Total CVEs
5697
last 30 days
Avg Priority
34.0
of max 220
KEV
6
actively exploited
POC
777
public exploits
Unpatched
1569
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-5281
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co
117
CVE-2026-33634
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publi
117
CVE-2026-33017
## Summary
The `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint allows building public flows
117
CVE-2026-3055
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP l
109
CVE-2026-3502
TrueConf Client downloads application update code and applies it without performing verification. An
Priority Distribution
| Priority | CVE |
|---|---|
| 44 |
CVE-2026-4455
Heap buffer overflow in PDFium in Google Chrome prior to 146.0.7680.153 allowed
|
| 44 |
CVE-2026-35182
Brave CMS is an open-source CMS. Prior to 2.0.6, this vulnerability is a missing
|
| 44 |
CVE-2026-4439
Out of bounds memory access in WebGL in Google Chrome on Android prior to 146.0.
|
| 44 |
CVE-2026-4448
Heap buffer overflow in ANGLE in Google Chrome prior to 146.0.7680.153 allowed a
|
| 44 |
CVE-2026-4440
Out of bounds read and write in WebGL in Google Chrome prior to 146.0.7680.153 a
|
| 44 |
CVE-2026-4445
Use after free in WebRTC in Google Chrome prior to 146.0.7680.153 allowed a remo
|
| 44 |
CVE-2026-4459
Out of bounds read and write in WebAudio in Google Chrome prior to 146.0.7680.15
|
| 44 |
CVE-2026-5912
Integer overflow in WebRTC in Google Chrome prior to 147.0.7727.55 allowed a rem
|
| 44 |
CVE-2026-4442
Heap buffer overflow in CSS in Google Chrome prior to 146.0.7680.153 allowed a r
|
| 44 |
CVE-2026-4446
Use after free in WebRTC in Google Chrome prior to 146.0.7680.153 allowed a remo
|
| 44 |
CVE-2026-27893
vLLM is an inference and serving engine for large language models (LLMs). Starti
|
| 44 |
CVE-2026-5292
Out of bounds read in WebCodecs in Google Chrome prior to 146.0.7680.178 allowed
|
| 44 |
CVE-2026-28805
## Description
Multiple AJAX select handlers in OpenSTAManager <= 2.10.1 are vu
|
| 44 |
CVE-2026-4443
Heap buffer overflow in WebAudio in Google Chrome prior to 146.0.7680.153 allowe
|
| 44 |
CVE-2026-35395
WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, WeGIA (Web g
|
| 44 |
CVE-2026-32321
ClipBucket v5 is an open source video sharing platform. An authenticated time-ba
|
| 44 |
CVE-2026-29099
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (C
|
| 44 |
CVE-2026-39318
ChurchCRM is an open-source church management system. Prior to 7.1.0, the GroupP
|
| 44 |
CVE-2026-39330
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL inj
|
| 44 |
CVE-2026-39326
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL inj
|
| 44 |
CVE-2026-35470
## Description
Six `confronta_righe.php` files across different modules in Open
|
| 44 |
CVE-2026-33755
Group-Office is an enterprise customer relationship management and groupware too
|
| 44 |
CVE-2026-30881
Chamilo LMS is a learning management system. Version 1.11.34 and prior contains
|
| 44 |
CVE-2026-33025
AVideo is a video-sharing Platform. Versions prior to 8.0 contain a SQL Injectio
|
| 44 |
CVE-2026-39323
ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical
|
| 44 |
CVE-2026-39327
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL inj
|
| 44 |
CVE-2026-39329
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL inj
|
| 44 |
CVE-2026-39317
ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL inje
|
| 44 |
CVE-2026-39334
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL inj
|
| 44 |
CVE-2026-39319
ChurchCRM is an open-source church management system. Prior to 7.1.0, a second o
|
| 44 |
CVE-2026-4444
Stack buffer overflow in WebRTC in Google Chrome prior to 146.0.7680.153 allowed
|
| 44 |
CVE-2026-4463
Heap buffer overflow in WebRTC in Google Chrome prior to 146.0.7680.153 allowed
|
| 44 |
CVE-2026-3334
The CMS Commander plugin for WordPress is vulnerable to SQL Injection via the 'o
|
| 44 |
CVE-2026-33917
OpenEMR is a free and open source electronic health records and medical practice
|
| 44 |
CVE-2026-33075
FastGPT is an AI Agent building platform. In versions 4.14.8.3 and below, the fa
|
| 44 |
CVE-2026-33373
An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A Cross-Sit
|
| 44 |
CVE-2026-32888
Open Source Point of Sale is a web based point-of-sale application written in PH
|
| 44 |
CVE-2026-25358
Deserialization of Untrusted Data vulnerability in rascals Meloo meloo allows Ob
|
| 44 |
CVE-2026-31968
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is
|
| 44 |
CVE-2026-25359
Deserialization of Untrusted Data vulnerability in rascals Pendulum pendulum all
|
| 44 |
CVE-2026-27045
Deserialization of Untrusted Data vulnerability in sbthemes WooCommerce Infinite
|
| 44 |
CVE-2026-23395
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth:
|
| 44 |
CVE-2026-25400
Deserialization of Untrusted Data vulnerability in thememount Apicona apicona al
|
| 44 |
CVE-2026-25360
Deserialization of Untrusted Data vulnerability in rascals Vex vex allows Object
|
| 44 |
CVE-2026-32484
Deserialization of Untrusted Data vulnerability in BoldGrid weForms weforms allo
|
| 44 |
CVE-2026-24981
Deserialization of Untrusted Data vulnerability in NooTheme Visionary Core noo-v
|
| 44 |
CVE-2026-24978
Deserialization of Untrusted Data vulnerability in NooTheme Jobica Core jobica-c
|
| 44 |
CVE-2026-24976
Deserialization of Untrusted Data vulnerability in NooTheme Organici Library noo
|
| 44 |
CVE-2026-24974
Deserialization of Untrusted Data vulnerability in NooTheme CitiLights noo-citil
|
| 44 |
CVE-2026-24359
Authentication Bypass Using an Alternate Path or Channel vulnerability in Dokan,
|
| 44 |
CVE-2026-25406
Authentication Bypass Using an Alternate Path or Channel vulnerability in Themeu
|
| 44 |
CVE-2025-43264
The issue was addressed with improved memory handling. This issue is fixed in ma
|
| 44 |
CVE-2025-43219
The issue was addressed with improved memory handling. This issue is fixed in ma
|
| 44 |
CVE-2026-27654
NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module
|
| 44 |
CVE-2026-27314
Privilege escalation in Apache Cassandra 5.0 on an mTLS environment using Mutual
|
| 44 |
CVE-2026-5130
The Debugger & Troubleshooter plugin for WordPress was vulnerable to Unauthentic
|
| 44 |
CVE-2026-27040
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') v
|
| 44 |
CVE-2026-4475
A vulnerability has been found in Yi Technology YI Home Camera 2 2.1.1_201710241
|
| 44 |
CVE-2026-34955
### Summary
`SubprocessSandbox` in all modes (BASIC, STRICT, NETWORK_ISOLATED)
|
| 44 |
CVE-2026-33030
## Summary
Nginx-UI contains an Insecure Direct Object Reference (IDOR) vulnera
|
| 44 |
CVE-2026-20631
A logic issue was addressed with improved checks. This issue is fixed in macOS T
|
| 44 |
CVE-2025-67260
The Terrapack software, from ASTER TEC / ASTER S.p.A., with the indicated compon
|
| 44 |
CVE-2025-55040
The import form CSRF vulnerability in MuraCMS through 10.1.10 allows attackers t
|
| 44 |
CVE-2026-29839
DedeCMS v5.7.118 was discovered to contain a Cross-Site Request Forgery (CSRF) v
|
| 44 |
CVE-2026-23246
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80
|
| 44 |
CVE-2026-24068
The VSL privileged helper does utilize NSXPC for IPC. The implementation of the
|
| 44 |
CVE-2026-25414
Incorrect Privilege Assignment vulnerability in iqonicdesign WPBookit Pro wpbook
|
| 44 |
CVE-2026-3499
The Product Feed PRO for WooCommerce by AdTribes - Product Feeds for WooCommerce
|
| 44 |
CVE-2025-55044
The Trash Restore CSRF vulnerability in MuraCMS through 10.1.10 allows attackers
|
| 44 |
CVE-2026-32530
Incorrect Privilege Assignment vulnerability in WPFunnels Creator LMS creatorlms
|
| 44 |
CVE-2026-30460
Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote
|
| 44 |
CVE-2026-27018
### Impact
The fix introduced in version 8.1.0 for GHSA-rh2x-ccvw-q7r3 (CVE-202
|
| 44 |
CVE-2026-4722
Privilege escalation in the IPC component. This vulnerability affects Firefox <
|
| 44 |
CVE-2026-28519
arduino-TuyaOpen before version 1.2.1 contains a heap-based buffer overflow vuln
|
| 44 |
CVE-2026-35093
A flaw was found in libinput. A local attacker who can place a specially crafted
|
| 44 |
CVE-2026-30711
Devome GRR v4.5.0 was discovered to contain multiple authenticated SQL injection
|
| 44 |
CVE-2026-34040
## Summary
A security vulnerability has been detected that allows attackers to
|
| 44 |
CVE-2025-69784
A local, non-privileged attacker can abuse a vulnerable IOCTL interface exposed
|
| 44 |
CVE-2026-23480
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there
|
| 44 |
CVE-2025-43202
This issue was addressed with improved memory handling. This issue is fixed in i
|
| 44 |
CVE-2026-21765
HCL BigFix Platform is affected by insecure permissions on private cryptographic
|
| 44 |
CVE-2026-5272
Heap buffer overflow in GPU in Google Chrome prior to 146.0.7680.178 allowed a r
|
| 44 |
CVE-2026-5914
Type Confusion in CSS in Google Chrome prior to 147.0.7727.55 allowed an attacke
|
| 44 |
CVE-2026-39621
Cross-Site Request Forgery (CSRF) vulnerability in spicethemes SpicePress spicep
|
| 44 |
CVE-2026-4458
Use after free in Extensions in Google Chrome prior to 146.0.7680.153 allowed an
|
| 44 |
CVE-2025-47392
Memory corruption when decoding corrupted satellite data files with invalid sign
|
| 44 |
CVE-2026-33001
Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbol
|
| 44 |
CVE-2026-39981
### Summary
The safe_join() function in the essential_abilities extension fails
|
| 44 |
CVE-2026-33331
A Stored Cross-Site Scripting (XSS) vulnerability exists in the OpenAPI document
|
| 44 |
CVE-2026-33413
### Impact
_What kind of vulnerability is it? Who is impacted?_
Multiple vulner
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 730d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2298d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2111d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1725d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2228d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4976d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1196d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 998d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3753d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 900d |