Total CVEs
16255
last 90 days
Avg Priority
36.6
of max 220
KEV
37
actively exploited
POC
3568
public exploits
Unpatched
5446
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
194
CVE-2026-24061
telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for t
185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
184
CVE-2026-23760
SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability
180
CVE-2025-40551
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil
170
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
164
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
160
CVE-2025-40536
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
Priority Distribution
| Priority | CVE |
|---|---|
| 58 |
CVE-2026-26267
soroban-sdk is a Rust SDK for Soroban contracts. Prior to versions 22.0.10, 23.5
|
| 58 |
CVE-2026-25639
Axios is a promise based HTTP client for the browser and Node.js. Prior to versi
|
| 58 |
CVE-2025-70304
A buffer overflow in the vobsub_get_subpic_duration() function of GPAC v2.4.0 al
|
| 58 |
CVE-2026-27114
NanaZip is an open source file archive. Starting in version 5.0.1252.0 and prior
|
| 58 |
CVE-2026-30834
PinchTab is a standalone HTTP server that gives AI agents direct control over a
|
| 58 |
CVE-2026-23842
ChatterBot is a machine learning, conversational dialog engine for creating chat
|
| 58 |
CVE-2020-37133
UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in the Repe
|
| 58 |
CVE-2026-25575
NavigaTUM is a website and API to search for rooms, buildings and other places.
|
| 58 |
CVE-2019-25354
iSmartViewPro 1.3.34 contains a denial of service vulnerability that allows atta
|
| 58 |
CVE-2020-36995
Mocha Telnet Lite for iOS 4.2 contains a denial of service vulnerability that al
|
| 58 |
CVE-2020-37135
AMSS++ 4.7 contains an authentication bypass vulnerability that allows attackers
|
| 58 |
CVE-2020-37178
KeePass Password Safe versions before 2.44 contain a denial of service vulnerabi
|
| 58 |
CVE-2025-69649
GNU Binutils thru 2.46 readelf contains a null pointer dereference vulnerability
|
| 58 |
CVE-2020-37146
ACE Security WiP-90113 HD Camera contains a configuration disclosure vulnerabili
|
| 58 |
CVE-2026-30852
Caddy is an extensible server platform that uses TLS by default. From version 2.
|
| 58 |
CVE-2019-25339
GHIA CamIP 1.2 for iOS contains a denial of service vulnerability in the passwor
|
| 58 |
CVE-2019-25329
FTP Navigator 8.03 contains a denial of service vulnerability that allows attack
|
| 58 |
CVE-2020-37215
MSN Password Recovery version 1.30 contains a denial of service vulnerability th
|
| 58 |
CVE-2019-25472
IntelBras Telefone IP TIP200 and 200 LITE contain an unauthenticated arbitrary f
|
| 58 |
CVE-2020-37212
SpotMSN 2.4.6 contains a denial of service vulnerability in the registration nam
|
| 58 |
CVE-2020-37211
SpotIM 2.2 contains a denial of service vulnerability that allows attackers to c
|
| 58 |
CVE-2020-37210
SpotIE 2.9.5 contains a denial of service vulnerability in the registration key
|
| 58 |
CVE-2020-37209
SpotFTP 3.0.0.0 contains a denial of service vulnerability in the registration n
|
| 58 |
CVE-2020-37207
SpotDialup 1.6.7 contains a denial of service vulnerability in the registration
|
| 58 |
CVE-2020-37206
ShareAlarmPro contains a denial of service vulnerability that allows attackers t
|
| 58 |
CVE-2020-37199
NBMonitor 1.6.6.0 contains a denial of service vulnerability in its registration
|
| 58 |
CVE-2020-37197
Dnss Domain Name Search Software contains a denial of service vulnerability that
|
| 58 |
CVE-2020-37196
Dnss Domain Name Search Software contains a denial of service vulnerability that
|
| 58 |
CVE-2026-2025
The Mail Mint WordPress plugin before 1.19.5 does not have authorization in one
|
| 58 |
CVE-2020-37193
ZIP Password Recovery 2.30 contains a denial of service vulnerability that allow
|
| 58 |
CVE-2020-37191
Top Password Software Dialup Password Recovery 1.30 contains a denial of service
|
| 58 |
CVE-2020-37190
Top Password Firefox Password Recovery 2.8 contains a denial of service vulnerab
|
| 58 |
CVE-2020-37180
GTalk Password Finder 2.2.1 contains a denial of service vulnerability that allo
|
| 58 |
CVE-2026-30574
A Business Logic vulnerability exists in SourceCodester Pharmacy Product Managem
|
| 58 |
CVE-2019-25363
WMV to AVI MPEG DVD WMV Convertor 4.6.1217 contains a buffer overflow vulnerabil
|
| 58 |
CVE-2020-37157
DBPower C300 HD Camera contains a configuration disclosure vulnerability that al
|
| 58 |
CVE-2026-25222
PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and ea
|
| 58 |
CVE-2025-65891
A GPU device-ID validation flaw in OneFlow v0.9.0 allows attackers to trigger a
|
| 58 |
CVE-2025-65890
A device-ID validation flaw in OneFlow v0.9.0 allows attackers to cause a Denial
|
| 58 |
CVE-2019-25340
SpotAuditor 5.3.2 contains a denial of service vulnerability in its Base64 decry
|
| 58 |
CVE-2026-25758
Spree is an open source e-commerce solution built with Ruby on Rails. A critical
|
| 58 |
CVE-2025-70746
Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the timeZon
|
| 58 |
CVE-2026-0750
Improper Verification of Cryptographic Signature vulnerability in Drupal Drupal
|
| 58 |
CVE-2026-25891
Fiber is an Express inspired web framework written in Go. A Path Traversal (CWE-
|
| 58 |
CVE-2026-4338
The ActivityPub WordPress plugin before 8.0.2 does not properly filter posts to
|
| 58 |
CVE-2025-63649
An out-of-bounds read in the http_parser_transfer_encoding_chunked function (mk_
|
| 58 |
CVE-2025-70999
A GPU device-ID validation flaw in the flow.cuda.get_device_capability() compone
|
| 58 |
CVE-2025-66720
Null pointer dereference in free5gc pcf 1.4.0 in file internal/sbi/processor/amp
|
| 58 |
CVE-2026-30798
Insufficient Verification of Data Authenticity, Improper Handling of Exceptional
|
| 58 |
CVE-2025-69908
An unauthenticated information disclosure vulnerability in Newgen OmniApp allows
|
| 58 |
CVE-2026-25499
Terraform / OpenTofu Provider adds support for Proxmox Virtual Environment. Prio
|
| 58 |
CVE-2026-22782
RustFS is a distributed object storage system built in Rust. From >= 1.0.0-alpha
|
| 58 |
CVE-2026-25474
OpenClaw is a personal AI assistant. In versions 2026.1.30 and below, if channel
|
| 58 |
CVE-2025-70986
Incorrect access control in the selectDept function of RuoYi v4.8.2 allows unaut
|
| 58 |
CVE-2021-47865
ProFTPD 1.3.7a contains a denial of service vulnerability that allows attackers
|
| 58 |
CVE-2025-70244
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the webPage para
|
| 58 |
CVE-2025-70251
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the webPage para
|
| 58 |
CVE-2025-70242
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the webPage para
|
| 58 |
CVE-2025-71031
Water-Melon Melon commit 9df9292 and below is vulnerable to Denial of Service. T
|
| 58 |
CVE-2021-47815
Nsauditor 3.2.3 contains a denial of service vulnerability in the registration c
|
| 58 |
CVE-2021-47814
NBMonitor 1.6.8 contains a denial of service vulnerability that allows attackers
|
| 58 |
CVE-2021-47793
Telegram Desktop 2.9.2 contains a denial of service vulnerability that allows at
|
| 58 |
CVE-2021-47791
SmartFTP Client 10.0.2909.0 contains multiple denial of service vulnerabilities
|
| 58 |
CVE-2026-25791
Sliver is a command and control framework that uses a custom Wireguard netstack.
|
| 58 |
CVE-2026-33484
### Summary
The `/api/v1/files/images/{flow_id}/{file_name}` endpoint serves ima
|
| 58 |
CVE-2026-25961
SumatraPDF is a multi-format reader for Windows. In 3.5.0 through 3.5.2, Sumatra
|
| 58 |
CVE-2026-25808
Hollo is a federated single-user microblogging software designed to be federated
|
| 58 |
CVE-2026-33497
### Summary
In the download_profile_picture function of the /profile_pictures/{f
|
| 58 |
CVE-2026-25541
Bytes is a utility library for working with bytes. From version 1.2.1 to before
|
| 58 |
CVE-2026-30827
express-rate-limit is a basic rate-limiting middleware for Express. In versions
|
| 58 |
CVE-2026-30837
Elysia is a Typescript framework for request validation, type inference, OpenAPI
|
| 58 |
CVE-2021-47831
Sandboxie 5.49.7 contains a denial of service vulnerability that allows attacker
|
| 58 |
CVE-2026-29039
changedetection.io is a free open source web page change detection tool. Prior t
|
| 58 |
CVE-2021-47827
WebSSH for iOS 14.16.10 contains a denial of service vulnerability in the mashRE
|
| 58 |
CVE-2021-47818
DupTerminator 1.4.5639.37199 contains a denial of service vulnerability that all
|
| 58 |
CVE-2020-37039
Frigate 2.02 contains a denial of service vulnerability that allows attackers to
|
| 58 |
CVE-2020-37038
Code Blocks 20.03 contains a denial of service vulnerability that allows attacke
|
| 58 |
CVE-2021-47813
Backup Key Recovery 2.2.7 contains a denial of service vulnerability that allows
|
| 58 |
CVE-2021-47797
Leawo Prof. Media 11.0.0.1 contains a denial of service vulnerability that allow
|
| 58 |
CVE-2021-47789
Yenkee Hornet Gaming Mouse driver GM312Fltr.sys contains a buffer overrun vulner
|
| 58 |
CVE-2020-37155
Core FTP Lite 1.3 contains a buffer overflow vulnerability in the username input
|
| 58 |
CVE-2020-37122
SpotFTP-FTP Password Recover 2.4.8 contains a denial of service vulnerability th
|
| 58 |
CVE-2020-37109
aSc TimeTables 2020.11.4 contains a denial of service vulnerability that allows
|
| 58 |
CVE-2020-37107
Core FTP LE 2.2 contains a denial of service vulnerability that allows attackers
|
| 58 |
CVE-2021-47786
Redragon Gaming Mouse driver contains a kernel-level vulnerability that allows a
|
| 58 |
CVE-2021-47821
RarmaRadio 2.72.8 contains a denial of service vulnerability that allows attacke
|
| 58 |
CVE-2025-70307
A stack overflow in the dump_ttxt_sample function of GPAC v2.4.0 allows attacker
|
| 58 |
CVE-2025-63912
Cohesity TranZman Migration Appliance Release 4.0 Build 14614 was discovered to
|
| 58 |
CVE-2026-22863
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.6.0, node:cr
|
| 58 |
CVE-2026-26308
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5,
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 731d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2299d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2112d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1725d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2229d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4976d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1197d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 998d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3753d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 900d |