Total CVEs
16503
last 90 days
Avg Priority
36.3
of max 220
KEV
39
actively exploited
POC
3207
public exploits
Unpatched
4320
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
180
CVE-2025-40551
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil
170
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
164
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
160
CVE-2025-40536
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
129
CVE-2026-33825
Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to el
124
CVE-2026-21643
An improper neutralization of special elements used in an sql command ('sql injection') vulnerabilit
Priority Distribution
| Priority | CVE |
|---|---|
| 33 |
CVE-2026-31179
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allo
|
| 33 |
CVE-2026-31163
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allo
|
| 33 |
CVE-2026-31160
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allo
|
| 33 |
CVE-2026-31165
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allo
|
| 33 |
CVE-2026-31172
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allo
|
| 33 |
CVE-2026-31162
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allo
|
| 33 |
CVE-2026-31164
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allo
|
| 33 |
CVE-2026-31176
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allo
|
| 33 |
CVE-2026-22017
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Op
|
| 33 |
CVE-2026-3138
The Product Filter for WooCommerce by WBW plugin for WordPress is vulnerable to
|
| 33 |
CVE-2026-33541
TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Sa
|
| 33 |
CVE-2026-33459
Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of serv
|
| 33 |
CVE-2026-32251
Tolgee is an open-source localization platform. Prior to 3.166.3, the XML parser
|
| 33 |
CVE-2026-24952
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 33 |
CVE-2026-24958
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 33 |
CVE-2026-24988
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 33 |
CVE-2026-6385
A flaw was found in FFmpeg. A remote attacker could exploit this vulnerability b
|
| 33 |
CVE-2026-32081
Exposure of sensitive information to an unauthorized actor in Windows File Explo
|
| 33 |
CVE-2026-35034
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 c
|
| 33 |
CVE-2026-22320
A stack-based buffer overflow in the CLI's TFTP file‑transfer command handling a
|
| 33 |
CVE-2026-24944
Missing Authorization vulnerability in weDevs Subscribe2 subscribe2 allows Explo
|
| 33 |
CVE-2026-30662
ConcreteCMS v9.4.7 contains a Denial of Service (DoS) vulnerability in the File
|
| 33 |
CVE-2026-40105
### Impact
A reflected cross-site scripting vulnerability (XSS) in the compare v
|
| 33 |
CVE-2026-33743
Incus is a system container and virtual machine manager. Prior to version 6.23.0
|
| 33 |
CVE-2026-32085
Exposure of sensitive information to an unauthorized actor in Windows Remote Pro
|
| 33 |
CVE-2026-31949
LibreChat is a ChatGPT clone with additional features. Prior to 0.8.3-rc1, a Den
|
| 33 |
CVE-2026-27460
Tandoor Recipes is an application for managing recipes, planning meals, and buil
|
| 33 |
CVE-2026-2235
C&Cm@il developed by HGiga has a SQL Injection vulnerability, allowing authentic
|
| 33 |
CVE-2026-32079
Exposure of sensitive information to an unauthorized actor in Windows File Explo
|
| 33 |
CVE-2026-27935
Discourse is an open-source discussion platform. Versions prior to 2026.3.0-late
|
| 33 |
CVE-2026-22178
OpenClaw versions prior to 2026.2.19 construct RegExp objects directly from unes
|
| 33 |
CVE-2026-23982
An Improper Authorization vulnerability exists in Apache Superset that allows a
|
| 33 |
CVE-2026-33438
Stirling-PDF is a locally hosted web application that allows you to perform vari
|
| 33 |
CVE-2026-1781
The MC4WP: Mailchimp for WordPress plugin for WordPress is vulnerable to Missing
|
| 33 |
CVE-2026-35594
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0,
|
| 33 |
CVE-2025-41754
A low-privileged remote attacker can exploit the ubr-editfile method in wwwubr.c
|
| 33 |
CVE-2026-32108
Copyparty is a portable file server. Prior to 1.20.12, there was a missing permi
|
| 33 |
CVE-2025-27555
Airflow versions before 2.11.1 have a vulnerability that allows authenticated us
|
| 33 |
CVE-2026-1387
GitLab has remediated an issue in GitLab EE affecting all versions from 15.6 bef
|
| 33 |
CVE-2026-33428
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-late
|
| 33 |
CVE-2026-1504
Inappropriate implementation in Background Fetch API in Google Chrome prior to 1
|
| 33 |
CVE-2025-53598
A NULL pointer dereference vulnerability has been reported to affect Qsync Centr
|
| 33 |
CVE-2025-54146
A NULL pointer dereference vulnerability has been reported to affect Qsync Centr
|
| 33 |
CVE-2025-54147
A NULL pointer dereference vulnerability has been reported to affect Qsync Centr
|
| 33 |
CVE-2025-54148
A NULL pointer dereference vulnerability has been reported to affect Qsync Centr
|
| 33 |
CVE-2026-1671
The Activity Log for WordPress plugin for WordPress is vulnerable to unauthorize
|
| 33 |
CVE-2025-65017
Decidim is a participatory democracy framework. In versions from 0.30.0 to befor
|
| 33 |
CVE-2025-57708
An allocation of resources without limits or throttling vulnerability has been r
|
| 33 |
CVE-2025-62854
An uncontrolled resource consumption vulnerability has been reported to affect F
|
| 33 |
CVE-2026-4004
The Task Manager plugin for WordPress is vulnerable to arbitrary shortcode execu
|
| 33 |
CVE-2026-25729
DeepAudit is a multi-agent system for code vulnerability discovery. In 3.0.4 and
|
| 33 |
CVE-2026-20636
The issue was addressed with improved memory handling. This issue is fixed in iO
|
| 33 |
CVE-2025-69218
Discourse is an open source discussion platform. In versions prior to 3.5.4, 202
|
| 33 |
CVE-2026-34531
## Summary
In a situation where the client makes a request to a token protected
|
| 33 |
CVE-2026-27397
Authorization Bypass Through User-Controlled Key vulnerability in Really Simple
|
| 33 |
CVE-2026-2845
An issue has been discovered in GitLab CE/EE affecting all versions from 11.2 be
|
| 33 |
CVE-2026-22922
Apache Airflow versions 3.1.0 through 3.1.6 contain an authorization flaw that c
|
| 33 |
CVE-2026-23984
An Improper Input Validation vulnerability exists in Apache Superset that allows
|
| 33 |
CVE-2026-2303
The mongo-go-driver repository contains CGo bindings for GSSAPI (Kerberos) authe
|
| 33 |
CVE-2026-28480
OpenClaw versions prior to 2026.2.14 contain an authorization bypass vulnerabili
|
| 33 |
CVE-2025-12773
A vulnerability in update-reports-purge-settings.sh script logging for Brocade S
|
| 33 |
CVE-2026-5025
The '/logs' and '/logs-stream' endpoints in the log router allow any authenticat
|
| 33 |
CVE-2026-2369
A flaw was found in libsoup. An integer underflow vulnerability occurs when proc
|
| 33 |
CVE-2026-21865
Discourse is an open source discussion platform. In versions prior to 3.5.4, 202
|
| 33 |
CVE-2024-43766
In multiple functions of btm_ble_sec.cc, there is a possible unencrypted communi
|
| 33 |
CVE-2026-39378
The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various oth
|
| 33 |
CVE-2026-29195
Netmaker makes networks with WireGuard. Prior to version 1.5.0, the user update
|
| 33 |
CVE-2026-26004
Sentry is a developer-first error tracking and performance monitoring tool. Vers
|
| 33 |
CVE-2026-2350
Tanium addressed an insertion of sensitive information into log file vulnerabili
|
| 33 |
CVE-2026-34500
CLIENT_CERT authentication does not fail as expected for some scenarios when sof
|
| 33 |
CVE-2025-13867
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 through
|
| 33 |
CVE-2026-23487
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there
|
| 33 |
CVE-2026-1651
The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to S
|
| 33 |
CVE-2026-2452
Emails sent by pretix can utilize placeholders that will be filled with customer
|
| 33 |
CVE-2026-24742
Discourse is an open source discussion platform. In versions prior to 3.5.4, 202
|
| 33 |
CVE-2026-24098
Apache Airflow versions 3.0.0 - 3.1.7, has vulnerability that allows authenticat
|
| 33 |
CVE-2026-1292
Tanium addressed an insertion of sensitive information into log file vulnerabili
|
| 33 |
CVE-2025-15574
When connecting to the Solax Cloud MQTT server the username is the "registration
|
| 33 |
CVE-2026-29081
Frappe is a full-stack web application framework. Prior to versions 14.100.1 and
|
| 33 |
CVE-2026-24957
Missing Authorization vulnerability in WP Chill Strong Testimonials strong-testi
|
| 33 |
CVE-2026-26361
Dell Unisphere for PowerMax, version(s) 10.2, contain(s) an External Control of
|
| 33 |
CVE-2026-3131
Improper
access control in multiple DVLS REST API endpoints in Devolutions
Ser
|
| 33 |
CVE-2026-25963
Fleet is open source device management software. In versions prior to 4.80.1, a
|
| 33 |
CVE-2026-6364
Out of bounds read in Skia in Google Chrome prior to 147.0.7727.101 allowed a re
|
| 33 |
CVE-2026-23545
Missing Authorization vulnerability in Aruba.it Dev Aruba HiSpeed Cache aruba-hi
|
| 33 |
CVE-2026-3937
Incorrect security UI in Downloads in Google Chrome on Android prior to 146.0.76
|
| 33 |
CVE-2026-27362
Missing Authorization vulnerability in kamleshyadav WP Bakery Autoresponder Addo
|
| 33 |
CVE-2026-27022
@langchain/langgraph-checkpoint-redis is the Redis checkpoint and store implemen
|
| 33 |
CVE-2026-5283
Inappropriate implementation in ANGLE in Google Chrome prior to 146.0.7680.178 a
|
| 33 |
CVE-2026-25936
GLPI is a free Asset and IT management software package. Starting in version 11.
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 744d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2312d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2125d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1739d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2242d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4989d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1210d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1012d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3766d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 914d |