Total CVEs
16503
last 90 days
Avg Priority
36.8
of max 220
KEV
36
actively exploited
POC
3240
public exploits
Unpatched
4330
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
170
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
164
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
129
CVE-2026-33825
Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to el
124
CVE-2026-21643
An improper neutralization of special elements used in an sql command ('sql injection') vulnerabilit
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-39987
## Summary
Marimo (19.6k stars) has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint `
Priority Distribution
| Priority | CVE |
|---|---|
| 27 |
CVE-2026-4324
A flaw was found in the Katello plugin for Red Hat Satellite. This vulnerability
|
| 27 |
CVE-2026-4914
Stored XSS in Ivanti N-ITSM before version 2025.4 allows a remote authenticated
|
| 27 |
CVE-2026-2266
An improper neutralization of input vulnerability was identified in GitHub Enter
|
| 27 |
CVE-2026-2863
A flaw has been found in feng_ha_ha/megagao ssm-erp and production_ssm up to 428
|
| 27 |
CVE-2025-36094
IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 002, 24.
|
| 27 |
CVE-2026-3358
The Tutor LMS - eLearning and online course solution plugin for WordPress is vul
|
| 27 |
CVE-2026-33119
User interface (ui) misrepresentation of critical information in Microsoft Edge
|
| 27 |
CVE-2026-4124
The Ziggeo plugin for WordPress is vulnerable to Missing Authorization in all ve
|
| 27 |
CVE-2022-50942
Incinga Web 2.8.2 contains a client-side cross-site scripting vulnerability that
|
| 27 |
CVE-2025-69287
The BSV Blockchain SDK is a unified TypeScript SDK for developing scalable apps
|
| 27 |
CVE-2026-6848
A flaw was found in Red Hat Quay. When Red Hat Quay requests password re-verific
|
| 27 |
CVE-2026-3103
A logic error in the remove_password() function in Checkmk GmbH's Checkmk versio
|
| 27 |
CVE-2026-1987
The Scheduler Widget plugin for WordPress is vulnerable to Insecure Direct Objec
|
| 27 |
CVE-2026-2694
The The Events Calendar plugin for WordPress is vulnerable to unauthorized modif
|
| 27 |
CVE-2026-2864
A vulnerability has been found in feng_ha_ha/megagao ssm-erp and production_ssm
|
| 27 |
CVE-2026-33299
OpenEMR is a free and open source electronic health records and medical practice
|
| 27 |
CVE-2026-26952
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level
|
| 27 |
CVE-2026-33400
Wallos is an open-source, self-hostable personal subscription tracker. Prior to
|
| 27 |
CVE-2026-32001
OpenClaw versions prior to 2026.2.22 contain an authentication bypass vulnerabil
|
| 27 |
CVE-2026-25073
XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain
|
| 27 |
CVE-2026-25021
Missing Authorization vulnerability in Mizan Themes Mizan Demo Importer mizan-de
|
| 27 |
CVE-2026-24990
Missing Authorization vulnerability in Fahad Mahmood WP Docs wp-docs allows Expl
|
| 27 |
CVE-2026-25739
Indico is an event management system that uses Flask-Multipass, a multi-backend
|
| 27 |
CVE-2026-31879
Frappe is a full-stack web application framework. Prior to 14.100.2, 15.101.0, a
|
| 27 |
CVE-2026-32753
FreeScout is a free help desk and shared inbox built with PHP's Laravel framewor
|
| 27 |
CVE-2026-33051
The revision/draft context menu in the element editor renders the creator’s `ful
|
| 27 |
CVE-2026-2732
The Enable Media Replace plugin for WordPress is vulnerable to unauthorized modi
|
| 27 |
CVE-2026-32507
Deserialization of Untrusted Data vulnerability in Elated-Themes Leroux leroux a
|
| 27 |
CVE-2026-32511
Deserialization of Untrusted Data vulnerability in Mikado-Themes Stål stal allow
|
| 27 |
CVE-2026-22569
An incorrect startup configuration of affected versions of Zscaler Client Connec
|
| 27 |
CVE-2026-23804
Missing Authorization vulnerability in BBR Plugins Better Business Reviews bette
|
| 27 |
CVE-2026-27387
Missing Authorization vulnerability in designinvento DirectoryPress directorypre
|
| 27 |
CVE-2026-25391
Missing Authorization vulnerability in WP Grids WP Wand ai-content-generation al
|
| 27 |
CVE-2026-40155
The Auth0 Next.js SDK is a library for implementing user authentication in Next.
|
| 27 |
CVE-2025-10912
Authorization Bypass Through User-Controlled Key vulnerability in Saastech Clean
|
| 27 |
CVE-2026-2099
AgentFlow developed by Flowring has a Stored Cross-Site Scripting vulnerability,
|
| 27 |
CVE-2026-25388
Missing Authorization vulnerability in scripteo Ads Pro ap-plugin-scripteo allow
|
| 27 |
CVE-2026-25473
Missing Authorization vulnerability in AA-Team WZone woozone allows Exploiting I
|
| 27 |
CVE-2026-25311
Missing Authorization vulnerability in 10up Autoshare for Twitter autoshare-for-
|
| 27 |
CVE-2026-34442
FreeScout is a free help desk and shared inbox built with PHP's Laravel framewor
|
| 27 |
CVE-2026-0999
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail
|
| 27 |
CVE-2026-26269
Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buff
|
| 27 |
CVE-2026-1509
The Avada (Fusion) Builder plugin for WordPress is vulnerable to Arbitrary WordP
|
| 27 |
CVE-2026-7026
A vulnerability was determined in D-Link DGS-3420 1.50.018. This issue affects s
|
| 27 |
CVE-2026-40923
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style
|
| 27 |
CVE-2026-33312
Vikunja is an open-source self-hosted task management platform. Starting in vers
|
| 27 |
CVE-2026-21788
HCL Connections is vulnerable to a cross-site scripting attack where an attacker
|
| 27 |
CVE-2026-2712
The WP-Optimize plugin for WordPress is vulnerable to unauthorized access of fun
|
| 27 |
CVE-2026-2997
Tronclass developed by WisdomGarden has a Insecure Direct Object Reference vulne
|
| 27 |
CVE-2026-24961
Server-Side Request Forgery (SSRF) vulnerability in ThemeGoods Grand Blog grandb
|
| 27 |
CVE-2026-1927
The Greenshift - animation and page builder blocks plugin for WordPress is vulne
|
| 27 |
CVE-2026-2284
The News Element Elementor Blog Magazine plugin for WordPress is vulnerable to M
|
| 27 |
CVE-2026-33291
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-late
|
| 27 |
CVE-2026-34475
Varnish Cache before 8.0.1 and Varnish Enterprise before 6.0.16r12, in certain u
|
| 27 |
CVE-2026-35565
Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Apache St
|
| 27 |
CVE-2026-27639
Mercator is an open source web application designed to enable mapping of informa
|
| 27 |
CVE-2026-33628
## Vulnerability Details
Invoice line item descriptions in Invoice Ninja v5.13.
|
| 27 |
CVE-2026-4438
Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that sp
|
| 27 |
CVE-2026-34903
Missing Authorization vulnerability in OceanWP Ocean Extra allows Exploiting Inc
|
| 27 |
CVE-2026-20108
A vulnerability in the web-based management interface of Cisco Catalyst SD-WAN M
|
| 27 |
CVE-2026-33406
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level
|
| 27 |
CVE-2026-35602
## Summary
The Vikunja file import endpoint uses the attacker-controlled `Size`
|
| 27 |
CVE-2021-47911
Affiliate Pro 1.7 contains multiple reflected cross-site scripting vulnerabiliti
|
| 27 |
CVE-2026-34071
Stirling-PDF is a locally hosted web application that allows you to perform vari
|
| 27 |
CVE-2025-14274
The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Store
|
| 27 |
CVE-2026-4335
The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Stored Cros
|
| 27 |
CVE-2026-31832
Umbraco is an ASP.NET CMS. From 14.0.0 to before 16.5.1 and 17.2.2, A broken obj
|
| 27 |
CVE-2026-32104
StudioCMS is a server-side-rendered, Astro native, headless content management s
|
| 27 |
CVE-2026-32562
Missing Authorization vulnerability in WP Folio Team PPWP password-protect-page
|
| 27 |
CVE-2026-2879
The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Refere
|
| 27 |
CVE-2026-32587
Missing Authorization vulnerability in Saad Iqbal WP EasyPay allows Exploiting I
|
| 27 |
CVE-2026-0972
The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT p
|
| 27 |
CVE-2026-29840
JiZhiCMS v2.5.6 and before contains a Stored Cross-Site Scripting (XSS) vulnerab
|
| 27 |
CVE-2026-34213
Docmost is open-source collaborative wiki and documentation software. Starting i
|
| 27 |
CVE-2026-23808
A vulnerability has been identified in a standardized wireless roaming protocol
|
| 27 |
CVE-2025-68643
Axigen Mail Server before 10.5.57 allows stored Cross-Site Scripting (XSS) in th
|
| 27 |
CVE-2026-5895
Incorrect security UI in Omnibox in Google Chrome on iOS prior to 147.0.7727.55
|
| 27 |
CVE-2026-6774
Mitigation bypass in the DOM: Security component. This vulnerability was fixed i
|
| 27 |
CVE-2025-13983
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripti
|
| 27 |
CVE-2025-59896
Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contai
|
| 27 |
CVE-2025-69289
Discourse is an open source discussion platform. A privilege escalation vulnerab
|
| 27 |
CVE-2025-59898
Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contai
|
| 27 |
CVE-2025-59900
Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contai
|
| 27 |
CVE-2026-34753
### Summary
A Server Side Request Forgery (SSRF) vulnerability in `download_byt
|
| 27 |
CVE-2025-59897
Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contai
|
| 27 |
CVE-2026-2127
The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to unauthorized
|
| 27 |
CVE-2025-65923
A Stored Cross-Site Scripting (XSS) vulnerability was discovered within the CSV
|
| 27 |
CVE-2026-1469
Stored Cross-Site Scripting (XSS) in RLE NOVA's PlanManager. This vulnerability
|
| 27 |
CVE-2025-59899
Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contai
|
| 27 |
CVE-2026-41233
Froxlor is open source server administration software. Prior to version 2.3.6, i
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 746d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2313d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2126d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1740d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2243d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4991d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1212d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1013d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3768d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 915d |