| Metric | Value | Note |
|---|---|---|
| Total CVEs | 16353 | last 90 days |
| Avg Priority | 36.5 | of max 220 |
| KEV | 37 | actively exploited |
| POC | 3574 | public exploits |
| Unpatched | 5453 | CRIT/HIGH without patch |
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
| Signal | Weight | Meaning |
|---|---|---|
| KEV | +50 | CISA Known Exploited Vulnerability: confirmed active exploitation in the wild |
| EPSS | x100 | Exploit Prediction Scoring System: probability of exploitation in next 30 days (0-100) |
| CVSS | x5 | Common Vulnerability Scoring System: technical severity (0-50) |
| POC | +20 | Public exploit code exists: lowers barrier for attackers |

| Score | Level |
|---|---|
| 0-40 | Low |
| 40-80 | Medium |
| 80-120 | High |
| 120+ | Critical |
Patch Now — Known Exploited Vulnerabilities
| Priority | CVE |
|---|---|
| 194 | CVE-2026-24061: telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for t |
| 185 | CVE-2026-1731: BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain |
| 184 | CVE-2026-23760: SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability |
| 180 | CVE-2025-40551: SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil |
| 170 | CVE-2026-1340: A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem |
| 164 | CVE-2026-1281: A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem |
| 160 | CVE-2025-40536: SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that |
| 141 | CVE-2026-20131: A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM |
| 137 | CVE-2026-1603: An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen |
| 134 | CVE-2026-22769: Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia |
Priority Distribution
| Priority | CVE |
|---|---|
| 59 | CVE-2021-47790: Active WebCam 11.5 contains an unquoted service path vulnerability that allows l |
| 59 | CVE-2021-47787: TotalAV 5.15.69 contains an unquoted service path vulnerability in multiple syst |
| 59 | CVE-2021-47780: Macro Expert 4.7 contains an unquoted service path vulnerability that allows loc |
| 59 | CVE-2020-36930: SysGauge Server 7.9.18 contains an unquoted service path vulnerability in its bi |
| 59 | CVE-2020-36929: Brother BRPrint Auditor 3.0.7 contains an unquoted service path vulnerability in |
| 59 | CVE-2020-36927: DiskPulse Enterprise 13.6.14 contains an unquoted service path vulnerability in |
| 59 | CVE-2019-25307: WorkgroupMail 7.5.1 contains an unquoted service path vulnerability in its Windo |
| 59 | CVE-2026-27905: BentoML is a Python library for building online serving systems optimized for AI |
| 59 | CVE-2020-36952: IObit Uninstaller 10 Pro contains an unquoted service path vulnerability that al |
| 59 | CVE-2021-47767: 10-Strike Network Inventory Explorer Pro 9.31 contains an unquoted service path |
| 59 | CVE-2019-25308: Mikogo 5.2.2.150317 contains an unquoted service path vulnerability in the Mikog |
| 59 | CVE-2020-36928: Brother BRAgent 1.38 contains an unquoted service path vulnerability in the WBA_ |
| 59 | CVE-2019-25267: Wing FTP Server 6.0.7 contains an unquoted service path vulnerability that allow |
| 59 | CVE-2026-29127: The IDC SFX2100 Satellite Receiver sets overly permissive file system permission |
| 59 | CVE-2026-25582: iccDEV provides a set of libraries and tools that allow for the interaction, man |
| 59 | CVE-2019-25306: BlackMoon FTP Server 3.1.2.1731 contains an unquoted service path vulnerability |
| 59 | CVE-2019-25309: Zilab Remote Console Server 3.2.9 contains an unquoted service path vulnerabilit |
| 59 | CVE-2019-25276: Studio 5000 Logix Designer 30.01.00 contains an unquoted service path vulnerabil |
| 59 | CVE-2021-47850: Mini Mouse 9.2.0 contains a path traversal vulnerability that allows remote atta |
| 59 | CVE-2022-40620: FunJSQ, a third-party module integrated on some NETGEAR routers and Orbi WiFi Sy |
| 59 | CVE-2026-30822: Flowise is a drag & drop user interface to build a customized large language mod |
| 59 | CVE-2026-23881: Kyverno is a policy engine designed for cloud native platform engineering teams. |
| 59 | CVE-2026-32064: OpenClaw versions prior to 2026.2.21 sandbox browser entrypoint launches x11vnc |
| 59 | CVE-2026-22219: Chainlit versions prior to 2.9.4 contain a server-side request forgery (SSRF) vu |
| 59 | CVE-2026-25991: Tandoor Recipes is an application for managing recipes, planning meals, and buil |
| 59 | CVE-2026-27479: Wallos is an open-source, self-hostable personal subscription tracker. Versions |
| 59 | CVE-2026-23477: Rocket.Chat is an open-source, secure, fully customizable communications platfor |
| 59 | CVE-2026-2995: GitLab has remediated an issue in GitLab EE affecting all versions from 15.4 bef |
| 58 | CVE-2025-63657: An out-of-bounds read in the mk_mimetype_find function (mk_server/mk_mimetype.c) |
| 58 | CVE-2025-63656: An out-of-bounds read in the header_cmp function (mk_server/mk_http_parser.c) of |
| 58 | CVE-2025-63653: An out-of-bounds read in the mk_vhost_fdt_close function (mk_server/mk_vhost.c) |
| 58 | CVE-2025-63652: A use-after-free in the mk_http_request_end function (mk_server/mk_http.c) of mo |
| 58 | CVE-2025-63650: An out-of-bounds read in the mk_ptr_to_buf in mk_core function (mk_memory.c) of |
| 58 | CVE-2025-63655: A NULL pointer dereference in the mk_http_range_parse function (mk_server/mk_htt |
| 58 | CVE-2025-63651: A use-after-free in the mk_string_char_search function (mk_core/mk_string.c) of |
| 58 | CVE-2018-25181: Musicco 2.0.0 contains a path traversal vulnerability that allows unauthenticate |
| 58 | CVE-2025-25652: In Eptura Archibus 2024.03.01.109, the "Run script" and "Server File" components |
| 58 | CVE-2026-26829: A NULL pointer dereference in the safe_atou64 function (src/misc.c) of owntone-s |
| 58 | CVE-2020-36939: Cassandra Web 0.5.0 contains a directory traversal vulnerability that allows una |
| 58 | CVE-2026-25116: Runtipi is a personal homeserver orchestrator. Starting in version 4.5.0 and pri |
| 58 | CVE-2026-26724: Cross Site Scripting vulnerability in Key Systems Inc Global Facilities Manageme |
| 58 | CVE-2025-70963: Gophish <=0.12.1 is vulnerable to Incorrect Access Control. The administrative d |
| 58 | CVE-2026-32055: OpenClaw versions prior to 2026.2.26 contain a path traversal vulnerability in w |
| 58 | CVE-2019-25333: Bullwark Momentum Series JAWS 1.0 contains a directory traversal vulnerability t |
| 58 | CVE-2026-26340: Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and pr |
| 58 | CVE-2026-28356: multipart is a fast multipart/form-data parser for python. Prior to 1.2.2, 1.3.1 |
| 58 | CVE-2026-27013: Fabric.js is a Javascript HTML5 canvas library. Prior to version 7.2.0, Fabric.j |
| 58 | CVE-2026-25802: New API is a large language model (LLM) gateway and artificial intelligence (AI) |
| 58 | CVE-2026-28403: Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `Director |
| 58 | CVE-2026-26010: OpenMetadata is a unified metadata platform. Prior to 1.11.8, calls issued by th |
| 58 | CVE-2021-47802: Tenda D151 and D301 routers contain an unauthenticated configuration download vu |
| 58 | CVE-2026-24892: openITCOCKPIT is an open source monitoring tool built for different monitoring e |
| 58 | CVE-2020-37015: Ruijie Networks Switch eWeb S29_RGOS 11.4 contains a directory traversal vulnera |
| 58 | CVE-2026-2152: A vulnerability was found in D-Link DIR-615 4.10. This vulnerability affects unk |
| 58 | CVE-2022-50932: Kyocera Command Center RX ECOSYS M2035dn contains a directory traversal vulnerab |
| 58 | CVE-2022-50890: Owlfiles File Manager 12.0.1 contains a path traversal vulnerability in its buil |
| 58 | CVE-2019-25352: Crystal Live HTTP Server 6.01 contains a directory traversal vulnerability that |
| 58 | CVE-2026-3696: A vulnerability was found in Totolink N300RH 6..1c.1353_B20190305. The affected |
| 58 | CVE-2020-37041: OpenCTI 3.3.1 is vulnerable to a directory traversal attack via the static/css e |
| 58 | CVE-2019-25438: LabCollector 5.423 contains multiple SQL injection vulnerabilities that allow un |
| 58 | CVE-2025-69252: free5gc UDM provides Unified Data Management (UDM) for free5GC, an open-source p |
| 58 | CVE-2020-37150: Edimax EW-7438RPn-v3 Mini 1.27 allows unauthenticated attackers to access the /w |
| 58 | CVE-2021-47751: CuteEditor for PHP (now referred to as Rich Text Editor) 6.6 contains a director |
| 58 | CVE-2025-63658: A stack overflow in the mk_http_index_lookup function (mk_server/mk_http.c) of m |
| 58 | CVE-2025-69248: free5GC is an open-source project for 5th generation (5G) mobile core networks. |
| 58 | CVE-2020-37214: Voyager 1.3.0 contains a directory traversal vulnerability that allows attackers |
| 58 | CVE-2026-28342: OliveTin gives access to predefined shell commands from a web interface. Prior t |
| 58 | CVE-2020-36963: Intelbras Router RF 301K firmware version 1.1.2 contains an authentication bypas |
| 58 | CVE-2025-66960: An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of servi |
| 58 | CVE-2025-66959: An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of servi |
| 58 | CVE-2025-69765: Tenda AX3 firmware v16.03.12.11 contains a stack overflow in formGetIptv functio |
| 58 | CVE-2021-47752: AWebServer GhostBuilding 18 contains a denial of service vulnerability that allo |
| 58 | CVE-2026-26235: JUNG Smart Visu Server 1.1.1050 contains a denial of service vulnerability that |
| 58 | CVE-2025-57156: NULL pointer dereference in the dacp_reply_playqueueedit_clear function in src/h |
| 58 | CVE-2021-47746: NodeBB Plugin Emoji 3.2.1 contains an arbitrary file write vulnerability that al |
| 58 | CVE-2019-25465: Hisilicon HiIpcam V100R003 contains a directory traversal vulnerability that all |
| 58 | CVE-2019-25432: Part-DB 0.4 contains an authentication bypass vulnerability that allows unauthen |
| 58 | CVE-2025-70123: An improper input validation and protocol compliance vulnerability in free5GC v4 |
| 58 | CVE-2017-20222: Telesquare SKT LTE Router SDT-CS3B1 software version 1.2.0 contains an unauthent |
| 58 | CVE-2017-20220: Serviio PRO 1.8 contains an improper access control vulnerability in the Configu |
| 58 | CVE-2025-70147: Missing authentication in /admin/student.php and /admin/teacher.php in ProjectWo |
| 58 | CVE-2026-23491: InvoicePlane is a self-hosted open source application for managing invoices, cli |
| 58 | CVE-2018-25178: Easyndexer 1.0 contains an arbitrary file download vulnerability that allows una |
| 58 | CVE-2025-69232: free5GC is an open-source project for 5th generation (5G) mobile core networks. |
| 58 | CVE-2025-69247: free5GC go-upf is the User Plane Function (UPF) implementation for 5G networks t |
| 58 | CVE-2026-26514: An Argument Injection vulnerability exists in bird-lg-go before commit 6187a4e. |
| 58 | CVE-2019-25515: Jettweb PHP Hazir Haber Sitesi Scripti V3 contains an authentication bypass vuln |
| 58 | CVE-2019-25346: TheSystem 1.0 contains a SQL injection vulnerability that allows attackers to by |
| 58 | CVE-2019-25347: thesystem App 1.0 contains a SQL injection vulnerability that allows attackers t |
| 58 | CVE-2026-26673: An issue in DJI Mavic Mini, Spark, Mavic Air, Mini, Mini SE 0.1.00.0500 and belo |
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 731d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2298d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2111d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1725d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2228d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4976d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1197d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 998d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3753d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 900d |