
CVE-2025-70365
A stored cross-site scripting (XSS) vulnerability exists in Kiamo before 8.4 due
|
| 27 |
CVE-2026-31313
An authenticated stored cross-site scripting (XSS) vulnerability in the creation
|
| 27 |
CVE-2026-31350
An authenticated stored cross-site scripting (XSS) vulnerability in Feehi CMS v2
|
| 27 |
CVE-2026-31353
An authenticated stored cross-site scripting (XSS) vulnerability in the Category
|
| 27 |
CVE-2025-70936
Vtiger CRM 8.4.0 contains a reflected cross-site scripting (XSS) vulnerability i
|
| 27 |
CVE-2026-40740
Missing Authorization vulnerability in Themeum Tutor LMS tutor allows Exploiting
|
| 27 |
CVE-2024-46879
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the POST request
|
| 27 |
CVE-2024-46878
A Cross-Site Scripting (XSS) vulnerability exists in the page parameter of tiki-
|
| 27 |
CVE-2026-24069
Kiuwan SAST improperly authorizes SSO logins for locally disabled mapped user ac
|
| 27 |
CVE-2026-39504
Missing Authorization vulnerability in InstaWP InstaWP Connect instawp-connect a
|
| 27 |
CVE-2026-39526
Authorization Bypass Through User-Controlled Key vulnerability in wpstream WpStr
|
| 27 |
CVE-2026-39607
Missing Authorization vulnerability in Wpbens Filter Plus filter-plus allows Exp
|
| 27 |
CVE-2026-39614
Missing Authorization vulnerability in ilGhera JW Player for WordPress jw-player
|
| 27 |
CVE-2026-39645
Server-Side Request Forgery (SSRF) vulnerability in Global Payments GlobalPaymen
|
| 27 |
CVE-2026-39647
Server-Side Request Forgery (SSRF) vulnerability in sonaar MP3 Audio Player for
|
| 27 |
CVE-2026-39695
Server-Side Request Forgery (SSRF) vulnerability in podigee Podigee podigee allo
|
| 27 |
CVE-2026-4332
GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 bef
|
| 27 |
CVE-2026-35207
dde-control-center is the control panel of DDE, the Deepin Desktop Environment.
|
| 27 |
CVE-2026-31354
Multiple authenticated stored cross-site scripting (XSS) vulnerabilities in the
|
| 27 |
CVE-2026-4364
IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify
|
| 27 |
CVE-2026-1636
A potential DLL hijacking vulnerability was reported in Lenovo Service Bridge th
|
| 27 |
CVE-2026-34777
### Impact
When an iframe requests `fullscreen`, `pointerLock`, `keyboardLock`,
|
| 27 |
CVE-2025-63743
Cross-Site Scripting vulnerability in the Snipe-IT web-based asset management sy
|
| 27 |
CVE-2026-40948
The Keycloak authentication manager in `apache-airflow-providers-keycloak` did n
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 738d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2306d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2119d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1733d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2236d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4984d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1204d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1006d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3761d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 908d |