| Metric | Value | Note |
|---|---|---|
| Total CVEs | 16486 | last 90 days |
| Avg Priority | 36.9 | of max 220 |
| KEV | 36 | actively exploited |
| POC | 3239 | public exploits |
| Unpatched | 4322 | CRIT/HIGH without patch |
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:

| Signal | Contribution | Meaning |
|---|---|---|
| KEV | +50 | CISA Known Exploited Vulnerability: confirmed active exploitation in the wild |
| EPSS | x100 | Exploit Prediction Scoring System: probability of exploitation in the next 30 days (0-100) |
| CVSS | x5 | Common Vulnerability Scoring System: technical severity (0-50) |
| POC | +20 | Public exploit code exists, which lowers the barrier for attackers |

| Score | Band |
|---|---|
| 0-40 | Low |
| 40-80 | Medium |
| 80-120 | High |
| 120+ | Critical |
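The following is an added example, not code from the dashboard itself: it implements the composite score exactly as the table above states it (KEV +50, EPSS x100, CVSS x5, POC +20, maximum 220), maps the result to the four bands, and orders a set of constructed records for patching. It assumes EPSS is supplied as a 0-1 probability (the scale FIRST publishes), that band lower bounds are inclusive, and uses obviously fake identifiers.

```python
"""Added example: compute the dashboard's Priority Score and band, then
order records for patching. Not part of the original page."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatSignals:
    cvss: float      # CVSS base score, 0.0-10.0
    epss: float      # EPSS probability, 0.0-1.0 (assumed FIRST scale)
    in_kev: bool     # listed in the CISA Known Exploited Vulnerabilities catalog
    has_poc: bool    # public exploit code exists


def priority_score(s: ThreatSignals) -> float:
    """Composite 0-220 score: KEV +50, EPSS x100, CVSS x5, POC +20."""
    if not 0.0 <= s.cvss <= 10.0:
        raise ValueError(f"CVSS out of range: {s.cvss}")
    if not 0.0 <= s.epss <= 1.0:
        raise ValueError(f"EPSS must be a 0-1 probability: {s.epss}")
    score = 0.0
    score += 50 if s.in_kev else 0      # confirmed exploitation dominates
    score += s.epss * 100               # 0-100: predicted exploitation likelihood
    score += s.cvss * 5                 # 0-50: technical severity
    score += 20 if s.has_poc else 0     # public exploit lowers attacker effort
    return round(score, 1)


def priority_band(score: float) -> str:
    """Bands from the page; lower bounds assumed inclusive."""
    if score >= 120:
        return "Critical"
    if score >= 80:
        return "High"
    if score >= 40:
        return "Medium"
    return "Low"


def patch_order(records: dict[str, ThreatSignals]) -> list[tuple[str, float, str]]:
    """Return (id, score, band) tuples, highest priority first."""
    scored = [(cve, priority_score(sig), priority_band(priority_score(sig)))
              for cve, sig in records.items()]
    return sorted(scored, key=lambda r: r[1], reverse=True)


# Constructed sample records with placeholder identifiers (not real CVEs).
SAMPLE = {
    "EXAMPLE-1": ThreatSignals(cvss=9.8, epss=0.97, in_kev=True, has_poc=True),
    "EXAMPLE-2": ThreatSignals(cvss=7.5, epss=0.02, in_kev=False, has_poc=False),
    "EXAMPLE-3": ThreatSignals(cvss=9.8, epss=0.50, in_kev=False, has_poc=True),
}

if __name__ == "__main__":
    for cve, score, band in patch_order(SAMPLE):
        print(f"{cve}: {score} ({band})")
```

Note that a CVSS 9.8 issue with a public exploit but no KEV entry (EXAMPLE-3) lands just below the Critical band, while the same severity without exploitation signals (EXAMPLE-2) scores Low, which is the behaviour the weighting is designed to produce.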
Patch Now — Known Exploited Vulnerabilities
| Priority | CVE | Description |
|---|---|---|
| 185 | CVE-2026-1731 | BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain |
| 170 | CVE-2026-1340 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem |
| 164 | CVE-2026-1281 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem |
| 141 | CVE-2026-20131 | A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM |
| 137 | CVE-2026-1603 | An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen |
| 134 | CVE-2026-22769 | Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia |
| 129 | CVE-2026-33825 | Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to el |
| 124 | CVE-2026-21643 | An improper neutralization of special elements used in an sql command ('sql injection') vulnerabilit |
| 124 | CVE-2026-35616 | A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an |
| 119 | CVE-2026-39987 | Summary: Marimo (19.6k stars) has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint ` |
Priority Distribution
| Priority | CVE | Description |
|---|---|---|
| 27 | CVE-2025-64074 | A path-traversal vulnerability in the logout functionality of Shenzhen Zhibotong |
| 27 | CVE-2025-13864 | The Breeze - WordPress Cache Plugin plugin for WordPress is vulnerable to unauth |
| 27 | CVE-2026-0950 | The Spectra Gutenberg Blocks - Website Builder for the Block Editor plugin for W |
| 27 | CVE-2025-14294 | The Razorpay for WooCommerce plugin for WordPress is vulnerable to unauthorized |
| 27 | CVE-2026-3335 | The Canto plugin for WordPress is vulnerable to Missing Authorization in all ver |
| 27 | CVE-2026-1926 | The Subscriptions for WooCommerce plugin for WordPress is vulnerable to unauthor |
| 27 | CVE-2026-28428 | Talishar is a fan-made Flesh and Blood project. Prior to commit a9c218e, an auth |
| 27 | CVE-2026-25185 | Exposure of sensitive information to an unauthorized actor in Windows Shell Link |
| 27 | CVE-2026-25509 | CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo |
| 27 | CVE-2026-2100 | A flaw was found in p11-kit. A remote attacker could exploit this vulnerability |
| 27 | CVE-2026-3739 | A security flaw has been discovered in suitenumerique messages 0.2.0. This issue |
| 27 | CVE-2025-10731 | The ReviewX - WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, |
| 27 | CVE-2025-59028 | When sending invalid base64 SASL data, login process is disconnected from the au |
| 27 | CVE-2026-24004 | Fleet is open source device management software. In versions prior to 4.80.1, a |
| 27 | CVE-2026-39415 | Frappe Learning Management System (LMS) is a learning system that helps users st |
| 27 | CVE-2026-33888 | ApostropheCMS is an open-source Node.js content management system. Versions 4.28 |
| 27 | CVE-2026-29135 | SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to craft |
| 27 | CVE-2026-29137 | SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to hide s |
| 27 | CVE-2025-10461 | Global file reads caused by improper URL checks in webserver in Softing Industri |
| 27 | CVE-2026-2403 | CWE-1284 Improper Validation of Specified Quantity in Input vulnerability exists |
| 27 | CVE-2026-29133 | SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to upload |
| 27 | CVE-2026-35038 | Signal K Server is a server application that runs on a central hub in a boat. Pr |
| 27 | CVE-2026-3570 | The Smarter Analytics plugin for WordPress is vulnerable to unauthorized access |
| 27 | CVE-2026-25771 | Wazuh is a free and open source platform used for threat prevention, detection, |
| 27 | CVE-2026-3965 | A security vulnerability has been detected in whyour qinglong up to 2.20.1. Affe |
| 27 | CVE-2026-25878 | FroshAdminer is the Adminer plugin for Shopware Platform. Prior to 2.2.1, the Ad |
| 27 | CVE-2026-3731 | A weakness has been identified in libssh up to 0.11.3. The impacted element is t |
| 27 | CVE-2026-25597 | PrestaShop is an open source e-commerce web application. Prior to 8.2.4 and 9.0. |
| 27 | CVE-2026-2442 | The Page Builder: Pagelayer - Drag and Drop website builder plugin for WordPress |
| 27 | CVE-2026-1656 | The Business Directory Plugin for WordPress is vulnerable to authorization bypas |
| 27 | CVE-2026-30885 | WWBN AVideo is an open source video platform. Prior to 25.0, the /objects/playli |
| 27 | CVE-2026-29134 | SEPPmail Secure Email Gateway before version 15.0.3 allows an external user to m |
| 27 | CVE-2026-3641 | The Appmax plugin for WordPress is vulnerable to Improper Input Validation in al |
| 27 | CVE-2026-3651 | The Build App Online plugin for WordPress is vulnerable to unauthorized access i |
| 27 | CVE-2026-30833 | Rocket.Chat is an open-source, secure, fully customizable communications platfor |
| 27 | CVE-2026-25983 | ImageMagick is free and open-source software used for editing and manipulating d |
| 27 | CVE-2026-33721 | MapServer is a system for developing web-based GIS applications. Starting in ver |
| 27 | CVE-2026-20152 | A vulnerability in the authentication service feature of Cisco AsyncOS Software |
| 27 | CVE-2026-5234 | The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Refer |
| 27 | CVE-2026-1657 | The EventPrime plugin for WordPress is vulnerable to unauthorized image file upl |
| 27 | CVE-2025-12500 | The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPre |
| 27 | CVE-2026-32881 | ewe is a Gleam web server. ewe is a Gleam web server. Versions 0.6.0 through 3.0 |
| 27 | CVE-2026-1944 | The CallbackKiller service widget plugin for WordPress is vulnerable to unauthor |
| 27 | CVE-2026-39941 | ChurchCRM is an open-source church management system. Prior to 7.1.0, an XSS vul |
| 27 | CVE-2026-34523 | Summary: A path traversal vulnerability in the static file route handler all |
| 27 | CVE-2025-68663 | Outline is a service that allows for collaborative documentation. Prior to 1.1.0 |
| 27 | CVE-2026-40922 | SiYuan is an open-source personal knowledge management system. In versions 3.6.1 |
| 27 | CVE-2026-27199 | Werkzeug is a comprehensive WSGI web application library. Versions 3.1.5 and bel |
| 27 | CVE-2025-13079 | The Popup Builder - Create highly converting, mobile friendly marketing popups. |
| 27 | CVE-2025-14938 | The Listeo Core plugin for WordPress is vulnerable to unauthenticated arbitrary |
| 27 | CVE-2026-1722 | The WCFM Marketplace - Multivendor Marketplace for WooCommerce plugin for WordPr |
| 27 | CVE-2026-3595 | The Riaxe Product Customizer plugin for WordPress is vulnerable to authorization |
| 27 | CVE-2026-1558 | The WP Recipe Maker plugin for WordPress is vulnerable to an Insecure Direct Obj |
| 27 | CVE-2026-33501 | Summary: The endpoint `plugin/Permissions/View/Users_groups_permissions/list. |
| 27 | CVE-2026-29794 | Summary: Unauthenticated users are able to bypass the application's built-in |
| 27 | CVE-2026-2861 | A vulnerability was detected in Foswiki up to 2.1.10. The affected element is an |
| 27 | CVE-2026-33638 | Summary: `GET /api/allusers` is mounted as a public endpoint and returns user |
| 27 | CVE-2026-28559 | wpForo Forum 2.4.14 contains an information disclosure vulnerability that allows |
| 27 | CVE-2026-35208 | lichess.org is the forever free, adless and open source chess server. Any approv |
| 27 | CVE-2026-35040 | fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.1, usin |
| 27 | CVE-2025-6792 | The One to one user Chat by WPGuppy plugin for WordPress is vulnerable to unauth |
| 27 | CVE-2026-39424 | MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below |
| 27 | CVE-2026-32984 | Wazuh authd contains a heap-buffer overflow vulnerability that allows attackers |
| 27 | CVE-2026-3691 | OpenClaw Client PKCE Verifier Information Disclosure Vulnerability. This vulnera |
| 27 | CVE-2026-5167 | The Masteriyo LMS - Online Course Builder for eLearning, LMS & Education plugin |
| 27 | CVE-2025-6208 | The `SimpleDirectoryReader` component in `llama_index.core` version 0.12.23 suff |
| 27 | CVE-2024-34438 | Missing Authorization vulnerability in Anssi Laitila Shared Files shared-files.T |
| 27 | CVE-2026-2443 | A flaw was identified in libsoup, a widely used HTTP library in GNOME-based syst |
| 27 | CVE-2026-25907 | Dell PowerScale OneFS, version 9.13.0.0, contains an overly restrictive account |
| 27 | CVE-2025-15542 | Improper handling of exceptional conditions in VX800v v1.0 in SIP processing all |
| 27 | CVE-2025-13930 | The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPre |
| 27 | CVE-2023-37525 | A sensitive information disclosure in HCL BigFix Compliance allows a remote atta |
| 27 | CVE-2025-48840 | An authentication bypass by spoofing vulnerability in Fortinet FortiWeb 7.6.0 th |
| 27 | CVE-2026-23485 | Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the fi |
| 27 | CVE-2026-1336 | The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is |
| 27 | CVE-2026-33219 | Background: NATS.io is a high performance open source pub-sub distributed co |
| 27 | CVE-2026-33685 | WWBN AVideo is an open source video platform. In versions up to and including 26 |
| 27 | CVE-2025-14243 | A flaw was found in the OpenShift Mirror Registry. This vulnerability allows an |
| 27 | CVE-2026-40252 | FastGPT is an AI Agent building platform. Prior to 4.14.10.4, Broken Access Cont |
| 27 | CVE-2026-32952 | A malicious NTLM challenge message can causes an slice out of bounds panic, whic |
| 27 | CVE-2026-33995 | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to versio |
| 27 | CVE-2026-31821 | Sylius is an Open Source eCommerce Framework on Symfony. The POST /api/v2/shop/o |
| 27 | CVE-2026-25986 | ImageMagick is free and open-source software used for editing and manipulating d |
| 27 | CVE-2026-25795 | ImageMagick is free and open-source software used for editing and manipulating d |
| 27 | CVE-2026-20106 | A vulnerability in the Remote Access SSL VPN, HTTP management and MUS functional |
| 27 | CVE-2026-4240 | A vulnerability was determined in Open5GS up to 2.7.6. The affected element is t |
| 27 | CVE-2026-33132 | Summary: A vulnerability in Zitadel's OAuth2/OIDC interface, which allowed u |
| 27 | CVE-2026-25799 | ImageMagick is free and open-source software used for editing and manipulating d |
| 27 | CVE-2026-25796 | ImageMagick is free and open-source software used for editing and manipulating d |
| 27 | CVE-2025-15482 | The Chapa Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnera |
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 746d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2314d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2127d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1740d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2243d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4991d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1212d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1013d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3768d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 915d |