Total CVEs
1345
last 7 days
Avg Priority
21.2
of max 220
KEV
1
actively exploited
POC
66
public exploits
Unpatched
231
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
Priority Distribution
| Priority | CVE |
|---|---|
| 44 |
CVE-2025-41670
A local user with low privileges may be able to influence the behavior of a priv
|
| 44 |
CVE-2026-44739
### Summary
The columnConfigAction endpoint in the CustomReportsBundle is vulner
|
| 44 |
CVE-2026-28445
Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the RatingButto
|
| 44 |
CVE-2026-25606
A SQL injection vulnerability has been identified in STER. Improper neutralizati
|
| 44 |
CVE-2026-35089
In Slican telephone exchanges secure key is generated in a predictable manner us
|
| 44 |
CVE-2026-44830
Nocturne Memory is a lightweight, rollbackable, and visual Long-Term Memory Serv
|
| 44 |
CVE-2026-35672
phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in API v4.
|
| 44 |
CVE-2026-8697
Due to improper enforcement of authentication rate-limiting on a debug SSH servi
|
| 44 |
CVE-2026-47074
Improper Certificate Validation vulnerability in ex-aws ex_aws_sns (ExAws.SNS, E
|
| 44 |
CVE-2026-47762
TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, t
|
| 44 |
CVE-2026-47761
TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, t
|
| 44 |
CVE-2026-45041
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta
|
| 44 |
CVE-2026-47759
TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, t
|
| 44 |
CVE-2026-42197
RELATE is a web-based courseware package. Versions prior to commit 555f0efb1c5bd
|
| 44 |
CVE-2026-47760
TinyMCE is an open source rich text editor. From 6.8.0 to before 7.1.0, TinyMCE
|
| 44 |
CVE-2026-49128
Music Player Daemon (MPD) before version 0.24.11 contains a path traversal vulne
|
| 44 |
CVE-2026-35671
phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability
|
| 43 |
CVE-2026-42737
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') v
|
| 43 |
CVE-2025-30028
A vulnerability in Active Backup for Business allows unauthorized remote attacke
|
| 43 |
CVE-2026-42089
### Impact
`yeoman-environment` versions `>= 2.9.0` and `< 6.0.1` install missi
|
| 43 |
CVE-2026-44465
Zed is a code editor. Prior to 0.227.1, Zed IDE executes arbitrary commands when
|
| 43 |
CVE-2026-44463
Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system ca
|
| 43 |
CVE-2026-9038
A stack-based buffer overflow vulnerability in the charging controller’s signal-
|
| 43 |
CVE-2026-44461
Zed is a code editor. Prior to 0.227.1, Zed builds SSH/WSL remote commands as a
|
| 43 |
CVE-2026-44466
Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system ca
|
| 43 |
CVE-2026-32997
A vulnerability allowing an authenticated user with the Backup Administrator rol
|
| 43 |
CVE-2026-8652
An OS Command Injection vulnerability exists in Aterm. If a malicious third pers
|
| 43 |
CVE-2026-3515
A vulnerability in the `GitHubRepository` block of the `prefect-github` integrat
|
| 43 |
CVE-2026-42730
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injecti
|
| 43 |
CVE-2026-9489
NitroSense 3.x before 3.01.3052 contains Local Privilege Escalation (LPE) vulner
|
| 43 |
CVE-2026-9789
A Local Privilege Escalation (LPE) vulnerability affects Acer NitroSense softwar
|
| 42 |
CVE-2026-48153
Budibase is an open-source low-code platform. Prior to 3.39.0, fetchToken in the
|
| 42 |
CVE-2026-46820
Vulnerability in the Oracle Financials Common Modules product of Oracle E-Busine
|
| 42 |
CVE-2026-33590
Insecure default settings of Portainer CE grant regular (non-admin) users privil
|
| 42 |
CVE-2026-5509
An authenticated command injection vulnerability exists in the Archer BE450 v1 a
|
| 42 |
CVE-2026-49046
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injecti
|
| 42 |
CVE-2026-46717
## Summary
nezha's dashboard supports two user roles: `RoleAdmin` (Role==0) and
|
| 42 |
CVE-2025-48977
Relative Path Traversal vulnerability in Apache Ignite REST API.
Authenticated
|
| 42 |
CVE-2026-40851
A local attacker can perform a confusion attack on the cfgparser via a specially
|
| 42 |
CVE-2026-49238
An issue was discovered in Canonical Multipass before version 1.16.3. The host-s
|
| 42 |
CVE-2026-7365
IBM Operations Analytics - Log Analysis and IBM SmartCloud Analytics - Log Anal
|
| 42 |
CVE-2026-46345
**Relevant Products/Components:**
* `trestle/core/commands/author/jinja.py`
* `
|
| 42 |
CVE-2026-45108
Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune.
|
| 42 |
CVE-2026-7766
Kenik Camera management Panel is vulnerable to Path Traversal vulnerability. An
|
| 42 |
CVE-2025-70116
A NULL pointer dereference in GPAC MP4Box: when parsing certain truncated MP4 fi
|
| 42 |
CVE-2026-9807
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9
|
| 42 |
CVE-2026-41160
EspoCRM is an open source customer relationship management application. Prior to
|
| 41 |
CVE-2026-9284
The WooCommerce PayPal Payments plugin for WordPress is vulnerable to unauthoriz
|
| 41 |
CVE-2026-47077
Allocation of Resources Without Limits or Throttling vulnerability in benoitc ha
|
| 41 |
CVE-2026-42735
Authentication Bypass Using an Alternate Path or Channel vulnerability in Iqonic
|
| 41 |
CVE-2026-44712
pam_usb provides hardware authentication for Linux using ordinary removable medi
|
| 41 |
CVE-2026-5843
The MLX inference backend in Docker Model Runner on macOS uses the MLX-LM librar
|
| 41 |
CVE-2026-5817
The vllm-metal inference backend in Docker Model Runner on macOS unconditionally
|
| 41 |
CVE-2026-4868
GitLab has remediated an issue in GitLab EE affecting all versions from 18.8 bef
|
| 41 |
CVE-2026-5260
A flaw was found in libgnutls. A remote attacker, by sending an extremely short
|
| 41 |
CVE-2026-44358
Espressif Shared GitHub DangerJS is a reusable GitHub Action CI DangerJS workflo
|
| 41 |
CVE-2026-42013
A flaw was found in gnutls. When validating certificates, an oversized Subject A
|
| 41 |
CVE-2026-46727
An issue was discovered in Ruby 4 before 4.0.5. A race condition leading to a us
|
| 41 |
CVE-2026-8994
The Login with NEAR plugin for WordPress is vulnerable to Authentication Bypass
|
| 41 |
CVE-2026-41076
RT is an open source, enterprise-grade issue and ticket tracking system. Version
|
| 41 |
CVE-2026-46402
Microsoft UFO open-source framework for intelligent automation across devices an
|
| 41 |
CVE-2026-48064
pam_usb provides hardware authentication for Linux using ordinary removable medi
|
| 41 |
CVE-2025-13392
Improper check for unusual or exceptional conditions vulnerability in SSO in Syn
|
| 41 |
CVE-2026-48149
Budibase is an open-source low-code platform. Prior to 3.39.0, the Budibase Text
|
| 40 |
CVE-2026-48152
Budibase is an open-source low-code platform. Prior to 3.39.0, the single-dataso
|
| 40 |
CVE-2026-40172
authentik is an open-source identity provider. In versions prior to 2025.12.5 an
|
| 40 |
CVE-2026-45344
LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, the s
|
| 40 |
CVE-2026-46828
Vulnerability in the Oracle Payroll product of Oracle E-Business Suite (componen
|
| 40 |
CVE-2026-45260
### Summary
Pimcore's WebDAV asset endpoint exposes a `MOVE` operation through `
|
| 40 |
CVE-2026-9095
Casdoor versions 2.362.0 and earlier map SAML assertions to user sessions withou
|
| 40 |
CVE-2026-9256
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_mo
|
| 40 |
CVE-2026-35277
Vulnerability in Oracle REST Data Services (component: Core). Supported version
|
| 40 |
CVE-2026-9277
shell-quote's `quote()` function did not validate object-token inputs against th
|
| 40 |
CVE-2026-6455
The WP Contact Form 7 DB Handler plugin for WordPress is vulnerable to Cross-Sit
|
| 40 |
CVE-2026-3012
A flaw was found in Samba’s certificate auto-enrollment Group Policy handling. W
|
| 40 |
CVE-2026-6957
Mattermost Plugins versions <=1.1.5 fail to sanitize filenames received from fed
|
| 40 |
CVE-2026-45162
# GM-374
## Summary
Multiple locations in Pimcore v11 call PHP's `unserialize()
|
| 40 |
CVE-2026-37266
An issue in Responsive File Manager Responsive FileManager Version 9.14.0 allows
|
| 40 |
CVE-2026-44711
pam_usb provides hardware authentication for Linux using ordinary removable medi
|
| 40 |
CVE-2026-35266
Vulnerability in Oracle REST Data Services (component: Core). Supported version
|
| 39 |
CVE-2025-69600
Command injection in Raynet rvia 12.6.4392.49-amd64.deb allows adversaries to ex
|
| 39 |
CVE-2026-45322
Microsoft UFO open-source framework for intelligent automation across devices an
|
| 39 |
CVE-2026-44709
pam_usb provides hardware authentication for Linux using ordinary removable medi
|
| 39 |
CVE-2026-9255
Missing input source validation in the tool authorization prompt in Kiro CLI bef
|
| 39 |
CVE-2025-43306
A logic issue was addressed with improved checks. This issue is fixed in macOS S
|
| 39 |
CVE-2026-49237
An issue was discovered in Canonical Multipass for macOS before version 1.16.3 d
|
| 39 |
CVE-2026-38945
Command injection in Raynet rvia version 12.6 Update 8 and previous versions all
|
| 39 |
CVE-2026-3623
IBM Netezza Performance Server Replication Services 3.0.2.0 through 3.0.5.0 allo
|
| 39 |
CVE-2026-46439
A High severity Server-Side Template Injection (SSTI) vulnerability exists in th
|
| 39 |
CVE-2026-47331
Ubuntu Linux 6.8 contains AppArmor SAUCE patches which fail to acquire a lock wh
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 776d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2344d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2157d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1771d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2274d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 5021d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1242d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1044d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3798d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 946d |