Total CVEs
1516
last 7 days
Avg Priority
32.1
of max 220
KEV
0
actively exploited
POC
186
public exploits
Unpatched
437
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Priority Distribution
| Priority | CVE |
|---|---|
| 67 |
CVE-2026-23696
Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vul
|
| 66 |
CVE-2026-35022
Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection v
|
| 66 |
CVE-2026-22679
Weaver (Fanwei) E-cology 10.0 versions prior to 20260312 contain an unauthentica
|
| 57 |
CVE-2025-13926
An attacker could use data obtained by sniffing the network traffic to
forge pa
|
| 56 |
CVE-2025-14815
Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric
|
| 56 |
CVE-2025-14816
Cleartext Storage of Sensitive Information in GUI vulnerability in Mitsubishi El
|
| 51 |
CVE-2026-4149
Sonos Era 300 SMB Response Out-Of-Bounds Access Remote Code Execution Vulnerabil
|
| 50 |
CVE-2026-39337
ChurchCRM is an open-source church management system. Prior to 7.1.0, critical p
|
| 50 |
CVE-2025-54328
An issue was discovered in SMS in Samsung Mobile Processor, Wearable Processor,
|
| 50 |
CVE-2026-5059
aws-mcp-server AWS CLI Command Injection Remote Code Execution Vulnerability. Th
|
| 50 |
CVE-2026-5058
aws-mcp-server Command Injection Remote Code Execution Vulnerability. This vulne
|
| 50 |
CVE-2026-39355
Genealogy is a family tree PHP application. Prior to 5.9.1, a critical broken ac
|
| 50 |
CVE-2026-40089
Sonicverse is a Self-hosted Docker Compose stack for live radio streaming. The S
|
| 49 |
CVE-2026-4003
The Users manager - PN plugin for WordPress is vulnerable to Privilege Escalatio
|
| 49 |
CVE-2026-3535
The DSGVO Google Web Fonts GDPR plugin for WordPress is vulnerable to arbitrary
|
| 49 |
CVE-2026-1830
The Quick Playground plugin for WordPress is vulnerable to Remote Code Execution
|
| 49 |
CVE-2026-4631
Cockpit's remote login feature passes user-supplied hostnames and usernames from
|
| 49 |
CVE-2026-6057
FalkorDB Browser 1.9.3 contains an unauthenticated path traversal vulnerability
|
| 49 |
CVE-2026-0740
The Ninja Forms - File Uploads plugin for WordPress is vulnerable to arbitrary f
|
| 49 |
CVE-2026-1114
In parisneo/lollms version 2.1.0, the application's session management is vulner
|
| 49 |
CVE-2026-31059
A remote command execution (RCE) vulnerability in the /goform/formDia component
|
| 49 |
CVE-2026-31271
megagao production_ssm v1.0 contains an authorization bypass vulnerability in th
|
| 49 |
CVE-2026-33816
Memory-safety vulnerability in github.com/jackc/pgx/v5.
|
| 49 |
CVE-2026-30079
In OpenAirInterface V2.2.0 AMF, Out of sequence messages causes incorrect state
|
| 49 |
CVE-2026-31272
MRCMS 3.1.2 contains an access control vulnerability. The save() method in src/m
|
| 49 |
CVE-2026-3296
The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in
|
| 49 |
CVE-2026-31151
An issue in the login mechanism of Kaleris YMS v7.2.2.1 allows attackers to bypa
|
| 49 |
CVE-2026-33815
Memory-safety vulnerability in github.com/jackc/pgx/v5.
|
| 49 |
CVE-2025-52909
An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wear
|
| 49 |
CVE-2025-62818
An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Mod
|
| 49 |
CVE-2025-52908
An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wear
|
| 49 |
CVE-2026-5735
Memory safety bugs present in Firefox 149.0.1 and Thunderbird 149.0.1. Some of t
|
| 49 |
CVE-2026-2942
The ProSolution WP Client plugin for WordPress is vulnerable to arbitrary file u
|
| 49 |
CVE-2026-5731
Memory safety bugs present in Firefox ESR 115.34.0, Firefox ESR 140.9.0, Thunder
|
| 49 |
CVE-2026-5734
Memory safety bugs present in Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Fire
|
| 48 |
CVE-2026-39617
Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Bluestreet bl
|
| 48 |
CVE-2026-39619
Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Busiprof busi
|
| 47 |
CVE-2026-39342
ChurchCRM is an open-source church management system. Prior to 7.1.0, the search
|
| 47 |
CVE-2026-33707
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, th
|
| 47 |
CVE-2026-35047
Brave CMS is an open-source CMS. Prior to 2.0.6, an Unrestricted File Upload vul
|
| 47 |
CVE-2026-34078
Flatpak is a Linux application sandboxing and distribution framework. Prior to 1
|
| 47 |
CVE-2026-40035
dfir-unfurl through 20250810 contains an improper input validation vulnerability
|
| 47 |
CVE-2026-34977
Aperi'Solve is an open-source steganalysis web platform. Prior to 3.2.1, when up
|
| 47 |
CVE-2026-25776
Movable Type provided by Six Apart Ltd. contains a code injection vulnerability
|
| 47 |
CVE-2026-39382
dbt enables data analysts and engineers to transform their data using the same p
|
| 47 |
CVE-2026-35614
Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0,
|
| 47 |
CVE-2026-34580
Botan is a C++ cryptography library. In 3.11.0, the function Certificate_Store::
|
| 46 |
CVE-2026-33698
Chamilo LMS is a learning management system. Prior to 1.11.38, a chained attack
|
| 46 |
CVE-2026-33784
A Use of Default Password vulnerability in the Juniper Networks
Support Insigh
|
| 46 |
CVE-2026-31845
A pre-authenticated reflected cross-site scripting (XSS) vulnerability exists in
|
| 46 |
CVE-2026-35178
Workbench is a suite of tools for administrators and developers to interact with
|
| 46 |
CVE-2026-34424
Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla contains a multi-st
|
| 46 |
CVE-2025-39666
Local privilege escalation in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46
|
| 46 |
CVE-2026-40189
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces
|
| 46 |
CVE-2026-39322
PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and ea
|
| 46 |
CVE-2026-28205
OpenPLC_V3 is vulnerable to an Initialization of a Resource with an Insecure Def
|
| 46 |
CVE-2026-35556
OpenPLC_V3 is vulnerable to a Plaintext Storage of a Password vulnerability that
|
| 46 |
CVE-2026-35573
ChurchCRM is an open-source church management system. Prior to 6.5.3, a path tra
|
| 46 |
CVE-2026-39339
ChurchCRM is an open-source church management system. Prior to 7.1.0, a critica
|
| 46 |
CVE-2025-71058
Dual DHCP DNS Server 8.01 improperly accepts and caches UDP DNS responses withou
|
| 46 |
CVE-2026-26026
GLPI is a free asset and IT management software package. From 11.0.0 to before 1
|
| 46 |
CVE-2026-5627
A path traversal vulnerability exists in mintplex-labs/anything-llm versions up
|
| 46 |
CVE-2026-31017
A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format fu
|
| 46 |
CVE-2025-58349
An issue was discovered in L2 in Samsung Mobile Processor, Wearable Processor, a
|
| 46 |
CVE-2025-69515
An issue in JXL 9 Inch Car Android Double Din Player Android v12.0 allows attack
|
| 46 |
CVE-2026-35050
text-generation-webui is an open-source web interface for running Large Language
|
| 46 |
CVE-2026-32892
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Ch
|
| 46 |
CVE-2026-33771
A Weak Password Requirements vulnerability in the password management function o
|
| 46 |
CVE-2026-35174
Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, a path tra
|
| 46 |
CVE-2026-39980
OpenCTI is an open source platform for managing cyber threat intelligence knowle
|
| 45 |
CVE-2026-39860
Nix is a package manager for Linux and other Unix systems. A bug in the fix for
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 730d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2298d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2111d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1724d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2227d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4975d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1196d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 997d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3752d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 899d |