Total CVEs
16482
last 90 days
Avg Priority
36.9
of max 220
KEV
36
actively exploited
POC
3232
public exploits
Unpatched
4323
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
170
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
164
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
129
CVE-2026-33825
Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to el
124
CVE-2026-21643
An improper neutralization of special elements used in an sql command ('sql injection') vulnerabilit
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-39987
## Summary
Marimo (19.6k stars) has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint `
Priority Distribution
| Priority | CVE |
|---|---|
| 27 |
CVE-2026-33132
### Summary
A vulnerability in Zitadel's OAuth2/OIDC interface, which allowed u
|
| 27 |
CVE-2026-25799
ImageMagick is free and open-source software used for editing and manipulating d
|
| 27 |
CVE-2026-25638
ImageMagick is free and open-source software used for editing and manipulating d
|
| 27 |
CVE-2026-25123
Homarr is an open-source dashboard. Prior to 1.52.0, a public (unauthenticated)
|
| 27 |
CVE-2026-26271
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to versio
|
| 27 |
CVE-2026-3506
The WP-Chatbot for Messenger plugin for WordPress is vulnerable to authorization
|
| 27 |
CVE-2026-3961
A vulnerability was determined in zyddnys manga-image-translator up to beta-0.3.
|
| 27 |
CVE-2026-22422
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vu
|
| 27 |
CVE-2025-13973
The StickEasy Protected Contact Form plugin for WordPress is vulnerable to Sensi
|
| 27 |
CVE-2026-25006
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vu
|
| 27 |
CVE-2026-28132
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vu
|
| 27 |
CVE-2026-21286
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15,
|
| 27 |
CVE-2025-13980
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal
|
| 27 |
CVE-2025-12074
The Context Blog theme for WordPress is vulnerable to Information Exposure in al
|
| 27 |
CVE-2026-25348
Missing Authorization vulnerability in alttextai Download Alt Text AI alttext-ai
|
| 27 |
CVE-2026-25336
Missing Authorization vulnerability in wpcoachify Coachify coachify allows Explo
|
| 27 |
CVE-2026-28351
pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.4,
|
| 27 |
CVE-2026-25970
ImageMagick is free and open-source software used for editing and manipulating d
|
| 27 |
CVE-2026-25969
ImageMagick is free and open-source software used for editing and manipulating d
|
| 27 |
CVE-2026-2207
A weakness has been identified in WeKan up to 8.20. This issue affects some unkn
|
| 27 |
CVE-2026-27610
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In ver
|
| 27 |
CVE-2026-25988
ImageMagick is free and open-source software used for editing and manipulating d
|
| 27 |
CVE-2026-7045
A vulnerability was determined in baomidou dynamic-datasource 2.5.0. Affected by
|
| 27 |
CVE-2024-39724
IBM Db2 Big SQL on Cloud Pak for Data versions 7.6 (on CP4D 4.8), 7.7 (on CP4D 5
|
| 27 |
CVE-2025-15563
Any unauthenticated user can reset the WorkTime on-prem database configuration b
|
| 27 |
CVE-2026-25637
ImageMagick is free and open-source software used for editing and manipulating d
|
| 27 |
CVE-2026-39407
## Summary
A path handling inconsistency in `serveStatic` allows protected stat
|
| 27 |
CVE-2026-24484
ImageMagick is free and open-source software used for editing and manipulating d
|
| 27 |
CVE-2025-69325
Path Traversal: '.../...//' vulnerability in primersoftware Primer MyData for Wo
|
| 27 |
CVE-2026-33425
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-late
|
| 27 |
CVE-2026-2888
The Formidable Forms plugin for WordPress is vulnerable to an authorization bypa
|
| 27 |
CVE-2026-5512
An improper authorization vulnerability was identified in GitHub Enterprise Serv
|
| 27 |
CVE-2026-1980
The WPBookit plugin for WordPress is vulnerable to unauthorized data disclosure
|
| 27 |
CVE-2026-39851
Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.
|
| 27 |
CVE-2026-40086
Rembg is a tool to remove images background. Prior to 2.0.75, a path traversal v
|
| 27 |
CVE-2026-35483
text-generation-webui is an open-source web interface for running Large Language
|
| 27 |
CVE-2026-35484
text-generation-webui is an open-source web interface for running Large Language
|
| 27 |
CVE-2026-35487
text-generation-webui is an open-source web interface for running Large Language
|
| 27 |
CVE-2026-29790
dbt-common is the shared common utilities for dbt-core and adapter implementatio
|
| 27 |
CVE-2026-34066
### Impact
`HistoryStore::put_historic_txns` uses an `assert!` to enforce invari
|
| 27 |
CVE-2026-30854
Parse Server is an open source backend that can be deployed to any infrastructur
|
| 27 |
CVE-2026-29069
Craft is a content management system (CMS). Prior to 5.9.0-beta.2 and 4.17.0-bet
|
| 27 |
CVE-2026-34736
Open edX Platform enables the authoring and delivery of online learning at any s
|
| 27 |
CVE-2026-24321
SAP Commerce Cloud exposes multiple API endpoints to unauthenticated users, allo
|
| 27 |
CVE-2026-6675
The Responsive Blocks - Page Builder for Blocks & Patterns plugin for WordPress
|
| 27 |
CVE-2026-32921
OpenClaw before 2026.3.8 contains an approval bypass vulnerability in system.run
|
| 27 |
CVE-2026-1537
The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for W
|
| 27 |
CVE-2026-40152
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, he list_files()
|
| 27 |
CVE-2026-34425
OpenClaw versions prior to commit 8aceaf5 contain a preflight validation bypass
|
| 27 |
CVE-2025-69241
Raytha CMS is vulnerable to Stored XSS via FirstName and LastName parameters in
|
| 27 |
CVE-2026-35608
QuickDrop is an easy-to-use file sharing application. Prior to 1.5.3, a stored X
|
| 27 |
CVE-2026-34718
Zammad is a web based open source helpdesk/customer support system. Prior to 7.0
|
| 27 |
CVE-2025-12518
beefree.io SDK is vulnerable to Stored XSS in Social Media icon URL parameter in
|
| 27 |
CVE-2025-66335
Apache Doris MCP Server versions earlier than 0.6.1 are affected by an improper
|
| 27 |
CVE-2026-30878
baserCMS is a website development framework. Prior to version 5.2.3, a public ma
|
| 27 |
CVE-2026-2400
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerabilit
|
| 27 |
CVE-2026-32243
Discourse is an open-source discussion platform. From versions 2026.1.0-latest t
|
| 27 |
CVE-2026-35390
Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior
|
| 27 |
CVE-2026-33936
## Summary
An issue in the low-level DER parsing functions can cause unexpected
|
| 27 |
CVE-2025-13842
The Breadcrumb NavXT plugin for WordPress is vulnerable to authorization bypass
|
| 27 |
CVE-2026-39400
Cronicle is a multi-server task scheduler and runner, with a web based front-end
|
| 27 |
CVE-2026-27021
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 20
|
| 27 |
CVE-2026-35166
### Impact
Links and image links in the default markdown to HTML renderer are no
|
| 27 |
CVE-2026-40100
FastGPT is an AI Agent building platform. Prior to 4.14.10.3, the /api/core/app/
|
| 27 |
CVE-2026-32305
Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below,
|
| 27 |
CVE-2026-3307
An authorization bypass vulnerability was identified in GitHub Enterprise Server
|
| 27 |
CVE-2026-41344
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the c
|
| 27 |
CVE-2026-4649
Apache Artemis before version 2.52.0 is affected by an authentication bypass fla
|
| 27 |
CVE-2026-26983
ImageMagick is free and open-source software used for editing and manipulating d
|
| 27 |
CVE-2026-28804
pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.5,
|
| 27 |
CVE-2026-30938
Parse Server is an open source backend that can be deployed to any infrastructur
|
| 27 |
CVE-2026-3475
The Instant Popup Builder plugin for WordPress is vulnerable to Unauthenticated
|
| 27 |
CVE-2026-3419
Fastify incorrectly accepts malformed `Content-Type` headers containing trailing
|
| 27 |
CVE-2026-34732
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AV
|
| 27 |
CVE-2026-34574
Parse Server is an open source backend that can be deployed to any infrastructur
|
| 27 |
CVE-2026-34595
Parse Server is an open source backend that can be deployed to any infrastructur
|
| 27 |
CVE-2026-3955
A security vulnerability has been detected in elecV2P up to 3.8.3. Affected by t
|
| 27 |
CVE-2026-1725
GitLab has remediated an issue in GitLab CE/EE affecting versions from 18.9 befo
|
| 27 |
CVE-2026-33761
## Summary
Three `list.json.php` endpoints in the Scheduler plugin lack any aut
|
| 27 |
CVE-2026-24299
Improper neutralization of special elements used in a command ('command injectio
|
| 27 |
CVE-2026-40347
### Summary
A denial of service vulnerability exists when parsing crafted `mult
|
| 27 |
CVE-2026-6994
A weakness has been identified in Envoy up to 1.33.0. Affected is the function p
|
| 27 |
CVE-2026-33763
## Summary
The `get_api_video_password_is_correct` API endpoint allows any unau
|
| 27 |
CVE-2026-31808
file-type detects the file type of a file, stream, or data. Prior to 21.3.1, a d
|
| 27 |
CVE-2025-13822
MCPHub in versions below 0.11.0 is vulnerable to authentication bypass. Some end
|
| 27 |
CVE-2025-13985
Incorrect Authorization vulnerability in Drupal Entity Share allows Forceful Bro
|
| 27 |
CVE-2023-38265
IBM Cloud Pak System 2.3.3.6, 2.3.3.7, 2.3.4.0, 2.3.4.1, and 2.3.5.0 could discl
|
| 27 |
CVE-2026-3733
A vulnerability was detected in xuxueli xxl-job up to 3.3.2. This impacts an unk
|
| 27 |
CVE-2026-6779
Other issue in the JavaScript Engine component. This vulnerability was fixed in
|
| 27 |
CVE-2026-0394
When dovecot has been configured to use per-domain passwd files, and they are pl
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 746d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2314d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2127d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1740d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2244d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4991d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1212d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1013d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3768d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 915d |