| Metric | Value | Note |
|---|---|---|
| Total CVEs | 16430 | last 90 days |
| Avg Priority | 36.9 | of max 220 |
| KEV | 37 | actively exploited |
| POC | 3209 | public exploits |
| Unpatched | 4283 | CRIT/HIGH without patch |
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
| Signal | Weight | Meaning |
|---|---|---|
| KEV | +50 | CISA Known Exploited Vulnerability: confirmed active exploitation in the wild |
| EPSS | x100 | Exploit Prediction Scoring System: probability of exploitation in next 30 days (0-100) |
| CVSS | x5 | Common Vulnerability Scoring System: technical severity (0-50) |
| POC | +20 | Public exploit code exists: lowers barrier for attackers |

| Score | Level |
|---|---|
| 0-40 | Low |
| 40-80 | Medium |
| 80-120 | High |
| 120+ | Critical |
Patch Now — Known Exploited Vulnerabilities
| Priority | CVE | Description |
|---|---|---|
| 185 | CVE-2026-1731 | BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain |
| 170 | CVE-2026-1340 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem |
| 164 | CVE-2026-1281 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem |
| 141 | CVE-2026-20131 | A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM |
| 137 | CVE-2026-1603 | An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen |
| 134 | CVE-2026-22769 | Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia |
| 129 | CVE-2026-33825 | Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to el |
| 124 | CVE-2026-21643 | An improper neutralization of special elements used in an sql command ('sql injection') vulnerabilit |
| 124 | CVE-2026-35616 | An improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an |
| 119 | CVE-2026-39987 | Summary: Marimo (19.6k stars) has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint ` |
Priority Distribution
| Priority | CVE | Description |
|---|---|---|
| 27 | CVE-2026-26744 | A user enumeration vulnerability exists in FormaLMS 4.1.18 and below in the pass |
| 27 | CVE-2026-2752 | Navtor NavBox allows information disclosure via the /api/ais-data endpoint. A re |
| 27 | CVE-2025-13473 | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4 |
| 27 | CVE-2026-27368 | Missing Authorization vulnerability in SeedProd Coming Soon Page, Under Construc |
| 27 | CVE-2026-34062 | nimiq-libp2p is a Nimiq network implementation based on libp2p. Prior to version |
| 27 | CVE-2026-27328 | Missing Authorization vulnerability in DevsBlink EduBlink edublink allows Exploi |
| 27 | CVE-2026-23543 | Missing Authorization vulnerability in WPDeveloper Essential Addons for Elemento |
| 27 | CVE-2026-23548 | Missing Authorization vulnerability in designinvento DirectoryPress directorypre |
| 27 | CVE-2026-24375 | Missing Authorization vulnerability in WP Swings Ultimate Gift Cards For WooComm |
| 27 | CVE-2026-24999 | Missing Authorization vulnerability in Alma Alma alma-gateway-for-woocommerce al |
| 27 | CVE-2026-32990 | Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fi |
| 27 | CVE-2026-32636 | The NewXMLTree method contains a bug that could result in a crash due to an out |
| 27 | CVE-2026-25000 | Missing Authorization vulnerability in Kraft Plugins Wheel of Life wheel-of-life |
| 27 | CVE-2026-25005 | Authorization Bypass Through User-Controlled Key vulnerability in N-Media Fronte |
| 27 | CVE-2026-28413 | Products.isurlinportal is a replacement for isURLInPortal method in Plone. Prior |
| 27 | CVE-2026-25315 | Missing Authorization vulnerability in hcaptcha hCaptcha for WP hcaptcha-for-for |
| 27 | CVE-2026-25320 | Missing Authorization vulnerability in Cool Plugins Elementor Contact Form DB sb |
| 27 | CVE-2026-25321 | Missing Authorization vulnerability in PSM Plugins SupportCandy supportcandy all |
| 27 | CVE-2026-2356 | The User Registration & Membership - Custom Registration Form, Login Form, and U |
| 27 | CVE-2026-25324 | Authorization Bypass Through User-Controlled Key vulnerability in ExpressTech Sy |
| 27 | CVE-2026-26895 | User enumeration vulnerability in /pwreset.php in osTicket v1.18.2 allows remote |
| 27 | CVE-2026-27066 | Missing Authorization vulnerability in PI Web Solution Live sales notification f |
| 27 | CVE-2026-25332 | Missing Authorization vulnerability in Fahad Mahmood Endless Posts Navigation en |
| 27 | CVE-2026-25333 | Missing Authorization vulnerability in peregrinethemes Shopwell shopwell allows |
| 27 | CVE-2026-25338 | Missing Authorization vulnerability in Ays Pro AI ChatBot with ChatGPT and Conte |
| 27 | CVE-2026-25364 | Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoi |
| 27 | CVE-2026-25367 | Missing Authorization vulnerability in NooTheme CitiLights noo-citilights allows |
| 27 | CVE-2026-27411 | Guessable CAPTCHA vulnerability in jp-secure SiteGuard WP Plugin siteguard allow |
| 27 | CVE-2026-25370 | Missing Authorization vulnerability in AresIT WP Compress wp-compress-image-opti |
| 27 | CVE-2026-1996 | Certain HP OfficeJet Pro printers may be vulnerable to potential denial of servi |
| 27 | CVE-2026-25374 | Missing Authorization vulnerability in raratheme Spa and Salon spa-and-salon all |
| 27 | CVE-2026-22040 | NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In version |
| 27 | CVE-2026-25384 | Missing Authorization vulnerability in WP Lab WP-Lister Lite for eBay wp-lister- |
| 27 | CVE-2026-25386 | Missing Authorization vulnerability in Elementor Ally pojo-accessibility allows |
| 27 | CVE-2026-25404 | Missing Authorization vulnerability in Automattic WP Job Manager wp-job-manager |
| 27 | CVE-2026-25408 | Missing Authorization vulnerability in PluginRx Broken Link Notifier broken-link |
| 27 | CVE-2026-25415 | Missing Authorization vulnerability in iqonicdesign WPBookit Pro wpbookit-pro al |
| 27 | CVE-2026-25441 | Missing Authorization vulnerability in LeadConnector LeadConnector leadconnector |
| 27 | CVE-2026-27042 | Missing Authorization vulnerability in WPDeveloper NotificationX notificationx a |
| 27 | CVE-2026-3616 | A vulnerability was detected in DefaultFuction Jeson Customer Relationship Manag |
| 27 | CVE-2026-2589 | The Greenshift - animation and page builder blocks plugin for WordPress is vulne |
| 27 | CVE-2026-25325 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulne |
| 27 | CVE-2026-3958 | A vulnerability has been found in Woahai321 ListSync up to 0.6.6. This issue aff |
| 27 | CVE-2026-1879 | A vulnerability was detected in Harvard University IQSS Dataverse up to 6.8. Thi |
| 27 | CVE-2026-25389 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulne |
| 27 | CVE-2026-22321 | A stack-based buffer overflow in the device's Telnet/SSH CLI login routine occur |
| 27 | CVE-2026-25043 | Budibase is an open-source low-code platform. Prior to version 3.23.25, a busine |
| 27 | CVE-2026-3962 | A vulnerability was identified in Jcharis Machine-Learning-Web-Apps up to a6996b |
| 27 | CVE-2026-5808 | A vulnerability was detected in openstatusHQ openstatus up to 1b678e71a85961ae31 |
| 27 | CVE-2026-2605 | Tanium addressed an insertion of sensitive information into log file vulnerabili |
| 27 | CVE-2026-40087 | LangChain's f-string prompt-template validation was incomplete in two respects. |
| 27 | CVE-2026-1650 | The MDJM Event Management plugin for WordPress is vulnerable to unauthorized dat |
| 27 | CVE-2026-3075 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulne |
| 27 | CVE-2026-40304 | Summary: The unaccess handler (controller/unaccess.go) contains a logical error i |
| 27 | CVE-2026-3951 | A security flaw has been discovered in LockerProject Locker 0.0.0/0.0.1/0.1.0. A |
| 27 | CVE-2026-34372 | Impact: A user which has permission for the Sulu Admin via at least one role |
| 27 | CVE-2026-5670 | A vulnerability was found in Cyber-III Student-Management-System up to 1a938fa61 |
| 27 | CVE-2026-39381 | Parse Server is an open source backend that can be deployed to any infrastructur |
| 27 | CVE-2026-39373 | JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. |
| 27 | CVE-2026-39922 | GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side req |
| 27 | CVE-2026-7107 | A weakness has been identified in code-projects Invoice System in Laravel 1.0. T |
| 27 | CVE-2026-1919 | The Booking Calendar for Appointments and Service Businesses - Booktics plugin f |
| 27 | CVE-2026-1314 | The 3D FlipBook - PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plug |
| 27 | CVE-2026-1303 | The MailChimp Campaigns plugin for WordPress is vulnerable to Missing Authorizat |
| 27 | CVE-2026-4299 | The MainWP Child Reports plugin for WordPress is vulnerable to Missing Authoriza |
| 27 | CVE-2026-4654 | The Awesome Support - WordPress HelpDesk & Support Plugin plugin for WordPress i |
| 27 | CVE-2026-6797 | A vulnerability was identified in Sanluan PublicCMS up to 6.202506.d. Affected b |
| 27 | CVE-2026-1920 | The Booking Calendar for Appointments and Service Businesses - Booktics plugin f |
| 27 | CVE-2025-14944 | The Backup Migration plugin for WordPress is vulnerable to Missing Authorization |
| 27 | CVE-2026-20009 | A vulnerability in the implementation of the proprietary SSH stack with SSH key- |
| 27 | CVE-2026-5488 | The ExactMetrics - Google Analytics Dashboard for WordPress plugin for WordPress |
| 27 | CVE-2025-14357 | The Mega Store Woocommerce theme for WordPress is vulnerable to unauthorized mod |
| 27 | CVE-2026-4325 | A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value st |
| 27 | CVE-2026-1658 | User Interface (UI) Misrepresentation of Critical Information vulnerability in O |
| 27 | CVE-2026-35450 | Summary: The `plugin/API/check.ffmpeg.json.php` endpoint probes the FFmpeg re |
| 27 | CVE-2025-13726 | IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 thro |
| 27 | CVE-2026-2456 | Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 Matt |
| 27 | CVE-2026-27884 | NetExec is a network execution tool. Prior to version 1.5.1, the module spider_p |
| 27 | CVE-2026-35452 | Summary: The `plugin/CloneSite/client.log.php` endpoint serves the clone oper |
| 27 | CVE-2026-1491 | IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify |
| 27 | CVE-2026-6767 | Other issue in the Libraries component in NSS. This vulnerability was fixed in F |
| 27 | CVE-2026-2862 | IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify |
| 27 | CVE-2026-35629 | OpenClaw before 2026.3.25 contains a server-side request forgery vulnerability i |
| 27 | CVE-2026-3683 | A vulnerability was detected in bufanyun HotGo up to 2.0. This issue affects the |
| 27 | CVE-2026-3681 | A weakness has been identified in welovemedia FFmate up to 2.0.15. This affects |
| 27 | CVE-2026-35545 | An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remot |
| 27 | CVE-2026-35544 | An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insuffici |
| 27 | CVE-2026-35543 | An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remot |
| 27 | CVE-2026-40151 | PraisonAI is a multi-agent teams system. Prior to 4.5.128, the AgentOS deploymen |
| 27 | CVE-2026-35542 | An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remot |
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 746d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2314d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2127d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1741d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2244d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4991d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1212d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1014d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3768d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 916d |