Total CVEs
5757
last 30 days
Avg Priority
34.0
of max 220
KEV
6
actively exploited
POC
799
public exploits
Unpatched
1581
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-5281
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co
117
CVE-2026-33634
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publi
117
CVE-2026-33017
## Summary
The `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint allows building public flows
117
CVE-2026-3055
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP l
109
CVE-2026-3502
TrueConf Client downloads application update code and applies it without performing verification. An
Priority Distribution
| Priority | CVE |
|---|---|
| 33 |
CVE-2026-35549
An issue was discovered in MariaDB Server before 11.4.10, 11.5.x through 11.8.x
|
| 33 |
CVE-2026-32733
Halloy is an IRC application written in Rust. Prior to commit 0f77b2cfc5f822517a
|
| 33 |
CVE-2026-21886
OpenCTI is an open source platform for managing cyber threat intelligence knowle
|
| 33 |
CVE-2025-67115
A path traversal vulnerability in /ftl/web/setup.cgi in Small Cell Sercomm SCE42
|
| 33 |
CVE-2026-2375
The App Builder - Create Native Android & iOS Apps On The Flight plugin for Word
|
| 33 |
CVE-2026-33148
Tandoor Recipes is an application for managing recipes, planning meals, and buil
|
| 33 |
CVE-2026-33693
### Summary
The `v4_is_invalid()` function in `activitypub-federation-rust` (`s
|
| 33 |
CVE-2026-26940
Improper Validation of Specified Quantity in Input (CWE-1284) in the Timelion vi
|
| 33 |
CVE-2026-32889
tinytag is a Python library for reading audio file metadata. Version 2.2.0 allow
|
| 33 |
CVE-2026-33528
## Summary
The file content API endpoint at `/api/v1/file/content` is vulnerabl
|
| 33 |
CVE-2025-10736
The ReviewX - WooCommerce Product Reviews with Multi-Criteria, Reminder Emails,
|
| 33 |
CVE-2026-33983
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to versio
|
| 33 |
CVE-2026-2950
Impact:
Lodash versions 4.17.23 and earlier are vulnerable to prototype polluti
|
| 33 |
CVE-2026-30891
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-late
|
| 33 |
CVE-2026-32941
# Summary
A Remote OOM (Out-of-Memory) vulnerability exists in the Sliver C2 ser
|
| 33 |
CVE-2026-1710
The WooPayments: Integrated WooCommerce Payments plugin for WordPress is vulnera
|
| 33 |
CVE-2025-14716
Improper Authentication vulnerability in Secomea GateManager (webserver modules)
|
| 33 |
CVE-2026-33474
## Summary
- Vulnerability: Unbounded image decoding and resizing during preview
|
| 33 |
CVE-2026-27522
OpenClaw versions prior to 2026.2.24 contain a local media root bypass vulnerabi
|
| 33 |
CVE-2026-33022
### Summary
A user with permission to create or update a TaskRun or PipelineRun
|
| 33 |
CVE-2026-34939
### Summary
`MCPToolIndex.search_tools()` compiles a caller-supplied string dir
|
| 33 |
CVE-2026-22320
A stack-based buffer overflow in the CLI's TFTP file‑transfer command handling a
|
| 33 |
CVE-2026-22178
OpenClaw versions prior to 2026.2.19 construct RegExp objects directly from unes
|
| 33 |
CVE-2026-27935
Discourse is an open-source discussion platform. Versions prior to 2026.3.0-late
|
| 33 |
CVE-2026-3138
The Product Filter for WooCommerce by WBW plugin for WordPress is vulnerable to
|
| 33 |
CVE-2026-30662
ConcreteCMS v9.4.7 contains a Denial of Service (DoS) vulnerability in the File
|
| 33 |
CVE-2026-33438
Stirling-PDF is a locally hosted web application that allows you to perform vari
|
| 33 |
CVE-2026-33743
Incus is a system container and virtual machine manager. Prior to version 6.23.0
|
| 33 |
CVE-2026-33541
TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Sa
|
| 33 |
CVE-2026-33428
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-late
|
| 33 |
CVE-2026-34531
## Summary
In a situation where the client makes a request to a token protected
|
| 33 |
CVE-2026-27397
Authorization Bypass Through User-Controlled Key vulnerability in Really Simple
|
| 33 |
CVE-2026-4004
The Task Manager plugin for WordPress is vulnerable to arbitrary shortcode execu
|
| 33 |
CVE-2026-5025
The '/logs' and '/logs-stream' endpoints in the log router allow any authenticat
|
| 33 |
CVE-2026-2369
A flaw was found in libsoup. An integer underflow vulnerability occurs when proc
|
| 33 |
CVE-2026-26004
Sentry is a developer-first error tracking and performance monitoring tool. Vers
|
| 33 |
CVE-2026-34500
CLIENT_CERT authentication does not fail as expected for some scenarios when sof
|
| 33 |
CVE-2026-23487
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there
|
| 33 |
CVE-2026-5876
Side-channel information leakage in Navigation in Google Chrome prior to 147.0.7
|
| 33 |
CVE-2026-25936
GLPI is a free Asset and IT management software package. Starting in version 11.
|
| 33 |
CVE-2026-5283
Inappropriate implementation in ANGLE in Google Chrome prior to 146.0.7680.178 a
|
| 33 |
CVE-2026-39848
Dockyard is a Docker container management app. Prior to 1.1.0, Docker container
|
| 33 |
CVE-2024-14028
Use after free vulnerability in Softing smartLink HW-DP or smartLink HW-PN webse
|
| 33 |
CVE-2025-55043
MuraCMS through 10.1.10 contains a CSRF vulnerability in the bundle creation fun
|
| 33 |
CVE-2026-34378
OpenEXR provides the specification and reference implementation of the EXR file
|
| 33 |
CVE-2026-29905
Kirby CMS through 5.1.4 allows an authenticated user with 'Editor' permissions t
|
| 33 |
CVE-2026-34890
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 33 |
CVE-2026-34889
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 33 |
CVE-2026-20665
This issue was addressed through improved state management. This issue is fixed
|
| 33 |
CVE-2026-32491
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 33 |
CVE-2026-25355
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 33 |
CVE-2026-25417
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 33 |
CVE-2026-1267
IBM Planning Analytics Local 2.1.0 through 2.1.17 could allow an unauthorized ac
|
| 33 |
CVE-2026-28879
A use-after-free issue was addressed with improved memory management. This issue
|
| 33 |
CVE-2026-32490
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 33 |
CVE-2025-14807
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to HTT
|
| 33 |
CVE-2026-25465
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 33 |
CVE-2025-62043
Improper neutralization of input during web page generation ('cross-site scripti
|
| 33 |
CVE-2026-31914
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 33 |
CVE-2026-32521
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 33 |
CVE-2026-34887
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 33 |
CVE-2026-24370
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 33 |
CVE-2026-5276
Insufficient policy enforcement in WebUSB in Google Chrome prior to 146.0.7680.1
|
| 33 |
CVE-2026-3114
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.
|
| 33 |
CVE-2026-5291
Inappropriate implementation in WebGL in Google Chrome prior to 146.0.7680.178 a
|
| 33 |
CVE-2026-3480
The WP Blockade plugin for WordPress is vulnerable to Missing Authorization in a
|
| 33 |
CVE-2026-33886
### Impact
A control panel user with access to Antlers-enabled fields could acce
|
| 33 |
CVE-2026-29108
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (C
|
| 33 |
CVE-2026-1307
The Ninja Forms - The Contact Form Builder That Grows With You plugin for WordPr
|
| 33 |
CVE-2026-33677
Vikunja is an open-source self-hosted task management platform. Prior to version
|
| 33 |
CVE-2026-4927
Exposure of sensitive information in the users MFA feature in Devolutions Server
|
| 33 |
CVE-2026-3021
Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web applicatio
|
| 33 |
CVE-2026-33058
Kanboard is project management software focused on Kanban methodology. Versions
|
| 33 |
CVE-2026-33130
Uptime Kuma is an open source, self-hosted monitoring tool. In versions 1.23.0 t
|
| 33 |
CVE-2026-5869
Heap buffer overflow in WebML in Google Chrome prior to 147.0.7727.55 allowed a
|
| 33 |
CVE-2026-33355
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-late
|
| 33 |
CVE-2026-33417
Wallos is an open-source, self-hostable personal subscription tracker. Prior to
|
| 33 |
CVE-2026-3079
The LearnDash LMS plugin for WordPress is vulnerable to blind time-based SQL Inj
|
| 33 |
CVE-2026-5864
Heap buffer overflow in WebAudio in Google Chrome prior to 147.0.7727.55 allowed
|
| 33 |
CVE-2026-31865
### Impact
Elysia cookie can be overridden by prototype pollution , eg. `__proto
|
| 33 |
CVE-2026-23635
Kiteworks is a private data network (PDN). In Kiteworks Secure Data Forms prior
|
| 33 |
CVE-2026-5867
Heap buffer overflow in WebML in Google Chrome prior to 147.0.7727.55 allowed a
|
| 33 |
CVE-2026-2351
The Task Manager plugin for WordPress is vulnerable to Arbitrary File Read in al
|
| 33 |
CVE-2026-4087
The Pre* Party Resource Hints plugin for WordPress is vulnerable to SQL Injectio
|
| 33 |
CVE-2026-39517
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 33 |
CVE-2026-39575
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 33 |
CVE-2026-39674
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 33 |
CVE-2026-32008
OpenClaw versions prior to 2026.2.21 contain an improper URL scheme validation v
|
| 33 |
CVE-2026-39708
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 33 |
CVE-2026-39508
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 730d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2298d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2111d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1725d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2228d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4976d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1196d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 998d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3753d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 900d |