Total CVEs
16521
last 90 days
Avg Priority
36.3
of max 220
KEV
40
actively exploited
POC
3203
public exploits
Unpatched
4325
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
180
CVE-2025-40551
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil
170
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
164
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
160
CVE-2025-40536
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
129
CVE-2026-33825
Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to el
124
CVE-2026-21643
An improper neutralization of special elements used in an sql command ('sql injection') vulnerabilit
Priority Distribution
| Priority | CVE |
|---|---|
| 35 |
CVE-2026-34722
Zammad is a web based open source helpdesk/customer support system. Prior to 7.0
|
| 35 |
CVE-2026-40299
next-intl provides internationalization for Next.js. Applications using the `nex
|
| 35 |
CVE-2026-1612
AL-KO Robolinho Update Software has hard-coded AWS Access and Secret keys that a
|
| 35 |
CVE-2026-32924
OpenClaw before 2026.3.12 contains an authorization bypass vulnerability where F
|
| 35 |
CVE-2026-31838
Istio is an open platform to connect, manage, and secure microservices. Prior to
|
| 35 |
CVE-2026-32853
LibVNCServer versions 0.9.15 and prior (fixed in commit 009008e) contain a heap
|
| 35 |
CVE-2026-22815
### Summary
Insufficient restrictions in header/trailer handling could cause un
|
| 35 |
CVE-2026-28256
A Use of Hard-coded, Security-relevant Constants vulnerability in Trane Tracer S
|
| 35 |
CVE-2026-34443
FreeScout is a free help desk and shared inbox built with PHP's Laravel framewor
|
| 35 |
CVE-2026-35661
OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Tele
|
| 35 |
CVE-2026-35652
OpenClaw before 2026.3.22 contains an authorization bypass vulnerability in inte
|
| 35 |
CVE-2026-35665
OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-32011 where th
|
| 35 |
CVE-2026-34426
OpenClaw versions prior to commit b57b680 contain an approval bypass vulnerabili
|
| 35 |
CVE-2026-32326
SHARP routers do not perform authentication for some web APIs. The device inform
|
| 35 |
CVE-2026-4901
Hydrosystem Control System saves sensitive information into a log file. Critical
|
| 35 |
CVE-2026-40343
### Summary
A fail-open request handling flaw in the UDR service causes the `/nu
|
| 35 |
CVE-2026-6105
A security vulnerability has been detected in perfree go-fastdfs-web up to 1.3.7
|
| 35 |
CVE-2026-5346
A vulnerability was determined in huimeicloud hm_editor up to 2.2.3. Impacted is
|
| 35 |
CVE-2026-5536
A weakness has been identified in FedML-AI FedML up to 0.8.9. Affected is the fu
|
| 35 |
CVE-2026-35655
OpenClaw before 2026.3.22 contains an identity spoofing vulnerability in ACP per
|
| 35 |
CVE-2026-40104
### Impact
REST API endpoints like `/xwiki/rest/wikis/xwiki/spaces/AnnotationCod
|
| 35 |
CVE-2026-41331
OpenClaw before 2026.3.31 contains a resource consumption vulnerability in Teleg
|
| 35 |
CVE-2026-41457
OwnTone Server versions 28.4 through 29.0 contain a SQL injection vulnerability
|
| 35 |
CVE-2026-34235
PJSIP is a free and open source multimedia communication library written in C. P
|
| 35 |
CVE-2026-33700
Vikunja is an open-source self-hosted task management platform. Prior to version
|
| 35 |
CVE-2026-4990
A security vulnerability has been detected in chatwoot up to 4.11.1. The affecte
|
| 35 |
CVE-2026-33576
OpenClaw before 2026.3.28 downloads and stores inbound media from Zalo channels
|
| 35 |
CVE-2026-34504
OpenClaw before 2026.3.28 contains a server-side request forgery vulnerability i
|
| 35 |
CVE-2026-35383
Bentley Systems iTwin Platform exposed a Cesium ion access token in the source o
|
| 35 |
CVE-2026-23943
Improper Handling of Highly Compressed Data (Compression Bomb) vulnerability in
|
| 35 |
CVE-2026-5736
A vulnerability was identified in PowerJob 5.1.0/5.1.1/5.1.2. Impacted is an unk
|
| 35 |
CVE-2026-4955
A vulnerability was found in Shenzhen Ruiming Technology Streamax Crocus 1.3.44.
|
| 35 |
CVE-2026-5195
A flaw has been found in code-projects Student Membership System 1.0. This issue
|
| 35 |
CVE-2026-5150
A security vulnerability has been detected in code-projects Accounting System 1.
|
| 35 |
CVE-2026-5237
A security flaw has been discovered in itsourcecode Payroll Management System 1.
|
| 35 |
CVE-2026-5824
A security vulnerability has been detected in code-projects Simple Laundry Syste
|
| 35 |
CVE-2026-5238
A weakness has been identified in itsourcecode Payroll Management System 1.0. Af
|
| 35 |
CVE-2026-5813
A weakness has been identified in PHPGurukul Online Course Registration 3.1. Thi
|
| 35 |
CVE-2026-4615
A vulnerability was identified in SourceCodester Online Catering Reservation 1.0
|
| 35 |
CVE-2026-41459
Xerte Online Toolkits versions 3.15 and earlier contain an information disclosur
|
| 35 |
CVE-2026-5256
A flaw has been found in code-projects Simple Laundry System 1.0. This vulnerabi
|
| 35 |
CVE-2026-5257
A vulnerability has been found in code-projects Simple Laundry System 1.0. This
|
| 35 |
CVE-2026-5648
A flaw has been found in code-projects Simple Laundry System 1.0. This vulnerabi
|
| 35 |
CVE-2026-5334
A weakness has been identified in itsourcecode Online Enrollment System 1.0. Imp
|
| 35 |
CVE-2026-31927
Anviz CX7 Firmware is vulnerable to an authenticated CSV upload which allows pat
|
| 35 |
CVE-2026-27697
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS ha
|
| 35 |
CVE-2026-6437
Improper neutralization of argument delimiters in the volume handling component
|
| 35 |
CVE-2026-33773
An Incorrect Initialization of Resource vulnerability in the packet forwarding e
|
| 35 |
CVE-2026-33088
Movable Type provided by Six Apart Ltd. contains an SQL Injection vulnerability
|
| 35 |
CVE-2026-41300
OpenClaw before 2026.3.31 contains a trust-decline vulnerability that preserves
|
| 35 |
CVE-2026-21630
Improperly built order clauses lead to a SQL injection vulnerability in the arti
|
| 35 |
CVE-2026-3969
A vulnerability was detected in FeMiner wms up to 1.0. This impacts an unknown f
|
| 35 |
CVE-2026-33774
An Improper Check for Unusual or Exceptional Conditions vulnerability in the pac
|
| 35 |
CVE-2026-5575
A vulnerability was detected in SourceCodester/jkev Record Management System 1.0
|
| 35 |
CVE-2026-4956
A vulnerability was detected in Shenzhen Ruiming Technology Streamax Crocus 1.3.
|
| 35 |
CVE-2026-32662
Development and test API endpoints are present that mirror production functional
|
| 35 |
CVE-2026-4287
A security flaw has been discovered in Tiandy Easy7 Integrated Management Platfo
|
| 35 |
CVE-2026-41335
OpenClaw before 2026.3.31 contains an information disclosure vulnerability in th
|
| 35 |
CVE-2025-68933
Discourse is an open source discussion platform. In versions prior to 3.5.4, 202
|
| 35 |
CVE-2026-35647
OpenClaw before 2026.3.25 contains an access control vulnerability where verific
|
| 35 |
CVE-2026-35654
OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Micr
|
| 35 |
CVE-2026-33332
## Summary
NiceGUI's `app.add_media_file()` and `app.add_media_files()` media r
|
| 35 |
CVE-2026-21004
Improper authentication in Smart Switch prior to version 3.7.69.15 allows adjace
|
| 35 |
CVE-2026-40944
Oxia is a metadata store and coordination system. Prior to 0.16.2, the trustedCe
|
| 35 |
CVE-2026-41206
PySpector is a static analysis security testing (SAST) Framework engineered for
|
| 35 |
CVE-2026-40476
graphql-go is a Go implementation of GraphQL. In versions 15.31.4 and below, the
|
| 35 |
CVE-2026-2399
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traver
|
| 35 |
CVE-2026-1716
An input validation vulnerability was reported in the DeviceSettingsSystemAddin
|
| 35 |
CVE-2026-1715
An input validation vulnerability was reported in the DeviceSettingsSystemAddin
|
| 35 |
CVE-2025-69238
Raytha CMS is vulnerable to Cross-Site Request Forgery across multiple endpoints
|
| 35 |
CVE-2025-15515
The authentication mechanism for a specific feature in the EasyShare module cont
|
| 35 |
CVE-2026-32265
Unauthenticated users can view a list of buckets the plugin has access to.
The
|
| 35 |
CVE-2025-13651
Exposure of Sensitive System Information to an Unauthorized Actor vulnerability
|
| 35 |
CVE-2026-41301
OpenClaw versions 2026.3.22 before 2026.3.31 contain a signature verification by
|
| 35 |
CVE-2026-32041
OpenClaw versions prior to 2026.3.1 fail to properly handle authentication boots
|
| 35 |
CVE-2026-0827
During an internal security assessment, a potential vulnerability was discovered
|
| 35 |
CVE-2026-21013
Incorrect default permission in Galaxy Wearable prior to version 2.2.68.26 allow
|
| 35 |
CVE-2026-34941
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0
|
| 35 |
CVE-2026-31967
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is
|
| 35 |
CVE-2026-31966
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is
|
| 35 |
CVE-2026-31973
SAMtools is a program for reading, manipulating and writing bioinformatics file
|
| 35 |
CVE-2026-0209
Under certain administrative conditions, FlashArray Purity may apply snapshot re
|
| 35 |
CVE-2025-68482
A improper certificate validation vulnerability in Fortinet FortiAnalyzer 7.6.0
|
| 35 |
CVE-2025-71280
XenForo before 2.3.7 allows information disclosure via local account page cachin
|
| 35 |
CVE-2026-35667
OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-27486 where th
|
| 35 |
CVE-2026-31972
SAMtools is a program for reading, manipulating and writing bioinformatics file
|
| 35 |
CVE-2026-32919
OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowin
|
| 35 |
CVE-2026-41527
KDE Kleopatra before 26.08.0 on Windows allows local users to obtain the privile
|
| 35 |
CVE-2026-22177
OpenClaw versions prior to 2026.2.21 fail to filter dangerous process-control en
|
| 35 |
CVE-2026-40446
Access of resource using incompatible type ('type confusion') vulnerability in S
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 744d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2311d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2124d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1738d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2241d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4989d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1210d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1011d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3766d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 913d |