Total CVEs
5758
last 30 days
Avg Priority
35.3
of max 220
KEV
8
actively exploited
POC
756
public exploits
Unpatched
1110
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-5281
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co
118
CVE-2026-34621
Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Control
117
CVE-2026-33634
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publi
117
CVE-2026-3055
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP l
114
CVE-2026-34197
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i
109
CVE-2026-3502
TrueConf Client downloads application update code and applies it without performing verification. An
109
CVE-2026-32201
Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform
Priority Distribution
| Priority | CVE |
|---|---|
| 26 |
CVE-2026-5670
A vulnerability was found in Cyber-III Student-Management-System up to 1a938fa61
|
| 26 |
CVE-2026-6729
HKUDS OpenHarness prior to PR #159 remediation contains a session key derivation
|
| 26 |
CVE-2025-66335
Apache Doris MCP Server versions earlier than 0.6.1 are affected by an improper
|
| 26 |
CVE-2026-39406
## Summary
A path handling inconsistency in `serveStatic` allows protected stat
|
| 26 |
CVE-2026-5675
A vulnerability was found in itsourcecode Construction Management System 1.0. Th
|
| 26 |
CVE-2025-14243
A flaw was found in the OpenShift Mirror Registry. This vulnerability allows an
|
| 26 |
CVE-2025-15565
The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of
|
| 26 |
CVE-2026-6675
The Responsive Blocks - Page Builder for Blocks & Patterns plugin for WordPress
|
| 26 |
CVE-2026-35179
## Summary
The SocialMediaPublisher plugin exposes a `publishInstagram.json.php
|
| 26 |
CVE-2026-33558
Information exposure vulnerability has been identified in Apache Kafka.
The Net
|
| 26 |
CVE-2026-5338
A security vulnerability has been detected in Tenda G103 1.0.0.5. The affected e
|
| 26 |
CVE-2026-21003
Improper input validation in data related to network restrictions prior to SMR A
|
| 26 |
CVE-2026-39958
oma is a package manager for AOSC OS. Prior to 1.25.2, oma-topics is responsible
|
| 26 |
CVE-2026-33014
EVerest is an EV charging software stack. Prior to versions to 2026.02.0, during
|
| 26 |
CVE-2026-33015
EVerest is an EV charging software stack. Prior to version 2026.02.0, even immed
|
| 26 |
CVE-2026-4743
NULL Pointer Dereference vulnerability in taurusxin ncmdump (src/utils modules
|
| 26 |
CVE-2026-4135
During an internal security assessment, a potential vulnerability was discovered
|
| 26 |
CVE-2026-24153
NVIDIA Jetson Linux has a vulnerability in initrd, where the nvluks trusted appl
|
| 26 |
CVE-2026-40339
libgphoto2 is a camera access and control library. Versions up to and including
|
| 26 |
CVE-2026-40338
libgphoto2 is a camera access and control library. Versions up to and including
|
| 26 |
CVE-2026-40335
libgphoto2 is a camera access and control library. Versions up to and including
|
| 26 |
CVE-2026-32591
A flaw was found in Red Hat Quay's Proxy Cache configuration feature. When an or
|
| 26 |
CVE-2026-3438
A reflected cross-site scripting vulnerability exists in Sonatype Nexus Reposito
|
| 26 |
CVE-2026-4420
Bludit is vulnerable to Stored Cross-Site Scripting (XSS) in its page creating f
|
| 26 |
CVE-2026-33892
A vulnerability has been identified in Industrial Edge Management Pro V1 (All ve
|
| 26 |
CVE-2026-39425
MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below co
|
| 26 |
CVE-2026-24906
October is a Content Management System (CMS) and web platform. Versions prior to
|
| 26 |
CVE-2026-24907
October is a Content Management System (CMS) and web platform. Versions prior to
|
| 26 |
CVE-2026-22675
OCS Inventory NG Server version 2.12.3 and prior contain a stored cross-site scr
|
| 26 |
CVE-2026-33865
MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsi
|
| 26 |
CVE-2026-34161
Chamilo LMS is an open-source learning management system. In versions prior to 2
|
| 26 |
CVE-2026-40353
# Stored XSS via Unescaped License Attribution Fields
## Summary
The `Abstract
|
| 26 |
CVE-2026-39426
MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below co
|
| 26 |
CVE-2026-34821
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2025-41027
Reflected Cross Site Scripting (XSS) vulnerabilities in GDTaller. These vulnerab
|
| 26 |
CVE-2025-41357
Reflected Cross-Site Scripting (XSS) vulnerability in Anon Proxy Server v0.104.
|
| 26 |
CVE-2026-39840
Improper neutralization of input during web page generation ('cross-site scripti
|
| 26 |
CVE-2026-5010
A reflected Cross-Site Scripting (XSS) vulnerability has been discovered in Clic
|
| 26 |
CVE-2025-41026
Reflected Cross Site Scripting (XSS) vulnerabilities in GDTaller. These vulnerab
|
| 26 |
CVE-2025-41355
Reflected Cross-Site Scripting (XSS) vulnerability in Anon Proxy Server
v0.104.
|
| 26 |
CVE-2025-41356
Reflected Cross-Site Scripting (XSS) vulnerability in Anon Proxy Server v0.104.
|
| 26 |
CVE-2026-34951
Workbench is a suite of tools for administrators and developers to interact with
|
| 26 |
CVE-2026-1564
Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vu
|
| 26 |
CVE-2026-40096
immich is a high performance self-hosted photo and video management solution. Ve
|
| 26 |
CVE-2026-5987
A security vulnerability has been detected in Sanluan PublicCMS up to 6.202506.d
|
| 26 |
CVE-2026-35398
WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redi
|
| 26 |
CVE-2026-35474
WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, open redirec
|
| 26 |
CVE-2026-35396
WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redi
|
| 26 |
CVE-2026-35472
WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redi
|
| 26 |
CVE-2026-35473
WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redi
|
| 26 |
CVE-2026-35475
WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, the redirect
|
| 26 |
CVE-2026-33709
JupyterHub is software that allows one to create a multi-user server for Jupyter
|
| 26 |
CVE-2026-32113
Discourse is an open-source discussion platform. From versions 2026.1.0-latest t
|
| 26 |
CVE-2026-33456
Livestatus injection in the notification test mode in Checkmk <2.5.0b4 and <2.4.
|
| 26 |
CVE-2026-35496
A path traversal vulnerability exists in CubeCart prior to 6.6.0, which may allo
|
| 26 |
CVE-2026-33273
Unrestricted upload of file with dangerous type issue exists in MATCHA INVOICE 2
|
| 26 |
CVE-2026-39347
OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to
|
| 26 |
CVE-2026-5160
Versions of the package github.com/yuin/goldmark/renderer/html before 1.7.17 are
|
| 26 |
CVE-2026-33415
Discourse is an open-source discussion platform. From versions 2026.1.0-latest t
|
| 26 |
CVE-2026-21904
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scri
|
| 26 |
CVE-2026-40118
UDP Console provided by Arcserve contains an incorrectly specified destination i
|
| 26 |
CVE-2026-6107
A flaw has been found in 1Panel-dev MaxKB up to 2.6.1. This issue affects some u
|
| 26 |
CVE-2026-5469
A weakness has been identified in Casdoor 2.356.0. This vulnerability affects un
|
| 26 |
CVE-2026-27787
Cross-site scripting vulnerability exists in MATCHA SNS 1.3.9 and earlier. If th
|
| 26 |
CVE-2026-32963
SD-330AC and AMC Manager provided by silex technology, Inc. contain a reflected
|
| 26 |
CVE-2026-4973
A vulnerability was detected in SourceCodester Online Quiz System hasta 1.0. Aff
|
| 26 |
CVE-2026-6216
A security vulnerability has been detected in DbGate up to 7.1.4. This affects a
|
| 26 |
CVE-2026-40028
Hayabusa versions prior to 3.8.0 contain a cross-site scripting (XSS) vulnerabil
|
| 26 |
CVE-2026-32859
ByteDance Deer-Flow versions prior to commit 5dbb362 contain a stored cross-site
|
| 26 |
CVE-2026-34809
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-34811
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-34812
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-34813
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-34814
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-34815
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-34816
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-34817
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-34818
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-34820
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-34823
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-26352
Smoothwall Express versions prior to 3.1 Update 13 contain a stored cross-site s
|
| 26 |
CVE-2026-27508
Smoothwall Express versions prior to 3.1 Update 13 contain a reflected cross-sit
|
| 26 |
CVE-2026-40038
Pachno 1.0.6 contains a stored cross-site scripting vulnerability that allows at
|
| 26 |
CVE-2026-34798
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-34799
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-34800
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-34801
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-34802
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-34803
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
| 26 |
CVE-2026-34804
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS)
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 739d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2306d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2119d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1733d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2236d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4984d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1205d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1006d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3761d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 908d |