| Metric | Value | Note |
|---|---|---|
| Total CVEs | 16452 | last 90 days |
| Avg Priority | 36.9 | of max 220 |
| KEV | 37 | actively exploited |
| POC | 3214 | public exploits |
| Unpatched | 4301 | CRIT/HIGH without patch |
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:

| Signal | Contribution | Meaning |
|---|---|---|
| KEV | +50 | CISA Known Exploited Vulnerability — confirmed active exploitation in the wild |
| EPSS | x100 | Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100) |
| CVSS | x5 | Common Vulnerability Scoring System — technical severity (0-50) |
| POC | +20 | Public exploit code exists — lowers barrier for attackers |

| Score | Tier |
|---|---|
| 0-40 | Low |
| 40-80 | Medium |
| 80-120 | High |
| 120+ | Critical |
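The formula above, worked through in code as an added example (not the dashboard's own implementation): it applies the four weights to a CVE record, maps the result to the tier bands, and ranks a few constructed records to show that the composite order differs from plain CVSS order. EPSS, KEV and POC values in the sample are made up for illustration.

```python
# Weights and tier floors as stated on the page.
KEV_BONUS = 50        # CISA KEV listing
EPSS_WEIGHT = 100     # EPSS probability (0-1) scaled to 0-100
CVSS_WEIGHT = 5       # CVSS base score (0-10) scaled to 0-50
POC_BONUS = 20        # public exploit code exists
MAX_SCORE = KEV_BONUS + EPSS_WEIGHT + 10 * CVSS_WEIGHT + POC_BONUS  # 220

# Tier floors, highest first, so the first match wins.
TIERS = [(120, "Critical"), (80, "High"), (40, "Medium"), (0, "Low")]


def priority_score(cvss: float, epss: float, kev: bool, poc: bool) -> float:
    """Composite score: KEV +50, EPSS x100, CVSS x5, POC +20 (0-220)."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError("CVSS base score must be within 0-10")
    if not 0.0 <= epss <= 1.0:
        raise ValueError("EPSS probability must be within 0-1")
    score = cvss * CVSS_WEIGHT + epss * EPSS_WEIGHT
    if kev:
        score += KEV_BONUS
    if poc:
        score += POC_BONUS
    return round(score, 1)


def tier(score: float) -> str:
    """Map a score to the page's bands; a boundary value belongs to the upper band."""
    for floor, name in TIERS:
        if score >= floor:
            return name
    return "Low"


def rank(records):
    """Order (id, cvss, epss, kev, poc) tuples by priority score, highest first."""
    scored = [(cve, priority_score(cvss, epss, kev, poc))
              for cve, cvss, epss, kev, poc in records]
    return sorted(scored, key=lambda r: r[1], reverse=True)


# Constructed sample records (hypothetical ids and signal values, not from the page).
SAMPLE = [
    ("sample-A", 9.8, 0.02, False, False),  # severe on paper, no exploitation signals
    ("sample-B", 7.5, 0.90, True, True),    # lower CVSS but in KEV with public PoC
    ("sample-C", 5.3, 0.40, False, True),   # medium CVSS, PoC available
]

if __name__ == "__main__":
    for cve, score in rank(SAMPLE):
        print(f"{cve}: {score} ({tier(score)})")
```

Run as-is, the ranking is B, C, A while the CVSS ordering would be A, B, C, which is the whole point of weighting exploitation evidence into the score.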
Patch Now — Known Exploited Vulnerabilities

| Priority | CVE | Description |
|---|---|---|
| 185 | CVE-2026-1731 | BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain |
| 170 | CVE-2026-1340 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem |
| 164 | CVE-2026-1281 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem |
| 141 | CVE-2026-20131 | A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM |
| 137 | CVE-2026-1603 | An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen |
| 134 | CVE-2026-22769 | Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia |
| 129 | CVE-2026-33825 | Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to el |
| 124 | CVE-2026-21643 | An improper neutralization of special elements used in an sql command ('sql injection') vulnerabilit |
| 124 | CVE-2026-35616 | A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an |
| 119 | CVE-2026-39987 | Summary: Marimo (19.6k stars) has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint ` |
Priority Distribution

| Priority | CVE | Description |
|---|---|---|
| 27 | CVE-2026-1782 | The MetForm Pro plugin for WordPress is vulnerable to Improper Input Validation |
| 27 | CVE-2026-26945 | Dell Integrated Dell Remote Access Controller 9, 14G versions prior to 7.00.00.1 |
| 27 | CVE-2026-1371 | The Tutor LMS - eLearning and online course solution plugin for WordPress is vul |
| 27 | CVE-2026-28675 | OpenSift is an AI study tool that sifts through large datasets using semantic se |
| 27 | CVE-2026-42037 | Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to |
| 27 | CVE-2026-33766 | Summary: `isSSRFSafeURL()` validates URLs against private/reserved IP ranges |
| 27 | CVE-2026-3682 | A security vulnerability has been detected in welovemedia FFmate up to 2.0.15. T |
| 27 | CVE-2025-55704 | Hidden functionality issue exists in multiple MFPs provided by Brother Industrie |
| 27 | CVE-2026-3697 | A vulnerability was determined in Planet ICG-2510 1.0_20250811. The impacted ele |
| 27 | CVE-2026-23488 | Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the /a |
| 27 | CVE-2026-3992 | A weakness has been identified in CodeGenieApp serverless-express up to 4.17.1. |
| 27 | CVE-2026-3968 | A vulnerability has been found in AutohomeCorp frostmourne up to 1.0. This affec |
| 27 | CVE-2026-3967 | A flaw has been found in Alfresco Activiti up to 7.19/8.8.0. Affected by this is |
| 27 | CVE-2026-0944 | Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Gro |
| 27 | CVE-2026-23486 | Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, a publ |
| 27 | CVE-2026-33192 | Impact: This is an Improper Error Handling vulnerability with Information E |
| 27 | CVE-2026-32586 | Missing Authorization vulnerability in Pluggabl Booster for WooCommerce allows E |
| 27 | CVE-2025-13113 | The Web Accessibility by accessiBe plugin for WordPress is vulnerable to Sensiti |
| 27 | CVE-2026-0909 | The WP ULike plugin for WordPress is vulnerable to Insecure Direct Object Refere |
| 27 | CVE-2026-27448 | If a user provided callback to `set_tlsext_servername_callback` raised an unhand |
| 27 | CVE-2026-24967 | Missing Authorization vulnerability in ameliabooking Amelia ameliabooking allows |
| 27 | CVE-2023-38010 | IBM Cloud Pak System displays sensitive information in user messages that could |
| 27 | CVE-2026-25019 | Missing Authorization vulnerability in Vito Peleg Atarim atarim-visual-collabora |
| 27 | CVE-2025-66605 | A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corpo |
| 27 | CVE-2026-31901 | Parse Server is an open source backend that can be deployed to any infrastructur |
| 27 | CVE-2026-24982 | Missing Authorization vulnerability in Brainstorm Force Spectra ultimate-addons- |
| 27 | CVE-2026-23623 | Collabora Online is a collaborative online office suite based on LibreOffice tec |
| 27 | CVE-2026-30859 | WeKnora is an LLM-powered framework designed for deep document understanding and |
| 27 | CVE-2026-24994 | Missing Authorization vulnerability in sunshinephotocart Sunshine Photo Cart sun |
| 27 | CVE-2026-1833 | The WaMate Confirm - Order Confirmation plugin for WordPress is vulnerable to un |
| 27 | CVE-2026-4985 | A vulnerability was identified in dloebl CGIF up to 0.5.2. This vulnerability af |
| 27 | CVE-2025-14608 | The WP Last Modified Info plugin for WordPress is vulnerable to Insecure Direct |
| 27 | CVE-2026-24997 | Missing Authorization vulnerability in Wired Impact Wired Impact Volunteer Manag |
| 27 | CVE-2026-25987 | ImageMagick is free and open-source software used for editing and manipulating d |
| 27 | CVE-2026-24945 | Missing Authorization vulnerability in Themefic Ultimate Addons for Contact Form |
| 27 | CVE-2026-24991 | Authorization Bypass Through User-Controlled Key vulnerability in HT Plugins Ext |
| 27 | CVE-2026-20673 | A logic issue was addressed with improved checks. This issue is fixed in macOS S |
| 27 | CVE-2026-25010 | Missing Authorization vulnerability in ILLID Share This Image share-this-image a |
| 27 | CVE-2026-3550 | The RockPress plugin for WordPress is vulnerable to Missing Authorization in all |
| 27 | CVE-2026-25012 | Missing Authorization vulnerability in gfazioli WP Bannerize Pro wp-bannerize-pr |
| 27 | CVE-2025-7630 | Improper Restriction of Excessive Authentication Attempts, Improper Authenticati |
| 27 | CVE-2026-22021 | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Ente |
| 27 | CVE-2026-34069 | Impact: An unauthenticated p2p peer can cause the `RequestMacroChain` messag |
| 27 | CVE-2025-14067 | The Easy Form Builder plugin for WordPress is vulnerable to unauthorized access |
| 27 | CVE-2026-28360 | NocoDB is software for building databases as spreadsheets. Prior to version 0.30 |
| 27 | CVE-2026-4733 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in ixra |
| 27 | CVE-2026-26196 | Gogs is an open source self-hosted Git service. Prior to version 0.14.2, gogs ap |
| 27 | CVE-2026-41322 | Summary: Requesting a static JS/CSS resource from the `_astro` path with an i |
| 27 | CVE-2026-27859 | A mail message containing excessive amount of RFC 2231 MIME parameters causes LM |
| 27 | CVE-2026-42036 | Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15. |
| 27 | CVE-2026-42034 | Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15. |
| 27 | CVE-2026-33481 | Impact: Syft versions before v1.42.3 would not properly cleanup temporary sto |
| 27 | CVE-2025-14831 | A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) |
| 27 | CVE-2026-4751 | NULL Pointer Dereference vulnerability in tmate-io tmate.This issue affects tmat |
| 27 | CVE-2026-33899 | When `Magick` parses an XML file it is possible that a single zero byte is writt |
| 27 | CVE-2026-34230 | Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, a |
| 27 | CVE-2026-34979 | OpenPrinting CUPS is an open source printing system for Linux and other Unix-lik |
| 27 | CVE-2025-13212 | IBM Aspera Console 3.3.0 through 3.4.8 could allow an authenticated user to caus |
| 27 | CVE-2026-35468 | nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake pro |
| 27 | CVE-2026-28471 | OpenClaw version 2026.1.14-1 prior to 2026.2.2, with the Matrix plugin installed |
| 27 | CVE-2026-39886 | OpenEXR provides the specification and reference implementation of the EXR file |
| 27 | CVE-2026-25023 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulne |
| 27 | CVE-2026-34826 | Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, a |
| 27 | CVE-2026-3460 | The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direc |
| 27 | CVE-2026-29774 | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0 |
| 27 | CVE-2026-32867 | OPEXUS eComplaint before version 10.1.0.0 allows an unauthenticated attacker to |
| 27 | CVE-2026-24998 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulne |
| 27 | CVE-2026-28687 | ImageMagick is free and open-source software used for editing and manipulating d |
| 27 | CVE-2026-29775 | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0 |
| 27 | CVE-2026-24992 | Insertion of Sensitive Information Into Sent Data vulnerability in WPFactory Adv |
| 27 | CVE-2026-35606 | File Browser is a file managing interface for uploading, deleting, previewing, r |
| 27 | CVE-2026-39362 | InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3. |
| 27 | CVE-2025-66594 | A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corpo |
| 27 | CVE-2026-39406 | Summary: A path handling inconsistency in `serveStatic` allows protected stat |
| 27 | CVE-2026-35583 | Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the config |
| 27 | CVE-2026-24096 | Insufficient permission validation on multiple REST API Quick Setup endpoints in |
| 27 | CVE-2026-33537 | Lychee is a free, open-source photo-management tool. The patch introduced for GH |
| 27 | CVE-2026-39360 | RustFS is a distributed object storage system built in Rust. Prior to alpha.90, |
| 27 | CVE-2026-2263 | The Hustle - Email Marketing, Lead Generation, Optins, Popups plugin for WordPre |
| 27 | CVE-2026-34837 | Zammad is a web based open source helpdesk/customer support system. Prior to 7.0 |
| 27 | CVE-2026-34782 | Zammad is a web based open source helpdesk/customer support system. Prior to 7.0 |
| 27 | CVE-2026-3210 | Incorrect Authorization vulnerability in Drupal Material Icons allows Forceful B |
| 27 | CVE-2026-39348 | OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to |
| 27 | CVE-2025-15565 | The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of |
| 27 | CVE-2026-35578 | ChurchCRM is an open-source church management system. Prior to 7.0.0, it was pos |
| 27 | CVE-2026-32615 | Discourse is an open-source discussion platform. From versions 2026.1.0-latest t |
| 27 | CVE-2026-35179 | Summary: The SocialMediaPublisher plugin exposes a `publishInstagram.json.php |
| 27 | CVE-2026-35023 | Wimi Teamwork On-Premises versions prior to 8.2.0 contain an insecure direct obj |
| 27 | CVE-2026-39401 | Cronicle is a multi-server task scheduler and runner, with a web based front-end |
| 27 | CVE-2025-14079 | The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is |
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 746d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2314d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2127d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1741d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2244d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4991d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1212d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1014d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3768d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 916d |