Total CVEs
16498
last 90 days
Avg Priority
36.8
of max 220
KEV
36
actively exploited
POC
3240
public exploits
Unpatched
4326
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
170
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
164
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
129
CVE-2026-33825
Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to el
124
CVE-2026-21643
An improper neutralization of special elements used in an sql command ('sql injection') vulnerabilit
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-39987
## Summary
Marimo (19.6k stars) has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint `
Priority Distribution
| Priority | CVE |
|---|---|
| 28 |
CVE-2026-20654
The issue was addressed with improved memory handling. This issue is fixed in wa
|
| 28 |
CVE-2025-9497
Use of Hard-coded Credentials vulnerability in Microchip Time Provider 4100 allo
|
| 28 |
CVE-2026-27026
pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an atta
|
| 28 |
CVE-2026-40183
ImageMagick is free and open-source software used for editing and manipulating d
|
| 28 |
CVE-2026-20602
The issue was addressed with improved handling of caches. This issue is fixed in
|
| 28 |
CVE-2026-40310
ImageMagick is free and open-source software used for editing and manipulating d
|
| 28 |
CVE-2026-34447
Open Neural Network Exchange (ONNX) is an open standard for machine learning int
|
| 28 |
CVE-2026-33905
ImageMagick is free and open-source software used for editing and manipulating d
|
| 28 |
CVE-2025-52458
in OpenHarmony v5.1.0 and prior versions allow a local attacker arbitrary code e
|
| 28 |
CVE-2026-2640
During an internal security assessment, a potential vulnerability was discovered
|
| 28 |
CVE-2025-46306
The issue was addressed with improved bounds checks. This issue is fixed in macO
|
| 28 |
CVE-2026-34933
Avahi is a system which facilitates service discovery on a local network via the
|
| 28 |
CVE-2026-31794
iccDEV provides a set of libraries and tools for working with ICC color manageme
|
| 28 |
CVE-2026-30980
iccDEV provides a set of libraries and tools for working with ICC color manageme
|
| 28 |
CVE-2026-28267
Multiple i-フィルター products are configured with improper file access permission se
|
| 28 |
CVE-2026-31793
iccDEV provides a set of libraries and tools for working with ICC color manageme
|
| 28 |
CVE-2025-41432
in OpenHarmony v5.1.0 and prior versions allow a local attacker arbitrary code e
|
| 28 |
CVE-2026-20621
The issue was addressed with improved memory handling. This issue is fixed in ma
|
| 28 |
CVE-2026-33165
libde265 is an open source implementation of the h.265 video codec. Prior to ver
|
| 28 |
CVE-2026-20634
The issue was addressed with improved memory handling. This issue is fixed in wa
|
| 28 |
CVE-2025-61143
libtiff up to v4.7.1 was discovered to contain a NULL pointer dereference via th
|
| 28 |
CVE-2026-27024
pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an atta
|
| 28 |
CVE-2026-27025
pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an atta
|
| 28 |
CVE-2026-34730
### Summary
Copier's `_external_data` feature allows a template to load YAML fi
|
| 28 |
CVE-2026-20630
A permissions issue was addressed with additional restrictions. This issue is fi
|
| 28 |
CVE-2026-20612
A privacy issue was addressed with improved checks. This issue is fixed in macOS
|
| 28 |
CVE-2025-43403
An authorization issue was addressed with improved state management. This issue
|
| 28 |
CVE-2026-20619
A logging issue was addressed with improved data redaction. This issue is fixed
|
| 28 |
CVE-2026-32810
Halloy is an IRC application written in Rust. In versions on \*nix and macOS pri
|
| 28 |
CVE-2025-15313
Tanium addressed an arbitrary file deletion vulnerability in Tanium EUSS.
|
| 28 |
CVE-2026-20678
An authorization issue was addressed with improved state management. This issue
|
| 28 |
CVE-2026-20624
An injection issue was addressed with improved validation. This issue is fixed i
|
| 28 |
CVE-2026-23157
In the Linux kernel, the following vulnerability has been resolved:
btrfs: do n
|
| 28 |
CVE-2026-29111
systemd, a system and service manager, (as PID 1) hits an assert and freezes exe
|
| 28 |
CVE-2026-20655
An authorization issue was addressed with improved state management. This issue
|
| 28 |
CVE-2025-70347
An issue in mquickjs before commit 74b7e (2026-01-15) allows a local attacker to
|
| 28 |
CVE-2025-15318
Tanium addressed an arbitrary file deletion vulnerability in End-User Notificati
|
| 28 |
CVE-2024-54192
An issue inTcpreplay v4.5.1 allows a local attacker to cause a denial of service
|
| 28 |
CVE-2026-6245
A flaw was found in the System Security Services Daemon (SSSD). The pam_passkey_
|
| 28 |
CVE-2026-32288
tar.Reader can allocate an unbounded amount of memory when reading a maliciously
|
| 28 |
CVE-2026-39390
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
|
| 28 |
CVE-2026-39392
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
|
| 28 |
CVE-2026-20161
A vulnerability in the CLI of Cisco ThousandEyes Enterprise Agent could allow an
|
| 28 |
CVE-2026-24413
Icinga 2 is an open source monitoring system. Starting in version 2.3.0 and prio
|
| 28 |
CVE-2025-48651
N/A
|
| 28 |
CVE-2026-20986
Path traversal in Samsung Members prior to Chinese version 15.5.05.4 allows loca
|
| 28 |
CVE-2026-26104
A flaw was found in the udisks storage management daemon that allows unprivilege
|
| 28 |
CVE-2025-58347
An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wear
|
| 28 |
CVE-2025-58348
An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wear
|
| 28 |
CVE-2026-20977
Improper access control in Emergency Sharing prior to SMR Feb-2026 Release 1 all
|
| 28 |
CVE-2026-27004
OpenClaw is a personal AI assistant. Prior to version 2026.2.15, in some shared-
|
| 28 |
CVE-2025-58379
Brocade Fabric OS before 9.2.1 has a vulnerability that could allow a local auth
|
| 28 |
CVE-2026-1845
The Real Estate Pro plugin for WordPress is vulnerable to Stored Cross-Site Scri
|
| 28 |
CVE-2026-39984
### Authorization bypass via certificate bag manipulation in sigstore/timestamp-
|
| 28 |
CVE-2025-48644
In multiple locations, there is a possible persistent denial of service due to i
|
| 28 |
CVE-2026-31802
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm)
|
| 28 |
CVE-2025-48642
In jump_to_payload of payload.rs, there is a possible information disclosure due
|
| 28 |
CVE-2026-25145
melange allows users to build apk packages using declarative pipelines. From ver
|
| 28 |
CVE-2026-20415
In imgsys, there is a possible memory corruption due to improper locking. This c
|
| 28 |
CVE-2026-20625
A parsing issue in the handling of directory paths was addressed with improved p
|
| 28 |
CVE-2026-24846
malcontent discovers supply-chain compromises through. context, differential ana
|
| 28 |
CVE-2025-12699
The ZOLL ePCR IOS application reflects unsanitized user input into a WebView. At
|
| 28 |
CVE-2026-24414
The Icinga PowerShell Framework provides configuration and check possibilities t
|
| 28 |
CVE-2026-24927
Out-of-bounds access vulnerability in the frequency modulation module.
Impact: S
|
| 28 |
CVE-2026-35339
The recursive mode (-R) of the chmod utility in uutils coreutils incorrectly han
|
| 28 |
CVE-2026-6862
A flaw was found in libefiboot, a component of efivar. The device path node pars
|
| 28 |
CVE-2026-41646
A vulnerability in Nuclei's JavaScript protocol runtime allows JavaScript templa
|
| 28 |
CVE-2026-35369
An argument parsing error in the kill utility of uutils coreutils incorrectly in
|
| 28 |
CVE-2025-70795
STProcessMonitor 11.11.4.0, part of the Safetica Application suite, allows an ad
|
| 28 |
CVE-2026-35380
A logic error in the cut utility of uutils coreutils causes the program to incor
|
| 28 |
CVE-2025-55264
HCL Aftermarket DPC is affected by Failure to Invalidate Session on Password Cha
|
| 28 |
CVE-2026-35340
A flaw in the ChownExecutor used by uutils coreutils chown and chgrp causes the
|
| 28 |
CVE-2026-7183
A vulnerability has been found in aligungr UERANSIM up to 3.2.7. The affected el
|
| 27 |
CVE-2026-3680
A security flaw has been discovered in RyuzakiShinji biome-mcp-server up to 1.0.
|
| 27 |
CVE-2026-5355
A vulnerability has been found in Trendnet TEW-657BRM 1.00.1. Affected by this i
|
| 27 |
CVE-2026-32629
### Summary
An unauthenticated attacker can submit a guest FAQ with an email add
|
| 27 |
CVE-2026-5831
A security flaw has been discovered in Agions taskflow-ai up to 2.1.8. This impa
|
| 27 |
CVE-2026-6141
A vulnerability was determined in danielmiessler Personal_AI_Infrastructure up t
|
| 27 |
CVE-2026-5547
A vulnerability has been found in Tenda AC10 16.03.10.10_multi_TDE01. Affected i
|
| 27 |
CVE-2025-66168
Apache ActiveMQ does not properly validate the remaining length field which may
|
| 27 |
CVE-2026-4271
A flaw was found in libsoup, a library for handling HTTP requests. This vulnerab
|
| 27 |
CVE-2026-26003
FastGPT is an AI Agent building platform. From 4.14.0 to 4.14.5, attackers can d
|
| 27 |
CVE-2026-32139
Dataease is an open source data visualization analysis tool. In DataEase 2.10.19
|
| 27 |
CVE-2026-4324
A flaw was found in the Katello plugin for Red Hat Satellite. This vulnerability
|
| 27 |
CVE-2026-4914
Stored XSS in Ivanti N-ITSM before version 2025.4 allows a remote authenticated
|
| 27 |
CVE-2026-2266
An improper neutralization of input vulnerability was identified in GitHub Enter
|
| 27 |
CVE-2026-2863
A flaw has been found in feng_ha_ha/megagao ssm-erp and production_ssm up to 428
|
| 27 |
CVE-2025-36094
IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 002, 24.
|
| 27 |
CVE-2026-3358
The Tutor LMS - eLearning and online course solution plugin for WordPress is vul
|
| 27 |
CVE-2026-33119
User interface (ui) misrepresentation of critical information in Microsoft Edge
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 746d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2313d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2126d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1740d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2243d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4991d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1211d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1013d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3768d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 915d |