Total CVEs
16505
last 90 days
Avg Priority
36.3
of max 220
KEV
39
actively exploited
POC
3225
public exploits
Unpatched
4325
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
180
CVE-2025-40551
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil
170
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
164
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
160
CVE-2025-40536
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
129
CVE-2026-33825
Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to el
124
CVE-2026-21643
An improper neutralization of special elements used in an sql command ('sql injection') vulnerabilit
Priority Distribution
| Priority | CVE |
|---|---|
| 32 |
CVE-2026-4085
The Easy Social Photos Gallery plugin for WordPress is vulnerable to Stored Cros
|
| 32 |
CVE-2026-2384
The Quiz Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting
|
| 32 |
CVE-2026-1893
The Orbisius Random Name Generator plugin for WordPress is vulnerable to Stored
|
| 32 |
CVE-2025-11185
The Complianz - GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to S
|
| 32 |
CVE-2026-4089
The Twittee Text Tweet plugin for WordPress is vulnerable to Stored Cross-Site S
|
| 32 |
CVE-2026-4082
The ER Swiffy Insert plugin for WordPress is vulnerable to Stored Cross-Site Scr
|
| 32 |
CVE-2026-4125
The WPMK Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting
|
| 32 |
CVE-2026-4279
The Bread & Butter plugin for WordPress is vulnerable to Stored Cross-Site Scrip
|
| 32 |
CVE-2026-3875
The BetterDocs plugin for WordPress is vulnerable to Stored Cross-Site Scripting
|
| 32 |
CVE-2026-32282
On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod
|
| 32 |
CVE-2026-0868
The EMC - Easily Embed Calendly Scheduling Features plugin for WordPress is vuln
|
| 32 |
CVE-2026-2509
The Page Builder: Pagelayer plugin for WordPress is vulnerable to Stored Cross-S
|
| 32 |
CVE-2026-3299
The WP YouTube Lyte plugin for WordPress is vulnerable to Stored Cross-Site Scri
|
| 32 |
CVE-2026-3885
The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerabl
|
| 32 |
CVE-2026-3878
The WP Docs plugin for WordPress is vulnerable to Stored Cross-Site Scripting vi
|
| 32 |
CVE-2026-5820
The Zypento Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scrip
|
| 32 |
CVE-2026-5070
The Vantage theme for WordPress is vulnerable to Stored Cross-Site Scripting via
|
| 32 |
CVE-2025-13364
The WP Maps - Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory &
|
| 32 |
CVE-2026-6246
The Simple Random Posts Shortcode plugin for WordPress is vulnerable to Stored C
|
| 32 |
CVE-2026-2434
The Pz-LinkCard plugin for WordPress is vulnerable to Stored Cross-Site Scriptin
|
| 32 |
CVE-2026-5748
The Text Snippets plugin for WordPress is vulnerable to Stored Cross-Site Script
|
| 32 |
CVE-2026-6236
The Posts map plugin for WordPress is vulnerable to Stored Cross-Site Scripting
|
| 32 |
CVE-2026-4353
The CI HUB Connector plugin for WordPress is vulnerable to Stored Cross-Site Scr
|
| 32 |
CVE-2025-15064
The Ultimate Member - User Profile, Registration, Login, Member Directory, Conte
|
| 32 |
CVE-2026-0664
The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cros
|
| 32 |
CVE-2026-2600
The ElementsKit Elementor Addons and Templates plugin for WordPress is vulnerabl
|
| 32 |
CVE-2026-0738
The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerabl
|
| 32 |
CVE-2026-0737
The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerabl
|
| 32 |
CVE-2026-0552
The Simple Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site
|
| 32 |
CVE-2025-13368
The Xpro Addons - 140+ Widgets for Elementor plugin for WordPress is vulnerable
|
| 32 |
CVE-2026-2988
The Blubrry PowerPress plugin for WordPress is vulnerable to Stored Cross-Site S
|
| 32 |
CVE-2026-4379
The LightPress Lightbox plugin for WordPress is vulnerable to Stored Cross-Site
|
| 32 |
CVE-2025-14732
The Elementor Website Builder - More Than Just a Page Builder plugin for WordPre
|
| 32 |
CVE-2026-5767
The SlideShowPro SC plugin for WordPress is vulnerable to Stored Cross-Site Scri
|
| 32 |
CVE-2026-40226
In nspawn in systemd 233 through 259 before 260, an escape-to-host action can oc
|
| 32 |
CVE-2025-57849
A container privilege escalation flaw was found in certain Fuse images. This iss
|
| 32 |
CVE-2025-8766
A container privilege escalation flaw was found in certain Multi-Cloud Object Ga
|
| 32 |
CVE-2026-20438
In MAE, there is a possible out of bounds write due to a race condition. This co
|
| 32 |
CVE-2026-32911
OpenClaw versions 2026.2.22 prior to 2026.2.24 contain an authorization bypass v
|
| 32 |
CVE-2025-57851
A container privilege escalation flaw was found in certain Multicluster Engine f
|
| 32 |
CVE-2026-33320
### Summary
`dasel`'s YAML reader allows an attacker who can supply YAML for pr
|
| 32 |
CVE-2025-57853
A container privilege escalation flaw was found in certain Web Terminal images.
|
| 32 |
CVE-2026-23758
GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability
|
| 32 |
CVE-2025-57175
Siklu EtherHaul 8010 siklu-uimage-nxp-enc-10_6_2-18707-ea552dc00b devices have a
|
| 32 |
CVE-2026-41591
### Summary
When dynamic text is interpolated into a `<script>` or `<style>` ta
|
| 32 |
CVE-2026-32900
OpenClaw before 2026.2.22 contains an authorization bypass vulnerability in allo
|
| 32 |
CVE-2025-57854
A container privilege escalation flaw was found in certain OpenShift Update Serv
|
| 32 |
CVE-2025-57847
A container privilege escalation flaw was found in certain Ansible Automation Pl
|
| 32 |
CVE-2025-58713
A container privilege escalation flaw was found in certain Red Hat Process Autom
|
| 32 |
CVE-2026-4195
A flaw has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L,
|
| 32 |
CVE-2026-39862
Tophat is a mobile applications testing harness. Prior to 2.5.1, Tophat is affec
|
| 32 |
CVE-2026-4196
A vulnerability has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, D
|
| 32 |
CVE-2026-4197
A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-32
|
| 32 |
CVE-2026-32854
LibVNCServer versions 0.9.15 and prior (fixed in commit dc78dee) contain null po
|
| 32 |
CVE-2026-2130
A vulnerability was determined in BurtTheCoder mcp-maigret up to 1.0.12. This af
|
| 32 |
CVE-2026-1638
A security flaw has been discovered in Tenda AC21 1.1.1.1/1.dmzip/16.03.08.16. T
|
| 32 |
CVE-2026-39420
MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below
|
| 32 |
CVE-2026-32624
xrdp is an open source RDP server. Versions through 0.10.5 contain a heap-based
|
| 32 |
CVE-2026-2563
A vulnerability was identified in JingDong JD Cloud Box AX6600 up to 4.5.1.r4533
|
| 32 |
CVE-2026-2562
A vulnerability was determined in JingDong JD Cloud Box AX6600 up to 4.5.1.r4533
|
| 32 |
CVE-2026-2561
A vulnerability was found in JingDong JD Cloud Box AX6600 up to 4.5.1.r4533. Thi
|
| 32 |
CVE-2026-40021
Apache Log4net's XmlLayout https://logging.apache.org/log4net/manual/configurat
|
| 32 |
CVE-2026-34481
Apache Log4j's JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/j
|
| 32 |
CVE-2026-40023
Apache Log4cxx's XMLLayout https://logging.apache.org/log4cxx/1.7.0/classlog4cx
|
| 32 |
CVE-2026-2697
An Indirect Object Reference (IDOR) in Security Center allows an authenticated r
|
| 32 |
CVE-2026-34477
The fix for CVE-2025-68161 https://logging.apache.org/security.html#CVE-2025-68
|
| 32 |
CVE-2026-1200
A flaw was found in the rgaufman/live555 fork of live555. A remote attacker coul
|
| 32 |
CVE-2026-35656
OpenClaw before 2026.3.22 contains an authentication bypass vulnerability in the
|
| 32 |
CVE-2026-5724
The frontend gRPC server's streaming interceptor chain did not include the autho
|
| 32 |
CVE-2026-41346
OpenClaw 2026.2.26 before 2026.3.31 enforces pending pairing-request caps per ch
|
| 32 |
CVE-2026-34525
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python.
|
| 32 |
CVE-2026-33145
xrdp is an open source RDP server. Versions through 0.10.5 allow an authenticate
|
| 32 |
CVE-2026-24125
Tina is a headless content management system. Prior to 2.1.2, TinaCMS allows use
|
| 32 |
CVE-2026-33751
n8n is an open source workflow automation platform. Prior to versions 1.123.27,
|
| 32 |
CVE-2026-39421
MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below co
|
| 32 |
CVE-2026-28476
OpenClaw versions prior to 2026.2.14 contain a server-side request forgery vulne
|
| 32 |
CVE-2026-25118
immich is a high performance self-hosted photo and video management solution. Pr
|
| 32 |
CVE-2026-31999
OpenClaw versions 2026.2.26 prior to 2026.3.1 on Windows contain a current worki
|
| 32 |
CVE-2026-2536
A vulnerability was determined in opencc JFlow up to 20260129. This affects the
|
| 32 |
CVE-2026-39859
`liquidjs` 10.25.0 documents `root` as constraining filenames passed to `renderF
|
| 32 |
CVE-2026-35605
File Browser is a file managing interface for uploading, deleting, previewing, r
|
| 32 |
CVE-2026-3209
A vulnerability has been found in fosrl Pangolin up to 1.15.4-s.3. This affects
|
| 32 |
CVE-2026-2206
A security flaw has been discovered in WeKan up to 8.20. This vulnerability affe
|
| 32 |
CVE-2026-41340
OpenClaw before 2026.3.31 contains an authentication boundary vulnerability wher
|
| 32 |
CVE-2026-4349
A vulnerability was determined in Duende IdentityServer 4. The affected element
|
| 32 |
CVE-2026-33580
OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the
|
| 32 |
CVE-2026-5302
CORS misconfiguration in CoolerControl/coolercontrold <4.0.0 allows unauthentica
|
| 32 |
CVE-2026-1895
A flaw has been found in WeKan up to 8.20. Affected is the function applyWipLimi
|
| 32 |
CVE-2026-1977
A security vulnerability has been detected in isaacwasserman mcp-vegalite-server
|
| 32 |
CVE-2026-2532
A vulnerability was detected in lintsinghua DeepAudit up to 3.0.3. This issue af
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 744d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2312d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2125d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1739d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2242d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4990d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1210d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1012d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3767d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 914d |