| Metric | Value | Note |
|---|---|---|
| Total CVEs | 6019 | last 30 days |
| Avg Priority | 35.2 | of max 220 |
| KEV | 8 | actively exploited |
| POC | 739 | public exploits |
| Unpatched | 1178 | CRIT/HIGH without patch |
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals; the maximum of 220 is the sum of the four maximum contributions (50 + 100 + 50 + 20):

| Signal | Contribution | Meaning |
|---|---|---|
| KEV | +50 | CISA Known Exploited Vulnerability — confirmed active exploitation in the wild |
| EPSS | x100 | Exploit Prediction Scoring System — probability of exploitation in the next 30 days (0-100) |
| CVSS | x5 | Common Vulnerability Scoring System — technical severity (0-50) |
| POC | +20 | Public exploit code exists — lowers the barrier for attackers |

| Score | Level |
|---|---|
| 0-40 | Low |
| 40-80 | Medium |
| 80-120 | High |
| 120+ | Critical |
Patch Now — Known Exploited Vulnerabilities
| Priority | CVE | Description |
|---|---|---|
| 124 | CVE-2026-35616 | An improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an |
| 119 | CVE-2026-5281 | Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co |
| 118 | CVE-2026-34621 | Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Control |
| 117 | CVE-2026-33634 | Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publi |
| 117 | CVE-2026-3055 | Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP l |
| 114 | CVE-2026-34197 | Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i |
| 109 | CVE-2026-3502 | TrueConf Client downloads application update code and applies it without performing verification. An |
| 109 | CVE-2026-32201 | Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform |
Priority Distribution
| Priority | CVE | Description |
|---|---|---|
| 14 | CVE-2026-36923 | Sourcecodester Cab Management System 1.0 is vulnerable to SQL Injection in the f |
| 14 | CVE-2026-36941 | Sourcecodester Online Resort Management System v1.0 is vulnerable to SQL Injecti |
| 14 | CVE-2026-37602 | SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL In |
| 14 | CVE-2026-37601 | SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL In |
| 14 | CVE-2026-37600 | SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL In |
| 14 | CVE-2026-36872 | Sourcecodester Basic Library System v1.0 is vulnerable to SQL Injection in /libr |
| 14 | CVE-2026-37597 | SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnera |
| 14 | CVE-2026-37595 | SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnera |
| 14 | CVE-2026-36943 | Sourcecodester Computer and Mobile Repair Shop Management System v1.0 is vulnera |
| 14 | CVE-2026-37594 | SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnera |
| 14 | CVE-2026-37593 | SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnera |
| 14 | CVE-2026-37591 | Sourcecodester Storage Unit Rental Management System v1.0 is vulnerable to SQL i |
| 14 | CVE-2026-36873 | Sourcecodester Basic Library System v1.0 is vulnerable to SQL Injection in /libr |
| 14 | CVE-2026-36919 | Sourcecodester Online Reviewer System v1.0 is vulnerable to SQL Injection in the |
| 14 | CVE-2026-36946 | Sourcecodester Computer and Mobile Repair Shop Management System v1.0 is vulnera |
| 14 | CVE-2026-36920 | Sourcecodester Online Reviewer System v1.0 is vulnerable to SQL Injection in the |
| 14 | CVE-2026-36942 | Sourcecodester Online Resort Management System v1.0 is vulnerable to SQL injecti |
| 14 | CVE-2026-36874 | Sourcecodester Basic Library System v1.0 is vulnerable to SQL Injection in /libr |
| 14 | CVE-2026-39510 | Authorization Bypass Through User-Controlled Key vulnerability in WP Chill Image |
| 14 | CVE-2026-36952 | Sourcecodester Online Thesis Archiving System v1.0 is vulnerable to SQL injectio |
| 14 | CVE-2026-36950 | Sourcecodester Online Thesis Archiving System v1.0 is vulnerable to SQL injectio |
| 14 | CVE-2026-4916 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 |
| 14 | CVE-2026-4292 | An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4 |
| 14 | CVE-2026-22001 | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: In |
| 13 | CVE-2025-55277 | HCL Aftermarket DPC is affected by Use of Vulnerable/Outdated Versions vulnerabi |
| 13 | CVE-2025-55274 | HCL Aftermarket DPC is affected by Cross-Origin Resource Sharing vulnerability. |
| 13 | CVE-2026-35388 | OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode mu |
| 13 | CVE-2026-34849 | UAF vulnerability in the screen management module. Impact: Successful exploitati |
| 12 | CVE-2026-21741 | An URL Redirection to Untrusted Site ('Open Redirect') vulnerability [CWE-601] v |
| 12 | CVE-2026-27307 | ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Uncontrolled |
| 12 | CVE-2026-27308 | ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Uncontrolled |
| 12 | CVE-2026-2401 | CWE-532 Insertion of Sensitive Information into Log File vulnerability exists th |
| 12 | CVE-2026-40336 | libgphoto2 is a camera access and control library. Versions up to and including |
| 12 | CVE-2026-34312 | Vulnerability in the RDBMS component of Oracle Database Server. Supported versi |
| 12 | CVE-2026-35624 | OpenClaw before 2026.3.22 contains a policy confusion vulnerability in room auth |
| 12 | CVE-2026-35617 | OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Goog |
| 12 | CVE-2026-33658 | Impact: Active Storage's proxy controller does not limit the number of byte r |
| 12 | CVE-2026-5107 | A vulnerability has been found in FRRouting FRR up to 10.5.1. This affects the f |
| 12 | CVE-2026-22051 | StorageGRID (formerly StorageGRID Webscale) versions prior to 11.9.0.13 and 12.0 |
| 12 | CVE-2026-34969 | Refresh Token Leaked via URL Query Parameter in OAuth Provider Callback. Su |
| 12 | CVE-2026-5187 | Two potential heap out-of-bounds write locations existed in DecodeObjectId() in |
| 12 | CVE-2026-0930 | Potential read out of bounds case with wolfSSHd on Windows while handling a term |
| 12 | CVE-2026-33644 | Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the |
| 12 | CVE-2026-35402 | mcp-neo4j-cypher is an MCP server for executing Cypher queries against Neo4j dat |
| 12 | CVE-2026-32642 | Incorrect Authorization (CWE-863) vulnerability in Apache Artemis, Apache Active |
| 12 | CVE-2026-5199 | A writer role user in an attacker-controlled namespace could signal, delete, and |
| 12 | CVE-2026-39957 | Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL opera |
| 12 | CVE-2026-34509 | OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its |
| 12 | CVE-2026-34506 | OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its |
| 12 | CVE-2026-5188 | An integer underflow issue exists in wolfSSL when parsing the Subject Alternativ |
| 12 | CVE-2026-35648 | OpenClaw before 2026.3.22 contains a policy bypass vulnerability where queued no |
| 12 | CVE-2026-34720 | Zammad is a web based open source helpdesk/customer support system. Prior to 7.0 |
| 12 | CVE-2026-33168 | Impact: When a blank string is used as an HTML attribute name in Action View |
| 12 | CVE-2026-5448 | X.509 date buffer overflow in wolfSSL_X509_notAfter / wolfSSL_X509_notBefore. A |
| 12 | CVE-2026-34945 | Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and |
| 12 | CVE-2026-5392 | Heap out-of-bounds read in PKCS7 parsing. A crafted PKCS7 message can trigger an |
| 12 | CVE-2026-34988 | Wasmtime is a runtime for WebAssembly. From 28.0.0 to before 36.0.7, 42.0.2, and |
| 12 | CVE-2026-35250 | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (comp |
| 12 | CVE-2026-34764 | Impact: Apps that use offscreen rendering with GPU shared textures may be vul |
| 11 | CVE-2026-3109 | Mattermost Plugins versions <=11.4 10.11.11.0 fail to validate webhook request t |
| 11 | CVE-2026-5381 | An issue that could expose task information outside of the authorized organizati |
| 11 | CVE-2026-34851 | Race condition vulnerability in the event notification module. Impact: Successfu |
| 11 | CVE-2025-11571 | Vulnerable endpoints accept user-controlled input through a URL in JSON format w |
| 11 | CVE-2026-34224 | Impact: An attacker who possesses a valid authentication provider token and |
| 11 | CVE-2026-5778 | Integer underflow in wolfSSL packet sniffer <= 5.9.0 allows an attacker to cause |
| 11 | CVE-2026-30812 | Improper Neutralization of Input During Web Page Generation vulnerability allows |
| 11 | CVE-2026-32607 | Discourse is an open-source discussion platform. From versions 2026.1.0-latest t |
| 11 | CVE-2026-4794 | Multiple cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF before 25. |
| 11 | CVE-2026-5772 | A 1-byte stack buffer over-read was identified in the MatchDomainName function ( |
| 11 | CVE-2026-35200 | Impact: A file can be uploaded with a filename extension that passes the fil |
| 11 | CVE-2026-33624 | Parse Server is an open source backend that can be deployed to any infrastructur |
| 11 | CVE-2026-34248 | Zammad is a web based open source helpdesk/customer support system. Prior to 7.0 |
| 11 | CVE-2026-5476 | A vulnerability was identified in NASA cFS up to 7.0.0 on 32-bit. Affected is th |
| 11 | CVE-2026-39349 | OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to |
| 11 | CVE-2025-7741 | Hardcoded Password Vulnerability has been found in CENTUM. Affected products co |
| 11 | CVE-2026-28527 | BlueKitchen BTstack contains an out-of-bounds read vulnerability in the AVRCP Co |
| 11 | CVE-2026-28526 | BlueKitchen BTstack contains an out-of-bounds read vulnerability in the AVRCP Co |
| 11 | CVE-2026-28528 | BlueKitchen BTstack contains an out-of-bounds read vulnerability in the AVRCP Br |
| 11 | CVE-2026-27183 | OpenClaw versions prior to 2026.3.7 contain a shell approval gating bypass vulne |
| 10 | CVE-2026-40878 | mailcow: dockerized is an open source groupware/email suite based on docker. In |
| 10 | CVE-2026-5958 | When sed is invoked with both -i (in-place edit) and --follow-symlinks, the func |
| 10 | CVE-2026-33073 | Discourse is an open-source discussion platform. From versions 2026.1.0-latest t |
| 10 | CVE-2026-33674 | Impact: Fix improper use of validation framework. Patches: Patched in 8.2. |
| 10 | CVE-2026-40264 | OpenBao is an open source identity-based secrets management system. OpenBao's na |
| 10 | CVE-2026-39388 | OpenBao is an open source identity-based secrets management system. Prior to ver |
| 10 | CVE-2026-27949 | Plane is an open-source project management tool. Prior to 1.3.0, a vulnerabil |
| 10 | CVE-2026-27675 | SAP Landscape Transformation contains a vulnerability in an RFC-exposed function |
| 10 | CVE-2026-32970 | OpenClaw before 2026.3.11 contains a credential fallback vulnerability where una |
| 10 | CVE-2026-5473 | A vulnerability has been found in NASA cFS up to 7.0.0. The impacted element is |
| 10 | CVE-2026-41330 | OpenClaw before 2026.3.31 contains an environment variable override vulnerabilit |

Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 739d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2307d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2120d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1734d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2237d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4985d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1205d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1007d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3762d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 909d |