Total CVEs
5697
last 30 days
Avg Priority
34.0
of max 220
KEV
6
actively exploited
POC
777
public exploits
Unpatched
1569
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-5281
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co
117
CVE-2026-33634
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publi
117
CVE-2026-33017
## Summary
The `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint allows building public flows
117
CVE-2026-3055
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP l
109
CVE-2026-3502
TrueConf Client downloads application update code and applies it without performing verification. An
Priority Distribution
| Priority | CVE |
|---|---|
| 47 |
CVE-2026-25377
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injecti
|
| 47 |
CVE-2026-24993
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injecti
|
| 47 |
CVE-2026-25371
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injecti
|
| 47 |
CVE-2026-32499
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injecti
|
| 47 |
CVE-2026-22484
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injecti
|
| 47 |
CVE-2026-31920
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injecti
|
| 47 |
CVE-2026-28827
A parsing issue in the handling of directory paths was addressed with improved p
|
| 47 |
CVE-2026-20688
A path handling issue was addressed with improved validation. This issue is fixe
|
| 47 |
CVE-2026-32917
OpenClaw before 2026.3.13 contains a remote command injection vulnerability in t
|
| 47 |
CVE-2026-4744
Out-of-bounds Read vulnerability in rizonesoft Notepad3 (scintilla/oniguruma/sr
|
| 47 |
CVE-2026-32915
OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability allow
|
| 47 |
CVE-2026-1346
IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify
|
| 46 |
CVE-2026-33784
A Use of Default Password vulnerability in the Juniper Networks
Support Insigh
|
| 46 |
CVE-2026-5194
Missing hash/digest size and OID checks allow digests smaller than allowed when
|
| 46 |
CVE-2026-35178
Workbench is a suite of tools for administrators and developers to interact with
|
| 46 |
CVE-2026-34424
Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla contains a multi-st
|
| 46 |
CVE-2026-40111
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, he memory hooks
|
| 46 |
CVE-2025-39666
Local privilege escalation in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46
|
| 46 |
CVE-2026-33698
Chamilo LMS is a learning management system. Prior to 1.11.38, a chained attack
|
| 46 |
CVE-2026-40189
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces
|
| 46 |
CVE-2026-40177
ajenti.plugin.core defines all necessary core elements to allow Ajenti to run pr
|
| 46 |
CVE-2026-31845
A pre-authenticated reflected cross-site scripting (XSS) vulnerability exists in
|
| 46 |
CVE-2026-39987
## Summary
Marimo (19.6k stars) has a Pre-Auth RCE vulnerability. The terminal
|
| 46 |
CVE-2025-62718
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.
|
| 46 |
CVE-2026-40154
PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI treats remo
|
| 46 |
CVE-2026-4415
Gigabyte Control Center developed by GIGABYTE has an Arbitrary File Write vulner
|
| 46 |
CVE-2026-30880
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS ha
|
| 46 |
CVE-2026-34202
---
# Remote Denial of Service via Crafted V5 Transactions
## Summary
A vulner
|
| 46 |
CVE-2026-35053
OneUptime is an open-source monitoring and observability platform. Prior to vers
|
| 46 |
CVE-2026-34759
OneUptime is an open-source monitoring and observability platform. Prior to vers
|
| 46 |
CVE-2026-28766
A specific endpoint exposes all user account information for registered Gardyn u
|
| 46 |
CVE-2026-32916
OpenClaw versions 2026.3.7 before 2026.3.11 contain an authorization bypass vuln
|
| 46 |
CVE-2026-35615
### Executive Summary:
The path validation has a critical logic bug: it checks f
|
| 46 |
CVE-2026-39322
PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and ea
|
| 46 |
CVE-2026-32865
OPEXUS eComplaint and eCASE before version 10.1.0.0 include the secret verificat
|
| 46 |
CVE-2026-34714
Vim before 9.2.0272 allows code execution that happens immediately upon opening
|
| 46 |
CVE-2026-33322
### Impact
_What kind of vulnerability is it? Who is impacted?_
A JWT algorithm
|
| 46 |
CVE-2026-32918
OpenClaw before 2026.3.11 contains a session sandbox escape vulnerability in the
|
| 46 |
CVE-2025-15620
HiOS Switch Platform contains a denial-of-service vulnerability in the web inter
|
| 46 |
CVE-2026-28205
OpenPLC_V3 is vulnerable to an Initialization of a Resource with an Insecure Def
|
| 46 |
CVE-2026-35556
OpenPLC_V3 is vulnerable to a Plaintext Storage of a Password vulnerability that
|
| 46 |
CVE-2026-35573
ChurchCRM is an open-source church management system. Prior to 6.5.3, a path tra
|
| 46 |
CVE-2026-0545
In mlflow/mlflow, the FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not
|
| 46 |
CVE-2026-29103
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (C
|
| 46 |
CVE-2026-32238
OpenEMR is a free and open source electronic health records and medical practice
|
| 46 |
CVE-2026-30877
baserCMS is a website development framework. Prior to version 5.2.3, there is an
|
| 46 |
CVE-2026-21861
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS co
|
| 46 |
CVE-2026-4283
The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to unauthorized acc
|
| 46 |
CVE-2026-34177
Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLo
|
| 46 |
CVE-2026-39339
ChurchCRM is an open-source church management system. Prior to 7.1.0, a critica
|
| 46 |
CVE-2026-34745
Fireshare facilitates self-hosted media and link sharing. Prior to version 1.5.3
|
| 46 |
CVE-2026-34179
In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in
|
| 46 |
CVE-2026-25770
Wazuh is a free and open source platform used for threat prevention, detection,
|
| 46 |
CVE-2026-33024
AVideo is a video-sharing Platform. Versions prior to 8.0 contain a Server-Side
|
| 46 |
CVE-2026-27876
A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to
|
| 46 |
CVE-2026-33615
An unauthenticated remote attacker can exploit an unauthenticated SQL Injection
|
| 46 |
CVE-2026-33351
### Summary
A Server-Side Request Forgery (SSRF) vulnerability exists in `plugi
|
| 46 |
CVE-2026-34456
Reviactyl is an open-source game server management panel built using Laravel, Re
|
| 46 |
CVE-2025-69808
An out-of-bounds memory access (OOB) in p2r3 Bareiron commit 8e4d40 allows unaut
|
| 46 |
CVE-2026-35561
Insufficient authentication security controls in the browser-based authenticatio
|
| 46 |
CVE-2026-33152
Tandoor Recipes is an application for managing recipes, planning meals, and buil
|
| 46 |
CVE-2026-23489
Fields is a GLPI plugin that allows users to add custom fields on GLPI items for
|
| 46 |
CVE-2026-32211
Missing authentication for critical function in Azure MCP Server allows an unaut
|
| 46 |
CVE-2025-71058
Dual DHCP DNS Server 8.01 improperly accepts and caches UDP DNS responses withou
|
| 46 |
CVE-2026-39847
Emmett is a full-stack Python web framework designed with simplicity. From 2.5.0
|
| 46 |
CVE-2026-32817
Admidio is an open-source user management solution. In versions 5.0.0 through 5.
|
| 46 |
CVE-2026-33419
### Impact
_What kind of vulnerability is it? Who is impacted?_
MinIO AIStor's
|
| 46 |
CVE-2026-34566
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
|
| 46 |
CVE-2026-34558
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
|
| 46 |
CVE-2026-34565
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
|
| 46 |
CVE-2026-34563
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
|
| 46 |
CVE-2026-34557
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
|
| 46 |
CVE-2026-34568
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
|
| 46 |
CVE-2026-34564
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
|
| 46 |
CVE-2026-32633
## Summary
In Central Browser mode, the `/api/4/serverslist` endpoint returns r
|
| 46 |
CVE-2026-34567
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
|
| 46 |
CVE-2026-33340
LoLLMs WEBUI provides the Web user interface for Lord of Large Language and Mult
|
| 46 |
CVE-2026-25447
Improper Control of Generation of Code ('Code Injection') vulnerability in Jonat
|
| 46 |
CVE-2026-34178
In Canonical LXD before 6.8, the backup import path validates project restrictio
|
| 46 |
CVE-2026-34532
Parse Server is an open source backend that can be deployed to any infrastructur
|
| 46 |
CVE-2026-26026
GLPI is a free asset and IT management software package. From 11.0.0 to before 1
|
| 46 |
CVE-2026-32573
Improper Control of Generation of Code ('Code Injection') vulnerability in Nelio
|
| 46 |
CVE-2026-4750
Out-of-bounds Read vulnerability in fabiangreffrath woof.This issue affects woof
|
| 46 |
CVE-2026-4753
Out-of-bounds Read vulnerability in slajerek RetroDebugger.This issue affects Re
|
| 46 |
CVE-2026-32298
The Angeet ES3 KVM does not properly sanitize user-supplied variables parsed by
|
| 46 |
CVE-2026-33640
Outline is a service that allows for collaborative documentation. Outline implem
|
| 46 |
CVE-2026-25534
### Impact
Spinnaker updated URL Validation logic on user input to provide sanit
|
| 46 |
CVE-2026-34751
### Impact
A vulnerability in the password recovery flow could allow an unauthe
|
| 46 |
CVE-2026-27962
## Description
### Summary
A JWK Header Injection vulnerability in `authlib`'s
|
| 46 |
CVE-2026-27067
Unrestricted Upload of File with Dangerous Type vulnerability in Syarif Mobile A
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 730d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2298d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2111d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1725d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2228d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4976d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1196d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 998d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3753d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 900d |