Total CVEs
5758
last 30 days
Avg Priority
35.3
of max 220
KEV
8
actively exploited
POC
760
public exploits
Unpatched
1108
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-5281
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co
118
CVE-2026-34621
Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Control
117
CVE-2026-33634
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publi
117
CVE-2026-3055
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP l
114
CVE-2026-34197
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i
109
CVE-2026-3502
TrueConf Client downloads application update code and applies it without performing verification. An
109
CVE-2026-32201
Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform
Priority Distribution
| Priority | CVE |
|---|---|
| 27 |
CVE-2026-33759
## Summary
The `objects/playlistsVideos.json.php` endpoint returns the full vid
|
| 27 |
CVE-2026-33455
Livestatus injection in the monitoring quicksearch in Checkmk <2.5.0b4 allows an
|
| 27 |
CVE-2026-6231
The bson_validate function may return early on specific inputs and incorrectly r
|
| 27 |
CVE-2026-5762
Allocation of resources without limits or throttling vulnerability in Wikimedia
|
| 27 |
CVE-2026-33300
Discourse is an open-source discussion platform. From versions 2026.1.0-latest t
|
| 27 |
CVE-2026-32620
Discourse is an open-source discussion platform. From versions 2026.1.0-latest t
|
| 27 |
CVE-2026-2405
CWE-400 Uncontrolled Resource Consumption vulnerability exists that could cause
|
| 27 |
CVE-2026-23488
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the /a
|
| 27 |
CVE-2026-33766
## Summary
`isSSRFSafeURL()` validates URLs against private/reserved IP ranges
|
| 27 |
CVE-2026-4985
A vulnerability was identified in dloebl CGIF up to 0.5.2. This vulnerability af
|
| 27 |
CVE-2026-23486
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, a publ
|
| 27 |
CVE-2026-4751
NULL Pointer Dereference vulnerability in tmate-io tmate.This issue affects tmat
|
| 27 |
CVE-2026-35468
nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake pro
|
| 27 |
CVE-2026-34069
### Impact
An unauthenticated p2p peer can cause the `RequestMacroChain` messag
|
| 27 |
CVE-2026-34979
OpenPrinting CUPS is an open source printing system for Linux and other Unix-lik
|
| 27 |
CVE-2026-34230
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, a
|
| 27 |
CVE-2026-4733
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in ixra
|
| 27 |
CVE-2026-27859
A mail message containing excessive amount of RFC 2231 MIME parameters causes LM
|
| 27 |
CVE-2026-33899
When `Magick` parses an XML file it is possible that a single zero byte is writt
|
| 27 |
CVE-2026-34826
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, a
|
| 27 |
CVE-2026-39362
InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.
|
| 27 |
CVE-2026-35578
ChurchCRM is an open-source church management system. Prior to 7.0.0, it was pos
|
| 27 |
CVE-2026-2263
The Hustle - Email Marketing, Lead Generation, Optins, Popups plugin for WordPre
|
| 27 |
CVE-2026-3210
Incorrect Authorization vulnerability in Drupal Material Icons allows Forceful B
|
| 27 |
CVE-2026-39360
RustFS is a distributed object storage system built in Rust. Prior to alpha.90,
|
| 27 |
CVE-2026-34837
Zammad is a web based open source helpdesk/customer support system. Prior to 7.0
|
| 27 |
CVE-2026-34782
Zammad is a web based open source helpdesk/customer support system. Prior to 7.0
|
| 27 |
CVE-2026-39940
ChurchCRM is an open-source church management system. Prior to 7.0.0, it was pos
|
| 27 |
CVE-2026-39346
OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to
|
| 27 |
CVE-2026-24096
Insufficient permission validation on multiple REST API Quick Setup endpoints in
|
| 27 |
CVE-2026-35583
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the config
|
| 27 |
CVE-2026-39401
Cronicle is a multi-server task scheduler and runner, with a web based front-end
|
| 27 |
CVE-2026-4812
The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Missing A
|
| 27 |
CVE-2026-39348
OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to
|
| 27 |
CVE-2026-35023
Wimi Teamwork On-Premises versions prior to 8.2.0 contain an insecure direct obj
|
| 27 |
CVE-2026-33537
Lychee is a free, open-source photo-management tool. The patch introduced for GH
|
| 27 |
CVE-2026-33185
Discourse is an open-source discussion platform. From versions 2026.1.0-latest t
|
| 27 |
CVE-2026-32615
Discourse is an open-source discussion platform. From versions 2026.1.0-latest t
|
| 27 |
CVE-2026-35606
File Browser is a file managing interface for uploading, deleting, previewing, r
|
| 27 |
CVE-2026-35413
## Summary
When `GRAPHQL_INTROSPECTION=false` is configured, Directus correctly
|
| 27 |
CVE-2026-32990
Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fi
|
| 27 |
CVE-2026-26895
User enumeration vulnerability in /pwreset.php in osTicket v1.18.2 allows remote
|
| 27 |
CVE-2026-39857
ApostropheCMS is an open-source Node.js content management system. Versions 4.28
|
| 27 |
CVE-2026-39381
Parse Server is an open source backend that can be deployed to any infrastructur
|
| 27 |
CVE-2026-39373
JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography.
|
| 27 |
CVE-2026-34372
### Impact
A user which has permission for the Sulu Admin via atleast one role
|
| 27 |
CVE-2026-25043
Budibase is an open-source low-code platform. Prior to version 3.23.25, a busine
|
| 27 |
CVE-2026-40304
Summary
The unaccess handler (controller/unaccess.go) contains a logical error i
|
| 27 |
CVE-2026-5808
A vulnerability was detected in openstatusHQ openstatus up to 1b678e71a85961ae31
|
| 27 |
CVE-2026-39922
GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side req
|
| 27 |
CVE-2026-1879
A vulnerability was detected in Harvard University IQSS Dataverse up to 6.8. Thi
|
| 27 |
CVE-2026-40087
LangChain's f-string prompt-template validation was incomplete in two respects.
|
| 27 |
CVE-2025-14944
The Backup Migration plugin for WordPress is vulnerable to Missing Authorization
|
| 27 |
CVE-2026-1314
The 3D FlipBook - PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plug
|
| 27 |
CVE-2026-4299
The MainWP Child Reports plugin for WordPress is vulnerable to Missing Authoriza
|
| 27 |
CVE-2026-4654
The Awesome Support - WordPress HelpDesk & Support Plugin plugin for WordPress i
|
| 27 |
CVE-2026-35545
An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remot
|
| 27 |
CVE-2026-5538
A vulnerability was detected in QingdaoU OnlineJudge up to 1.6.1. Affected by th
|
| 27 |
CVE-2026-40151
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the AgentOS deploymen
|
| 27 |
CVE-2026-35629
OpenClaw before 2026.3.25 contains a server-side request forgery vulnerability i
|
| 27 |
CVE-2026-35450
## Summary
The `plugin/API/check.ffmpeg.json.php` endpoint probes the FFmpeg re
|
| 27 |
CVE-2026-35544
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insuffici
|
| 27 |
CVE-2026-35543
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remot
|
| 27 |
CVE-2026-35542
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remot
|
| 27 |
CVE-2026-2862
IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify
|
| 27 |
CVE-2026-35452
## Summary
The `plugin/CloneSite/client.log.php` endpoint serves the clone oper
|
| 27 |
CVE-2026-4325
A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value st
|
| 27 |
CVE-2026-1491
IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify
|
| 27 |
CVE-2026-5797
The Quiz And Survey Master plugin for WordPress is vulnerable to Arbitrary Short
|
| 27 |
CVE-2026-6559
A weakness has been identified in Wavlink WL-WN579A3 220323. This affects the fu
|
| 27 |
CVE-2026-5240
A security vulnerability has been detected in code-projects BloodBank Managing S
|
| 27 |
CVE-2026-5315
A vulnerability was determined in Nothings stb up to 1.26. The affected element
|
| 27 |
CVE-2026-5886
Out of bounds read in WebAudio in Google Chrome on Mac prior to 147.0.7727.55 al
|
| 27 |
CVE-2026-2519
The Online Scheduling and Appointment Booking System - Bookly plugin for WordPre
|
| 27 |
CVE-2026-3649
The Katalogportal PDF Sync plugin for WordPress is vulnerable to Missing Authori
|
| 27 |
CVE-2026-5623
A vulnerability was identified in hcengineering Huly Platform 0.7.382. This affe
|
| 27 |
CVE-2026-5530
A flaw has been found in Ollama up to 18.1. This issue affects some unknown proc
|
| 27 |
CVE-2026-5205
A vulnerability was identified in chatwoot up to 4.11.2. Affected by this vulner
|
| 27 |
CVE-2026-5380
An issue that could allow an authorized user to view the clear-text secrets for
|
| 27 |
CVE-2026-6215
A weakness has been identified in DbGate up to 7.1.4. The impacted element is th
|
| 27 |
CVE-2026-34369
WWBN AVideo is an open source video platform. In versions up to and including 26
|
| 27 |
CVE-2026-35592
pyLoad is a free and open-source download manager written in Python. Prior to 0.
|
| 27 |
CVE-2026-33866
MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used
|
| 27 |
CVE-2026-5313
A vulnerability has been found in Nothings stb up to 2.30. This issue affects th
|
| 27 |
CVE-2026-0748
In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allo
|
| 27 |
CVE-2026-3642
The e-shot™ form builder plugin for WordPress is vulnerable to Missing Authoriza
|
| 27 |
CVE-2026-25742
Zulip is an open-source team collaboration tool. Prior to version 11.6, Zulip is
|
| 27 |
CVE-2026-39921
GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side req
|
| 27 |
CVE-2026-1797
The Appointment Booking and Scheduler Plugin - Truebooker plugin for WordPress i
|
| 27 |
CVE-2025-13997
The King Addons for Elementor - 4,000+ ready Elementor sections, 650+ templates,
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 738d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2306d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2119d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1733d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2236d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4984d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1204d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1006d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3761d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 908d |