Total CVEs
5757
last 30 days
Avg Priority
34.0
of max 220
KEV
6
actively exploited
POC
799
public exploits
Unpatched
1581
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-5281
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co
117
CVE-2026-33634
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publi
117
CVE-2026-33017
## Summary
The `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint allows building public flows
117
CVE-2026-3055
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP l
109
CVE-2026-3502
TrueConf Client downloads application update code and applies it without performing verification. An
Priority Distribution
| Priority | CVE |
|---|---|
| 42 |
CVE-2026-28821
A validation issue existed in the entitlement verification. This issue was addre
|
| 42 |
CVE-2026-28832
An out-of-bounds read was addressed with improved bounds checking. This issue is
|
| 42 |
CVE-2026-30290
An arbitrary file overwrite vulnerability in InTouch Contacts & Caller ID APP v6
|
| 42 |
CVE-2026-26306
The installer for OM Workspace (Windows Edition) Ver 2.4 and earlier insecurely
|
| 42 |
CVE-2026-4255
A DLL search order hijacking vulnerability in Thermalright TR-VISION HOME on Win
|
| 42 |
CVE-2026-23995
EVerest is an EV charging software stack. Prior to version 2026.02.0, stack-base
|
| 42 |
CVE-2026-32925
V-SFT versions 6.2.10.0 and prior contain a stack-based buffer overflow in VS6Co
|
| 42 |
CVE-2026-32928
V-SFT versions 6.2.10.0 and prior contain a stack-based buffer overflow in VS6Co
|
| 42 |
CVE-2026-4732
Out-of-bounds Read vulnerability in tildearrow furnace (extern/libsndfile-modif
|
| 42 |
CVE-2026-34589
OpenEXR provides the specification and reference implementation of the EXR file
|
| 42 |
CVE-2026-28760
The installer of RATOC RAID Monitoring Manager for Windows searches the current
|
| 42 |
CVE-2026-28704
Emocheck insecurely loads Dynamic Link Libraries (DLLs). If a crafted DLL file i
|
| 42 |
CVE-2026-30287
An arbitrary file overwrite vulnerability in Deep Thought Industries ACE Scanner
|
| 42 |
CVE-2026-4788
IBM Tivoli Netcool Impact 7.1.0.0 through 7.1.0.37 stores sensitive information
|
| 42 |
CVE-2026-30289
An arbitrary file overwrite vulnerability in Tinybeans Private Family Album App
|
| 42 |
CVE-2026-30292
An arbitrary file overwrite vulnerability in Docudepot PDF Reader: PDF Viewer AP
|
| 42 |
CVE-2026-33632
ClearanceKit intercepts file-system access events on macOS and enforces per-proc
|
| 42 |
CVE-2026-34544
OpenEXR provides the specification and reference implementation of the EXR file
|
| 42 |
CVE-2026-32927
V-SFT versions 6.2.10.0 and prior contain an out-of-bounds read vulnerability in
|
| 42 |
CVE-2026-32926
V-SFT versions 6.2.10.0 and prior contain an out-of-bounds read vulnerability in
|
| 42 |
CVE-2026-30291
An arbitrary file overwrite vulnerability in Ora Tools PDF Reader ' Reader & Edi
|
| 42 |
CVE-2026-32929
V-SFT versions 6.2.10.0 and prior contain an out-of-bounds read in VS6ComFile!ge
|
| 42 |
CVE-2026-28520
arduino-TuyaOpen before version 1.2.1 contains a single-byte buffer overflow vul
|
| 42 |
CVE-2026-33253
SANUPS SOFTWARE provided by SANYO DENKI CO., LTD. registers Windows services wit
|
| 42 |
CVE-2026-32845
cgltf version 1.15 and prior contain an integer overflow vulnerability in the cg
|
| 42 |
CVE-2026-22682
OpenHarness prior to commit 166fcfe contains an improper access control vulnerab
|
| 42 |
CVE-2026-22593
EVerest is an EV charging software stack. Prior to version 2026.02.0, an off-by-
|
| 42 |
CVE-2026-33747
### Impact
When using a custom BuildKit frontend, the frontend can craft an API
|
| 42 |
CVE-2026-21915
A Permissive List of Allowed Input vulnerability in the CLI of Juniper Networks
|
| 42 |
CVE-2026-40027
ALEAPP (Android Logs Events And Protobuf Parser) through 3.4.0 contains a path t
|
| 42 |
CVE-2026-40024
The Sleuth Kit through 4.14.0 contains a path traversal vulnerability in tsk_rec
|
| 42 |
CVE-2026-40030
parseusbs before 1.9 contains an OS command injection vulnerability where the vo
|
| 42 |
CVE-2026-40113
PraisonAI is a multi-agent teams system. Prior to 4.5.128, deploy.py constructs
|
| 42 |
CVE-2026-35204
Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, a spec
|
| 42 |
CVE-2026-35641
OpenClaw before 2026.3.24 contains an arbitrary code execution vulnerability in
|
| 42 |
CVE-2026-33791
An OS Command Injection vulnerability in the CLI processing of Juniper Networks
|
| 42 |
CVE-2026-4266
An Insecure Deserialization vulnerability in WatchGuard Fireware OS allows an at
|
| 42 |
CVE-2026-35553
Bluetooth ACPI Drivers provided by Dynabook Inc. contain a stack-based buffer ov
|
| 42 |
CVE-2026-35205
Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, Helm w
|
| 42 |
CVE-2025-14213
Cato Networks’ Socket versions prior to 25 contain a command injection vulnerabi
|
| 42 |
CVE-2026-32725
SciTokens C++ is a minimal library for creating and using SciTokens from C or C+
|
| 42 |
CVE-2026-0708
A flaw was found in libucl. A remote attacker could exploit this by providing a
|
| 42 |
CVE-2026-22897
A command injection vulnerability has been reported to affect QuNetSwitch. The r
|
| 42 |
CVE-2026-0562
A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows
|
| 42 |
CVE-2026-3549
Heap Overflow in TLS 1.3 ECH parsing. An integer underflow existed in ECH extens
|
| 42 |
CVE-2026-34524
## Summary
A Path Traversal vulnerability in chat endpoints allows an authentica
|
| 42 |
CVE-2026-33980
### Summary
adx-mcp-server (<= latest, commit 48b2933) contains KQL (Kusto Quer
|
| 42 |
CVE-2026-34221
A prototype pollution vulnerability exists in the `Utils.merge` helper used inte
|
| 42 |
CVE-2026-34072
Cr*nMaster (cronmaster) is a Cronjob management UI with human readable syntax, l
|
| 42 |
CVE-2026-25083
GROWI OpenAI thread/message API endpoints do not perform authorization. Affected
|
| 42 |
CVE-2026-33407
Wallos is an open-source, self-hostable personal subscription tracker. Prior to
|
| 42 |
CVE-2026-34780
### Impact
Apps that pass `VideoFrame` objects (from the WebCodecs API) across t
|
| 42 |
CVE-2026-35394
### Summary
The `mobile_open_url` tool in mobile-mcp passes user-supplied URLs
|
| 42 |
CVE-2026-4064
Missing authorization checks on multiple gRPC service endpoints in PowerShell Un
|
| 42 |
CVE-2026-31998
OpenClaw versions 2026.2.22 and 2026.2.23 contain an authorization bypass vulner
|
| 42 |
CVE-2025-15617
Wazuh version 4.12.0 contains an exposure vulnerability in GitHub Actions workfl
|
| 42 |
CVE-2026-34576
Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST
|
| 42 |
CVE-2026-24148
NVIDIA Jetson for JetPack contains a vulnerability in the system initialization
|
| 42 |
CVE-2026-1313
The MimeTypes Link Icons plugin for WordPress is vulnerable to Server-Side Reque
|
| 42 |
CVE-2026-34719
Zammad is a web based open source helpdesk/customer support system. Prior to 7.0
|
| 42 |
CVE-2026-33981
### Summary
The `jq:` and `jqraw:` include filter expressions allow use of the
|
| 42 |
CVE-2026-33210
### Impact
A format string injection vulnerability than that lead to denial of
|
| 42 |
CVE-2026-32759
## Summary
The TUS resumable upload handler parses the `Upload-Length` header as
|
| 42 |
CVE-2025-55262
HCL Aftermarket DPC is affected by SQL Injection which allows attacker to exploi
|
| 42 |
CVE-2026-35478
InvenTree is an Open Source Inventory Management System. From 0.16.0 to before 1
|
| 42 |
CVE-2026-33779
An Improper Following of a Certificate's Chain of Trust vulnerability in J-Web o
|
| 42 |
CVE-2026-32902
OpenClaw before 2026.3.1 contains a server-side request forgery vulnerability in
|
| 42 |
CVE-2026-35595
## Summary
A user with Write-level access to a project can escalate their permi
|
| 42 |
CVE-2026-35618
OpenClaw before 2026.3.23 contains a replay identity vulnerability in Plivo V2 s
|
| 42 |
CVE-2026-5264
Heap buffer overflow in DTLS 1.3 ACK message processing. A remote attacker can s
|
| 42 |
CVE-2026-31939
Chamilo LMS is a learning management system. Prior to 1.11.38, there is a path t
|
| 42 |
CVE-2026-28808
Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unaut
|
| 41 |
CVE-2026-34363
### Impact
When multiple clients subscribe to the same class via LiveQuery, the
|
| 41 |
CVE-2026-35091
A flaw was found in Corosync. A remote unauthenticated attacker can exploit a wr
|
| 41 |
CVE-2026-34215
### Impact
The verify password endpoint returns unsanitized authentication data
|
| 41 |
CVE-2026-33942
Saloon is a PHP library that gives users tools to build API integrations and SDK
|
| 41 |
CVE-2026-39363
### Summary
[`server.fs`](https://vite.dev/config/server-options#server-fs-stri
|
| 41 |
CVE-2026-34045
Podman Desktop is a graphical tool for developing on containers and Kubernetes.
|
| 41 |
CVE-2026-35525
### Summary
LiquidJS enforces partial and layout root restrictions using the re
|
| 41 |
CVE-2026-35604
File Browser is a file managing interface for uploading, deleting, previewing, r
|
| 41 |
CVE-2026-5208
Command injection in alerts in CoolerControl/coolercontrold <4.0.0 allows authen
|
| 41 |
CVE-2026-32296
Sipeed NanoKVM before 2.3.1 exposes a Wi-Fi configuration endpoint without prope
|
| 41 |
CVE-2026-34042
act's built-in actions/cache server listens to connections on all interfaces and
|
| 41 |
CVE-2026-27124
## Summary
While testing the *GitHubProvider* OAuth integration, which allows au
|
| 41 |
CVE-2026-34219
## Description
### Summary
The Rust libp2p Gossipsub implementation contains a r
|
| 41 |
CVE-2026-29872
A cross-session information disclosure vulnerability exists in the awesome-llm-a
|
| 41 |
CVE-2026-33946
### Summary
The Ruby SDK's [streamable_http_transport.rb](https://github.com/mo
|
| 41 |
CVE-2026-34573
Parse Server is an open source backend that can be deployed to any infrastructur
|
| 41 |
CVE-2026-32877
Botan is a C++ cryptography library. From version 2.3.0 to before version 3.11.0
|
| 41 |
CVE-2026-33508
### Impact
Parse Server's LiveQuery component does not enforce the `requestComp
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 730d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2298d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2111d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1725d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2228d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4976d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1196d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 998d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3753d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 900d |