Total CVEs
17679
last 90 days
Avg Priority
34.3
of max 220
KEV
31
actively exploited
POC
2298
public exploits
Unpatched
3539
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
136
CVE-2026-0300
A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service o
133
CVE-2026-41940
cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, an
131
CVE-2026-6973
An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows
131
CVE-2026-42897
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Ex
129
CVE-2026-33825
Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to el
127
CVE-2026-20182
May 2026: This security advisory provides the details and fix information for a vulnerability that w
126
CVE-2026-41091
Improper link resolution before file access ('link following') in Microsoft Defender allows an autho
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
120
CVE-2026-48172
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exp
Priority Distribution
| Priority | CVE |
|---|---|
| 141 |
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall M
|
| 136 |
CVE-2026-0300
A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Capti
|
| 133 |
CVE-2026-41940
cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0
|
| 127 |
CVE-2026-20182
May 2026: This security advisory provides the details and fix information for a
|
| 124 |
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through
|
| 120 |
CVE-2026-48172
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possi
|
| 119 |
CVE-2026-39987
## Summary
Marimo (19.6k stars) has a Pre-Auth RCE vulnerability. The terminal
|
| 118 |
CVE-2026-45321
## Summary
On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicio
|
| 117 |
CVE-2026-33634
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised
|
| 117 |
CVE-2026-33017
## Summary
The `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint allows b
|
| 117 |
CVE-2026-42208
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) fo
|
| 117 |
CVE-2026-8398
A supply chain attack compromised the official installation packages of DAEMON T
|
| 117 |
CVE-2026-3055
Insufficient input validation in NetScaler ADC and NetScaler Gateway when config
|
| 116 |
CVE-2026-48027
Nx Console is the user interface for Nx & Lerna. On 19 May 2026, a malicious ver
|
| 90 |
CVE-2026-20079
A vulnerability in the web interface of Cisco Secure Firewall Management Center
|
| 82 |
CVE-2026-27971
Qwik is a performance focused javascript framework. qwik <=1.19.0 is vulnerable
|
| 74 |
CVE-2026-39808
A improper neutralization of special elements used in an os command ('os command
|
| 71 |
CVE-2026-24105
An issue was discovered in goform/formsetUsbUnload in Tenda AC15V1.0 V15.03.05.1
|
| 70 |
CVE-2026-28409
WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, a cr
|
| 70 |
CVE-2026-24898
OpenEMR is a free and open source electronic health records and medical practice
|
| 70 |
CVE-2026-26478
A shell command injection vulnerability in Mobvoi Tichome Mini smart speaker 012
|
| 70 |
CVE-2026-24107
An issue was discovered in Tenda W20E V4.0br_V15.11.0.6. Failure to validate the
|
| 70 |
CVE-2026-24101
An issue was discovered in goform/formSetIptv in Tenda AC15V1.0 V15.03.05.18_mul
|
| 70 |
CVE-2026-40887
## Summary
An unauthenticated SQL injection vulnerability exists in the Vendure
|
| 70 |
CVE-2026-27944
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.
|
| 70 |
CVE-2026-28289
FreeScout is a free help desk and shared inbox built with PHP's Laravel framewor
|
| 70 |
CVE-2026-29128
IDC SFX2100 Satellite Receiver firmware ships with multiple daemon configuration
|
| 70 |
CVE-2026-4689
Sandbox escape due to incorrect boundary conditions, integer overflow in the XPC
|
| 70 |
CVE-2026-30957
OneUptime is a solution for monitoring and managing online services. Prior to 10
|
| 70 |
CVE-2026-28794
oRPC is an tool that helps build APIs that are end-to-end type-safe and adhere t
|
| 70 |
CVE-2026-24848
OpenEMR is a free and open source electronic health records and medical practice
|
| 70 |
CVE-2026-30861
WeKnora is an LLM-powered framework designed for deep document understanding and
|
| 70 |
CVE-2026-28411
WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, an u
|
| 70 |
CVE-2026-29042
Nuclio is a "Serverless" framework for Real-Time Events and Data Processing. Pri
|
| 70 |
CVE-2026-30860
WeKnora is an LLM-powered framework designed for deep document understanding and
|
| 70 |
CVE-2026-28775
An unauthenticated Remote Code Execution (RCE) vulnerability exists in the SNMP
|
| 70 |
CVE-2026-33309
### Summary
While reviewing the recent patch for **CVE-2025-68478** (External C
|
| 70 |
CVE-2026-30887
OneUptime is a solution for monitoring and managing online services. Prior to 10
|
| 70 |
CVE-2026-30956
OneUptime is a solution for monitoring and managing online services. Prior to 10
|
| 70 |
CVE-2026-30921
OneUptime is a solution for monitoring and managing online services. Prior to 10
|
| 69 |
CVE-2026-2699
Customer Managed ShareFile Storage Zones Controller (SZC) allows an unauthentica
|
| 69 |
CVE-2025-50187
Chamilo is a learning management system. Prior to version 1.11.28, parameter fro
|
| 69 |
CVE-2026-3485
A flaw has been found in D-Link DIR-868L 110b03. This affects the function sub_1
|
| 69 |
CVE-2026-26720
An issue in Twenty CRM v1.15.0 and before allows a remote attacker to execute ar
|
| 69 |
CVE-2025-66944
SQL Injection vulnerability in vran-dev databaseir v.1.0.7 and before allows a r
|
| 69 |
CVE-2026-3584
The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in al
|
| 69 |
CVE-2026-3703
A flaw has been found in Wavlink NU516U1 251208. This affects the function sub_4
|
| 69 |
CVE-2026-27005
Chartbrew is an open-source web application that can connect directly to databas
|
| 69 |
CVE-2026-28292
`simple-git`, an interface for running git commands in any node.js application,
|
| 69 |
CVE-2026-25873
OmniGen2-RL contains an unauthenticated remote code execution vulnerability in t
|
| 69 |
CVE-2026-24118
### Summary
VM2 suffers from a sandbox breakout vulnerability. This allows atta
|
| 69 |
CVE-2026-22891
A heap-based buffer overflow vulnerability exists in the Intan CLP parsing funct
|
| 69 |
CVE-2025-70231
D-Link DIR-513 version 1.10 contains a critical-level vulnerability. When proces
|
| 69 |
CVE-2026-30821
Flowise is a drag & drop user interface to build a customized large language mod
|
| 69 |
CVE-2026-26956
vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerab
|
| 69 |
CVE-2025-46108
D-link Dir-513 A1FW110 is vulnerable to Buffer Overflow in the function formTcpi
|
| 69 |
CVE-2025-70223
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime para
|
| 69 |
CVE-2025-70230
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime para
|
| 69 |
CVE-2025-70229
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime para
|
| 69 |
CVE-2025-70225
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curtime para
|
| 69 |
CVE-2025-70218
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via POST to the gofo
|
| 69 |
CVE-2025-70220
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime para
|
| 69 |
CVE-2025-70226
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime para
|
| 69 |
CVE-2025-70219
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the goform/formD
|
| 69 |
CVE-2025-70233
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime para
|
| 69 |
CVE-2025-70232
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime para
|
| 69 |
CVE-2025-70222
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime para
|
| 69 |
CVE-2025-70221
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime para
|
| 69 |
CVE-2026-34935
### Summary
The `--mcp` CLI argument is passed directly to `shlex.split()` and
|
| 69 |
CVE-2026-24120
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix f
|
| 69 |
CVE-2026-32304
## Summary
The `create_function(args, code)` function passes both parameters di
|
| 69 |
CVE-2026-32248
Parse Server is an open source backend that can be deployed to any infrastructur
|
| 69 |
CVE-2025-70234
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime para
|
| 69 |
CVE-2025-70236
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime para
|
| 69 |
CVE-2025-70240
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime para
|
| 69 |
CVE-2025-70237
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime para
|
| 69 |
CVE-2025-70239
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime para
|
| 69 |
CVE-2025-70241
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime para
|
| 69 |
CVE-2026-4184
A vulnerability was detected in D-Link DIR-816 1.10CNB05. Affected by this vulne
|
| 69 |
CVE-2026-4183
A security vulnerability has been detected in D-Link DIR-816 1.10CNB05. Affected
|
| 69 |
CVE-2026-4182
A weakness has been identified in D-Link DIR-816 1.10CNB05. This impacts an unkn
|
| 69 |
CVE-2026-31072
The JSONSerializer and CBORSerializer in APScheduler (all versions including 3.1
|
| 69 |
CVE-2026-45185
Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable u
|
| 69 |
CVE-2025-66678
An issue in the HwRwDrv.sys component of Nil Hardware Editor Hardware Read & Wri
|
| 69 |
CVE-2026-28408
WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, the
|
| 69 |
CVE-2026-24112
An issue was discovered in Tenda W20E V4.0br_V15.11.0.6. Attackers may exploit t
|
| 69 |
CVE-2026-24108
An issue was discovered in Tenda W20E V4.0br_V15.11.0.6. Attackers may exploit t
|
| 69 |
CVE-2026-24110
An issue was discovered in Tenda W20E V4.0br_V15.11.0.6. Attackers may send over
|
| 69 |
CVE-2026-24109
An issue was discovered in Tenda W20E V4.0br_V15.11.0.6. Attackers may exploit t
|
| 69 |
CVE-2026-24115
An issue was discovered in Tenda W20E V4.0br_V15.11.0.6. Failure to validate the
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 776d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2344d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2157d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1771d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2274d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 5021d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1242d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1044d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3798d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 946d |
1 / 19
Next