Security Dashboard

7d 14d 30d 90d
Total CVEs
1515
last 7 days
Avg Priority
32.0
of max 220
KEV
0
actively exploited
POC
181
public exploits
Unpatched
438
CRIT/HIGH without patch
How is Priority Score calculated?

Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:

KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low 40-80 Medium 80-120 High 120+ Critical

Priority Distribution

CRITICAL HIGH MEDIUM LOW KEV Only POC Only Unpatched CRIT/HIGH
Priority CVE
32 CVE-2026-40226
In nspawn in systemd 233 through 259 before 260, an escape-to-host action can oc
32 CVE-2025-57853
A container privilege escalation flaw was found in certain Web Terminal images.
32 CVE-2026-5711
The Post Blocks & Tools plugin for WordPress is vulnerable to Stored Cross-Site
32 CVE-2025-57854
A container privilege escalation flaw was found in certain OpenShift Update Serv
32 CVE-2026-5451
The Extensions for Leaflet Map plugin for WordPress is vulnerable to Stored Cros
32 CVE-2025-57175
Siklu EtherHaul 8010 siklu-uimage-nxp-enc-10_6_2-18707-ea552dc00b devices have a
32 CVE-2026-2509
The Page Builder: Pagelayer plugin for WordPress is vulnerable to Stored Cross-S
32 CVE-2025-58713
A container privilege escalation flaw was found in certain Red Hat Process Autom
32 CVE-2025-57847
A container privilege escalation flaw was found in certain Ansible Automation Pl
32 CVE-2025-57851
A container privilege escalation flaw was found in certain Multicluster Engine f
32 CVE-2026-39859
`liquidjs` 10.25.0 documents `root` as constraining filenames passed to `renderF
32 CVE-2026-35605
File Browser is a file managing interface for uploading, deleting, previewing, r
32 CVE-2026-28810
Generation of Predictable Numbers or Identifiers vulnerability in Erlang/OTP ker
32 CVE-2026-39841
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vu
32 CVE-2026-39837
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vu
32 CVE-2026-39839
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vu
32 CVE-2026-5460
A heap use-after-free exists in wolfSSL's TLS 1.3 post-quantum cryptography (PQC
32 CVE-2026-34371
LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat
32 CVE-2026-39321
Parse Server is an open source backend that can be deployed to any infrastructur
32 CVE-2026-5622
A vulnerability was determined in hcengineering Huly Platform 0.7.382. Affected
32 CVE-2026-35515
### Impact _What kind of vulnerability is it? Who is impacted?_ [`SseStream._tr
32 CVE-2026-40074
SvelteKit is a framework for rapidly developing robust, performant web applicati
32 CVE-2026-34481
Apache Log4j's JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/j
32 CVE-2026-40023
Apache Log4cxx's XMLLayout https://logging.apache.org/log4cxx/1.7.0/classlog4cx
32 CVE-2026-5724
The frontend gRPC server's streaming interceptor chain did not include the autho
32 CVE-2026-33458
Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to informa
32 CVE-2026-5447
Heap buffer overflow in CertFromX509 via AuthorityKeyIdentifier size confusion.
32 CVE-2026-35623
OpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in webh
32 CVE-2026-35635
OpenClaw before 2026.3.22 contains a webhook path route replacement vulnerabilit
32 CVE-2026-34477
The fix for CVE-2025-68161 https://logging.apache.org/security.html#CVE-2025-68
32 CVE-2026-35649
OpenClaw before 2026.3.22 contains a settings reconciliation vulnerability that
32 CVE-2026-35656
OpenClaw before 2026.3.22 contains an authentication bypass vulnerability in the
32 CVE-2026-34985
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web app
32 CVE-2026-5302
CORS misconfiguration in CoolerControl/coolercontrold <4.0.0 allows unauthentica
32 CVE-2026-40021
Apache Log4net's XmlLayout https://logging.apache.org/log4net/manual/configurat
32 CVE-2026-39409
## Summary `ipRestriction()` does not canonicalize IPv4-mapped IPv6 client addr
32 CVE-2026-5393
Dual-Algorithm CertificateVerify out-of-bounds read. When processing a dual-algo
32 CVE-2026-39862
Tophat is a mobile applications testing harness. Prior to 2.5.1, Tophat is affec
32 CVE-2026-35165
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web app
32 CVE-2026-5682
A vulnerability has been found in Meesho Online Shopping App up to 27.3 on Andro
32 CVE-2026-35628
OpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in Tele
32 CVE-2026-35646
OpenClaw before 2026.3.25 contains a pre-authentication rate-limit bypass vulner
32 CVE-2026-33785
A Missing Authorization vulnerability in the CLI of Juniper Networks Junos OS on
32 CVE-2026-5504
A padding oracle exists in wolfSSL's PKCS7 CBC decryption that could allow an at
31 CVE-2026-35480
The DAG-CBOR decoder uses collection sizes declared in CBOR headers as Go preall
31 CVE-2026-33817
Index out-of-range when encountering a branch page with zero elements in go.etcd
31 CVE-2026-35406
### Impact A truncated TCP DNS query followed by a connection reset causes aard
31 CVE-2026-0049
In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent de
31 CVE-2025-13044
IBM Concert 1.0.0 through 2.2.0 creates temporary files with predictable names,
31 CVE-2026-32146
Improper path validation vulnerability in the Gleam compiler's handling of git d
31 CVE-2026-31053
A double free vulnerability exists in librz/bin/format/le/le.c in the function l
31 CVE-2026-40227
In systemd 260 before 261, a local unprivileged user can trigger an assert via a
31 CVE-2026-40115
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the WSGI-based recipe
31 CVE-2026-40117
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, read_skill_file
31 CVE-2026-33753
### Summary An Authorization Bypass vulnerability in `rfc3161-client`'s signatu
31 CVE-2026-5226
The Optimole - Optimize Images in Real Time plugin for WordPress is vulnerable t
31 CVE-2026-4394
The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Script
31 CVE-2026-33403
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level
31 CVE-2026-4305
The Royal WordPress Backup & Restore Plugin plugin for WordPress is vulnerable t
31 CVE-2026-39335
ChurchCRM is an open-source church management system. Prior to 7.1.1, there is S
31 CVE-2026-39336
ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored c
31 CVE-2025-61166
An open redirect in Ascertia SigningHub User v10.0 allows attackers to redirect
31 CVE-2025-70844
yaffa v2.0.0 is vulnerable to Cross Site Scripting (XSS). An attacker can inject
31 CVE-2025-63238
A Reflected Cross-Site Scripting (XSS) affects LimeSurvey versions prior to 6.15
31 CVE-2026-35491
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics fo
31 CVE-2026-25854
Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in
30 CVE-2025-70797
Cross Site Scripting vulnerability in Limesurvey v.6.15.20+251021 allows a remot
30 CVE-2026-35199
SymCrypt is the core cryptographic function library currently used by Windows. F
30 CVE-2026-35645
OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in the g
30 CVE-2025-45806
A cross-site scripting (XSS) vulnerability in rrweb-snapshot before v2.0.0-alpha
30 CVE-2026-39315
Unhead is a document head and template manager. Prior to 2.1.13, useHeadSafe() i
30 CVE-2026-35195
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0
30 CVE-2026-35186
Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and
30 CVE-2026-34765
### Impact When a renderer calls `window.open()` with a target name, Electron di
30 CVE-2026-1079
A native messaging host vulnerability in Pega Browser Extension (PBE) affects us
30 CVE-2026-39670
Server-Side Request Forgery (SSRF) vulnerability in Brecht Visual Link Preview v
30 CVE-2026-5525
A stack-based buffer overflow vulnerability exists in Notepad++ version 8.9.3 in
30 CVE-2026-5446
In wolfSSL, ARIA-GCM cipher suites used in TLS 1.2 and DTLS 1.2 reuse an identic
30 CVE-2026-35670
OpenClaw before 2026.3.22 contains a webhook reply delivery vulnerability that a
30 CVE-2026-3446
When calling base64.b64decode() or related functions the decoding process would
30 CVE-2026-5774
Improper synchronization of the userTokens map in the API server in Canonical Ju
30 CVE-2026-35622
OpenClaw before 2026.3.22 contains an improper authentication verification vulne
30 CVE-2026-35658
OpenClaw before 2026.3.2 contains a filesystem boundary bypass vulnerability in
30 CVE-2026-35407
Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.
30 CVE-2026-34380
OpenEXR provides the specification and reference implementation of the EXR file
30 CVE-2026-39541
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
30 CVE-2026-39615
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
30 CVE-2026-5376
An issue that could prevent session inactivity timeouts from triggering due to a
30 CVE-2026-39408
## Summary A path traversal issue in `toSSG()` allows files to be written outsi
30 CVE-2026-5295
A stack buffer overflow exists in wolfSSL's PKCS7 implementation in the wc_PKCS7

Oldest Unpatched Critical/High CVEs

CVE Severity CVSS Priority Days Open
CVE-2024-3400 CRITICAL 10.0 224 730d
CVE-2019-19781 CRITICAL 9.8 223 2298d
CVE-2020-5902 CRITICAL 9.8 223 2111d
CVE-2021-35464 CRITICAL 9.8 223 1725d
CVE-2020-10189 CRITICAL 9.8 223 2228d
CVE-2012-4681 CRITICAL 9.8 223 4975d
CVE-2022-42475 CRITICAL 9.8 223 1196d
CVE-2023-3519 CRITICAL 9.8 223 998d
CVE-2015-7450 CRITICAL 9.8 222 3753d
CVE-2023-34048 CRITICAL 9.8 222 900d
Prev 4 / 8 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy