| Metric | Value | Detail |
|---|---|---|
| Total CVEs | 16481 | last 90 days |
| Avg Priority | 36.3 | of max 220 |
| KEV | 39 | actively exploited |
| POC | 3205 | public exploits |
| Unpatched | 4317 | CRIT/HIGH without patch |
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
| Signal | Weight | Meaning |
|---|---|---|
| KEV | +50 | CISA Known Exploited Vulnerability: confirmed active exploitation in the wild |
| EPSS | x100 | Exploit Prediction Scoring System: probability of exploitation in next 30 days (0-100) |
| CVSS | x5 | Common Vulnerability Scoring System: technical severity (0-50) |
| POC | +20 | Public exploit code exists, which lowers the barrier for attackers |

| Score | Rating |
|---|---|
| 0-40 | Low |
| 40-80 | Medium |
| 80-120 | High |
| 120+ | Critical |
Patch Now — Known Exploited Vulnerabilities
| Priority | CVE | Description |
|---|---|---|
| 185 | CVE-2026-1731 | BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain |
| 180 | CVE-2025-40551 | SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil |
| 170 | CVE-2026-1340 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem |
| 164 | CVE-2026-1281 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem |
| 160 | CVE-2025-40536 | SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that |
| 141 | CVE-2026-20131 | A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM |
| 137 | CVE-2026-1603 | An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen |
| 134 | CVE-2026-22769 | Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia |
| 129 | CVE-2026-33825 | Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to el |
| 124 | CVE-2026-21643 | An improper neutralization of special elements used in an sql command ('sql injection') vulnerabilit |
Priority Distribution
| Priority | CVE | Description |
|---|---|---|
| 33 | CVE-2026-35173 | Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, an IDOR / |
| 33 | CVE-2026-20404 | In Modem, there is a possible system crash due to improper input validation. Thi |
| 33 | CVE-2026-20083 | A vulnerability in the Secure Copy Protocol (SCP) server feature of Cisco IOS XE |
| 33 | CVE-2026-30955 | Summary: An API endpoint accepts unbounded request bodies without any size l |
| 33 | CVE-2026-1697 | The Secure and SameSite attribute are missing in the GraphicalData web services |
| 33 | CVE-2026-34740 | WWBN AVideo is an open source video platform. In versions 26.0 and prior, the EP |
| 33 | CVE-2026-41043 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vu |
| 33 | CVE-2026-2656 | A flaw has been found in ChaiScript up to 6.1.0. This affects the function chais |
| 33 | CVE-2026-2655 | A vulnerability was detected in ChaiScript up to 6.1.0. The impacted element is |
| 33 | CVE-2026-20042 | A vulnerability in the configuration backup feature of Cisco Nexus Dashboard cou |
| 33 | CVE-2026-41127 | BigBlueButton is an open-source virtual classroom. Versions prior to 3.0.24 have |
| 33 | CVE-2026-3527 | Missing Authentication for Critical Function vulnerability in Drupal AJAX Dashbo |
| 33 | CVE-2025-7375 | A denial-of-service (DoS) vulnerability was identified in Omada EAP610 v3. An a |
| 33 | CVE-2026-3121 | A flaw was found in Keycloak. An administrator with `manage-clients` permission |
| 33 | CVE-2025-69988 | BS Producten Petcam 33.1.0.0818 is vulnerable to Incorrect Access Control. An un |
| 33 | CVE-2025-70044 | An issue pertaining to CWE-295: Improper Certificate Validation was discovered i |
| 33 | CVE-2026-5919 | Insufficient validation of untrusted input in WebSockets in Google Chrome prior |
| 33 | CVE-2025-36368 | IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.1.0.0 through 6.1.2. |
| 33 | CVE-2025-36424 | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow a |
| 33 | CVE-2025-65127 | A lack of session validation in the web API component of Shenzhen Zhibotong Elec |
| 33 | CVE-2026-1839 | A vulnerability in the HuggingFace Transformers library, specifically in the `Tr |
| 33 | CVE-2026-23567 | An integer underflow in the UDP command handler of the TeamViewer DEX Client (fo |
| 33 | CVE-2026-24687 | Umbraco Forms is a form builder that integrates with the Umbraco content managem |
| 33 | CVE-2025-36427 | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow a |
| 33 | CVE-2026-32842 | Edimax GS-5008PL firmware version 1.00.54 and prior contain an insecure credenti |
| 33 | CVE-2026-2913 | A vulnerability was determined in libvips up to 8.19.0. The affected element is |
| 33 | CVE-2025-8303 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site |
| 33 | CVE-2026-1014 | IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to exp |
| 33 | CVE-2025-36009 | IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an |
| 33 | CVE-2018-25160 | HTTP::Session2 versions through 1.09 for Perl does not validate the format of us |
| 33 | CVE-2025-36366 | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow a |
| 33 | CVE-2026-20657 | The issue was addressed with improved memory handling. This issue is fixed in iO |
| 33 | CVE-2025-36442 | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5. |
| 33 | CVE-2026-28880 | A permissions issue was addressed with additional restrictions. This issue is fi |
| 33 | CVE-2025-62853 | A path traversal vulnerability has been reported to affect File Station 5. If a |
| 33 | CVE-2026-24053 | Claude Code is an agentic coding tool. Prior to version 2.0.74, due to a Bash co |
| 33 | CVE-2026-25344 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulne |
| 33 | CVE-2026-30579 | File Thingie 2.5.7 is vulnerable to Cross Site Scripting (XSS). A malicious user |
| 33 | CVE-2026-23484 | Blinko is an AI-powered card note-taking project. In versions from 1.8.3 and pri |
| 33 | CVE-2026-25339 | Insertion of Sensitive Information Into Sent Data vulnerability in Syed Balkhi C |
| 33 | CVE-2026-30452 | Textpattern CMS 4.9.0 contains a Broken Access Control vulnerability in the arti |
| 33 | CVE-2026-30578 | File Thinghie 2.5.7 is vulnerable to Cross Site Scripting (XSS). A malicious use |
| 33 | CVE-2026-28857 | The issue was addressed with improved memory handling. This issue is fixed in Sa |
| 33 | CVE-2025-36070 | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5. |
| 33 | CVE-2025-36001 | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5. |
| 33 | CVE-2026-28844 | A file access issue was addressed with improved input validation. This issue is |
| 33 | CVE-2025-2668 | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5. |
| 33 | CVE-2026-1101 | GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 bef |
| 33 | CVE-2026-30480 | A Local File Inclusion (LFI) vulnerability in the NFSen module (nfsen.inc.php) o |
| 33 | CVE-2025-36098 | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5. |
| 33 | CVE-2025-36387 | IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 - 11.5. |
| 33 | CVE-2026-32588 | Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows authenticate |
| 33 | CVE-2026-27754 | SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 use the cryptographic |
| 33 | CVE-2025-61154 | Heap buffer overflow vulnerability in LibreDWG versions v0.13.3.7571 up to v0.13 |
| 33 | CVE-2025-36423 | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 12.1.0 - 12.1. |
| 33 | CVE-2026-33283 | Summary: Ella Core panics when processing malformed UL NAS Transport NAS messa |
| 33 | CVE-2025-36407 | IBM® Db2® is vulnerable to a denial of service with a specially crafted query th |
| 33 | CVE-2026-25455 | Missing Authorization vulnerability in PickPlugins Product Slider for WooCommerc |
| 33 | CVE-2026-25454 | Missing Authorization vulnerability in MVPThemes The League the-league allows Ex |
| 33 | CVE-2026-25437 | Missing Authorization vulnerability in سید محمدامین هاشمی GZSEO gzseo allows Exp |
| 33 | CVE-2026-25430 | Missing Authorization vulnerability in CRM Perks Integration for Mailchimp and C |
| 33 | CVE-2026-25398 | Missing Authorization vulnerability in Webilia Inc. Vertex Addons for Elementor |
| 33 | CVE-2026-25390 | Missing Authorization vulnerability in Saad Iqbal New User Approve new-user-appr |
| 33 | CVE-2026-25365 | Missing Authorization vulnerability in Özgür KARALAR Kargo Takip kargo-takip-tur |
| 33 | CVE-2026-26929 | Apache Airflow versions 3.0.0 through 3.1.7 FastAPI DagVersion listing API does |
| 33 | CVE-2026-29647 | In OpenXiangShan NEMU, insufficient Smstateen permission enforcement allows lowe |
| 33 | CVE-2026-24514 | A security issue was discovered in ingress-nginx where the validating admission |
| 33 | CVE-2026-25327 | Missing Authorization vulnerability in Rustaurius Five Star Restaurant Reservati |
| 33 | CVE-2026-25034 | Missing Authorization vulnerability in Iqonic Design KiviCare kivicare-clinic-ma |
| 33 | CVE-2026-25009 | Missing Authorization vulnerability in raratheme Education Zone education-zone a |
| 33 | CVE-2025-12899 | A flaw in Zephyr’s network stack allows an IPv4 packet containing ICMP type 128 |
| 33 | CVE-2026-27609 | Parse Dashboard is a standalone dashboard for managing Parse Server apps. In ver |
| 33 | CVE-2026-24987 | Missing Authorization vulnerability in activity-log.com WP System Log winterlock |
| 33 | CVE-2026-22485 | Missing Authorization vulnerability in Ruhul Amin My Album Gallery my-album-gall |
| 33 | CVE-2026-32541 | Missing Authorization vulnerability in Premmerce Premmerce Redirect Manager prem |
| 33 | CVE-2026-1626 | An attacker may exploit the use of weak CBC-based cipher suites in the device’s |
| 33 | CVE-2026-1627 | An attacker may exploit the use of outdated and weak MAC algorithms in the devic |
| 33 | CVE-2026-23972 | Missing Authorization vulnerability in magepeopleteam Booking and Rental Manager |
| 33 | CVE-2026-24364 | Missing Authorization vulnerability in weDevs WP User Frontend wp-user-frontend |
| 33 | CVE-2026-24376 | Missing Authorization vulnerability in Javier Casares WPVulnerability wpvulnerab |
| 33 | CVE-2026-3889 | Spoofing issue in Thunderbird. This vulnerability affects Thunderbird < 149 and |
| 33 | CVE-2025-68971 | In Forgejo through 13.0.3, the attachment component allows a denial of service b |
| 33 | CVE-2026-32535 | Authorization Bypass Through User-Controlled Key vulnerability in JoomSky JS Hel |
| 33 | CVE-2026-32533 | Authorization Bypass Through User-Controlled Key vulnerability in LatePoint Late |
| 33 | CVE-2026-32527 | Missing Authorization vulnerability in CRM Perks WP Insightly for Contact Form 7 |
| 33 | CVE-2026-24972 | Missing Authorization vulnerability in Elated-Themes Elated Listing eltd-listing |
| 33 | CVE-2026-30655 | SQL injection in Solicitante::resetaSenha() in esiclivre/esiclivre v0.2.2 and ea |
| 33 | CVE-2026-32514 | Missing Authorization vulnerability in Anton Voytenko Petitioner petitioner allo |
| 33 | CVE-2026-40199 | Net::CIDR::Lite versions before 0.23 for Perl mishandles IPv4 mapped IPv6 addres |
| 33 | CVE-2026-28835 | A use-after-free issue was addressed with improved memory management. This issue |
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 744d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2312d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2125d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1739d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2242d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4989d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1210d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1012d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3767d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 914d |