Total CVEs
5707
last 30 days
Avg Priority
34.0
of max 220
KEV
6
actively exploited
POC
786
public exploits
Unpatched
1571
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-5281
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co
117
CVE-2026-33634
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publi
117
CVE-2026-33017
## Summary
The `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint allows building public flows
117
CVE-2026-3055
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP l
109
CVE-2026-3502
TrueConf Client downloads application update code and applies it without performing verification. An
Priority Distribution
| Priority | CVE |
|---|---|
| 35 |
CVE-2026-5150
A security vulnerability has been detected in code-projects Accounting System 1.
|
| 35 |
CVE-2026-5195
A flaw has been found in code-projects Student Membership System 1.0. This issue
|
| 35 |
CVE-2026-5334
A weakness has been identified in itsourcecode Online Enrollment System 1.0. Imp
|
| 35 |
CVE-2026-5237
A security flaw has been discovered in itsourcecode Payroll Management System 1.
|
| 35 |
CVE-2026-5257
A vulnerability has been found in code-projects Simple Laundry System 1.0. This
|
| 35 |
CVE-2026-27697
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS ha
|
| 35 |
CVE-2026-33088
Movable Type provided by Six Apart Ltd. contains an SQL Injection vulnerability
|
| 35 |
CVE-2026-5575
A vulnerability was detected in SourceCodester/jkev Record Management System 1.0
|
| 35 |
CVE-2026-32662
Development and test API endpoints are present that mirror production functional
|
| 35 |
CVE-2026-4956
A vulnerability was detected in Shenzhen Ruiming Technology Streamax Crocus 1.3.
|
| 35 |
CVE-2026-21630
Improperly built order clauses lead to a SQL injection vulnerability in the arti
|
| 35 |
CVE-2026-33332
## Summary
NiceGUI's `app.add_media_file()` and `app.add_media_files()` media r
|
| 35 |
CVE-2026-21004
Improper authentication in Smart Switch prior to version 3.7.69.15 allows adjace
|
| 35 |
CVE-2025-69238
Raytha CMS is vulnerable to Cross-Site Request Forgery across multiple endpoints
|
| 35 |
CVE-2026-32041
OpenClaw versions prior to 2026.3.1 fail to properly handle authentication boots
|
| 35 |
CVE-2026-31967
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is
|
| 35 |
CVE-2026-31966
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is
|
| 35 |
CVE-2025-71280
XenForo before 2.3.7 allows information disclosure via local account page cachin
|
| 35 |
CVE-2026-31973
SAMtools is a program for reading, manipulating and writing bioinformatics file
|
| 35 |
CVE-2026-31972
SAMtools is a program for reading, manipulating and writing bioinformatics file
|
| 35 |
CVE-2026-22177
OpenClaw versions prior to 2026.2.21 fail to filter dangerous process-control en
|
| 35 |
CVE-2026-34400
Alerta is a monitoring tool. Prior to version 9.1.0, the Query string search API
|
| 35 |
CVE-2026-32919
OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowin
|
| 35 |
CVE-2025-68152
Juju is an open source application orchestration engine that enables any applica
|
| 34 |
CVE-2026-39892
If a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g
|
| 34 |
CVE-2026-5974
A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.1. The affe
|
| 34 |
CVE-2026-35655
OpenClaw before 2026.3.22 contains an identity spoofing vulnerability in ACP per
|
| 34 |
CVE-2026-35661
OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Tele
|
| 34 |
CVE-2026-35654
OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Micr
|
| 34 |
CVE-2026-5669
A vulnerability has been found in Cyber-III Student-Management-System up to 1a93
|
| 34 |
CVE-2026-33773
An Incorrect Initialization of Resource vulnerability in the packet forwarding e
|
| 34 |
CVE-2026-34941
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0
|
| 34 |
CVE-2026-40178
ajenti.plugin.core defines all necessary core elements to allow Ajenti to run pr
|
| 34 |
CVE-2026-5689
A vulnerability was detected in Totolink A7100RU 7.4cu.2313_b20191024. The affec
|
| 34 |
CVE-2026-34478
Apache Log4j Core's Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/l
|
| 34 |
CVE-2026-35667
OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-27486 where th
|
| 34 |
CVE-2026-35664
OpenClaw before 2026.3.25 contains an authentication bypass vulnerability in raw
|
| 34 |
CVE-2026-35627
OpenClaw before 2026.3.22 performs cryptographic and dispatch operations on inbo
|
| 34 |
CVE-2026-35626
OpenClaw before 2026.3.22 contains an unauthenticated resource exhaustion vulner
|
| 34 |
CVE-2026-5691
A vulnerability has been found in Totolink A7100RU 7.4cu.2313_b20191024. This af
|
| 34 |
CVE-2026-35633
OpenClaw before 2026.3.22 contains an unbounded memory allocation vulnerability
|
| 34 |
CVE-2026-5503
In TLSX_EchChangeSNI, the ctx->extensions branch set extensions unconditionally
|
| 34 |
CVE-2026-35647
OpenClaw before 2026.3.25 contains an access control vulnerability where verific
|
| 34 |
CVE-2026-34480
Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layou
|
| 34 |
CVE-2026-35652
OpenClaw before 2026.3.22 contains an authorization bypass vulnerability in inte
|
| 34 |
CVE-2026-5672
A vulnerability has been found in code-projects Simple IT Discussion Forum 1.0.
|
| 34 |
CVE-2026-5663
A security flaw has been discovered in OFFIS DCMTK up to 3.7.0. This impacts the
|
| 34 |
CVE-2026-35640
OpenClaw before 2026.3.25 parses JSON request bodies before validating webhook s
|
| 34 |
CVE-2026-35665
OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-32011 where th
|
| 34 |
CVE-2026-35637
OpenClaw before 2026.3.22 performs cite expansion before completing channel and
|
| 34 |
CVE-2026-34722
Zammad is a web based open source helpdesk/customer support system. Prior to 7.0
|
| 34 |
CVE-2026-34479
The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape ch
|
| 34 |
CVE-2026-5802
A vulnerability was identified in idachev mcp-javadc up to 1.2.4. Impacted is an
|
| 34 |
CVE-2026-5813
A weakness has been identified in PHPGurukul Online Course Registration 3.1. Thi
|
| 34 |
CVE-2026-5690
A flaw has been found in Totolink A7100RU 7.4cu.2313_b20191024. The impacted ele
|
| 34 |
CVE-2026-6105
A security vulnerability has been detected in perfree go-fastdfs-web up to 1.3.7
|
| 34 |
CVE-2026-33774
An Improper Check for Unusual or Exceptional Conditions vulnerability in the pac
|
| 34 |
CVE-2026-22900
A use of hard-coded credentials vulnerability has been reported to affect QuNetS
|
| 34 |
CVE-2025-59709
An issue was discovered in Biztalk360 through 11.5. because of mishandling of us
|
| 34 |
CVE-2026-31067
A remote command execution (RCE) vulnerability in the /goform/formReleaseConnect
|
| 34 |
CVE-2026-33691
The OWASP core rule set (CRS) is a set of generic attack detection rules for use
|
| 34 |
CVE-2026-3112
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.
|
| 34 |
CVE-2025-13406
NULL Pointer Dereference vulnerability in Softing Industrial Automation GmbH sma
|
| 34 |
CVE-2026-32567
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') v
|
| 34 |
CVE-2026-33194
## Summary
The `IsSensitivePath()` function in `kernel/util/path.go` uses a den
|
| 34 |
CVE-2026-32750
### Summary
`POST /api/import/importStdMd` passes the `localPath` parameter dire
|
| 34 |
CVE-2026-27855
Dovecot OTP authentication is vulnerable to replay attack under specific conditi
|
| 34 |
CVE-2026-32747
### Summary
`POST /api/file/globalCopyFiles` reads source files using `filepath.
|
| 34 |
CVE-2026-32007
OpenClaw versions prior to 2026.2.23 contain a path traversal vulnerability in t
|
| 34 |
CVE-2026-31951
LibreChat is a ChatGPT clone with additional features. In versions 0.8.2-rc1 thr
|
| 34 |
CVE-2026-34775
### Impact
The `nodeIntegrationInWorker` webPreference was not correctly scoped
|
| 34 |
CVE-2026-4818
In Search Guard FLX versions from 3.0.0 up to 4.0.1, there exists an issue which
|
| 34 |
CVE-2026-34080
xdg-dbus-proxy is a filtering proxy for D-Bus connections. Prior to 0.1.7, a pol
|
| 34 |
CVE-2026-32291
The GL-iNet Comet (GL-RM1) KVM does not require authentication on the UART seria
|
| 34 |
CVE-2026-32279
# Security Advisory - Page Management Plugin (SSRF)
## Summary
A Server-Side R
|
| 34 |
CVE-2026-32005
OpenClaw versions prior to 2026.2.25 fail to enforce sender authorization checks
|
| 34 |
CVE-2026-33308
Mod_gnutls is a TLS module for Apache HTTPD based on GnuTLS. Prior to version 0.
|
| 34 |
CVE-2026-33486
This vulnerability allows an authenticated attacker to read any file on the serv
|
| 34 |
CVE-2026-25328
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') v
|
| 34 |
CVE-2026-32812
## Summary
The SSO metadata fetch endpoint at `modules/sso/fetch_metadata.php`
|
| 34 |
CVE-2025-43534
A path handling issue was addressed with improved validation. This issue is fixe
|
| 34 |
CVE-2026-4931
Smart contract Marginal v1 performs unsafe downcast, allowing attackers to settl
|
| 34 |
CVE-2026-35586
pyLoad is a free and open-source download manager written in Python. Prior to 0.
|
| 34 |
CVE-2025-15584
Netskope was notified about a potential gap in its Endpoint DLP Module for Netsk
|
| 34 |
CVE-2026-31850
Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 stores sensitiv
|
| 34 |
CVE-2026-33990
## Summary
Docker Model Runner contains an SSRF vulnerability in its OCI registr
|
| 34 |
CVE-2026-33572
OpenClaw before 2026.2.17 creates session transcript JSONL files with overly bro
|
| 34 |
CVE-2026-33997
## Summary
A security vulnerability has been detected that allows [plugins](htt
|
| 34 |
CVE-2026-30603
An issue in the firmware update mechanism of Qianniao QN-L23PA0904 v20250721.164
|
| 34 |
CVE-2026-4482
The installer certificate files in the …/bootstrap/common/ssl folder do not seem
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 730d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2298d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2111d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1725d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2228d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4976d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1196d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 998d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3753d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 900d |