Skip to main content

Security Dashboard

7d 14d 30d 90d
Total CVEs
6303
last 30 days
Avg Priority
30.6
of max 220
KEV
14
actively exploited
POC
495
public exploits
Unpatched
937
CRIT/HIGH without patch
How is Priority Score calculated?

Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:

KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low 40-80 Medium 80-120 High 120+ Critical

Patch Now — Known Exploited Vulnerabilities

136
CVE-2026-0300
A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service o
CRITICAL
133
CVE-2026-41940
cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, an
CRITICAL
131
CVE-2026-6973
An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows 
HIGH
131
CVE-2026-42897
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Ex
HIGH
127
CVE-2026-20182
May 2026: This security advisory provides the details and fix information for a vulnerability that w
CRITICAL
126
CVE-2026-41091
Improper link resolution before file access ('link following') in Microsoft Defender allows an autho
HIGH
120
CVE-2026-48172
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exp
CRITICAL
118
CVE-2026-45321
## Summary On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 4
CRITICAL
117
CVE-2026-42208
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1
CRITICAL
117
CVE-2026-8398
A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows v
CRITICAL

Priority Distribution

CRITICAL HIGH MEDIUM LOW KEV Only POC Only Unpatched CRIT/HIGH
Priority CVE
49 CVE-2026-43465
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e:
49 CVE-2026-43185
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix
49 CVE-2026-43198
In the Linux kernel, the following vulnerability has been resolved: tcp: fix po
49 CVE-2026-7414
Yarbo firmware v2.3.9 contains hardcoded administrative credentials embedded in
49 CVE-2026-37534
Integer underflow vulnerability in Open-SAE-J1939 thru commit b6caf884df46435e53
49 CVE-2026-38428
Kestra v1.3.3 and before is vulnerable to SQL Injection. The vulnerability occur
49 CVE-2026-8091
Incorrect boundary conditions in the Audio/Video: Playback component. This vulne
49 CVE-2026-8507
Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl have out of bound (OOB) wr
49 CVE-2026-8721
Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwords with e
49 CVE-2026-8094
Other issue in the WebRTC component. This vulnerability was fixed in Firefox ESR
49 CVE-2026-8108
The installation of Fuji Tellus adds a driver to the kernel which grants all use
49 CVE-2026-36458
ChestnutCMS v1.5.10 has a SQL injection vulnerability. The content parameter of
49 CVE-2026-46817
Vulnerability in the Oracle Payments product of Oracle E-Business Suite (compone
49 CVE-2026-42731
Incorrect Privilege Assignment vulnerability in miniOrange miniorange otp verifi
49 CVE-2026-6508
Origin Validation Error vulnerability in TUBITAK BILGEM Software Technologies Re
49 CVE-2026-48689
FastNetMon Community Edition through 1.2.9 contains an off-by-one heap-based buf
49 CVE-2025-12686
Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerabi
49 CVE-2026-44649
## Resolution SillyTavern 1.18.0 now includes a configuration option to limit w
49 CVE-2026-7524
IBM Langflow OSS 1.0.0 through 1.9.1 could allow remote code execution due to im
49 CVE-2026-8364
Gladinet Triofox Cloud Server Agent Access Service (GladServerAgentService.exe)
49 CVE-2026-25879
# Security Vulnerability Report: Prompt to SQL Injection leading to RCE in lates
49 CVE-2026-36829
An authentication bypass vulnerability exists in the embedded HTTP server of Pan
49 CVE-2026-8363
A stack-based buffer overflow condition exists in WOSDeviceDropFolder.dll when p
49 CVE-2026-46670
### Summary An unauthenticated SQL injection in the Bazar form-import path (`Fo
49 CVE-2026-9642
There is a mitigation bypass / (incomplete fix) for CVE-2025-62582 (Unauthentica
49 CVE-2026-46562
# Remote Code Execution via Mission Database algorithm override ## Summary The
49 CVE-2026-48687
FastNetMon Community Edition through 1.2.9 contains an OS command injection vuln
49 CVE-2026-8175
IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 Fix Pack 1 and IBM A
49 CVE-2025-71210
A vulnerability in the Trend Micro Apex One management console could allow a rem
49 CVE-2025-71211
A vulnerability in the Trend Micro Apex One management console could allow a rem
49 CVE-2026-38703
A command injection vulnerability exists in the ZeroTier VPN feature of InHand N
49 CVE-2026-45039
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta
49 CVE-2026-48207
Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializ
49 CVE-2026-42482
A stack-based buffer overflow in mangle_to_hex_lower() and mangle_to_hex_upper()
49 CVE-2026-42483
A heap-based buffer overflow in the Kerberos hash parser in hashcat v7.1.2 allow
49 CVE-2026-4883
The Piotnet Forms plugin for WordPress is vulnerable to arbitrary file upload du
49 CVE-2026-45697
### Impact - Unauthenticated users could submit crafted values into Hidden field
49 CVE-2026-8760
The Login with OTP plugin for WordPress is vulnerable to authentication bypass i
49 CVE-2026-46614
### Summary The Fission router registers an internal-style route - `/fission-fu
49 CVE-2026-45288
## Summary Marten's full-text search APIs interpolated the user-supplied `regCo
49 CVE-2026-38704
A command injection vulnerability exists in the WireGuard VPN feature of InHand
49 CVE-2026-34311
Vulnerability in the Oracle Hospitality OPERA 5 Property Services product of Ora
49 CVE-2026-6960
The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file upload
49 CVE-2026-8809
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privi
49 CVE-2026-41497
PraisonAI is a multi-agent teams system. Prior to version 4.6.9, the fix for Pra
49 CVE-2026-5118
The Divi Form Builder plugin for WordPress is vulnerable to privilege escalation
49 CVE-2026-37431
Beauty Parlour Management System v1.1 was discovered to contain a SQL injection
49 CVE-2026-38702
A command injection vulnerability exists in the Admin Access feature of InHand N
49 CVE-2026-42484
A heap-based buffer overflow in hex_to_binary in the PKZIP hash parser in hashca
49 CVE-2026-38707
A command injection vulnerability exists in the IPSec VPN feature of InHand Netw
49 CVE-2026-45695
## Summary Kopia's HTTP server, when started with `--without-password `, accept
49 CVE-2026-7593
A security vulnerability has been detected in Sunwood-ai-labs command-executor-m
49 CVE-2026-7785
A security flaw has been discovered in A-G-U-P-T-A wireshark-mcp edaf604416fbc94
49 CVE-2026-7812
A vulnerability was found in 54yyyu code-mcp up to 4cfc4643541a110c906d93635b391
49 CVE-2026-9367
A vulnerability was determined in NousResearch hermes-agent up to 5157f5427f1948
49 CVE-2026-7698
A vulnerability was identified in Tiandy Easy7 Integrated Management Platform 7.
48 CVE-2026-7446
A vulnerability was detected in VetCoders mcp-server-semgrep 1.0.0. This affects
48 CVE-2026-7443
A weakness has been identified in BurtTheCoder mcp-dnstwist up to 1.0.4. Affecte
48 CVE-2026-42090
Notesnook is a note-taking app focused on user privacy & ease of use. Prior to N
48 CVE-2026-2587
A critical Remote Code Execution (RCE) vulnerability was identified in the serve
48 CVE-2026-41615
Exposure of sensitive information to an unauthorized actor in Microsoft Authenti
48 CVE-2026-8043
External control of a file name in Ivanti Xtraction before version 2026.2 allows
48 CVE-2026-43899
DeepChat is an open-source artificial intelligence agent platform that unifies m
48 CVE-2026-8511
Use after free in UI in Google Chrome prior to 148.0.7778.168 allowed a remote a
48 CVE-2026-8580
Use after free in Mojo in Google Chrome prior to 148.0.7778.168 allowed a remote
48 CVE-2026-8959
Sandbox escape due to incorrect boundary conditions in the Widget: Win32 compone
48 CVE-2026-43941
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ft
48 CVE-2026-39821
The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels t
48 CVE-2026-35435
Improper access control in Azure AI Foundry M365 published agents allows an unau
48 CVE-2026-42048
## Summary Langflow is vulnerable to Path Traversal in the Knowledge Bases API (
48 CVE-2026-2611
In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin
48 CVE-2026-5166
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') v
48 CVE-2026-42880
### Summary There is a missing authorization and data-masking gap in Argo CD's S
48 CVE-2026-44547
ChurchCRM is an open-source church management system. From 7.2.0 to 7.2.2, The f
48 CVE-2026-42087
OpenC3 COSMOS provides the functionality needed to send commands to and receive
48 CVE-2026-42088
OpenC3 COSMOS provides the functionality needed to send commands to and receive
48 CVE-2026-34263
Due to improper Spring Security configuration, SAP Commerce cloud allows an unau
48 CVE-2026-25293
Buffer overflow due to incorrect authorization in PLC FW
48 CVE-2026-7910
Use after free in Views in Google Chrome prior to 148.0.7778.96 allowed a remote
48 CVE-2026-34260
SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerabil
48 CVE-2026-36760
An issue in the fileMd5 parameter in the /a/file/upload endpoint of JeeSite v5.1
48 CVE-2026-45323
MeshCore Card provides MeshCore Lovelace card for Home Assistant. Prior to 0.3.3
48 CVE-2026-8670
Insufficient session expiration vulnerability in syslink software AG Avantra on
48 CVE-2026-46703
#### Summary Boxlite is a sandbox service that allows users to create lightweig
48 CVE-2026-41589
Wish is an SSH server with defaults and a collection of middlewares. From versio
48 CVE-2026-7908
Use after free in Fullscreen in Google Chrome prior to 148.0.7778.96 allowed a r
48 CVE-2026-44482
soundcloud-rpc is a SoundCloud Client with Discord Rich Presence, Dark Mode, Las
48 CVE-2026-44211
## Summary The `kanban` npm package (used by the `cline` CLI) starts a WebSocke
48 CVE-2026-45374
### Summary The `task_create` tool spawns durable sub-agents that inherit two i
48 CVE-2026-8953
Sandbox escape due to use-after-free in the Disability Access APIs component. Th

Oldest Unpatched Critical/High CVEs

CVE Severity CVSS Priority Days Open
CVE-2024-3400 CRITICAL 10.0 224 776d
CVE-2019-19781 CRITICAL 9.8 223 2344d
CVE-2020-5902 CRITICAL 9.8 223 2157d
CVE-2021-35464 CRITICAL 9.8 223 1771d
CVE-2020-10189 CRITICAL 9.8 223 2274d
CVE-2012-4681 CRITICAL 9.8 223 5021d
CVE-2022-42475 CRITICAL 9.8 223 1242d
CVE-2023-3519 CRITICAL 9.8 223 1044d
CVE-2015-7450 CRITICAL 9.8 222 3799d
CVE-2023-34048 CRITICAL 9.8 222 946d
Prev 5 / 71 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy