Total CVEs
16317
last 90 days
Avg Priority
36.5
of max 220
KEV
40
actively exploited
POC
3198
public exploits
Unpatched
4330
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
180
CVE-2025-40551
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil
170
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
164
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
160
CVE-2025-40536
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
129
CVE-2026-33825
Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to el
124
CVE-2026-21643
An improper neutralization of special elements used in an sql command ('sql injection') vulnerabilit
Priority Distribution
| Priority | CVE |
|---|---|
| 36 |
CVE-2026-5444
A heap buffer overflow vulnerability exists in the PAM image parsing logic. When
|
| 36 |
CVE-2026-1743
A vulnerability has been found in DJI Mavic Mini, Air, Spark and Mini SE up to 0
|
| 36 |
CVE-2026-33723
WWBN AVideo is an open source video platform. In versions up to and including 26
|
| 36 |
CVE-2026-23919
For performance reasons Zabbix Server/Proxy reuses JavaScript (Duktape) contexts
|
| 36 |
CVE-2025-13776
Multiple Finka programs use hard-coded Firebird database credentials (shared acr
|
| 36 |
CVE-2026-23325
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76:
|
| 36 |
CVE-2026-28482
OpenClaw versions prior to 2026.2.12 construct transcript file paths using unsan
|
| 36 |
CVE-2026-23269
In the Linux kernel, the following vulnerability has been resolved:
apparmor: v
|
| 36 |
CVE-2026-29643
XiangShan (Open-source high-performance RISC-V processor) commit edb1dfaf7d290ae
|
| 36 |
CVE-2026-23327
In the Linux kernel, the following vulnerability has been resolved:
cxl/mbox: v
|
| 36 |
CVE-2026-24369
Missing Authorization vulnerability in Theme-one The Grid the-grid allows Exploi
|
| 36 |
CVE-2026-5441
An out-of-bounds read vulnerability exists in the `DecodePsmctRle1` function of
|
| 36 |
CVE-2026-34118
A heap-based buffer overflow vulnerability was identified in TP-Link Tapo C520WS
|
| 36 |
CVE-2026-32501
Missing Authorization vulnerability in wp-configurator WP Configurator Pro wp-co
|
| 36 |
CVE-2026-34120
A heap-based buffer overflow vulnerability was identified in TP-Link Tapo C520WS
|
| 36 |
CVE-2026-34119
A heap-based buffer overflow vulnerability was identified in TP-Link Tapo C520WS
|
| 36 |
CVE-2025-55045
The update address CSRF vulnerability in MuraCMS through 10.1.10 allows attacker
|
| 36 |
CVE-2026-23555
Any guest issuing a Xenstore command accessing a node using the
(illegal) node p
|
| 36 |
CVE-2026-33780
A Missing Release of Memory after Effective Lifetime vulnerability in the Layer
|
| 36 |
CVE-2026-26317
OpenClaw is a personal AI assistant. Prior to 2026.2.14, browser-facing localhos
|
| 36 |
CVE-2026-32706
PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, The
|
| 36 |
CVE-2026-28477
OpenClaw versions prior to 2026.2.14 contain an oauth state validation bypass vu
|
| 36 |
CVE-2026-33781
An Improper Check for Unusual or Exceptional Conditions vulnerability in the pac
|
| 36 |
CVE-2026-25960
vLLM is an inference and serving engine for large language models (LLMs). The SS
|
| 36 |
CVE-2026-34122
A stack-based buffer overflow vulnerability was identified in TP-Link Tapo C520W
|
| 36 |
CVE-2026-5053
NoMachine External Control of File Path Arbitrary File Deletion Vulnerability. T
|
| 36 |
CVE-2025-59969
A Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnera
|
| 36 |
CVE-2026-4590
A security flaw has been discovered in kalcaddle kodbox 1.64. The impacted eleme
|
| 36 |
CVE-2026-33020
libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. V
|
| 36 |
CVE-2025-54502
Incorrect use of boot service in the AMD Platform Configuration Blob (APCB) SMM
|
| 36 |
CVE-2026-3622
The vulnerability exists in the UPnP component of TL-WR841N v14, where improper
|
| 36 |
CVE-2026-41057
WWBN AVideo is an open source video platform. In versions 29.0 and below, the CO
|
| 36 |
CVE-2026-25640
Pydantic AI is a Python agent framework for building applications and workflows
|
| 36 |
CVE-2026-35444
SDL_image is a library to load images of various formats as SDL surfaces. In do_
|
| 36 |
CVE-2025-11791
Sensitive information disclosure and manipulation due to insufficient authorizat
|
| 36 |
CVE-2026-28281
InstantCMS is a free and open source content management system. Prior to 2.18.1,
|
| 36 |
CVE-2026-39973
Apktool is a tool for reverse engineering Android APK files. In versions 3.0.0 a
|
| 36 |
CVE-2026-1751
A vulnerability has been discovered in GitLab CE/EE affecting all versions start
|
| 36 |
CVE-2026-25571
A vulnerability has been identified in SICAM SIAPP SDK (All versions < V2.1.7).
|
| 36 |
CVE-2026-25572
A vulnerability has been identified in SICAM SIAPP SDK (All versions < V2.1.7).
|
| 36 |
CVE-2025-68153
Juju is an open source application orchestration engine that enables any applica
|
| 36 |
CVE-2025-14316
The AhaChat Messenger Marketing WordPress plugin through 1.1 does not sanitise a
|
| 36 |
CVE-2026-33987
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to versio
|
| 36 |
CVE-2026-33982
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to versio
|
| 36 |
CVE-2026-28494
ImageMagick is free and open-source software used for editing and manipulating d
|
| 36 |
CVE-2026-35176
openFPGALoader is a utility for programming FPGAs. In 1.1.1 and earlier, a heap-
|
| 36 |
CVE-2026-33019
libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. V
|
| 36 |
CVE-2025-15396
The Library Viewer WordPress plugin before 3.2.0 does not sanitise and escape so
|
| 36 |
CVE-2026-6066
ConnectWise has released a security update for ConnectWise Automate™ that addres
|
| 36 |
CVE-2026-33353
### Summary
An authorization flaw in `repo import` allows any authenticated SSH
|
| 36 |
CVE-2026-39959
Tmds.DBus and Tmds.DBus.Protocol are vulnerable to malicious D-Bus peers. A peer
|
| 36 |
CVE-2026-2915
HP System Event Utility might allow denial of service with elevated arbitrary fi
|
| 36 |
CVE-2026-25536
MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol ser
|
| 36 |
CVE-2024-32537
Cross-Site request forgery (CSRF) vulnerability in joshuae1974 Flash Video Playe
|
| 36 |
CVE-2026-20606
This issue was addressed by removing the vulnerable code. This issue is fixed in
|
| 36 |
CVE-2026-20641
A privacy issue was addressed with improved checks. This issue is fixed in watch
|
| 36 |
CVE-2025-36258
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 product stores user
|
| 36 |
CVE-2026-30926
SiYuan is a personal knowledge management system. Prior to 3.5.10, a privilege e
|
| 36 |
CVE-2026-31846
An unauthenticated credential disclosure vulnerability in the /goform/ate endpoi
|
| 36 |
CVE-2026-34828
### Summary
A session management vulnerability allows previously issued authenti
|
| 36 |
CVE-2026-27115
ADB Explorer is a fluent UI for ADB on Windows. Versions 0.9.26020 and below hav
|
| 36 |
CVE-2026-2368
An improper certificate validation vulnerability was reported in the Lenovo File
|
| 36 |
CVE-2026-20628
A permissions issue was addressed with additional restrictions. This issue is fi
|
| 36 |
CVE-2025-47378
Cryptographic Issue when a shared VM reference allows HLOS to boot loader and ac
|
| 36 |
CVE-2026-33421
### Impact
Parse Server's LiveQuery WebSocket interface does not enforce Class-
|
| 36 |
CVE-2026-26103
A flaw was found in the udisks storage management daemon that exposes a privileg
|
| 36 |
CVE-2026-33330
FileRise is a self-hosted web file manager / WebDAV server. Prior to version 3.1
|
| 36 |
CVE-2026-39671
Cross-Site Request Forgery (CSRF) vulnerability in Dotstore Extra Fees Plugin fo
|
| 36 |
CVE-2026-27144
The compiler is meant to unwrap pointers which are the operands of a memory move
|
| 36 |
CVE-2025-47400
Cryptographic issue while copying data to a destination buffer without validatin
|
| 36 |
CVE-2026-28548
Vulnerability of improper verification in the email application. Impact: Success
|
| 36 |
CVE-2026-4584
A flaw has been found in Shenzhen HCC Technology MPOS M6 PLUS 1V.31-N. This affe
|
| 36 |
CVE-2026-33252
The Go SDK's Streamable HTTP transport accepted browser-generated cross-site `PO
|
| 36 |
CVE-2025-47366
Cryptographic issue when a Trusted Zone with outdated code is triggered by a HLO
|
| 36 |
CVE-2025-62676
An Improper Link Resolution Before File Access ('Link Following') vulnerability
|
| 36 |
CVE-2026-34992
### Impact
This is a missing encryption vulnerability (CWE-311) affecting inter-
|
| 36 |
CVE-2026-6855
A flaw was found in InstructLab. A local attacker could exploit a path traversal
|
| 36 |
CVE-2026-34414
Xerte Online Toolkits versions 3.15 and earlier contain a relative path traversa
|
| 36 |
CVE-2026-4315
A Cross-Site Request Forgery (CSRF) vulnerability in the WatchGuard Fireware OS
|
| 36 |
CVE-2026-35341
A vulnerability in uutils coreutils mkfifo allows for the unauthorized modificat
|
| 36 |
CVE-2026-40518
ByteDance DeerFlow before commit 2176b2b contains a path traversal and arbitrary
|
| 36 |
CVE-2026-35170
openFPGALoader is a utility for programming FPGAs. In 1.1.1 and earlier, a heap-
|
| 36 |
CVE-2026-41334
OpenClaw before 2026.3.31 contains a decompression bomb vulnerability in image p
|
| 36 |
CVE-2026-41269
Flowise is a drag & drop user interface to build a customized large language mod
|
| 36 |
CVE-2026-41270
Flowise is a drag & drop user interface to build a customized large language mod
|
| 36 |
CVE-2026-41325
Kirby is an open-source content management system. Kirby's user permissions cont
|
| 36 |
CVE-2026-41359
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing
|
| 36 |
CVE-2026-3259
A Generation of Error Message Containing Sensitive Information vulnerability in
|
| 36 |
CVE-2026-41272
Flowise is a drag & drop user interface to build a customized large language mod
|
| 36 |
CVE-2026-41271
Flowise is a drag & drop user interface to build a customized large language mod
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 742d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2309d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2122d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1736d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2239d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4987d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1207d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1009d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3764d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 911d |