Total CVEs
6202
last 30 days
Avg Priority
31.3
of max 220
KEV
14
actively exploited
POC
495
public exploits
Unpatched
938
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
136
CVE-2026-0300
A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service o
133
CVE-2026-41940
cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, an
131
CVE-2026-6973
An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows
131
CVE-2026-42897
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Ex
127
CVE-2026-20182
May 2026: This security advisory provides the details and fix information for a vulnerability that w
126
CVE-2026-41091
Improper link resolution before file access ('link following') in Microsoft Defender allows an autho
120
CVE-2026-48172
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exp
118
CVE-2026-45321
## Summary
On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 4
117
CVE-2026-42208
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1
117
CVE-2026-8398
A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows v
Priority Distribution
| Priority | CVE |
|---|---|
| 127 |
CVE-2026-20182
May 2026: This security advisory provides the details and fix information for a
|
| 116 |
CVE-2026-48027
Nx Console is the user interface for Nx & Lerna. On 19 May 2026, a malicious ver
|
| 69 |
CVE-2026-45185
Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable u
|
| 67 |
CVE-2026-41922
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command in
|
| 67 |
CVE-2026-41923
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command in
|
| 67 |
CVE-2025-71284
Synway SMG Gateway Management Software contains an OS command injection vulnerab
|
| 67 |
CVE-2026-41925
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command in
|
| 67 |
CVE-2026-41926
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command in
|
| 67 |
CVE-2026-41924
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command in
|
| 67 |
CVE-2026-41948
Dify version 1.14.1 and prior contain a path traversal vulnerability that allows
|
| 66 |
CVE-2026-24444
SDMC NE6037 cable modem routers running firmware 7.1.6.0.25 and 7.1.6.1.9_B9 con
|
| 66 |
CVE-2026-31071
API endpoints in LalanaChami Pharmacy Management System (commit 5c3d028) lack au
|
| 50 |
CVE-2026-38360
Directory Traversal vulnerability in fohrloop dash-uploader v.0.1.0 through v.0.
|
| 50 |
CVE-2026-42288
ChurchCRM is an open-source church management system. Prior to 7.3.2, The fix fo
|
| 50 |
CVE-2026-37541
Buffer overflow vulnerability in Open Vehicle Monitoring System 3 (OVMS3) 3.3.00
|
| 50 |
CVE-2026-6213
A vulnerability in Remote Spark SparkView before build 1122 allows an attacker t
|
| 50 |
CVE-2026-42369
GV-VMS V20 is a Video Monitoring Software used to gather the feeds of many surve
|
| 50 |
CVE-2026-45829
A pre-authentication, code injection vulnerability in version 1.0.0 or later of
|
| 50 |
CVE-2026-42298
Postiz is an AI social media scheduling tool. Prior to commit da44801, a "Pwn Re
|
| 50 |
CVE-2026-9152
A missing authentication vulnerability exists in the Altium 365 SearchService. A
|
| 50 |
CVE-2026-45444
Unrestricted Upload of File with Dangerous Type vulnerability in WP Swings Gift
|
| 50 |
CVE-2026-3325
SQL injection (SQLi) in MegaCMS v12.0.0, specifically in the “id_territorio” par
|
| 50 |
CVE-2026-33712
Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the preview cha
|
| 50 |
CVE-2026-20223
A vulnerability in the access validation of internal REST APIs of Cisco Sec
|
| 50 |
CVE-2026-36767
A path traversal vulnerability in the /content/images/add endpoint of shopizer v
|
| 50 |
CVE-2026-46412
## Summary
Between 2026-05-11 20:19 UTC and 22:56 UTC, an attacker used a compr
|
| 50 |
CVE-2026-46840
Vulnerability in Oracle REST Data Services (component: Backend-as-a-Service). S
|
| 50 |
CVE-2026-42364
An os command injection vulnerability exists in the DdnsSetting.cgi functionalit
|
| 50 |
CVE-2026-42454
Termix is a web-based server management platform with SSH terminal, tunneling, a
|
| 50 |
CVE-2026-42368
A privilege escalation vulnerability exists in the Web Interface functionality o
|
| 50 |
CVE-2026-42757
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') v
|
| 50 |
CVE-2026-42748
Unrestricted Upload of File with Dangerous Type vulnerability in WPify WPify Woo
|
| 50 |
CVE-2025-69691
Netgate pfSense CE 2.8.0 allows code execution in the XMLRPC API via pfsense.exe
|
| 50 |
CVE-2026-34659
Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by a Deser
|
| 50 |
CVE-2026-46775
Vulnerability in Oracle REST Data Services (component: Core). Supported version
|
| 50 |
CVE-2026-46839
Vulnerability in Oracle REST Data Services (component: Core). Supported version
|
| 50 |
CVE-2026-42756
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') v
|
| 50 |
CVE-2026-46822
Vulnerability in the Oracle iAssets product of Oracle E-Business Suite (componen
|
| 50 |
CVE-2026-46824
Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Su
|
| 50 |
CVE-2026-9645
Exposed methods allow authenticated users to create and execute arbitrary JavaSc
|
| 49 |
CVE-2026-5229
The Form Notify plugin for WordPress is vulnerable to Authentication Bypass in v
|
| 49 |
CVE-2026-42302
FastGPT is an AI Agent building platform. From version 4.14.10 to before version
|
| 49 |
CVE-2026-7304
SGLangs multimodal generation runtime is vulnerable to unauthenticated remote co
|
| 49 |
CVE-2026-6555
The ProSolution WP Client plugin for WordPress is vulnerable to Arbitrary File U
|
| 49 |
CVE-2026-37539
Buffer overflow vulnerability in cannelloni v2.0.0 in CAN frame parsing in parse
|
| 49 |
CVE-2026-5722
The MoreConvert Pro plugin for WordPress is vulnerable to Authentication Bypass
|
| 49 |
CVE-2026-7567
The Temporary Login plugin for WordPress is vulnerable to Authentication Bypass
|
| 49 |
CVE-2026-5294
The Geeky Bot plugin for WordPress is vulnerable to Missing Authorization in ver
|
| 49 |
CVE-2026-31226
The TinyZero project thru commit 6652a63c57fa7e5ccde3fc9c598c7176ff15b839 (2025-
|
| 49 |
CVE-2026-31234
Horovod thru 0.28.1 contains an insecure deserialization vulnerability (CWE-502)
|
| 49 |
CVE-2026-7637
The Boost plugin for WordPress is vulnerable to PHP Object Injection in versions
|
| 49 |
CVE-2026-37531
AGL app-framework-main thru 17.1.12 contains a Zip Slip path traversal vulnerabi
|
| 49 |
CVE-2026-38567
HireFlow v1.2 is vulnerable to SQL injection in the /login and /search endpoints
|
| 49 |
CVE-2026-6279
The Avada Builder (fusion-builder) plugin for WordPress is vulnerable to Unauthe
|
| 49 |
CVE-2026-24207
NVIDIA Triton Inference Server contains a vulnerability where an attacker could
|
| 49 |
CVE-2026-42374
D-Link DIR-600L Hardware Revision B1 (End-of-Life) contains a hardcoded telnet b
|
| 49 |
CVE-2026-7284
The Easy Elements for Elementor - Addons & Website Templates plugin for WordPres
|
| 49 |
CVE-2025-13618
The Mentoring plugin for WordPress is vulnerable to privilege escalation in all
|
| 49 |
CVE-2026-7458
The User Verification by PickPlugins plugin for WordPress is vulnerable to authe
|
| 49 |
CVE-2026-4882
The User Registration Advanced Fields plugin for WordPress is vulnerable to arbi
|
| 49 |
CVE-2026-4885
The Piotnet Addons for Elementor Pro plugin for WordPress is vulnerable to arbit
|
| 49 |
CVE-2026-42376
D-Link DIR-456U Hardware Revision A1 (End-of-Life, EOL) contains a hardcoded tel
|
| 49 |
CVE-2026-31229
The Adversarial Robustness Toolbox (ART) thru 1.20.1 contains an insecure deseri
|
| 49 |
CVE-2026-31214
The torch-checkpoint-shrink.py script in the ml-engineering project in commit 00
|
| 49 |
CVE-2026-31237
The Ludwig framework thru 0.10.4 is vulnerable to insecure deserialization (CWE-
|
| 49 |
CVE-2026-42375
D-Link DIR-600L Hardware Revision A1 (End-of-Life) contains a hardcoded telnet b
|
| 49 |
CVE-2026-42373
D-Link DIR-605L Hardware Revision B2 (End-of-Life, EOL) contains a hardcoded tel
|
| 49 |
CVE-2026-31233
Guardrails AI thru 0.6.7 contains a code injection vulnerability (CWE-94) in its
|
| 49 |
CVE-2026-31231
Cognee thru v0.4.0 contains a critical remote code execution vulnerability in it
|
| 49 |
CVE-2026-31228
The Adversarial Robustness Toolbox (ART) thru 1.20.1 contains a remote code exec
|
| 49 |
CVE-2025-14320
Improper neutralization of input during web page generation ('cross-site scripti
|
| 49 |
CVE-2026-7301
SGLangs multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0
|
| 49 |
CVE-2026-26083
A missing authorization vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0
|
| 49 |
CVE-2026-44277
A improper access control vulnerability in Fortinet FortiAuthenticator 8.0.2, Fo
|
| 49 |
CVE-2026-42758
Incorrect Privilege Assignment vulnerability in Saleswonder Team: Tobias Webinar
|
| 49 |
CVE-2026-31220
PySyft (Syft Datasite/Server) versions 0.9.5 and earlier are vulnerable to remot
|
| 49 |
CVE-2026-8500
Web::Passwd versions through 0.03 for Perl is vulnerable to RCE.
Web::Passwd is
|
| 49 |
CVE-2026-42472
Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The se
|
| 49 |
CVE-2026-42473
Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The se
|
| 49 |
CVE-2026-31070
The LalanaChami Pharmacy Management System (commit 5c3d028) allows unauthenticat
|
| 49 |
CVE-2026-32253
Sunshine is a self-hosted game stream host for Moonlight. In versions prior to 2
|
| 49 |
CVE-2026-7415
The MQTT broker embedded in Yarbo firmware v2.3.9 is configured to allow anonymo
|
| 49 |
CVE-2026-43992
JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-securit
|
| 49 |
CVE-2025-63706
NPM package next-npm-version1.0.1 is vulnerable to Command injection.
|
| 49 |
CVE-2026-30118
scalar/astro v0.1.13 was discovered to contain a Server-Side Request Forgery (SS
|
| 49 |
CVE-2026-38429
OpenCMS v20 and before is vulnerable to XML External Entity (XXE) in the Admin I
|
| 49 |
CVE-2025-67887
1C-Bitrix through 25.100.500 allows Remote Code Execution because an actor with
|
| 49 |
CVE-2026-30496
The Optoma CinemaX P2 projector (firmware TVOS-04.24.010.04.01, Android 8.0.0) e
|
| 49 |
CVE-2026-31238
The Ludwig framework thru 0.10.4 is vulnerable to insecure deserialization (CWE-
|
| 49 |
CVE-2026-31235
The imgaug library thru 0.4.0 contains an insecure deserialization vulnerability
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 776d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2344d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2157d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1771d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2274d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 5021d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1242d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1044d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3798d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 946d |
1 / 3
Next