| Metric | Value | Note |
|---|---|---|
| Total CVEs | 16486 | last 90 days |
| Avg Priority | 36.9 | of max 220 |
| KEV | 36 | actively exploited |
| POC | 3246 | public exploits |
| Unpatched | 4324 | CRIT/HIGH without patch |
How is Priority Score calculated?

Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:

| Signal | Contribution | Meaning |
|---|---|---|
| KEV | +50 | CISA Known Exploited Vulnerability — confirmed active exploitation in the wild |
| EPSS | x100 | Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100) |
| CVSS | x5 | Common Vulnerability Scoring System — technical severity (0-50) |
| POC | +20 | Public exploit code exists — lowers barrier for attackers |

Priority bands:

| Score | Band |
|---|---|
| 0-40 | Low |
| 40-80 | Medium |
| 80-120 | High |
| 120+ | Critical |
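The scoring rule above, written out as a small Python module so it can be run against a feed of CVE signals and turned into a patch queue. This is an added example, not the dashboard's own code. It assumes EPSS is supplied as a probability in 0-1 (so x100 yields the 0-100 contribution the page describes), that the band boundaries are inclusive at the lower end (a score of exactly 40 is Medium), and it uses constructed sample signals with placeholder ids rather than real CVEs. Inputs outside the documented ranges are rejected, since an EPSS fed as a percentage would otherwise push a score far past the 220 maximum.

```python
"""Priority score per the dashboard's stated rule: KEV +50, EPSS x100, CVSS x5, POC +20.
Added example; not the dashboard's own code. Lower-bound-inclusive bands are an assumption."""
from dataclasses import dataclass
from typing import List, Tuple

KEV_BONUS = 50          # CISA KEV listed: confirmed exploitation in the wild
POC_BONUS = 20          # public exploit code exists
EPSS_WEIGHT = 100       # EPSS probability (0-1) scaled to 0-100
CVSS_WEIGHT = 5         # CVSS base score (0-10) scaled to 0-50
MAX_SCORE = KEV_BONUS + POC_BONUS + EPSS_WEIGHT * 1 + CVSS_WEIGHT * 10  # 220, as the page states

# (lower bound, band name), checked highest first; lower bound inclusive is an assumption
BANDS: List[Tuple[float, str]] = [(120, "Critical"), (80, "High"), (40, "Medium"), (0, "Low")]


@dataclass(frozen=True)
class CveSignals:
    cve_id: str
    cvss: float   # CVSS base score, 0.0-10.0
    epss: float   # EPSS probability, 0.0-1.0
    kev: bool     # listed in CISA KEV
    poc: bool     # public exploit code available


def priority_score(s: CveSignals) -> float:
    """Composite score 0-220. Out-of-range inputs are rejected so a malformed
    feed cannot push a CVE above MAX_SCORE or below zero."""
    if not 0.0 <= s.cvss <= 10.0:
        raise ValueError(f"{s.cve_id}: CVSS {s.cvss} outside 0-10")
    if not 0.0 <= s.epss <= 1.0:
        raise ValueError(f"{s.cve_id}: EPSS {s.epss} outside 0-1 (expected a probability)")
    score = s.cvss * CVSS_WEIGHT + s.epss * EPSS_WEIGHT
    if s.kev:
        score += KEV_BONUS
    if s.poc:
        score += POC_BONUS
    return round(score, 2)


def priority_band(score: float) -> str:
    """Map a score to the page's Low/Medium/High/Critical bands."""
    for lower, name in BANDS:
        if score >= lower:
            return name
    raise ValueError(f"negative score {score}")


def rank_for_patching(signals: List[CveSignals]) -> List[Tuple[str, float, str]]:
    """Patch queue: highest score first; on equal scores, KEV entries come first
    because exploitation there is confirmed rather than predicted."""
    scored = []
    for s in signals:
        score = priority_score(s)
        scored.append((s.cve_id, score, priority_band(score), s.kev))
    scored.sort(key=lambda r: (r[1], r[3]), reverse=True)
    return [(cve, score, band) for cve, score, band, _ in scored]


# Constructed sample signals; the ids are placeholders, not real CVEs.
SAMPLE_SIGNALS = [
    CveSignals("CVE-EXAMPLE-0001", cvss=9.8, epss=0.94, kev=True, poc=True),
    CveSignals("CVE-EXAMPLE-0002", cvss=6.1, epss=0.002, kev=False, poc=False),
    CveSignals("CVE-EXAMPLE-0003", cvss=7.5, epss=0.30, kev=False, poc=True),
    CveSignals("CVE-EXAMPLE-0004", cvss=5.4, epss=0.001, kev=True, poc=False),
]

if __name__ == "__main__":
    for cve, score, band in rank_for_patching(SAMPLE_SIGNALS):
        print(f"{cve}  {score:6.1f}  {band}")
```

The fourth sample is the case worth noticing: a medium CVSS (5.4) with negligible EPSS still lands in the Medium band purely because of the KEV bonus, while the third sample outranks it on CVSS, EPSS and a public PoC without any KEV listing. That is the intended effect of the composite: confirmed exploitation and public exploit code move an entry up the queue independently of technical severity.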
Patch Now — Known Exploited Vulnerabilities

| Priority | CVE | Description |
|---|---|---|
| 185 | CVE-2026-1731 | BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain |
| 170 | CVE-2026-1340 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem |
| 164 | CVE-2026-1281 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem |
| 141 | CVE-2026-20131 | A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM |
| 137 | CVE-2026-1603 | An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen |
| 134 | CVE-2026-22769 | Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia |
| 129 | CVE-2026-33825 | Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to el |
| 124 | CVE-2026-21643 | An improper neutralization of special elements used in an sql command ('sql injection') vulnerabilit |
| 124 | CVE-2026-35616 | A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an |
| 119 | CVE-2026-39987 | Summary: Marimo (19.6k stars) has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint ` |
Priority Distribution

| Priority | CVE | Description |
|---|---|---|
| 27 | CVE-2026-2348 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripti |
| 27 | CVE-2026-40212 | OpenStack Skyline before 5.0.1, 6.0.0, and 7.0.0 has a DOM-based Cross-Site Scri |
| 27 | CVE-2026-34623 | Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a D |
| 27 | CVE-2026-2505 | The Categories Images plugin for WordPress is vulnerable to Stored Cross-Site Sc |
| 27 | CVE-2026-35046 | Tandoor Recipes is an application for managing recipes, planning meals, and buil |
| 27 | CVE-2026-34848 | hoppscotch is an open source API development ecosystem. Prior to version 2026.3. |
| 27 | CVE-2026-32273 | Discourse is an open-source discussion platform. From versions 2026.1.0-latest t |
| 27 | CVE-2026-33683 | WWBN AVideo is an open source video platform. In versions up to and including 26 |
| 27 | CVE-2026-34625 | Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a D |
| 27 | CVE-2026-32893 | Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, a Reflected Cr |
| 27 | CVE-2026-32095 | Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.1, |
| 27 | CVE-2026-32612 | Statamic is a Laravel and Git powered content management system (CMS). Prior to |
| 27 | CVE-2026-29598 | Multiple stored cross-site scripting (XSS) vulnerabilities in the submit_add_use |
| 27 | CVE-2026-2735 | Stored Cross-Site Scripting (XSS) in Alkacon's OpenCms v18.0, which occurs when |
| 27 | CVE-2026-40071 | pyLoad is a free and open-source download manager written in Python. Prior to 0. |
| 27 | CVE-2026-32118 | OpenEMR is a free and open source electronic health records and medical practice |
| 27 | CVE-2026-33911 | OpenEMR is a free and open source electronic health records and medical practice |
| 27 | CVE-2026-31876 | Notesnook is a note-taking app focused on user privacy & ease of use. Prior to 3 |
| 27 | CVE-2026-39367 | WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo |
| 27 | CVE-2026-31153 | A stored cross-site scripting (XSS) vulnerability in Bynder v0.1.394 allows atta |
| 27 | CVE-2026-33500 | Summary: The fix for CVE-2026-27568 (GHSA-rcqw-6466-3mv7) introduced a custom |
| 27 | CVE-2026-3369 | The Better Find and Replace - AI-Powered Suggestions plugin for WordPress is vul |
| 27 | CVE-2026-2595 | The Quads Ads Manager for Google AdSense plugin for WordPress is vulnerable to S |
| 27 | CVE-2026-40927 | Docmost is open-source collaborative wiki and documentation software. Prior to 0 |
| 27 | CVE-2026-33889 | ApostropheCMS is an open-source Node.js content management system. Versions 4.28 |
| 27 | CVE-2026-32757 | Summary: The eCard send handler in Admidio uses the raw `$_POST['ecard_messag |
| 27 | CVE-2026-35508 | Shynet before 0.14.0 allows XSS in urldisplay and iconify template filters, |
| 27 | CVE-2026-33742 | Invoice Ninja is a source-available invoice, quote, project and time-tracking ap |
| 27 | CVE-2025-59904 | Stored Cross-Site Scripting (XSS) vulnerability in Kubysoft, which is triggered |
| 27 | CVE-2025-61886 | An Improper Neutralization of Input During Web Page Generation ('Cross-site Scri |
| 27 | CVE-2025-59903 | Stored Cross-Site Scripting (XSS) vulnerability in Kubysoft, where uploaded SVG |
| 27 | CVE-2026-34974 | Summary: The regex-based SVG sanitizer in phpMyFAQ (`SvgSanitizer.php`) can b |
| 27 | CVE-2026-32124 | OpenEMR is a free and open source electronic health records and medical practice |
| 27 | CVE-2026-24350 | PluXml CMS is vulnerable to Stored XSS in file uploading functionality. An authe |
| 27 | CVE-2026-39380 | Open Source Point of Sale is a web based point-of-sale application written in PH |
| 27 | CVE-2026-3215 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripti |
| 27 | CVE-2026-24351 | PluXml CMS is vulnerable to Stored XSS in Static Pages editing functionality. At |
| 27 | CVE-2026-27288 | Adobe Experience Manager versions FP11.7 and earlier are affected by a stored Cr |
| 27 | CVE-2026-40112 | PraisonAI is a multi-agent teams system. Prior to 4.5.128, the Flask API endpoin |
| 27 | CVE-2026-41061 | WWBN AVideo is an open source video platform. In versions 29.0 and below, the `i |
| 27 | CVE-2026-32840 | Edimax GS-5008PL firmware version 1.00.54 and prior contain a stored cross-site |
| 27 | CVE-2026-32125 | OpenEMR is a free and open source electronic health records and medical practice |
| 27 | CVE-2026-3212 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripti |
| 27 | CVE-2026-33978 | Notesnook is a note-taking app focused on user privacy & ease of use. Prior to v |
| 27 | CVE-2026-27121 | svelte performance oriented web framework. Versions of svelte prior to 5.51.5 ar |
| 27 | CVE-2026-42042 | Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15. |
| 27 | CVE-2026-27122 | svelte performance oriented web framework. Prior to 5.51.5, when using <svelte:e |
| 27 | CVE-2026-1561 | IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphe |
| 27 | CVE-2026-40479 | Summary: The client-side `escapeForHtml()` function in `KimaiEscape.js`, intr |
| 27 | CVE-2026-0727 | The Accordion and Accordion Slider plugin for WordPress is vulnerable to authori |
| 27 | CVE-2026-27119 | svelte performance oriented web framework. From 5.39.3, <=5.51.4, in certain cir |
| 27 | CVE-2026-35232 | Vulnerability in Oracle Fusion Middleware (component: Dynamic Monitoring Service |
| 27 | CVE-2025-70060 | An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page |
| 27 | CVE-2026-22019 | Vulnerability in the PeopleSoft Enterprise HCM Shared Components product of Orac |
| 27 | CVE-2026-34307 | Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleS |
| 27 | CVE-2026-21724 | A vulnerability has been discovered in Grafana OSS where an authorization bypass |
| 27 | CVE-2026-29105 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (C |
| 27 | CVE-2026-3007 | Successful exploitation of the stored cross-site scripting (XSS) vulnerability c |
| 27 | CVE-2026-20166 | In Splunk Enterprise versions below 10.2.1 and 10.0.4, and Splunk Cloud Platform |
| 27 | CVE-2026-22006 | Vulnerability in the PeopleSoft Enterprise HCM Human Resources product of Oracle |
| 27 | CVE-2025-36243 | IBM Concert 1.0.0 through 2.1.0 is vulnerable to server-side request forgery (SS |
| 27 | CVE-2026-1276 | IBM QRadar SIEM 7.5.0 through 7.5.0 Update Package 14 is vulnerable to cross-sit |
| 27 | CVE-2025-14504 | IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.1.0.0 through 6.1.2. |
| 27 | CVE-2026-20114 | A vulnerability in the Lobby Ambassador web-based management API of Cisco IOS XE |
| 27 | CVE-2026-2483 | IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to cro |
| 27 | CVE-2023-40693 | IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.1.0.0 through 6.1.2. |
| 27 | CVE-2026-0835 | IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.1.0.0 through 6.1.2. |
| 27 | CVE-2025-15051 | IBM QRadar SIEM 7.5.0 through 7.5.0 Update Package 14 is vulnerable to cross-sit |
| 27 | CVE-2025-36226 | IBM Aspera Faspex 5 5.0.0 through 5.0.14.3 is vulnerable to cross-site scripting |
| 27 | CVE-2026-4274 | Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11. |
| 27 | CVE-2026-1217 | The Yoast Duplicate Post plugin for WordPress is vulnerable to unauthorized modi |
| 27 | CVE-2026-33410 | Discourse is an open-source discussion platform. Versions prior to 2026.3.0-late |
| 27 | CVE-2026-33251 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-late |
| 27 | CVE-2026-34362 | WWBN AVideo is an open source video platform. In versions up to and including 26 |
| 27 | CVE-2026-34590 | Postiz is an AI social media scheduling tool. Prior to version 2.21.4, the POST |
| 27 | CVE-2026-34584 | listmonk is a standalone, self-hosted, newsletter and mailing list manager. From |
| 27 | CVE-2026-34051 | OpenEMR is a free and open source electronic health records and medical practice |
| 27 | CVE-2026-1243 | IBM Content Navigator 3.0.15, 3.1.0, and 3.2.0 is vulnerable to cross-site scrip |
| 27 | CVE-2026-39350 | Istio is an open platform to connect, manage, and secure microservices. In versi |
| 27 | CVE-2025-13213 | IBM Aspera Orchestrator 3.0.0 through 4.1.2 is vulnerable to HTTP header injecti |
| 27 | CVE-2026-32510 | Deserialization of Untrusted Data vulnerability in Edge-Themes Kamperen kamperen |
| 27 | CVE-2026-32506 | Deserialization of Untrusted Data vulnerability in Edge-Themes Archicon archicon |
| 27 | CVE-2026-28218 | Discourse is an open source discussion platform. Prior to versions 2025.12.2, 20 |
| 27 | CVE-2026-32509 | Deserialization of Untrusted Data vulnerability in Edge-Themes Gracey gracey all |
| 27 | CVE-2026-27578 | n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2. |
| 27 | CVE-2026-32712 | Open Source Point of Sale is a web based point-of-sale application written in PH |
| 27 | CVE-2025-36227 | IBM Aspera Faspex 5 5.0.0 through 5.0.14.3 is vulnerable to HTTP header injectio |
| 27 | CVE-2025-66485 | IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to HTTP header injection, c |
| 27 | CVE-2026-32508 | Deserialization of Untrusted Data vulnerability in Mikado-Themes Halstein halste |
| 27 | CVE-2025-14857 | An improper access control vulnerability exists in Semtech LoRa LR11xxx transcei |
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 746d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2313d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2126d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1740d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2243d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4991d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1212d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1013d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3768d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 915d |