Total CVEs
5697
last 30 days
Avg Priority
34.0
of max 220
KEV
6
actively exploited
POC
777
public exploits
Unpatched
1569
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-5281
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co
117
CVE-2026-33634
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publi
117
CVE-2026-33017
## Summary
The `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint allows building public flows
117
CVE-2026-3055
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP l
109
CVE-2026-3502
TrueConf Client downloads application update code and applies it without performing verification. An
Priority Distribution
| Priority | CVE |
|---|---|
| 51 |
CVE-2015-20114
Next Click Ventures RealtyScript 4.0.2 contains a cross-site scripting vulnerabi
|
| 51 |
CVE-2016-20036
Wowza Streaming Engine 4.5.0 contains multiple reflected cross-site scripting vu
|
| 51 |
CVE-2015-20116
Next Click Ventures RealtyScript 4.0.2 fails to properly sanitize CSV file uploa
|
| 51 |
CVE-2026-30563
A Stored Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales
|
| 51 |
CVE-2026-32986
A Second-Order Cross-Site Scripting (XSS) vulnerability exists in Textpattern CM
|
| 50 |
CVE-2026-30302
The command auto-approval module in CodeRider-Kilo contains an OS Command Inject
|
| 50 |
CVE-2026-39337
ChurchCRM is an open-source church management system. Prior to 7.1.0, critical p
|
| 50 |
CVE-2026-32871
## Technical Description
The `OpenAPIProvider` in FastMCP exposes internal APIs
|
| 50 |
CVE-2025-15379
A command injection vulnerability exists in MLflow's model serving container ini
|
| 50 |
CVE-2026-5128
A sensitive information exposure vulnerability exists in ArthurFiorette steam-tr
|
| 50 |
CVE-2026-34938
### Summary
`execute_code()` in `praisonai-agents` runs attacker-controlled Pyt
|
| 50 |
CVE-2026-34162
FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, the FastGPT
|
| 50 |
CVE-2026-3587
An unauthenticated remote attacker can exploit a hidden function in the CLI prom
|
| 50 |
CVE-2026-32169
Server-side request forgery (ssrf) in Azure Cloud Shell allows an unauthorized a
|
| 50 |
CVE-2026-32186
Microsoft Bing Elevation of Privilege Vulnerability
|
| 50 |
CVE-2026-34208
### Summary
SandboxJS blocks direct assignment to global objects (for example `M
|
| 50 |
CVE-2026-33054
#### Summary
A Path Traversal vulnerability allows any user (or attacker) supply
|
| 50 |
CVE-2025-54328
An issue was discovered in SMS in Samsung Mobile Processor, Wearable Processor,
|
| 50 |
CVE-2026-32213
Improper authorization in Azure AI Foundry allows an unauthorized attacker to el
|
| 50 |
CVE-2026-33105
Improper authorization in Microsoft Azure Kubernetes Service allows an unauthori
|
| 50 |
CVE-2026-33107
Server-side request forgery (ssrf) in Azure Databricks allows an unauthorized at
|
| 50 |
CVE-2026-32057
OpenClaw versions prior to 2026.2.25 contain an authentication bypass vulnerabil
|
| 50 |
CVE-2026-4745
Improper Control of Generation of Code ('Code Injection') vulnerability in dendi
|
| 50 |
CVE-2026-22557
A malicious actor with access to the network could exploit a Path Traversal vuln
|
| 50 |
CVE-2026-33494
## Description
Ory Oathkeeper is vulnerable to an authorization bypass via HTTP
|
| 50 |
CVE-2026-4606
GV Edge Recording Manager (ERM) v2.3.1 improperly runs application components wi
|
| 50 |
CVE-2026-4746
Out-of-bounds Write vulnerability in timeplus-io proton (base/poco/Foundation/sr
|
| 50 |
CVE-2026-32737
### Impact
Due to a mis-written NetworkPolicy, a malicious actor can pivot from
|
| 50 |
CVE-2026-34976
The `restoreTenant` admin mutation is missing from the authorization middleware
|
| 50 |
CVE-2026-4370
A vulnerability was identified in Juju from version 3.2.0 until 3.6.19 and from
|
| 50 |
CVE-2026-4688
Sandbox escape due to use-after-free in the Disability Access APIs component. Th
|
| 50 |
CVE-2026-4725
Sandbox escape due to use-after-free in the Graphics: Canvas2D component. This v
|
| 50 |
CVE-2026-5059
aws-mcp-server AWS CLI Command Injection Remote Code Execution Vulnerability. Th
|
| 50 |
CVE-2026-5058
aws-mcp-server Command Injection Remote Code Execution Vulnerability. This vulne
|
| 50 |
CVE-2026-4692
Sandbox escape in the Responsive Design Mode component. This vulnerability affec
|
| 50 |
CVE-2026-4689
Sandbox escape due to incorrect boundary conditions, integer overflow in the XPC
|
| 50 |
CVE-2026-30836
⚠️ **Limited Disclosure - Full Details Pending**
A critical security vulnerabil
|
| 50 |
CVE-2026-40175
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.
|
| 50 |
CVE-2026-34838
Group-Office is an enterprise customer relationship management and groupware too
|
| 50 |
CVE-2026-34612
Kestra is an open-source, event-driven orchestration platform. Prior to version
|
| 50 |
CVE-2026-32938
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, t
|
| 50 |
CVE-2026-34571
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
|
| 50 |
CVE-2026-26137
Server-side request forgery (ssrf) in Microsoft 365 Copilot's Business Chat allo
|
| 50 |
CVE-2026-32731
**Reported:** 2026-03-08
**Status:** patched and released in version 3.5.3 of
|
| 50 |
CVE-2026-33945
Incus is a system container and virtual machine manager. Incus instances have an
|
| 50 |
CVE-2026-32045
OpenClaw versions prior to 2026.2.21 incorrectly apply tokenless Tailscale heade
|
| 50 |
CVE-2026-34569
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
|
| 50 |
CVE-2026-27044
Improper Control of Generation of Code ('Code Injection') vulnerability in Total
|
| 50 |
CVE-2026-25366
Improper Control of Generation of Code ('Code Injection') vulnerability in Theme
|
| 50 |
CVE-2026-32525
Improper Control of Generation of Code ('Code Injection') vulnerability in jetmo
|
| 50 |
CVE-2026-33897
Incus is a system container and virtual machine manager. Prior to version 6.23.0
|
| 50 |
CVE-2026-25212
An issue was discovered in Percona PMM before 3.7. Because an internal database
|
| 50 |
CVE-2026-34717
OpenProject is an open-source, web-based project management software. Prior to v
|
| 50 |
CVE-2026-32536
Unrestricted Upload of File with Dangerous Type vulnerability in halfdata Green
|
| 50 |
CVE-2026-39355
Genealogy is a family tree PHP application. Prior to 5.9.1, a critical broken ac
|
| 50 |
CVE-2026-25345
Improper Validation of Specified Quantity in Input vulnerability in GalleryCreat
|
| 50 |
CVE-2025-15363
The Get Use APIs WordPress plugin before 2.0.10 executes imported JSON, which c
|
| 50 |
CVE-2026-32523
Unrestricted Upload of File with Dangerous Type vulnerability in denishua WPJAM
|
| 50 |
CVE-2026-25413
Unrestricted Upload of File with Dangerous Type vulnerability in iqonicdesign WP
|
| 50 |
CVE-2026-32482
Unrestricted Upload of File with Dangerous Type vulnerability in deothemes Ona o
|
| 50 |
CVE-2026-22172
OpenClaw versions prior to 2026.3.12 contain an authorization bypass vulnerabili
|
| 50 |
CVE-2026-4603
Versions of the package jsrsasign before 11.1.1 are vulnerable to Division by ze
|
| 50 |
CVE-2026-33502
### Summary
An unauthenticated server-side request forgery vulnerability in `plu
|
| 50 |
CVE-2026-40089
Sonicverse is a Self-hosted Docker Compose stack for live radio streaming. The S
|
| 50 |
CVE-2026-33396
OneUptime is an open-source monitoring and observability platform. Prior to vers
|
| 50 |
CVE-2026-5412
In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in th
|
| 50 |
CVE-2026-39888
## Summary
`execute_code()` in `praisonaiagents.tools.python_tools` defaults to
|
| 49 |
CVE-2026-5102
A security flaw has been discovered in Totolink A3300R 17.0.0cu.557_b20221024. T
|
| 49 |
CVE-2026-5103
A weakness has been identified in Totolink A3300R 17.0.0cu.557_b20221024. This i
|
| 49 |
CVE-2026-5020
A vulnerability was detected in Totolink A3600R 4.1.2cu.5182_B20201102. Affected
|
| 49 |
CVE-2026-5030
A vulnerability has been found in Totolink NR1800X 9.1.0u.6279_B20210910. This i
|
| 49 |
CVE-2026-5101
A vulnerability was identified in Totolink A3300R 17.0.0cu.557_b20221024. This a
|
| 49 |
CVE-2026-5104
A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_b2022
|
| 49 |
CVE-2026-5105
A vulnerability was detected in Totolink A3300R 17.0.0cu.557_b20221024. The affe
|
| 49 |
CVE-2026-4003
The Users manager - PN plugin for WordPress is vulnerable to Privilege Escalatio
|
| 49 |
CVE-2026-32985
Xerte Online Toolkits versions 3.14 and earlier contain an unauthenticated arbit
|
| 49 |
CVE-2026-30303
The command auto-approval module in Axon Code contains an OS Command Injection v
|
| 49 |
CVE-2026-30402
An issue in wgcloud v.2.3.7 and before allows a remote attacker to execute arbit
|
| 49 |
CVE-2026-39890
## Summary
The `AgentService.loadAgentFromFile` method uses the `js-yaml` librar
|
| 49 |
CVE-2026-3535
The DSGVO Google Web Fonts GDPR plugin for WordPress is vulnerable to arbitrary
|
| 49 |
CVE-2026-33057
#### Summary
An explicit web endpoint inside the `ai/` testing module infrastruc
|
| 49 |
CVE-2017-20224
Telesquare SKT LTE Router SDT-CS3B1 version 1.2.0 contains an arbitrary file upl
|
| 49 |
CVE-2026-26830
pdf-image (npm package) through version 2.0.0 allows OS command injection via th
|
| 49 |
CVE-2026-33937
## Summary
`Handlebars.compile()` accepts a pre-parsed AST object in addition t
|
| 49 |
CVE-2026-34243
#### Summary
A GitHub Actions workflow uses untrusted user input from `issue_co
|
| 49 |
CVE-2026-5153
A flaw has been found in Tenda CH22 1.0.0.1. The affected element is the functio
|
| 49 |
CVE-2026-4554
A security flaw has been discovered in Tenda F453 1.0.0.3. The affected element
|
| 49 |
CVE-2026-3300
The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Executio
|
| 49 |
CVE-2026-4257
The Contact Form by Supsystic plugin for WordPress is vulnerable to Server-Side
|
| 49 |
CVE-2026-3584
The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in al
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 730d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2298d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2111d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1725d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2228d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4976d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1196d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 998d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3753d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 900d |