Total CVEs
6024
last 30 days
Avg Priority
35.2
of max 220
KEV
8
actively exploited
POC
742
public exploits
Unpatched
1187
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-5281
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co
118
CVE-2026-34621
Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Control
117
CVE-2026-33634
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publi
117
CVE-2026-3055
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP l
114
CVE-2026-34197
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i
109
CVE-2026-3502
TrueConf Client downloads application update code and applies it without performing verification. An
109
CVE-2026-32201
Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform
Priority Distribution
| Priority | CVE |
|---|---|
| 18 |
CVE-2026-32909
OpenClaw before 2026.2.19 contains a command injection vulnerability in tools.ex
|
| 18 |
CVE-2026-40077
Beszel is a server monitoring platform. Prior to 0.18.7, some API endpoints in t
|
| 18 |
CVE-2026-35400
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web app
|
| 18 |
CVE-2026-33551
An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.
|
| 18 |
CVE-2026-40334
libgphoto2 is a camera access and control library. In versions up to and includi
|
| 18 |
CVE-2026-35679
Zcash zcashd before 6.12.0 allows invalid transactions to be accepted under cert
|
| 18 |
CVE-2026-34454
OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 provid
|
| 18 |
CVE-2026-40341
libgphoto2 is a camera access and control library. In versions up to and includi
|
| 18 |
CVE-2025-55270
HCL Aftermarket DPC is affected by Improper Input Validation which allows an att
|
| 17 |
CVE-2026-33404
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level
|
| 17 |
CVE-2026-2271
A flaw was found in GIMP's PSP (Paint Shop Pro) file parser. A remote attacker c
|
| 17 |
CVE-2026-33529
# Authenticated Path Traversal to RCE via Configuration Import
## Summary
An a
|
| 17 |
CVE-2026-28864
This issue was addressed with improved permissions checking. This issue is fixed
|
| 17 |
CVE-2026-28893
A privacy issue was addressed with improved handling of temporary files. This is
|
| 17 |
CVE-2026-20684
A permissions issue was addressed with additional restrictions. This issue is fi
|
| 17 |
CVE-2026-0965
A flaw was found in libssh where it can attempt to open arbitrary files during c
|
| 17 |
CVE-2026-34766
### Impact
The `select-usb-device` event callback did not validate the chosen de
|
| 17 |
CVE-2026-35094
A flaw was found in libinput. An attacker capable of deploying a Lua plugin file
|
| 17 |
CVE-2026-28264
Dell PowerProtect Agent Service, version(s) prior to 20.1, contain(s) an Incorre
|
| 17 |
CVE-2026-21727
---
title: Cross-Tenant Legacy Correlation Disclosure and Deletion
draft: false
|
| 17 |
CVE-2026-4761
When
a certificate and its private key are installed in the Windows machine
cert
|
| 17 |
CVE-2025-43236
A type confusion issue was addressed with improved memory handling. This issue i
|
| 17 |
CVE-2026-21715
A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSyn
|
| 16 |
CVE-2026-29179
October is a Content Management System (CMS) and web platform. Prior to 3.7.16 a
|
| 16 |
CVE-2026-31369
PcManager is affected by type privilege bypass, successful exploitation of this
|
| 16 |
CVE-2026-35249
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (comp
|
| 16 |
CVE-2026-39419
MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below
|
| 16 |
CVE-2026-33436
Stirling-PDF is a locally hosted web application that facilitates various operat
|
| 16 |
CVE-2026-35538
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitiz
|
| 16 |
CVE-2026-39396
OpenBao is an open source identity-based secrets management system. Prior to ver
|
| 16 |
CVE-2026-2475
IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify
|
| 16 |
CVE-2026-0968
A flaw was found in libssh in which a malicious SFTP (SSH File Transfer Protocol
|
| 16 |
CVE-2026-35387
OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA al
|
| 16 |
CVE-2026-3155
The OneSignal - Web Push Notifications plugin for WordPress is vulnerable to aut
|
| 16 |
CVE-2026-29071
Open WebUI is a self-hosted artificial intelligence platform designed to operate
|
| 16 |
CVE-2026-33212
Weblate is a web based localization tool. In versions prior to 5.17, the tasks A
|
| 16 |
CVE-2026-4874
A flaw was found in Keycloak. An authenticated attacker can perform Server-Side
|
| 16 |
CVE-2025-14808
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 could allow an attac
|
| 16 |
CVE-2026-33405
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level
|
| 16 |
CVE-2026-32696
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In NanoMQ
|
| 16 |
CVE-2026-40109
Flux notification-controller is the event forwarder and notification dispatcher
|
| 16 |
CVE-2026-0397
When the internal webserver is enabled (default is disabled), an attacker might
|
| 16 |
CVE-2026-6313
Insufficient policy enforcement in CORS in Google Chrome prior to 147.0.7727.101
|
| 16 |
CVE-2026-6312
Insufficient policy enforcement in Passwords in Google Chrome prior to 147.0.772
|
| 16 |
CVE-2026-0396
An attacker might be able to inject HTML content into the internal web dashboard
|
| 16 |
CVE-2026-27937
October is a Content Management System (CMS) and web platform. Prior to 3.7.16 a
|
| 16 |
CVE-2025-55271
HCL Aftermarket DPC is affected by HTTP Response Splitting vulnerability where i
|
| 16 |
CVE-2025-55276
HCL Aftermarket DPC is affected by Internal IP Disclosure vulnerability will giv
|
| 16 |
CVE-2025-55272
HCL Aftermarket DPC is affected by Banner Disclosure vulnerability where attacke
|
| 15 |
CVE-2026-5382
An issue that could expose records outside of the authorized organization scope
|
| 15 |
CVE-2026-5379
An issue that allowed MCP agents to access certificate information from outside
|
| 15 |
CVE-2026-33948
jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db284
|
| 15 |
CVE-2026-33769
Astro is a web framework. From version 2.10.10 to before version 5.18.1, this is
|
| 15 |
CVE-2026-4742
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
|
| 15 |
CVE-2026-40354
Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Fla
|
| 15 |
CVE-2026-41080
libexpat before 2.7.6 uses insufficient entropy, and thus hash flooding can occu
|
| 15 |
CVE-2026-40228
In systemd 259, systemd-journald can send ANSI escape sequences to the terminals
|
| 15 |
CVE-2026-40947
Yubico libfido2 before 1.17.0, python-fido2 before 2.2.0, and yubikey-manager be
|
| 15 |
CVE-2025-52641
HCL AION is affected by a vulnerability where certain system behaviours may allo
|
| 14 |
CVE-2026-22007
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Ente
|
| 14 |
CVE-2026-34268
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Ente
|
| 14 |
CVE-2026-34781
### Impact
Apps that call `clipboard.readImage()` may be vulnerable to a denial
|
| 14 |
CVE-2026-33762
### Impact
`go-git`’s index decoder for format version 4 fails to validate the
|
| 14 |
CVE-2026-2239
A flaw was found in GIMP. Heap-buffer-overflow vulnerability exists in the fread
|
| 14 |
CVE-2026-3469
A denial-of-service (DoS) vulnerability exists due to improper input validation
|
| 14 |
CVE-2026-33160
### Summary
An unauthenticated user can call `assets/generate-transform` with a
|
| 14 |
CVE-2026-34519
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python.
|
| 14 |
CVE-2026-34520
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python.
|
| 14 |
CVE-2026-34514
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python.
|
| 14 |
CVE-2026-37598
SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to arbitr
|
| 14 |
CVE-2026-34947
Discourse is an open-source discussion platform. From versions 2026.1.0-latest t
|
| 14 |
CVE-2025-14551
In Ubuntu, Subiquity version 24.04.4 could leak sensitive user credentials durin
|
| 14 |
CVE-2025-15480
In Ubuntu, ubuntu-desktop-provision version 24.04.4 could leak sensitive user cr
|
| 14 |
CVE-2026-33879
Federated Learning and Interoperability Platform (FLIP) is an open-source platfo
|
| 14 |
CVE-2026-34518
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python.
|
| 14 |
CVE-2026-34513
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python.
|
| 14 |
CVE-2026-34517
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python.
|
| 14 |
CVE-2026-34762
## Summary
The `PUT /api/v1/subscriber/{imsi}` API accepts an IMSI identifier f
|
| 14 |
CVE-2025-66487
IBM Aspera Shares 1.9.9 through 1.11.0 does not properly rate limit the frequenc
|
| 14 |
CVE-2026-37592
Sourcecodester Storage Unit Rental Management System v1.0 is vulnerable to SQL i
|
| 14 |
CVE-2026-34203
Nautobot is a Network Source of Truth and Network Automation Platform. Prior to
|
| 14 |
CVE-2026-27316
A insufficiently protected credentials vulnerability in Fortinet FortiSandbox 5.
|
| 14 |
CVE-2026-5375
An issue that could allow a user with access to a credential to view sensitive f
|
| 14 |
CVE-2026-27769
Mattermost versions 10.11.x <= 10.11.12 fail to validate whether users were corr
|
| 14 |
CVE-2026-36938
Sourcecodester Online Resort Management System v1.0 is vulnerable to SQL injecti
|
| 14 |
CVE-2026-36947
Sourcecodester Computer and Mobile Repair Shop Management System v1.0 is vulnera
|
| 14 |
CVE-2026-36923
Sourcecodester Cab Management System 1.0 is vulnerable to SQL Injection in the f
|
| 14 |
CVE-2026-36941
Sourcecodester Online Resort Management System v1.0 is vulnerable to SQL Injecti
|
| 14 |
CVE-2026-36937
Sourcecodester Online Resort Management System v1.0 is vulnerable to SQL injecti
|
| 14 |
CVE-2026-37602
SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL In
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 739d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2307d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2120d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1734d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2237d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4985d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1205d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1007d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3762d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 909d |