Total CVEs
16346
last 90 days
Avg Priority
36.5
of max 220
KEV
37
actively exploited
POC
3574
public exploits
Unpatched
5453
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
194
CVE-2026-24061
telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for t
185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
184
CVE-2026-23760
SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability
180
CVE-2025-40551
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil
170
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
164
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
160
CVE-2025-40536
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
Priority Distribution
| Priority | CVE |
|---|---|
| 49 |
CVE-2026-32714
SciTokens is a reference library for generating and using SciTokens. Prior to ve
|
| 49 |
CVE-2026-3062
Out of bounds read and write in Tint in Google Chrome on Mac prior to 145.0.7632
|
| 49 |
CVE-2026-25141
Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or S
|
| 49 |
CVE-2026-24465
Stack-based buffer overflow vulnerability exists in ELECOM wireless LAN access p
|
| 49 |
CVE-2026-30702
The WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02) implements a broken a
|
| 49 |
CVE-2026-4691
Use-after-free in the CSS Parsing and Computation component. This vulnerability
|
| 49 |
CVE-2026-25200
A vulnerability in MagicInfo9 Server allows authorized users to upload HTML file
|
| 49 |
CVE-2026-0879
Sandbox escape due to incorrect boundary conditions in the Graphics component. T
|
| 49 |
CVE-2026-33195
### Impact
Active Storage's `DiskService#path_for` does not validate that the re
|
| 49 |
CVE-2026-33816
Memory-safety vulnerability in github.com/jackc/pgx/v5.
|
| 49 |
CVE-2026-0884
Use-after-free in the JavaScript Engine component. This vulnerability affects Fi
|
| 49 |
CVE-2026-24989
Deserialization of Untrusted Data vulnerability in FantasticPlugins SUMO Affilia
|
| 49 |
CVE-2026-27084
Deserialization of Untrusted Data vulnerability in ThemeREX Buisson buisson allo
|
| 49 |
CVE-2025-8572
The Truelysell Core plugin for WordPress is vulnerable to privilege escalation i
|
| 49 |
CVE-2026-25029
Deserialization of Untrusted Data vulnerability in park_of_ideas KIDZ kidz allow
|
| 49 |
CVE-2026-22507
Deserialization of Untrusted Data vulnerability in AncoraThemes Beelove beelove
|
| 49 |
CVE-2026-27082
Deserialization of Untrusted Data vulnerability in ThemeREX Love Story lovestory
|
| 49 |
CVE-2026-22500
Deserialization of Untrusted Data vulnerability in axiomthemes m2 | Construction
|
| 49 |
CVE-2026-32502
Deserialization of Untrusted Data vulnerability in Select-Themes Borgholm borgho
|
| 49 |
CVE-2026-25030
Deserialization of Untrusted Data vulnerability in park_of_ideas Goldish goldish
|
| 49 |
CVE-2026-25031
Deserialization of Untrusted Data vulnerability in park_of_ideas Tasty Daily tas
|
| 49 |
CVE-2026-25032
Deserialization of Untrusted Data vulnerability in park_of_ideas Ricky ricky all
|
| 49 |
CVE-2026-25429
Deserialization of Untrusted Data vulnerability in wpdive Nexa Blocks nexa-block
|
| 49 |
CVE-2026-32512
Deserialization of Untrusted Data vulnerability in Edge-Themes Pelicula pelicula
|
| 49 |
CVE-2026-25035
Authentication Bypass Using an Alternate Path or Channel vulnerability in Wasili
|
| 49 |
CVE-2026-27083
Deserialization of Untrusted Data vulnerability in ThemeREX Work & Travel Compan
|
| 49 |
CVE-2026-30079
In OpenAirInterface V2.2.0 AMF, Out of sequence messages causes incorrect state
|
| 49 |
CVE-2026-27049
Authentication Bypass Using an Alternate Path or Channel vulnerability in NooThe
|
| 49 |
CVE-2026-27095
Deserialization of Untrusted Data vulnerability in magepeopleteam Bus Ticket Boo
|
| 49 |
CVE-2026-24378
Deserialization of Untrusted Data vulnerability in Metagauss EventPrime eventpri
|
| 49 |
CVE-2026-22582
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection
|
| 49 |
CVE-2026-22583
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection
|
| 49 |
CVE-2025-30410
Sensitive data disclosure and manipulation due to missing authentication. The fo
|
| 49 |
CVE-2026-1774
CASL Ability, versions 2.4.0 through 6.7.4, contains a prototype pollution vulne
|
| 49 |
CVE-2025-62799
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard
|
| 49 |
CVE-2026-0892
Memory safety bugs present in Firefox 146 and Thunderbird 146. Some of these bug
|
| 49 |
CVE-2026-25202
The database account and password are hardcoded, allowing login with the account
|
| 49 |
CVE-2026-31272
MRCMS 3.1.2 contains an access control vulnerability. The save() method in src/m
|
| 49 |
CVE-2025-62582
Delta Electronics DIAView has multiple vulnerabilities.
|
| 49 |
CVE-2025-62581
Delta Electronics DIAView has multiple vulnerabilities.
|
| 49 |
CVE-2025-15030
The User Profile Builder WordPress plugin before 3.15.2 does not have a proper
|
| 49 |
CVE-2025-13952
A web page that contains unusual GPU shader code is loaded from the Internet int
|
| 49 |
CVE-2026-3130
Improper Enforcement of Behavioral Controls in Devolutions Server 2025.3.15 and
|
| 49 |
CVE-2026-1188
In the Eclipse OMR port library component since release 0.2.0, an API function t
|
| 49 |
CVE-2026-3296
The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in
|
| 49 |
CVE-2026-4696
Use-after-free in the Layout: Text and Fonts component. This vulnerability affec
|
| 49 |
CVE-2026-2790
Same-origin policy bypass in the Networking: JAR component. This vulnerability a
|
| 49 |
CVE-2026-4698
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability a
|
| 49 |
CVE-2026-22586
Hard-coded Cryptographic Key vulnerability in Salesforce Marketing Cloud Engagem
|
| 49 |
CVE-2026-1229
The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produc
|
| 49 |
CVE-2026-4717
Privilege escalation in the Netmonitor component. This vulnerability affects Fir
|
| 49 |
CVE-2026-31040
A vulnerability was identified in stata-mcp prior to v1.13.0 where insufficient
|
| 49 |
CVE-2025-67135
Weak Security in the PF-50 1.2 keyfob of PGST PG107 Alarm System 1.25.05.hf allo
|
| 49 |
CVE-2026-29859
An arbitrary file upload vulnerability in aaPanel v7.57.0 allows attackers to ex
|
| 49 |
CVE-2026-24497
Stack-based Buffer Overflow vulnerability in SimTech Systems, Inc. ThinkWise all
|
| 49 |
CVE-2025-14892
The Prime Listing Manager WordPress plugin through 1.1 allows an attacker to gai
|
| 49 |
CVE-2025-62818
An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Mod
|
| 49 |
CVE-2025-52909
An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wear
|
| 49 |
CVE-2026-2287
CrewAI does not properly check that Docker is still running during runtime, and
|
| 49 |
CVE-2026-31151
An issue in the login mechanism of Kaleris YMS v7.2.2.1 allows attackers to bypa
|
| 49 |
CVE-2026-30457
An issue in the /parser/dwoo component of Daylight Studio FuelCMS v1.5.2 allows
|
| 49 |
CVE-2026-30283
An arbitrary file overwrite vulnerability in PEAKSEL D.O.O. NIS Animal Sounds an
|
| 49 |
CVE-2026-23240
In the Linux kernel, the following vulnerability has been resolved:
tls: Fix ra
|
| 49 |
CVE-2026-33815
Memory-safety vulnerability in github.com/jackc/pgx/v5.
|
| 49 |
CVE-2026-30281
An arbitrary file overwrite vulnerability in MaruNuri LLC v2.0.23 allows attacke
|
| 49 |
CVE-2026-30286
An arbitrary file overwrite vulnerability in Funambol, Inc. Zefiro Cloud v32.0.2
|
| 49 |
CVE-2025-15604
Amon2 versions before 6.17 for Perl use an insecure random_string implementation
|
| 49 |
CVE-2025-52221
Tenda AC6 15.03.05.16_multi is vulnerable to Buffer Overflow in the formSetCfm f
|
| 49 |
CVE-2026-4711
Use-after-free in the Widget: Cocoa component. This vulnerability affects Firefo
|
| 49 |
CVE-2026-2286
CrewAI contains a server-side request forgery vulnerability that enables content
|
| 49 |
CVE-2025-67038
An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The HTTP RPC module exec
|
| 49 |
CVE-2026-24968
Incorrect Privilege Assignment vulnerability in Xagio SEO Xagio SEO xagio-seo al
|
| 49 |
CVE-2025-67035
An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The SSH Client and SSH S
|
| 49 |
CVE-2026-30285
An arbitrary file overwrite vulnerability in Zora: Post, Trade, Earn Crypto v2.6
|
| 49 |
CVE-2026-4701
Use-after-free in the JavaScript Engine component. This vulnerability affects Fi
|
| 49 |
CVE-2026-30276
An arbitrary file overwrite vulnerability in DeftPDF Document Translator v54.0 a
|
| 49 |
CVE-2026-32267
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before
|
| 49 |
CVE-2026-30278
An arbitrary file overwrite vulnerability in FLY is FUN Aviation Navigation v35.
|
| 49 |
CVE-2026-32520
Incorrect Privilege Assignment vulnerability in Andrew Munro / AffiliateWP Rewar
|
| 49 |
CVE-2026-4702
JIT miscompilation in the JavaScript Engine component. This vulnerability affect
|
| 49 |
CVE-2026-4700
Mitigation bypass in the Networking: HTTP component. This vulnerability affects
|
| 49 |
CVE-2026-27051
Incorrect Privilege Assignment vulnerability in uxper Golo golo allows Privilege
|
| 49 |
CVE-2025-70041
An issue pertaining to CWE-259: Use of Hard-coded Password was discovered in osl
|
| 49 |
CVE-2025-70024
An issue pertaining to CWE-89: Improper Neutralization of Special Elements used
|
| 49 |
CVE-2026-24971
Incorrect Privilege Assignment vulnerability in Elated-Themes Search & Go search
|
| 49 |
CVE-2025-5319
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injecti
|
| 49 |
CVE-2026-35490
### Summary
On 13 routes across 5 blueprint files, the `@login_optionally_requi
|
| 49 |
CVE-2026-30930
Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1,
|
| 49 |
CVE-2025-67229
An improper certificate validation vulnerability exists in ToDesktop Builder v0.
|
| 49 |
CVE-2026-4705
Undefined behavior in the WebRTC: Signaling component. This vulnerability affect
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 731d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2298d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2111d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1725d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2228d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4976d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1197d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 998d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3753d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 900d |