Security Dashboard

7d 14d 30d 90d
Total CVEs
1503
last 7 days
Avg Priority
32.1
of max 220
KEV
0
actively exploited
POC
184
public exploits
Unpatched
431
CRIT/HIGH without patch
How is Priority Score calculated?

Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:

KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low 40-80 Medium 80-120 High 120+ Critical

Priority Distribution

CRITICAL HIGH MEDIUM LOW KEV Only POC Only Unpatched CRIT/HIGH
Priority CVE
26 CVE-2026-4420
Bludit is vulnerable to Stored Cross-Site Scripting (XSS) in its page creating f
26 CVE-2026-22675
OCS Inventory NG Server version 2.12.3 and prior contain a stored cross-site scr
26 CVE-2026-33865
MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsi
26 CVE-2026-34951
Workbench is a suite of tools for administrators and developers to interact with
26 CVE-2026-39840
Improper neutralization of input during web page generation ('cross-site scripti
26 CVE-2026-35475
WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, the redirect
26 CVE-2026-35396
WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redi
26 CVE-2026-35473
WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redi
26 CVE-2026-35398
WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redi
26 CVE-2026-35472
WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redi
26 CVE-2026-35474
WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, open redirec
26 CVE-2026-33456
Livestatus injection in the notification test mode in Checkmk <2.5.0b4 and <2.4.
26 CVE-2026-33273
Unrestricted upload of file with dangerous type issue exists in MATCHA INVOICE 2
26 CVE-2026-39347
OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to
26 CVE-2026-6107
A flaw has been found in 1Panel-dev MaxKB up to 2.6.1. This issue affects some u
26 CVE-2026-27787
Cross-site scripting vulnerability exists in MATCHA SNS 1.3.9 and earlier. If th
26 CVE-2026-35613
coursevault-preview is a utility for previewing course material files from a con
26 CVE-2025-14858
The Semtech LR11xx LoRa transceivers running early versions of firmware contains
26 CVE-2026-5987
A security vulnerability has been detected in Sanluan PublicCMS up to 6.202506.d
26 CVE-2026-35659
OpenClaw before 2026.3.22 contains a service discovery vulnerability where TXT m
26 CVE-2026-21904
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scri
26 CVE-2026-34757
LIBPNG is a reference library for use in applications that read, create, and man
26 CVE-2026-3438
A reflected cross-site scripting vulnerability exists in Sonatype Nexus Reposito
26 CVE-2026-35634
OpenClaw before 2026.3.23 contains an authentication bypass vulnerability in the
26 CVE-2026-40028
Hayabusa versions prior to 3.8.0 contain a cross-site scripting (XSS) vulnerabil
25 CVE-2026-4979
The UsersWP - Front-end login form, User Registration, User Profile & Members Di
25 CVE-2026-35461
Papra is a minimalistic document management and archiving platform. Prior to 26.
25 CVE-2026-5704
A flaw was found in tar. A remote attacker could exploit this vulnerability by c
25 CVE-2026-35516
LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, LinkR
25 CVE-2026-39880
Remnawave Backend is the backend for the Remnawave proxy and user management sol
25 CVE-2026-39881
Vim is an open source, command line text editor. Prior to 9.2.0316, a command in
25 CVE-2026-39411
# Summary The `webapi` authentication layer trusts a client-controlled `X-lobe-
25 CVE-2026-34972
OpenFGA is a high-performance and flexible authorization/permission engine built
25 CVE-2026-39631
Missing Authorization vulnerability in Ronik@UnlimitedWP WPSchoolPress wpschoolp
24 CVE-2026-24147
NVIDIA Triton Inference Server contains a vulnerability in triton server where a
24 CVE-2026-5647
A vulnerability was detected in code-projects Online Shoe Store 1.0. This affect
24 CVE-2026-35571
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, Mustache n
24 CVE-2026-6042
A security flaw has been discovered in musl libc up to 1.2.6. Affected is the fu
24 CVE-2026-39391
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
24 CVE-2026-40025
The Sleuth Kit through 4.14.0 contains an out-of-bounds read vulnerability in th
24 CVE-2026-40026
The Sleuth Kit through 4.14.0 contains an out-of-bounds read vulnerability in th
24 CVE-2026-39410
## Summary A discrepancy between browser cookie parsing and `parse()` handling
24 CVE-2026-35206
Helm is a package manager for Charts for Kubernetes. In Helm versions <=3.20.1 a
24 CVE-2026-4406
The Gravity Forms plugin for WordPress is vulnerable to Reflected Cross-Site Scr
24 CVE-2026-35404
Open edX Platform enables the authoring and delivery of online learning at any s
24 CVE-2026-40223
In systemd 258 before 260, a local unprivileged user can trigger an assert when
24 CVE-2026-32932
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an
23 CVE-2026-39345
OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to
23 CVE-2026-30613
An information disclosure vulnerability exists in AZIOT 1 Node Smart Switch (16a
23 CVE-2026-31062
UTT Aggressive 520W v3v1.7.7-180627 was discovered to contain a buffer overflow
23 CVE-2026-31061
UTT Aggressive HiPER 810G v3v1.7.7-171114 was discovered to contain a buffer ove
23 CVE-2026-31063
UTT Aggressive HiPER 1200GW v2.5.3-170306 was discovered to contain a buffer ove
23 CVE-2026-31060
UTT Aggressive HiPER 810G v3v1.7.7-171114 was discovered to contain a buffer ove
23 CVE-2026-31066
UTT Aggressive HiPER 810G v3v1.7.7-171114 was discovered to contain a buffer ove
23 CVE-2026-31065
UTT Aggressive 520W v3v1.7.7-180627 was discovered to contain a buffer overflow
23 CVE-2026-31058
UTT Aggressive HiPER 1200GW v2.5.3-170306 was discovered to contain a buffer ove
22 CVE-2026-5383
An issue that could allow access to Explorer groups from outside of the authoriz
22 CVE-2026-5169
The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to Stored
22 CVE-2026-3574
The Experto Dashboard for WooCommerce plugin for WordPress is vulnerable to Stor
22 CVE-2026-2838
The Whole Enquiry Cart for WooCommerce plugin for WordPress is vulnerable to Sto
22 CVE-2026-39864
Kamailio is an open source implementation of a SIP Signaling Server. Prior to 6.
22 CVE-2026-24511
Dell PowerScale OneFS, versions 9.5.0.0 through 9.10.1.6 and versions 9.11.0.0 t
22 CVE-2026-4330
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vuln
22 CVE-2026-33227
Improper validation and restriction of a classpath path name vulnerability in Ap
22 CVE-2026-5918
Inappropriate implementation in Navigation in Google Chrome prior to 147.0.7727.
22 CVE-2026-5906
Incorrect security UI in Omnibox in Google Chrome on Android prior to 147.0.7727
22 CVE-2026-35462
Papra is a minimalistic document management and archiving platform. Prior to 26.
22 CVE-2026-3568
The MStore API plugin for WordPress is vulnerable to Insecure Direct Object Ref
22 CVE-2026-4977
The UsersWP - Front-end login form, User Registration, User Profile & Members Di
22 CVE-2026-4057
The Download Manager plugin for WordPress is vulnerable to unauthorized modifica
22 CVE-2026-35460
Papra is a minimalistic document management and archiving platform. Prior to 26.
22 CVE-2026-39395
Cosign provides code signing and transparency for containers and binaries. Prior
22 CVE-2026-3371
The Tutor LMS - eLearning and online course solution plugin for WordPress is vul
22 CVE-2026-20446
In sec boot, there is a possible out of bounds write due to an integer overflow.
22 CVE-2026-39592
Missing Authorization vulnerability in Andy Ha DEPART depart-deposit-and-part-pa
22 CVE-2026-39627
Missing Authorization vulnerability in wproyal Ashe ashe allows Exploiting Incor
22 CVE-2026-39565
Missing Authorization vulnerability in magepeopleteam WpTravelly tour-booking-ma
22 CVE-2026-1924
The Aruba HiSpeed Cache plugin for WordPress is vulnerable to Cross-Site Request
22 CVE-2026-39485
Missing Authorization vulnerability in embedplus Youtube Embed Plus youtube-embe
22 CVE-2026-5911
Policy bypass in ServiceWorkers in Google Chrome prior to 147.0.7727.55 allowed
22 CVE-2026-5875
Policy bypass in Blink in Google Chrome prior to 147.0.7727.55 allowed a remote
22 CVE-2026-33005
Improper Handling of Insufficient Privileges vulnerability in Apache OpenMeeting
22 CVE-2026-4141
The Quran Translations plugin for WordPress is vulnerable to Cross-Site Request
22 CVE-2026-1673
The BEAR - Bulk Editor and Products Manager Professional for WooCommerce by Plug
22 CVE-2026-1752
GitLab has remediated an issue in GitLab EE affecting all versions from 11.3 bef
22 CVE-2026-2104
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2
22 CVE-2026-35180
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the si
22 CVE-2026-35596
## Summary The `hasAccessToLabel` function contains a SQL operator precedence b
22 CVE-2026-40103
### Summary Vikunja's scoped API token enforcement for custom project backgroun
22 CVE-2026-33460
Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information

Oldest Unpatched Critical/High CVEs

CVE Severity CVSS Priority Days Open
CVE-2024-3400 CRITICAL 10.0 224 730d
CVE-2019-19781 CRITICAL 9.8 223 2298d
CVE-2020-5902 CRITICAL 9.8 223 2111d
CVE-2021-35464 CRITICAL 9.8 223 1725d
CVE-2020-10189 CRITICAL 9.8 223 2228d
CVE-2012-4681 CRITICAL 9.8 223 4976d
CVE-2022-42475 CRITICAL 9.8 223 1196d
CVE-2023-3519 CRITICAL 9.8 223 998d
CVE-2015-7450 CRITICAL 9.8 222 3753d
CVE-2023-34048 CRITICAL 9.8 222 900d
Prev 7 / 8 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy