| Metric | Value | Note |
|---|---|---|
| Total CVEs | 16432 | last 90 days |
| Avg Priority | 36.9 | of max 220 |
| KEV | 37 | actively exploited |
| POC | 3211 | public exploits |
| Unpatched | 4268 | CRIT/HIGH without patch |
How is Priority Score calculated?

Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:

| Signal | Weight | Meaning |
|---|---|---|
| KEV | +50 | CISA Known Exploited Vulnerability — confirmed active exploitation in the wild |
| EPSS | x100 | Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100) |
| CVSS | x5 | Common Vulnerability Scoring System — technical severity (0-50) |
| POC | +20 | Public exploit code exists — lowers barrier for attackers |

| Score | Level |
|---|---|
| 0-40 | Low |
| 40-80 | Medium |
| 80-120 | High |
| 120+ | Critical |
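The scoring rule above, worked through as an added Python example (this is not the dashboard's own code). It assumes that a missing CVSS or EPSS value counts as 0, that out-of-range feed values are clamped to their valid ranges so nothing can exceed the 220 ceiling, and that each band's lower bound is inclusive; the sample records and their `EXAMPLE-*` identifiers are constructed, not real CVEs.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Weights exactly as the dashboard states them: KEV +50, EPSS x100, CVSS x5, POC +20.
KEV_BONUS = 50.0
EPSS_WEIGHT = 100.0   # EPSS is a probability in [0, 1], so this term contributes 0-100
CVSS_WEIGHT = 5.0     # CVSS base score is in [0, 10], so this term contributes 0-50
POC_BONUS = 20.0
MAX_SCORE = KEV_BONUS + EPSS_WEIGHT * 1.0 + CVSS_WEIGHT * 10.0 + POC_BONUS  # 220.0


@dataclass
class CveSignals:
    """The four real-world signals the dashboard combines for one CVE."""
    cve_id: str
    cvss: Optional[float]  # CVSS base score 0-10; None when not yet scored
    epss: Optional[float]  # EPSS probability 0-1; None when EPSS has no entry yet
    kev: bool              # listed in CISA's Known Exploited Vulnerabilities catalog
    poc: bool              # public exploit code is known to exist


def _clamp(value: float, lo: float, hi: float) -> float:
    return max(lo, min(hi, value))


def priority_score(s: CveSignals) -> float:
    """Composite 0-220 score.

    Assumption (not stated on the page): a missing CVSS or EPSS counts as 0,
    and out-of-range inputs are clamped so a bad feed cannot push a CVE
    above the 220 ceiling.
    """
    cvss = _clamp(s.cvss if s.cvss is not None else 0.0, 0.0, 10.0)
    epss = _clamp(s.epss if s.epss is not None else 0.0, 0.0, 1.0)
    score = CVSS_WEIGHT * cvss + EPSS_WEIGHT * epss
    if s.kev:
        score += KEV_BONUS
    if s.poc:
        score += POC_BONUS
    # Round to one decimal so float artefacts (e.g. 5.4 * 5) do not leak into comparisons.
    return round(score, 1)


def priority_band(score: float) -> str:
    """Map a score to the dashboard's bands.

    Assumption: each band's lower bound is inclusive, so 40 is Medium and 120 is Critical.
    """
    if score < 40:
        return "Low"
    if score < 80:
        return "Medium"
    if score < 120:
        return "High"
    return "Critical"


def rank(signals: List[CveSignals]) -> List[Tuple[str, float, str]]:
    """Return (cve_id, score, band) rows, highest score first: the 'Patch Now' order."""
    scored = []
    for s in signals:
        score = priority_score(s)
        scored.append((s.cve_id, score, priority_band(score)))
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample records with placeholder IDs (not real CVEs).
SAMPLE = [
    CveSignals("EXAMPLE-0001", cvss=5.4, epss=0.0, kev=False, poc=False),   # typical medium XSS
    CveSignals("EXAMPLE-0002", cvss=9.8, epss=0.94, kev=True, poc=True),    # exploited, PoC public
    CveSignals("EXAMPLE-0003", cvss=7.5, epss=0.12, kev=False, poc=True),   # PoC but no exploitation
    CveSignals("EXAMPLE-0004", cvss=None, epss=None, kev=True, poc=False),  # KEV listed before scoring
]

if __name__ == "__main__":
    for cve_id, score, band in rank(SAMPLE):
        print(f"{cve_id:14} {score:6.1f}  {band}")
```

Two things the numbers make visible: a CVSS 5.4 finding with no other signals scores exactly 27 (5.4 x 5), the value that fills the Priority Distribution table below, and a KEV listing alone already lands a CVE in Medium before any CVSS or EPSS data exists, which is why the KEV bonus dominates the "Patch Now" ordering.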
Patch Now — Known Exploited Vulnerabilities

| Priority | CVE | Description |
|---|---|---|
| 185 | CVE-2026-1731 | BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain |
| 170 | CVE-2026-1340 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem |
| 164 | CVE-2026-1281 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem |
| 141 | CVE-2026-20131 | A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM |
| 137 | CVE-2026-1603 | An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen |
| 134 | CVE-2026-22769 | Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia |
| 129 | CVE-2026-33825 | Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to el |
| 124 | CVE-2026-21643 | An improper neutralization of special elements used in an sql command ('sql injection') vulnerabilit |
| 124 | CVE-2026-35616 | A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an |
| 119 | CVE-2026-39987 | Summary: Marimo (19.6k stars) has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint ` |
Priority Distribution

| Priority | CVE | Description |
|---|---|---|
| 27 | CVE-2026-35629 | OpenClaw before 2026.3.25 contains a server-side request forgery vulnerability i |
| 27 | CVE-2026-6729 | HKUDS OpenHarness prior to PR #159 remediation contains a session key derivation |
| 27 | CVE-2026-6767 | Other issue in the Libraries component in NSS. This vulnerability was fixed in F |
| 27 | CVE-2026-35545 | An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remot |
| 27 | CVE-2026-1491 | IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify |
| 27 | CVE-2026-35450 | Summary: The `plugin/API/check.ffmpeg.json.php` endpoint probes the FFmpeg re |
| 27 | CVE-2026-27884 | NetExec is a network execution tool. Prior to version 1.5.1, the module spider_p |
| 27 | CVE-2026-3683 | A vulnerability was detected in bufanyun HotGo up to 2.0. This issue affects the |
| 27 | CVE-2026-35543 | An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remot |
| 27 | CVE-2026-2862 | IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify |
| 27 | CVE-2026-3681 | A weakness has been identified in welovemedia FFmate up to 2.0.15. This affects |
| 27 | CVE-2026-27486 | OpenClaw is a personal AI assistant. In versions 2026.2.13 and below of the Open |
| 27 | CVE-2026-20682 | A logic issue was addressed with improved state management. This issue is fixed |
| 27 | CVE-2026-3567 | The RepairBuddy - Repair Shop CRM & Booking Plugin for WordPress is vulnerable t |
| 27 | CVE-2025-8055 | Server-Side Request Forgery (SSRF) vulnerability in OpenText™ XM Fax allows Serv |
| 27 | CVE-2026-1772 | RTU500 web interface: An unprivileged user can read user management information. |
| 27 | CVE-2026-5240 | A security vulnerability has been detected in code-projects BloodBank Managing S |
| 27 | CVE-2025-15507 | The Magic Import Document Extractor plugin for WordPress is vulnerable to unauth |
| 27 | CVE-2026-26031 | Frappe Learning Management System (LMS) is a learning system that helps users st |
| 27 | CVE-2026-6559 | A weakness has been identified in Wavlink WL-WN579A3 220323. This affects the fu |
| 27 | CVE-2026-3610 | A vulnerability was found in HSC Cybersecurity Mailinspector up to 5.3.2-3. Affe |
| 27 | CVE-2026-3982 | A vulnerability was determined in itsourcecode University Management System 1.0. |
| 27 | CVE-2026-3993 | A security vulnerability has been detected in itsourcecode Payroll Management Sy |
| 27 | CVE-2026-5315 | A vulnerability was determined in Nothings stb up to 1.26. The affected element |
| 27 | CVE-2026-27631 | Exiv2 is a C++ library and a command-line utility to read, write, delete and mod |
| 27 | CVE-2026-20676 | This issue was addressed through improved state management. This issue is fixed |
| 27 | CVE-2026-7200 | A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. |
| 27 | CVE-2026-5623 | A vulnerability was identified in hcengineering Huly Platform 0.7.382. This affe |
| 27 | CVE-2026-28407 | malcontent is software for discovering supply-chain compromises through context, |
| 27 | CVE-2026-2519 | The Online Scheduling and Appointment Booking System - Bookly plugin for WordPre |
| 27 | CVE-2026-6778 | Invalid pointer in the Audio/Video: Playback component. This vulnerability was f |
| 27 | CVE-2026-27193 | Feathersjs is a framework for creating web APIs and real-time applications with |
| 27 | CVE-2026-6215 | A weakness has been identified in DbGate up to 7.1.4. The impacted element is th |
| 27 | CVE-2026-5205 | A vulnerability was identified in chatwoot up to 4.11.2. Affected by this vulner |
| 27 | CVE-2026-5530 | A flaw has been found in Ollama up to 18.1. This issue affects some unknown proc |
| 27 | CVE-2026-5380 | An issue that could allow an authorized user to view the clear-text secrets for |
| 27 | CVE-2026-1675 | The Advanced Country Blocker plugin for WordPress is vulnerable to Authorization |
| 27 | CVE-2026-3546 | The e-shot form builder plugin for WordPress is vulnerable to Sensitive Informat |
| 27 | CVE-2026-4548 | A vulnerability was detected in mickasmt next-saas-stripe-starter 1.0.0. Affecte |
| 27 | CVE-2026-3649 | The Katalogportal PDF Sync plugin for WordPress is vulnerable to Missing Authori |
| 27 | CVE-2026-5886 | Out of bounds read in WebAudio in Google Chrome on Mac prior to 147.0.7727.55 al |
| 27 | CVE-2026-34369 | WWBN AVideo is an open source video platform. In versions up to and including 26 |
| 27 | CVE-2026-33866 | MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used |
| 27 | CVE-2026-6765 | Information disclosure in the Form Autofill component. This vulnerability was fi |
| 27 | CVE-2026-5313 | A vulnerability has been found in Nothings stb up to 2.30. This issue affects th |
| 27 | CVE-2026-2385 | The The Plus Addons for Elementor - Addons for Elementor, Page Templates, Widget |
| 27 | CVE-2026-0748 | In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allo |
| 27 | CVE-2026-22013 | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Ente |
| 27 | CVE-2026-40908 | WWBN AVideo is an open source video platform. In versions 29.0 and prior, the fi |
| 27 | CVE-2026-32230 | Uptime Kuma is an open source, self-hosted monitoring tool. From 2.0.0 to 2.1.3 |
| 27 | CVE-2026-0540 | DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 729097f, |
| 27 | CVE-2026-41128 | Craft CMS is a content management system (CMS). In versions 5.6.0 through 5.9.14 |
| 27 | CVE-2026-35592 | pyLoad is a free and open-source download manager written in Python. Prior to 0. |
| 27 | CVE-2026-3990 | A security flaw has been discovered in CesiumGS CesiumJS up to 1.137.0. Affected |
| 27 | CVE-2026-21999 | Vulnerability in the XML Database component of Oracle Database Server. Supporte |
| 27 | CVE-2026-7230 | A vulnerability was found in SourceCodester Safety Anger Pad 1.0. The affected e |
| 27 | CVE-2026-3642 | The e-shot™ form builder plugin for WordPress is vulnerable to Missing Authoriza |
| 27 | CVE-2026-27454 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-late |
| 27 | CVE-2026-39921 | GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side req |
| 27 | CVE-2026-6829 | nesquena hermes-webui contains a trust-boundary failure vulnerability that allow |
| 27 | CVE-2026-25742 | Zulip is an open-source team collaboration tool. Prior to version 11.6, Zulip is |
| 27 | CVE-2026-40099 | TL;DR: This vulnerability affects all Kirby sites where users have the permi |
| 27 | CVE-2026-33041 | Summary: `/objects/encryptPass.json.php` exposes the application's password |
| 27 | CVE-2026-3023 | Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web applicatio |
| 27 | CVE-2026-31815 | Unicorn adds modern reactive component functionality to your Django templates. P |
| 27 | CVE-2025-36425 | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 through |
| 27 | CVE-2026-1769 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site |
| 27 | CVE-2026-39626 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vu |
| 27 | CVE-2026-39625 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vu |
| 27 | CVE-2026-24749 | The Silverstripe Assets Module is a required component of Silverstripe Framework |
| 27 | CVE-2026-2373 | The Royal Addons for Elementor - Addons and Templates Kit for Elementor plugin f |
| 27 | CVE-2026-33617 | An unauthenticated remote attacker can access a configuration file containing da |
| 27 | CVE-2026-22748 | Vulnerability in Spring Spring Security. When an application configures JWT deco |
| 27 | CVE-2025-10734 | The ReviewX - WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, |
| 27 | CVE-2026-34786 | Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, a |
| 27 | CVE-2025-13997 | The King Addons for Elementor - 4,000+ ready Elementor sections, 650+ templates, |
| 27 | CVE-2026-34064 | Impact: `VestingContract::can_change_balance` returns `AccountError::Insuffic |
| 27 | CVE-2026-32322 | soroban-sdk is a Rust SDK for Soroban contracts. Prior to 22.0.11, 23.5.3, and 2 |
| 27 | CVE-2026-5890 | Race in WebCodecs in Google Chrome prior to 147.0.7727.55 allowed a remote attac |
| 27 | CVE-2026-0679 | The Fortis for WooCommerce plugin for WordPress is vulnerable to authorization b |
| 27 | CVE-2026-39412 | Summary: The `sort_natural` filter bypasses the `ownPropertyOnly` security o |
| 27 | CVE-2026-31888 | Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store |
| 27 | CVE-2026-39712 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vu |
| 27 | CVE-2026-32002 | OpenClaw versions prior to 2026.2.23 contain a sandbox bypass vulnerability in t |
| 27 | CVE-2026-31825 | Sylius is an Open Source eCommerce Framework on Symfony. Sylius API filters Prod |
| 27 | CVE-2026-1797 | The Appointment Booking and Scheduler Plugin - Truebooker plugin for WordPress i |
| 27 | CVE-2026-33688 | WWBN AVideo is an open source video platform. In versions up to and including 26 |
| 27 | CVE-2026-39629 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vu |
| 27 | CVE-2026-39628 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vu |
| 27 | CVE-2026-34715 | Summary: The `encode_headers` function in `src/ewe/internal/encoder.gleam` d |
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 746d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2314d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2127d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1741d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2244d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4991d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1212d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1014d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3768d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 916d |