Total CVEs
16506
last 90 days
Avg Priority
35.8
of max 220
KEV
37
actively exploited
POC
3185
public exploits
Unpatched
4133
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
170
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
164
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
129
CVE-2026-33825
Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to el
124
CVE-2026-21643
An improper neutralization of special elements used in an sql command ('sql injection') vulnerabilit
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-39987
## Summary
Marimo (19.6k stars) has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint `
Priority Distribution
| Priority | CVE |
|---|---|
| 25 |
CVE-2026-1258
The Mail Mint plugin for WordPress is vulnerable to blind SQL Injection via the
|
| 25 |
CVE-2026-31955
Xibo is an open source digital signage platform with a web content management sy
|
| 25 |
CVE-2026-0871
A flaw was found in Keycloak. An administrator with `manage-users` permission ca
|
| 25 |
CVE-2026-0816
The All push notification for WP plugin for WordPress is vulnerable to time-base
|
| 25 |
CVE-2026-27673
Due to a missing authorization check, SAP S/4HANA (Private Cloud and On-Premise)
|
| 25 |
CVE-2026-2831
The MailArchiver plugin for WordPress is vulnerable to SQL Injection via the ‘lo
|
| 25 |
CVE-2025-41760
An administrator may attempt to block all traffic by configuring a pass filter w
|
| 25 |
CVE-2025-41759
An administrator may attempt to block all networks by specifying "\*" or "all" a
|
| 25 |
CVE-2026-2389
The Complianz - GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to S
|
| 25 |
CVE-2025-8781
The Bookster - WordPress Appointment Booking Plugin plugin for WordPress is vuln
|
| 25 |
CVE-2026-34164
### Summary
The `InboxHandlingService` logs the full content of every incoming
|
| 25 |
CVE-2026-29092
Kiteworks is a private data network (PDN). Prior to version 9.2.1, a vulnerabili
|
| 25 |
CVE-2026-25310
Server-Side Request Forgery (SSRF) vulnerability in Alobaidi Extend Link extend-
|
| 25 |
CVE-2026-22203
wpDiscuz before 7.6.47 contains an information disclosure vulnerability that all
|
| 25 |
CVE-2026-27162
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 20
|
| 25 |
CVE-2026-4819
In Search Guard FLX versions from 1.0.0 up to 4.0.1, the audit logging feature m
|
| 25 |
CVE-2026-32879
New API is a large language mode (LLM) gateway and artificial intelligence (AI)
|
| 25 |
CVE-2026-2376
A flaw was found in mirror-registry where an authenticated user can trick the sy
|
| 25 |
CVE-2026-2429
The Community Events plugin for WordPress is vulnerable to SQL Injection via the
|
| 25 |
CVE-2026-33222
### Background
NATS.io is a high performance open source pub-sub distributed co
|
| 25 |
CVE-2026-4853
The JetBackup - Backup, Restore & Migrate plugin for WordPress is vulnerable to
|
| 25 |
CVE-2026-28823
A path handling issue was addressed with improved validation. This issue is fixe
|
| 25 |
CVE-2026-39631
Missing Authorization vulnerability in Ronik@UnlimitedWP WPSchoolPress wpschoolp
|
| 25 |
CVE-2026-39521
Server-Side Request Forgery (SSRF) vulnerability in Nelio Software Nelio Content
|
| 25 |
CVE-2026-20693
This issue was addressed through improved state management. This issue is fixed
|
| 25 |
CVE-2026-3221
Sensitive
user account information is not encrypted in the database in Devoluti
|
| 25 |
CVE-2026-22626
Due to insufficient input parameter validation on the interface, authenticated u
|
| 25 |
CVE-2026-34061
nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake pro
|
| 25 |
CVE-2026-32349
Server-Side Request Forgery (SSRF) vulnerability in Andy Fragen Embed PDF Viewer
|
| 25 |
CVE-2026-31799
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. F
|
| 25 |
CVE-2026-30228
Parse Server is an open source backend that can be deployed to any infrastructur
|
| 25 |
CVE-2026-3330
The Form Maker by 10Web plugin for WordPress is vulnerable to SQL Injection via
|
| 25 |
CVE-2026-33158
### Summary
A low-privileged authenticated user can read private asset content
|
| 25 |
CVE-2026-4917
IBM Guardium Data Protection 12.1 could allow an administrative user to traverse
|
| 25 |
CVE-2026-22692
October is a Content Management System (CMS) and web platform. Versions prior to
|
| 25 |
CVE-2025-12772
Brocade SANnav before 2.4.0b logs the Brocade Fabric OS Switch admin password on
|
| 25 |
CVE-2025-12680
Brocade SANnav before Brocade SANnav 2.4.0b logs database passwords in clear tex
|
| 25 |
CVE-2026-25125
October is a Content Management System (CMS) and web platform. Versions prior to
|
| 25 |
CVE-2026-29516
Buffalo TeraStation NAS TS5400R firmware version 4.02-0.06 and prior contain an
|
| 25 |
CVE-2026-1274
IBM Guardium Data Protection 12.0, 12.1, and 12.2 is vulnerable to a Bypass Busi
|
| 25 |
CVE-2026-30873
OpenWrt Project is a Linux operating system targeting embedded devices. In versi
|
| 25 |
CVE-2026-40962
FFmpeg before 8.1 has an integer overflow and resultant out-of-bounds write via
|
| 24 |
CVE-2026-31050
Cross Site Scripting vulnerability in Hostbill v.2025-11-24 and 2025-12-01 allow
|
| 24 |
CVE-2026-5794
A vulnerability affecting the detailed versions of Cryptobox allows a legitimate
|
| 24 |
CVE-2026-40175
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.
|
| 24 |
CVE-2026-33738
Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the
|
| 24 |
CVE-2026-28475
OpenClaw versions prior to 2026.2.13 use non-constant-time string comparison for
|
| 24 |
CVE-2025-0577
An insufficient entropy vulnerability was found in glibc. The getrandom and arc4
|
| 24 |
CVE-2026-25100
Bludit is vulnerable to Stored Cross-Site Scripting (XSS) in its image upload fu
|
| 24 |
CVE-2026-1001
Domoticz versions prior to 2026.1 contain a stored cross-site scripting vulnerab
|
| 24 |
CVE-2026-26717
An issue in OpenFUN Richie (LMS) in src/richie/apps/courses/api.py. The applicat
|
| 24 |
CVE-2026-21291
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15,
|
| 24 |
CVE-2026-1787
The LearnPress Export Import - WordPress extension for LearnPress plugin for Wor
|
| 24 |
CVE-2026-1356
The Converter for Media - Optimize images | Convert WebP & AVIF plugin for WordP
|
| 24 |
CVE-2026-24147
NVIDIA Triton Inference Server contains a vulnerability in triton server where a
|
| 24 |
CVE-2026-31993
OpenClaw versions prior to 2026.2.22 contain an allowlist parsing mismatch vulne
|
| 24 |
CVE-2025-41257
Suprema’s BioStar 2 in version 2.9.11.6 allows users to set new password without
|
| 24 |
CVE-2026-4816
A Reflected Cross Site Scripting (XSS) vulnerability has been found in Support B
|
| 24 |
CVE-2026-3024
Stored Cross-Site Scripting (XSS) vulnerability in the Wakyma web application, s
|
| 24 |
CVE-2026-1711
Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site
|
| 24 |
CVE-2026-27974
Audiobookshelf is a self-hosted audiobook and podcast server. A cross-site scrip
|
| 24 |
CVE-2025-62184
Pega Platform versions 8.1.0 through 25.1.0 are affected by a Stored Cross-site
|
| 24 |
CVE-2026-3468
A stored Cross-Site Scripting (XSS) vulnerability has been identified in the Son
|
| 24 |
CVE-2026-31867
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.11.0 and 5.6.0
|
| 24 |
CVE-2026-34835
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before
|
| 24 |
CVE-2026-33621
### Summary
PinchTab `v0.7.7` through `v0.8.4` contain incomplete request-thrott
|
| 24 |
CVE-2026-42041
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.
|
| 24 |
CVE-2026-1553
Incorrect Authorization vulnerability in Drupal Drupal Canvas allows Forceful Br
|
| 24 |
CVE-2026-39410
## Summary
A discrepancy between browser cookie parsing and `parse()` handling
|
| 24 |
CVE-2026-28692
ImageMagick is free and open-source software used for editing and manipulating d
|
| 24 |
CVE-2026-26962
Rack is a modular Ruby web server interface. From version 3.2.0 to before versio
|
| 24 |
CVE-2026-33869
Mastodon is a free, open-source social network server based on ActivityPub. In v
|
| 24 |
CVE-2026-32031
OpenClaw versions prior to 2026.2.26 server-http contains an authentication bypa
|
| 24 |
CVE-2026-20111
A vulnerability in the web-based management interface of Cisco Prime Infrastruct
|
| 24 |
CVE-2026-41297
OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability i
|
| 24 |
CVE-2026-41302
OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability i
|
| 24 |
CVE-2026-20091
A vulnerability in the web-based management interface of Cisco FXOS Software and
|
| 24 |
CVE-2026-40606
mitmproxy is a interactive TLS-capable intercepting HTTP proxy for penetration t
|
| 24 |
CVE-2025-53608
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scri
|
| 24 |
CVE-2025-70973
ScadaBR 1.12.4 is vulnerable to Session Fixation. The application assigns a JSES
|
| 24 |
CVE-2026-20090
A vulnerability in the web-based management interface of Cisco IMC could allow a
|
| 24 |
CVE-2026-20088
A vulnerability in the web-based management interface of Cisco IMC could allow a
|
| 24 |
CVE-2026-20087
A vulnerability in the web-based management interface of Cisco IMC could allow a
|
| 24 |
CVE-2026-20089
A vulnerability in the web-based management interface of Cisco IMC could allow a
|
| 24 |
CVE-2026-20132
Multiple vulnerabilities in the web-based management interface of Cisco Identity
|
| 24 |
CVE-2026-0947
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripti
|
| 24 |
CVE-2026-31823
Sylius is an Open Source eCommerce Framework on Symfony. An authenticated stored
|
| 24 |
CVE-2026-20112
A vulnerability in the web-based Cisco IOx application hosting environment manag
|
| 24 |
CVE-2026-27447
OpenPrinting CUPS is an open source printing system for Linux and other Unix-lik
|
| 24 |
CVE-2026-34321
Vulnerability in the Oracle Financial Services Analytical Applications Infrastru
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 746d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2314d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2127d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1741d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2244d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4992d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1212d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1014d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3769d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 916d |