Total CVEs
5705
last 30 days
Avg Priority
34.0
of max 220
KEV
6
actively exploited
POC
783
public exploits
Unpatched
1571
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-5281
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co
117
CVE-2026-33634
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publi
117
CVE-2026-33017
## Summary
The `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint allows building public flows
117
CVE-2026-3055
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP l
109
CVE-2026-3502
TrueConf Client downloads application update code and applies it without performing verification. An
Priority Distribution
| Priority | CVE |
|---|---|
| 46 |
CVE-2026-33286
### Summary
An arbitrary method execution vulnerability has been found which af
|
| 46 |
CVE-2026-34952
### Summary
The PraisonAI Gateway server accepts WebSocket connections at `/ws`
|
| 46 |
CVE-2026-29145
CLIENT_CERT authentication does not fail as expected for some scenarios when sof
|
| 46 |
CVE-2026-34374
WWBN AVideo is an open source video platform. In versions up to and including 26
|
| 46 |
CVE-2026-5627
A path traversal vulnerability exists in mintplex-labs/anything-llm versions up
|
| 46 |
CVE-2026-22732
When applications specify HTTP response headers for servlet applications using S
|
| 46 |
CVE-2026-4599
Versions of the package jsrsasign from 7.0.0 and before 11.1.1 are vulnerable to
|
| 46 |
CVE-2026-34953
### Summary
`OAuthManager.validate_token()` returns `True` for any token not fo
|
| 46 |
CVE-2025-15031
A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file
|
| 46 |
CVE-2026-35560
Improper certificate validation in the identity provider connection components i
|
| 46 |
CVE-2026-34758
OneUptime is an open-source monitoring and observability platform. Prior to vers
|
| 46 |
CVE-2026-32698
OpenProject is an open-source, web-based project management software. Versions p
|
| 46 |
CVE-2026-33297
### Summary
The `setPassword.json.php` endpoint in the CustomizeUser plugin all
|
| 46 |
CVE-2026-34560
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
|
| 46 |
CVE-2025-15618
Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses a
|
| 46 |
CVE-2026-35039
## Impact
Setting up a custom cacheKeyBuilder method which does not properly cr
|
| 46 |
CVE-2026-34872
An issue was discovered in Mbed TLS 3.5.x and 3.6.x through 3.6.5 and TF-PSA-Cry
|
| 46 |
CVE-2026-30701
The web interface of the WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02)
|
| 46 |
CVE-2026-28386
Issue summary: Applications using AES-CFB128 encryption or decryption on
systems
|
| 46 |
CVE-2025-58349
An issue was discovered in L2 in Samsung Mobile Processor, Wearable Processor, a
|
| 46 |
CVE-2025-69515
An issue in JXL 9 Inch Car Android Double Din Player Android v12.0 allows attack
|
| 46 |
CVE-2026-33202
### Impact
Active Storage's `DiskService#delete_prefixed` passes blob keys direc
|
| 46 |
CVE-2026-32524
Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow Phot
|
| 46 |
CVE-2026-31017
A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format fu
|
| 46 |
CVE-2026-34873
An issue was discovered in Mbed TLS 3.5.0 through 4.0.0. Client impersonation ca
|
| 46 |
CVE-2026-30458
An issue in Daylight Studio FuelCMS v1.5.2 allows attackers to exfiltrate users'
|
| 46 |
CVE-2026-4716
Incorrect boundary conditions, uninitialized memory in the JavaScript Engine com
|
| 46 |
CVE-2026-4715
Uninitialized memory in the Graphics: Canvas2D component. This vulnerability aff
|
| 46 |
CVE-2026-34559
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
|
| 46 |
CVE-2026-27071
Missing Authorization vulnerability in Arraytics WPCafe wp-cafe allows Exploitin
|
| 46 |
CVE-2025-15484
The Order Notification for WooCommerce WordPress plugin before 3.6.3 overrides
|
| 46 |
CVE-2026-35580
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, GitHub Act
|
| 46 |
CVE-2025-57735
When user logged out, the JWT token the user had authtenticated with was not inv
|
| 46 |
CVE-2026-33867
### Summary
AVideo allows content owners to password-protect individual videos.
|
| 46 |
CVE-2026-33186
### Impact
_What kind of vulnerability is it? Who is impacted?_
It is an **Auth
|
| 46 |
CVE-2026-4177
YAML::Syck versions through 1.36 for Perl has several potential security vulnera
|
| 46 |
CVE-2026-4724
Undefined behavior in the Audio/Video component. This vulnerability affects Fire
|
| 46 |
CVE-2026-34950
### Summary
The fix for GHSA-c2ff-88x2-x9pg (CVE-2023-48223) is incomplete. The
|
| 46 |
CVE-2026-33771
A Weak Password Requirements vulnerability in the password management function o
|
| 46 |
CVE-2026-35174
Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, a path tra
|
| 46 |
CVE-2026-32892
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Ch
|
| 46 |
CVE-2026-39980
OpenCTI is an open source platform for managing cyber threat intelligence knowle
|
| 46 |
CVE-2026-40258
## Summary
A path traversal vulnerability (Zip Slip) exists in the media archiv
|
| 46 |
CVE-2026-35050
text-generation-webui is an open-source web interface for running Large Language
|
| 45 |
CVE-2026-33066
# Stored XSS to RCE via Unsanitized Bazaar README Rendering
## Summary
SiYuan'
|
| 45 |
CVE-2026-33067
# Stored XSS to RCE via Unsanitized Bazaar Package Metadata
## Summary
SiYuan'
|
| 45 |
CVE-2026-32751
# Remote Code Execution via Stored XSS in Notebook Name - Mobile Interface
## S
|
| 45 |
CVE-2026-35216
Budibase is an open-source low-code platform. Prior to version 3.33.4, an unauth
|
| 45 |
CVE-2025-32991
In N2WS Backup & Recovery before 4.4.0, a two-step attack against the RESTful AP
|
| 45 |
CVE-2026-39846
SiYuan is a personal knowledge management system. Prior to 3.6.4, a malicious no
|
| 45 |
CVE-2026-34448
SiYuan is a personal knowledge management system. Prior to version 3.6.2, an att
|
| 45 |
CVE-2026-3564
A condition in ScreenConnect may allow an actor with access to server-level cryp
|
| 45 |
CVE-2026-27540
Unrestricted Upload of File with Dangerous Type vulnerability in Rymera Web Co P
|
| 45 |
CVE-2026-30924
### Summary
The application implements an HTML5 cross-origin resource sharing (C
|
| 45 |
CVE-2026-32703
OpenProject is an open-source, web-based project management software. In version
|
| 45 |
CVE-2026-0898
An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pe
|
| 45 |
CVE-2026-28798
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 syst
|
| 45 |
CVE-2025-33244
NVIDIA APEX for Linux contains a vulnerability where an unauthorized attacker co
|
| 45 |
CVE-2026-30282
An arbitrary file overwrite vulnerability in UXGROUP LLC Cast to TV Screen Mirro
|
| 45 |
CVE-2026-32891
Anchorr is a Discord bot for requesting movies and TV shows and receiving notifi
|
| 45 |
CVE-2026-39305
The Action Orchestrator feature contains a Path Traversal vulnerability that all
|
| 45 |
CVE-2026-32519
Incorrect Privilege Assignment vulnerability in Bit Apps Bit SMTP bit-smtp allow
|
| 45 |
CVE-2026-39860
Nix is a package manager for Linux and other Unix systems. A bug in the fix for
|
| 45 |
CVE-2026-34971
Wasmtime is a runtime for WebAssembly. From 32.0.0 to before 36.0.7, 42.0.2, and
|
| 45 |
CVE-2026-34987
Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and
|
| 0 |
CVE-2026-33863
### Impact
Two unguarded prototype pollution paths exist, not covered by previou
|
| 0 |
CVE-2026-33864
### Summary
A prototype pollution vulnerability exists in the latest version of
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 730d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2298d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2111d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1725d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2228d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4976d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1196d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 998d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3753d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 900d |
Prev
6 / 6