| Metric | Value | Detail |
|---|---|---|
| Total CVEs | 5758 | last 30 days |
| Avg Priority | 35.3 | of max 220 |
| KEV | 8 | actively exploited |
| POC | 756 | public exploits |
| Unpatched | 1111 | CRIT/HIGH without patch |

How is Priority Score calculated?

Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:

| Signal | Weight | Meaning |
|---|---|---|
| KEV | +50 | CISA Known Exploited Vulnerability: confirmed active exploitation in the wild |
| EPSS | x100 | Exploit Prediction Scoring System: probability of exploitation in next 30 days (0-100) |
| CVSS | x5 | Common Vulnerability Scoring System: technical severity (0-50) |
| POC | +20 | Public exploit code exists: lowers barrier for attackers |

| Score | Level |
|---|---|
| 0-40 | Low |
| 40-80 | Medium |
| 80-120 | High |
| 120+ | Critical |

Patch Now — Known Exploited Vulnerabilities

| Priority | CVE | Description (truncated) |
|---|---|---|
| 124 | CVE-2026-35616 | An improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an |
| 119 | CVE-2026-5281 | Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co |
| 118 | CVE-2026-34621 | Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Control |
| 117 | CVE-2026-33634 | Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publi |
| 117 | CVE-2026-3055 | Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP l |
| 114 | CVE-2026-34197 | Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i |
| 109 | CVE-2026-3502 | TrueConf Client downloads application update code and applies it without performing verification. An |
| 109 | CVE-2026-32201 | Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform |

Priority Distribution
| Priority | CVE | Description (truncated) |
|---|---|---|
| 27 | CVE-2026-39664 | Missing Authorization vulnerability in leadrebel Leadrebel leadrebel allows Expl |
| 27 | CVE-2026-39668 | Missing Authorization vulnerability in g5theme Book Previewer for Woocommerce bo |
| 27 | CVE-2026-39669 | Missing Authorization vulnerability in NitroPack NitroPack nitropack allows Expl |
| 27 | CVE-2026-39672 | Missing Authorization vulnerability in shiptime ShipTime: Discounted Shipping Ra |
| 27 | CVE-2026-39673 | Missing Authorization vulnerability in shrikantkale iZooto izooto-web-push allow |
| 27 | CVE-2026-39675 | Missing Authorization vulnerability in webmuehle Court Reservation court-reserva |
| 27 | CVE-2026-39676 | Missing Authorization vulnerability in Shahjada Download Manager download-manage |
| 27 | CVE-2026-39678 | Missing Authorization vulnerability in DOTonPAPER Pinpoint Booking System bookin |
| 27 | CVE-2026-39680 | Missing Authorization vulnerability in MWP Development Diet Calorie Calculator d |
| 27 | CVE-2026-39682 | Missing Authorization vulnerability in Arjan Pronk linkPizza-Manager linkpizza-m |
| 27 | CVE-2026-39685 | Missing Authorization vulnerability in lvaudore The Moneytizer the-moneytizer al |
| 27 | CVE-2026-39687 | Missing Authorization vulnerability in Rapid Car Check Rapid Car Check Vehicle D |
| 27 | CVE-2026-39688 | Missing Authorization vulnerability in Glowlogix WP Frontend Profile wp-front-en |
| 27 | CVE-2026-39689 | Missing Authorization vulnerability in eshipper eShipper Commerce eshipper-comme |
| 27 | CVE-2026-39690 | Missing Authorization vulnerability in Paul Bearne Author Avatars List/Block aut |
| 27 | CVE-2026-39691 | Missing Authorization vulnerability in AdAstraCrypto Cryptocurrency Donation Box |
| 27 | CVE-2026-39694 | Missing Authorization vulnerability in NSquared Simply Schedule Appointments sim |
| 27 | CVE-2026-39697 | Missing Authorization vulnerability in HBSS Technologies MAIO – The new AI |
| 27 | CVE-2026-39698 | Missing Authorization vulnerability in PublisherDesk The Publisher Desk ads.txt |
| 27 | CVE-2026-39699 | Missing Authorization vulnerability in massiveshift AI Workflow Automation ai-wo |
| 27 | CVE-2026-39700 | Missing Authorization vulnerability in WPXPO WowOptin optin allows Exploiting In |
| 27 | CVE-2026-39701 | Missing Authorization vulnerability in Andrew ShopWP wpshopify allows Exploiting |
| 27 | CVE-2026-39704 | Missing Authorization vulnerability in nfusionsolutions Precious Metals Automate |
| 27 | CVE-2026-39705 | Missing Authorization vulnerability in Mulika Team MIPL WC Multisite Sync mipl-w |
| 27 | CVE-2026-39706 | Missing Authorization vulnerability in Netro Systems Make My Trivia trivialy all |
| 27 | CVE-2026-39707 | Missing Authorization vulnerability in ZealousWeb Accept PayPal Payments using C |
| 27 | CVE-2026-39713 | Missing Authorization vulnerability in mailercloud Mailercloud – Integrate |
| 27 | CVE-2026-39714 | Missing Authorization vulnerability in G5Theme G5Plus April g5plus-april allows |
| 27 | CVE-2026-39715 | Missing Authorization vulnerability in AnyTrack AnyTrack Affiliate Link Manager |
| 27 | CVE-2026-39716 | Missing Authorization vulnerability in CKThemes Flipmart flipmart allows Exploit |
| 27 | CVE-2026-22560 | An open redirect vulnerability in Rocket.Chat versions prior to 8.4.0 allows use |
| 27 | CVE-2026-30280 | An arbitrary file overwrite vulnerability in RAREPROB SOLUTIONS PRIVATE LIMITED |
| 27 | CVE-2026-29909 | MRCMS V3.1.2 contains an unauthenticated directory enumeration vulnerability in |
| 27 | CVE-2026-3526 | Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) all |
| 27 | CVE-2026-3525 | Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) all |
| 27 | CVE-2026-27813 | EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a dat |
| 27 | CVE-2026-40737 | Authorization Bypass Through User-Controlled Key vulnerability in VillaTheme COM |
| 27 | CVE-2026-40742 | Missing Authorization vulnerability in Nelio Software Nelio AB Testing nelio-ab- |
| 27 | CVE-2026-40763 | Missing Authorization vulnerability in WP Royal Royal Elementor Addons royal-ele |
| 27 | CVE-2026-40778 | Missing Authorization vulnerability in Majestic Support Majestic Support majesti |
| 27 | CVE-2026-20113 | A vulnerability in the web-based Cisco IOx application hosting environment manag |
| 27 | CVE-2026-6410 | @fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory |
| 27 | CVE-2026-28824 | An authorization issue was addressed with improved state management. This issue |
| 27 | CVE-2026-28839 | The issue was addressed with improved checks. This issue is fixed in macOS Sequo |
| 27 | CVE-2026-28862 | A privacy issue was addressed with improved private data redaction for log entri |
| 27 | CVE-2026-28818 | A logging issue was addressed with improved data redaction. This issue is fixed |
| 27 | CVE-2026-5344 | A security vulnerability has been detected in Textpattern up to 4.9.1. Affected |
| 27 | CVE-2025-3716 | User enumeration in ESET Protect (on-prem) via Response Timing. |
| 27 | CVE-2026-33169 | Impact: `NumberToDelimitedConverter` used a regular expression with `gsub!` t |
| 27 | CVE-2026-33173 | Impact: Active Storage's `DirectUploadsController` accepts arbitrary metadata |
| 27 | CVE-2026-39882 | overview: this report shows that the otlp HTTP exporters (traces/metrics/logs) r |
| 27 | CVE-2026-40179 | Impact: Stored cross-site scripting (XSS) via crafted metric names in the Pr |
| 27 | CVE-2026-5474 | A vulnerability was found in NASA cFS up to 7.0.0. This affects the function CFE |
| 27 | CVE-2026-28838 | A permissions issue was addressed with additional sandbox restrictions. This iss |
| 27 | CVE-2026-21714 | A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE |
| 27 | CVE-2026-20697 | A permissions issue was addressed with additional restrictions. This issue is fi |
| 27 | CVE-2026-33690 | WWBN AVideo is an open source video platform. In versions up to and including 26 |
| 27 | CVE-2026-6494 | A flaw was found in the AAP MCP server. An unauthenticated remote attacker can e |
| 27 | CVE-2026-28828 | A permissions issue was addressed by removing the vulnerable code. This issue is |
| 27 | CVE-2026-33527 | Impact: An authenticated user can overwrite server-generated session fields |
| 27 | CVE-2026-40041 | Pachno 1.0.6 contains a cross-site request forgery vulnerability that allows att |
| 27 | CVE-2026-31924 | Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. |
| 27 | CVE-2026-5713 | The "profiling.sampling" module (Python 3.15+) and "asyncio introspection capabi |
| 27 | CVE-2026-34776 | Impact: On macOS and Linux, apps that call `app.requestSingleInstanceLock()` |
| 27 | CVE-2026-0718 | The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites - PostX plugin |
| 27 | CVE-2026-3581 | The Basic Google Maps Placemarks plugin for WordPress is vulnerable to authoriza |
| 27 | CVE-2026-24028 | An attacker might be able to trigger an out-of-bounds read by sending a crafted |
| 27 | CVE-2026-24030 | An attacker might be able to trick DNSdist into allocating too much memory while |
| 27 | CVE-2026-5427 | The Kubio plugin for WordPress is vulnerable to Arbitrary File Upload in version |
| 27 | CVE-2026-5502 | The Tutor LMS - eLearning and online course solution plugin for WordPress is vul |
| 27 | CVE-2026-5606 | A security flaw has been discovered in PHPGurukul Online Shopping Portal Project |
| 27 | CVE-2026-6586 | A vulnerability was identified in TransformerOptimus SuperAGI up to 0.0.14. Impa |
| 27 | CVE-2026-5705 | A vulnerability was identified in code-projects Online Hotel Booking 1.0. Affect |
| 27 | CVE-2026-40485 | ChurchCRM is an open-source church management system. In versions prior to 7.2.0 |
| 27 | CVE-2026-5579 | A vulnerability was determined in CodeAstro Online Classroom 1.0. This issue aff |
| 27 | CVE-2026-5052 | Vault’s PKI engine’s ACME validation did not reject local targets when issuing h |
| 27 | CVE-2026-5586 | A vulnerability was determined in zhongyu09 openchatbi up to 0.2.1. The impacted |
| 27 | CVE-2026-28755 | NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_modu |
| 27 | CVE-2026-34364 | WWBN AVideo is an open source video platform. In versions up to and including 26 |
| 27 | CVE-2026-21726 | The CVE-2021-36156 fix validates the namespace parameter for path traversal sequ |
| 27 | CVE-2026-33578 | OpenClaw before 2026.3.28 contains a sender policy bypass vulnerability in the G |
| 27 | CVE-2026-3177 | The Charitable - Donation Plugin for WordPress - Fundraising with Recurring Dona |
| 27 | CVE-2026-21711 | A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket |
| 27 | CVE-2026-5572 | A security flaw has been discovered in Technostrobe HI-LED-WR120-G2 5.5.0.1R6.03 |
| 26 | CVE-2026-6675 | The Responsive Blocks - Page Builder for Blocks & Patterns plugin for WordPress |
| 26 | CVE-2026-24468 | OpenAEV is an open source platform allowing organizations to plan, schedule and |
| 26 | CVE-2026-5675 | A vulnerability was found in itsourcecode Construction Management System 1.0. Th |
| 26 | CVE-2025-14243 | A flaw was found in the OpenShift Mirror Registry. This vulnerability allows an |
| 26 | CVE-2026-39407 | Summary: A path handling inconsistency in `serveStatic` allows protected stat |
| 26 | CVE-2026-39406 | Summary: A path handling inconsistency in `serveStatic` allows protected stat |

Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 739d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2306d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2119d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1733d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2236d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4984d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1205d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1006d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3761d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 908d |