Security Dashboard

7d 14d 30d 90d
Total CVEs
1524
last 7 days
Avg Priority
32.2
of max 220
KEV
0
actively exploited
POC
192
public exploits
Unpatched
437
CRIT/HIGH without patch
How is Priority Score calculated?

Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:

KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low 40-80 Medium 80-120 High 120+ Critical

Priority Distribution

CRITICAL HIGH MEDIUM LOW KEV Only POC Only Unpatched CRIT/HIGH
Priority CVE
67 CVE-2026-23696
Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vul
66 CVE-2026-22679
Weaver (Fanwei) E-cology 10.0 versions prior to 20260312 contain an unauthentica
66 CVE-2026-35022
Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection v
66 CVE-2026-39912
V2Board 1.6.1 through 1.7.4 and Xboard through 0.1.9 expose authentication token
57 CVE-2025-13926
An attacker could use data obtained by sniffing the network traffic to forge pa
56 CVE-2025-14816
Cleartext Storage of Sensitive Information in GUI vulnerability in Mitsubishi El
56 CVE-2025-14815
Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric
51 CVE-2026-4149
Sonos Era 300 SMB Response Out-Of-Bounds Access Remote Code Execution Vulnerabil
50 CVE-2026-39337
ChurchCRM is an open-source church management system. Prior to 7.1.0, critical p
50 CVE-2025-54328
An issue was discovered in SMS in Samsung Mobile Processor, Wearable Processor,
50 CVE-2026-5059
aws-mcp-server AWS CLI Command Injection Remote Code Execution Vulnerability. Th
50 CVE-2026-5058
aws-mcp-server Command Injection Remote Code Execution Vulnerability. This vulne
50 CVE-2026-40175
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.
50 CVE-2026-39355
Genealogy is a family tree PHP application. Prior to 5.9.1, a critical broken ac
50 CVE-2026-5412
In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in th
50 CVE-2026-40089
Sonicverse is a Self-hosted Docker Compose stack for live radio streaming. The S
50 CVE-2026-39888
## Summary `execute_code()` in `praisonaiagents.tools.python_tools` defaults to
49 CVE-2026-4003
The Users manager - PN plugin for WordPress is vulnerable to Privilege Escalatio
49 CVE-2026-39890
## Summary The `AgentService.loadAgentFromFile` method uses the `js-yaml` librar
49 CVE-2026-3535
The DSGVO Google Web Fonts GDPR plugin for WordPress is vulnerable to arbitrary
49 CVE-2026-1830
The Quick Playground plugin for WordPress is vulnerable to Remote Code Execution
49 CVE-2026-4631
Cockpit's remote login feature passes user-supplied hostnames and usernames from
49 CVE-2026-6057
FalkorDB Browser 1.9.3 contains an unauthenticated path traversal vulnerability
49 CVE-2026-0740
The Ninja Forms - File Uploads plugin for WordPress is vulnerable to arbitrary f
49 CVE-2026-1114
In parisneo/lollms version 2.1.0, the application's session management is vulner
49 CVE-2026-20889
A heap-based buffer overflow vulnerability exists in the x3f_thumb_loader functi
49 CVE-2026-20911
A heap-based buffer overflow vulnerability exists in the HuffTable::initval func
49 CVE-2026-21413
A heap-based buffer overflow vulnerability exists in the lossless_jpeg_load_raw
49 CVE-2026-31059
A remote command execution (RCE) vulnerability in the /goform/formDia component
49 CVE-2026-31271
megagao production_ssm v1.0 contains an authorization bypass vulnerability in th
49 CVE-2026-33816
Memory-safety vulnerability in github.com/jackc/pgx/v5.
49 CVE-2026-30079
In OpenAirInterface V2.2.0 AMF, Out of sequence messages causes incorrect state
49 CVE-2026-31272
MRCMS 3.1.2 contains an access control vulnerability. The save() method in src/m
49 CVE-2026-3296
The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in
49 CVE-2026-31040
A vulnerability was identified in stata-mcp prior to v1.13.0 where insufficient
49 CVE-2025-62818
An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Mod
49 CVE-2026-31151
An issue in the login mechanism of Kaleris YMS v7.2.2.1 allows attackers to bypa
49 CVE-2025-52909
An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wear
49 CVE-2026-33815
Memory-safety vulnerability in github.com/jackc/pgx/v5.
49 CVE-2026-35490
### Summary On 13 routes across 5 blueprint files, the `@login_optionally_requi
49 CVE-2026-4277
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4
49 CVE-2025-52908
An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wear
49 CVE-2026-5735
Memory safety bugs present in Firefox 149.0.1 and Thunderbird 149.0.1. Some of t
49 CVE-2026-5731
Memory safety bugs present in Firefox ESR 115.34.0, Firefox ESR 140.9.0, Thunder
49 CVE-2026-5734
Memory safety bugs present in Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Fire
49 CVE-2026-2942
The ProSolution WP Client plugin for WordPress is vulnerable to arbitrary file u
48 CVE-2026-1115
A Stored Cross-Site Scripting (XSS) vulnerability was identified in the social f
48 CVE-2026-5874
Use after free in PrivateAI in Google Chrome prior to 147.0.7727.55 allowed a re
48 CVE-2026-39619
Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Busiprof busi
48 CVE-2026-39617
Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Bluestreet bl
48 CVE-2026-40088
The `execute_command` function and workflow shell execution are exposed to user-
47 CVE-2026-39397
@delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual
47 CVE-2026-39342
ChurchCRM is an open-source church management system. Prior to 7.1.0, the search
47 CVE-2026-3199
A vulnerability in the task management component of Sonatype Nexus Repository ve
47 CVE-2026-40157
PraisonAI is a multi-agent teams system. Prior to 4.5.128, cmd_unpack in the rec
47 CVE-2026-33707
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, th
47 CVE-2026-35047
Brave CMS is an open-source CMS. Prior to 2.0.6, an Unrestricted File Upload vul
47 CVE-2026-34078
Flatpak is a Linux application sandboxing and distribution framework. Prior to 1
47 CVE-2026-33439
## Summary OpenIdentityPlatform OpenAM 16.0.5 (and likely earlier versions) is
47 CVE-2026-40035
dfir-unfurl through 20250810 contains an improper input validation vulnerability
47 CVE-2026-34977
Aperi'Solve is an open-source steganalysis web platform. Prior to 3.2.1, when up
47 CVE-2026-25776
Movable Type provided by Six Apart Ltd. contains a code injection vulnerability
47 CVE-2026-39382
dbt enables data analysts and engineers to transform their data using the same p
47 CVE-2026-35614
Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0,
47 CVE-2026-39324
Rack::Session is a session management implementation for Rack. From 2.0.0 to bef
47 CVE-2026-34580
Botan is a C++ cryptography library. In 3.11.0, the function Certificate_Store::
47 CVE-2026-1346
IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify
46 CVE-2026-40111
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, he memory hooks
46 CVE-2026-33784
A Use of Default Password vulnerability in the Juniper Networks Support Insigh
46 CVE-2026-40154
PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI treats remo
46 CVE-2025-39666
Local privilege escalation in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46
46 CVE-2025-62718
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.
46 CVE-2026-5194
Missing hash/digest size and OID checks allow digests smaller than allowed when
46 CVE-2026-34424
Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla contains a multi-st
46 CVE-2026-39987
## Summary Marimo (19.6k stars) has a Pre-Auth RCE vulnerability. The terminal
46 CVE-2026-33698
Chamilo LMS is a learning management system. Prior to 1.11.38, a chained attack
46 CVE-2026-40189
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces
46 CVE-2026-40177
ajenti.plugin.core defines all necessary core elements to allow Ajenti to run pr
46 CVE-2026-31845
A pre-authenticated reflected cross-site scripting (XSS) vulnerability exists in
46 CVE-2026-35178
Workbench is a suite of tools for administrators and developers to interact with
46 CVE-2026-35615
### Executive Summary: The path validation has a critical logic bug: it checks f
46 CVE-2026-39322
PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and ea
46 CVE-2026-28205
OpenPLC_V3 is vulnerable to an Initialization of a Resource with an Insecure Def
46 CVE-2026-35556
OpenPLC_V3 is vulnerable to a Plaintext Storage of a Password vulnerability that
46 CVE-2026-35573
ChurchCRM is an open-source church management system. Prior to 6.5.3, a path tra
46 CVE-2026-34177
Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLo
46 CVE-2026-39339
ChurchCRM is an open-source church management system. Prior to 7.1.0, a critica
46 CVE-2026-34179
In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in
46 CVE-2025-71058
Dual DHCP DNS Server 8.01 improperly accepts and caches UDP DNS responses withou
46 CVE-2026-39847
Emmett is a full-stack Python web framework designed with simplicity. From 2.5.0

Oldest Unpatched Critical/High CVEs

CVE Severity CVSS Priority Days Open
CVE-2024-3400 CRITICAL 10.0 224 730d
CVE-2019-19781 CRITICAL 9.8 223 2298d
CVE-2020-5902 CRITICAL 9.8 223 2110d
CVE-2021-35464 CRITICAL 9.8 223 1724d
CVE-2020-10189 CRITICAL 9.8 223 2227d
CVE-2012-4681 CRITICAL 9.8 223 4975d
CVE-2022-42475 CRITICAL 9.8 223 1196d
CVE-2023-3519 CRITICAL 9.8 223 997d
CVE-2015-7450 CRITICAL 9.8 222 3752d
CVE-2023-34048 CRITICAL 9.8 222 899d
1 / 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy