| Metric | Value | Detail |
|---|---|---|
| Total CVEs | 1343 | last 7 days |
| Avg Priority | 21.3 | of max 220 |
| KEV | 1 | actively exploited |
| POC | 66 | public exploits |
| Unpatched | 234 | CRIT/HIGH without patch |
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
| Signal | Weight | Meaning |
|---|---|---|
| KEV | +50 | CISA Known Exploited Vulnerability — confirmed active exploitation in the wild |
| EPSS | x100 | Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100) |
| CVSS | x5 | Common Vulnerability Scoring System — technical severity (0-50) |
| POC | +20 | Public exploit code exists — lowers barrier for attackers |

| Score | Rating |
|---|---|
| 0-40 | Low |
| 40-80 | Medium |
| 80-120 | High |
| 120+ | Critical |
Patch Now — Known Exploited Vulnerabilities
Priority Distribution
| Priority | CVE | Description |
|---|---|---|
| 30 | CVE-2026-46538 | Microsoft UFO open-source framework for intelligent automation across devices an |
| 30 | CVE-2026-8673 | Unprotected transport of credentials vulnerability in syslink software AG Avantr |
| 30 | CVE-2026-45027 | WeGIA is a web manager for charitable institutions. In versions prior to 3.7.3, |
| 30 | CVE-2026-9793 | A flaw was found in Keycloak. When a JSON Web Encryption (JWE) encrypted request |
| 30 | CVE-2026-3473 | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11. |
| 29 | CVE-2026-48999 | Attackers carefully craft malicious scripts, such as JavaScript, and inject them |
| 29 | CVE-2026-48066 | pam_usb provides hardware authentication for Linux using ordinary removable medi |
| 28 | CVE-2026-47166 | An attacker who can connect to a magick -distribute-cache service can cause a he |
| 28 | CVE-2026-44409 | There is an information disclosure vulnerability in ZTE MU5250. Due to improp |
| 28 | CVE-2026-25607 | Use of a weak password encoding algorithm in STER software allows the value of t |
| 28 | CVE-2026-44839 | RabbitMQ is a messaging and streaming broker. From 3.7.0 to before 4.1.2 and 4.0 |
| 28 | CVE-2025-68712 | SpSoft AppLock (com.sp.protector.free) 7.9.40 for Android allows a local attacke |
| 28 | CVE-2026-48927 | Jenkins buildgraph-view Plugin 1.8 and earlier does not escape the build URL, re |
| 28 | CVE-2026-9673 | Versions of the package json-2-csv from 3.15.0 and before 5.5.11 are vulnerable |
| 28 | CVE-2026-6051 | IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to a deni |
| 28 | CVE-2026-6053 | IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to a deni |
| 28 | CVE-2026-5515 | IBM App Connect Enterprise 13.0.1.0 through 13.0.7.0 stores potentially sensitiv |
| 28 | CVE-2025-43289 | A logic issue was addressed with improved validation. This issue is fixed in mac |
| 28 | CVE-2025-46280 | An out-of-bounds read was addressed with improved bounds checking. This issue is |
| 28 | CVE-2025-46307 | A logic issue was addressed with improved restrictions. This issue is fixed in m |
| 28 | CVE-2025-43451 | A permissions issue was addressed by removing the vulnerable code. This issue is |
| 28 | CVE-2025-43290 | A permissions issue was addressed with additional restrictions. This issue is fi |
| 28 | CVE-2026-47332 | Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly |
| 28 | CVE-2026-47335 | Ubuntu Linux 6.8 contains SAUCE patches with a possible NULL pointer dereference |
| 28 | CVE-2026-9759 | ROHC protocol dissector crash in Wireshark 4.6.0 to 4.6.5 and 4.4.0 to 4.4.15 al |
| 28 | CVE-2026-47326 | Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the h |
| 28 | CVE-2025-32751 | Dell PowerFlex Manager, version(s) <=4.6.2, contain(s) an Insecure Storage of Se |
| 28 | CVE-2026-47334 | Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly |
| 28 | CVE-2026-47144 | Impact: A path traversal vulnerability in `shame next` allows an attacker-co |
| 27 | CVE-2026-6287 | The ShopLentor - WooCommerce Builder for Elementor & Gutenberg plugin for WordPr |
| 27 | CVE-2026-45335 | WeGIA is a web manager for charitable institutions. Prior to 3.7.3, an Open Redi |
| 27 | CVE-2025-13167 | Improper neutralization of input during web page generation ('Cross-site Scripti |
| 27 | CVE-2026-48523 | PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there |
| 27 | CVE-2026-47120 | Summary: `createAlertRule` and `createService` (and their `update*` siblings) |
| 27 | CVE-2026-38931 | A stored cross-site scripting (XSS) vulnerability in the /admin/config-module.ph |
| 27 | CVE-2025-3633 | IBM Cognos Analytics 11.2.0, 11.2.4, 12.0, and 12.1.0 and IBM Cognos Transformer |
| 27 | CVE-2026-28735 | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11. |
| 27 | CVE-2026-7798 | The FluentCRM - Email Newsletter, Automation, Email Marketing, Email Campaigns, |
| 27 | CVE-2026-39964 | TypeBot is a chatbot builder tool. In versions prior to 3.16.0, the Typebot view |
| 27 | CVE-2026-8381 | A broken access control vulnerability exists in the TeamViewer DEX Platform (On‑ |
| 27 | CVE-2026-45023 | AutoGPT is a workflow automation platform for creating, deploying, and managing |
| 27 | CVE-2026-9014 | The WP Promoter plugin for WordPress is vulnerable to unauthorized modification |
| 27 | CVE-2026-48592 | Missing Authorization vulnerability in oban-bg oban_web ('Elixir.Oban.Web.Jobs.D |
| 27 | CVE-2026-7493 | The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin p |
| 27 | CVE-2026-38808 | SQL Injection vulnerability in uzy-ssm-mall v1.1.0 allows a remote attacker to o |
| 27 | CVE-2026-40127 | OutSystems Lifetime is vulnerable to Authorization Bypass Through User-Controlle |
| 27 | CVE-2026-42337 | MaxKB is an open-source AI assistant for enterprise. MaxKB 2.8.0 and prior are v |
| 27 | CVE-2026-46544 | Microsoft UFO open-source framework for intelligent automation across devices an |
| 27 | CVE-2026-46598 | For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malfor |
| 27 | CVE-2026-49001 | Cross-site request forgery (CSRF) vulnerabilities allow attackers to exploit a u |
| 27 | CVE-2026-39835 | SSH servers which use CertChecker as a public key callback without setting IsUse |
| 27 | CVE-2026-46740 | Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed metric inject |
| 26 | CVE-2026-45410 | TREK is a collaborative travel planner. Prior to 3.0.18, early return on missing |
| 26 | CVE-2026-8684 | The MotoPress Hotel Booking plugin for WordPress is vulnerable to authorization |
| 26 | CVE-2025-32749 | Dell PowerFlex Manager, version(s) <=4.6.2, contain(s) an Exposure of Informatio |
| 26 | CVE-2025-32747 | Dell PowerFlex Manager, version(s) <=4.6.2, contain(s) an Incorrect Privilege As |
| 26 | CVE-2026-44646 | Summary: `Context.spawn()` in liquidjs creates a child `Context` for the `{% |
| 26 | CVE-2026-42015 | A flaw was found in gnutls. An off-by-one error exists in the PKCS#12 bag elemen |
| 26 | CVE-2026-7254 | IBM OPENBMC FW1110.00 through FW1110.11 is vulnerable to denial of service attac |
| 26 | CVE-2026-44838 | RabbitMQ is a messaging and streaming broker. From 4.2.0 to before 4.2.4, Rabbit |
| 26 | CVE-2026-47119 | Agent Zero before version 1.15 contains a stored cross-site scripting vulnerabil |
| 26 | CVE-2026-48148 | Budibase is an open-source low-code platform. Prior to 3.35.3, the VectorDB con |
| 26 | CVE-2026-4390 | A weakness has been identified in TeamSpeak 3 Server up to 3.13.7. This affects |
| 26 | CVE-2026-7651 | The User Registration & Membership - Free & Paid Memberships, Subscriptions, Con |
| 26 | CVE-2026-6937 | The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin p |
| 26 | CVE-2026-7552 | The Geo Mashup plugin for WordPress is vulnerable to authorization bypass in all |
| 26 | CVE-2026-49053 | Missing Authorization vulnerability in Wpmet ElementsKit Elementor addons Lite a |
| 26 | CVE-2026-6713 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 |
| 26 | CVE-2026-9794 | A flaw was found in Keycloak. A remote, unauthenticated attacker can exploit thi |
| 26 | CVE-2026-9803 | A flaw was found in Keycloak's ClientRegistrationAuth component. A remote unauth |
| 26 | CVE-2026-8990 | A user with physical access to a smartphone can bypass authentication mechanism |
| 26 | CVE-2026-45297 | OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, there is a cr |
| 26 | CVE-2026-47676 | Hono is a Web application framework that provides support for any JavaScript run |
| 26 | CVE-2026-47674 | Hono is a Web application framework that provides support for any JavaScript run |
| 26 | CVE-2026-48525 | PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when v |
| 26 | CVE-2026-45040 | RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta |
| 26 | CVE-2026-41178 | Summary: https://github.com/open-telemetry/opentelemetry-go/pull/7880 remove |
| 26 | CVE-2026-46841 | Vulnerability in Oracle REST Data Services (component: General). Supported vers |
| 26 | CVE-2026-46842 | Vulnerability in Oracle REST Data Services (component: Core). Supported version |
| 26 | CVE-2026-46843 | Vulnerability in Oracle REST Data Services (component: Core). Supported version |
| 26 | CVE-2026-46830 | Vulnerability in Oracle REST Data Services (component: Mongoapi). Supported ver |
| 26 | CVE-2026-33463 | Operation on a Resource after Expiration or Termination (CWE-672) in Kibana can |
| 26 | CVE-2026-49299 | In OpenStack Neutron before 28.0.1, the tagging controller enforces plural polic |
| 26 | CVE-2026-9274 | This vulnerability exists in CP Plus Wi-Fi Camera due to improper protection of |
| 26 | CVE-2025-68709 | SailingLab AppLock (aka com.alpha.applock) 4.3.8 for Android allows a local atta |
| 26 | CVE-2026-42336 | MaxKB is an open-source AI assistant for enterprise. MaxKB 2.8.0 and prior are v |
| 26 | CVE-2026-44598 | With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect' |
| 26 | CVE-2026-47271 | pam_usb provides hardware authentication for Linux using ordinary removable medi |
| 26 | CVE-2026-47104 | libusb before version 1.0.30 contains a one-byte out-of-bounds read vulnerabilit |
| 26 | CVE-2026-42250 | bzip2 contains an off‑by‑one error in the bzip2recover utility. When processing |

Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 776d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2344d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2157d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1771d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2274d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 5021d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1242d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1044d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3799d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 946d |