| Metric | Value | Note |
|---|---|---|
| Total CVEs | 16579 | last 90 days |
| Avg Priority | 35.8 | of max 220 |
| KEV | 35 | actively exploited |
| POC | 3154 | public exploits |
| Unpatched | 4125 | CRIT/HIGH without patch |
How is Priority Score calculated?

Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:

| Signal | Contribution | Meaning |
|---|---|---|
| KEV | +50 | CISA Known Exploited Vulnerability: confirmed active exploitation in the wild |
| EPSS | x100 | Exploit Prediction Scoring System: probability of exploitation in the next 30 days (0.0-1.0), scaled to contribute 0-100 |
| CVSS | x5 | Common Vulnerability Scoring System: technical severity (0.0-10.0), scaled to contribute 0-50 |
| POC | +20 | Public exploit code exists, which lowers the barrier for attackers |

The maximum is therefore 50 + 100 + 50 + 20 = 220. Scores map to bands:

| Score | Band |
|---|---|
| 0-40 | Low |
| 40-80 | Medium |
| 80-120 | High |
| 120+ | Critical |
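The formula above, as a runnable reference implementation. This is an added example written for this page, not the dashboard's own source: the `CveRecord` fields, the function names, the inclusive lower band bounds, and the four sample records are all constructed for illustration. It also implements the two derived views the dashboard shows (the KEV "Patch Now" ordering and the CRITICAL/HIGH-without-patch filter, using the CVSS v3.x qualitative ratings) so the interaction between the signals is visible on real-looking input.

```python
# Added example: reference implementation of the Priority Score formula
# (KEV +50, EPSS x100, CVSS x5, POC +20; max 220) and its bands.
# Illustrative code written for this page, not the dashboard's own source.
# Record fields, function names and the sample records are constructed.
from dataclasses import dataclass

KEV_BONUS = 50       # CISA KEV listing: confirmed exploitation in the wild
EPSS_WEIGHT = 100    # EPSS probability (0.0-1.0) scaled to 0-100
CVSS_WEIGHT = 5      # CVSS base score (0.0-10.0) scaled to 0-50
POC_BONUS = 20       # public exploit / PoC available
MAX_SCORE = KEV_BONUS + EPSS_WEIGHT + 10 * CVSS_WEIGHT + POC_BONUS  # 220


@dataclass
class CveRecord:
    cve_id: str
    cvss: float              # CVSS base score, 0.0-10.0
    epss: float              # EPSS probability, 0.0-1.0 (not the percentile)
    kev: bool = False        # listed in CISA KEV
    poc: bool = False        # public exploit code known
    patched: bool = True     # vendor fix available


def priority_score(rec: CveRecord) -> float:
    """Composite 0-220 score; rejects out-of-range inputs instead of clamping,
    so a feed that delivers EPSS as a percentage (0-100) is caught, not inflated."""
    if not 0.0 <= rec.cvss <= 10.0:
        raise ValueError(f"{rec.cve_id}: CVSS must be 0-10, got {rec.cvss}")
    if not 0.0 <= rec.epss <= 1.0:
        raise ValueError(f"{rec.cve_id}: EPSS must be 0-1, got {rec.epss}")
    score = rec.epss * EPSS_WEIGHT + rec.cvss * CVSS_WEIGHT
    if rec.kev:
        score += KEV_BONUS
    if rec.poc:
        score += POC_BONUS
    return round(score, 1)


def priority_band(score: float) -> str:
    """Map a score to the page's bands. Assumption: lower bounds are inclusive,
    so exactly 40 is Medium, 80 is High and 120 is Critical."""
    if score >= 120:
        return "Critical"
    if score >= 80:
        return "High"
    if score >= 40:
        return "Medium"
    return "Low"


def cvss_severity(cvss: float) -> str:
    """CVSS v3.x qualitative rating, used for the CRIT/HIGH unpatched filter."""
    if cvss >= 9.0:
        return "CRITICAL"
    if cvss >= 7.0:
        return "HIGH"
    if cvss >= 4.0:
        return "MEDIUM"
    if cvss > 0.0:
        return "LOW"
    return "NONE"


def patch_now(records):
    """The 'Patch Now' view: KEV entries only, highest Priority Score first."""
    return sorted((r for r in records if r.kev), key=priority_score, reverse=True)


def unpatched_crit_high(records):
    """The 'Unpatched' counter: CRITICAL/HIGH records with no fix available."""
    return [r for r in records
            if not r.patched and cvss_severity(r.cvss) in ("CRITICAL", "HIGH")]


# Constructed sample records (not real CVE data).
SAMPLE = [
    CveRecord("SAMPLE-A", cvss=9.8, epss=0.94, kev=True, poc=True),   # 213.0
    CveRecord("SAMPLE-B", cvss=7.5, epss=0.12, poc=True),             # 69.5
    CveRecord("SAMPLE-C", cvss=5.3, epss=0.02, patched=False),        # 28.5
    CveRecord("SAMPLE-D", cvss=9.1, epss=0.003, patched=False),       # 45.8
]

if __name__ == "__main__":
    for rec in sorted(SAMPLE, key=priority_score, reverse=True):
        s = priority_score(rec)
        print(f"{rec.cve_id:10} {cvss_severity(rec.cvss):8} "
              f"score={s:6.1f} band={priority_band(s)}")
    print("patch now:", [r.cve_id for r in patch_now(SAMPLE)])
    print("unpatched crit/high:", [r.cve_id for r in unpatched_crit_high(SAMPLE)])
```

The sample output makes the weighting concrete: SAMPLE-D is CVSS 9.1 and unpatched yet scores only 45.8 (Medium), because 150 of the 220 available points come from exploitation evidence (KEV, EPSS, POC) rather than technical severity. That is the intended behaviour of the metric, but it is also why the "Unpatched" filter is kept as a separate view rather than folded into the score.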
Patch Now — Known Exploited Vulnerabilities

| Priority | CVE | Description |
|---|---|---|
| 185 | CVE-2026-1731 | BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain |
| 141 | CVE-2026-20131 | A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM |
| 137 | CVE-2026-1603 | An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen |
| 134 | CVE-2026-22769 | Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia |
| 129 | CVE-2026-33825 | Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to el |
| 124 | CVE-2026-21643 | An improper neutralization of special elements used in an sql command ('sql injection') vulnerabilit |
| 124 | CVE-2026-35616 | An improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an |
| 119 | CVE-2026-39987 | Summary: Marimo (19.6k stars) has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint ` |
| 119 | CVE-2026-3910 | Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.75 allowed a remote attacker |
| 119 | CVE-2026-3909 | Out of bounds write in Skia in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to per |
Priority Distribution

| Priority | CVE | Description |
|---|---|---|
| 10 | CVE-2026-2642 | A security vulnerability has been detected in ggreer the_silver_searcher up to 2 |
| 10 | CVE-2025-52645 | HCL AION is affected by a vulnerability where model packaging and distribution m |
| 10 | CVE-2026-5236 | A vulnerability was identified in Axiomatic Bento4 up to 1.6.0-641. Affected is |
| 10 | CVE-2026-34850 | Race condition vulnerability in the notification service. Impact: Successful exp |
| 10 | CVE-2026-3383 | A weakness has been identified in ChaiScript up to 6.1.0. This affects the funct |
| 10 | CVE-2026-7269 | A vulnerability was found in SourceCodester Pharmacy Sales and Inventory System |
| 9 | CVE-2025-52636 | HCL AION is affected by a vulnerability related to the handling of upload size l |
| 9 | CVE-2025-52649 | HCL AION is affected by a vulnerability where certain identifiers may be predict |
| 9 | CVE-2026-41677 | The `*_from_pem_callback` APIs did not validate the length returned by the user' |
| 9 | CVE-2026-32766 | Impact: In versions 0.5.6 and earlier of astral-tokio-tar, malformed PAX exte |
| 9 | CVE-2026-32270 | Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through |
| 9 | CVE-2026-34743 | XZ Utils provide a general-purpose data-compression library plus command-line to |
| 9 | CVE-2026-27820 | zlib is a Ruby interface for the zlib compression/decompression library. Version |
| 9 | CVE-2026-40072 | web3.py allows you to interact with the Ethereum blockchain using Python. From 6 |
| 9 | CVE-2026-32236 | Backstage is an open framework for building developer portals. Prior to 0.27.1, |
| 9 | CVE-2026-34073 | Summary: In versions of cryptography prior to 46.0.5, DNS name constraints we |
| 9 | CVE-2025-61641 | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associate |
| 9 | CVE-2026-3706 | A vulnerability was determined in mkj Dropbear up to 2025.89. Impacted is the fu |
| 7 | CVE-2026-4395 | Heap-based buffer overflow in the KCAPI ECC code path of wc_ecc_import_x963_ex() |
| 7 | CVE-2026-3405 | A vulnerability has been found in thinkgem JeeSite up to 5.15.1. The affected el |
| 7 | CVE-2026-7085 | A vulnerability was determined in HBAI-Ltd Toonflow-app up to 1.1.1. This vulner |
| 7 | CVE-2025-61658 | Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associate |
| 7 | CVE-2026-7317 | A vulnerability was found in Grav CMS up to 1.7.49.5/2.0.0-beta.1. Affected by t |
| 7 | CVE-2026-2964 | A vulnerability was identified in higuma web-audio-recorder-js 0.1/0.1.1. Impact |
| 7 | CVE-2026-3465 | A vulnerability was determined in Tuya App and SDK 24.07.11 on Android. Affected |
| 7 | CVE-2026-41430 | Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subsc |
| 7 | CVE-2026-33402 | Sakai is a Collaboration and Learning Environment (CLE). In versions 23.0 throug |
| 7 | CVE-2026-28436 | Frappe is a full-stack web application framework. Prior to versions 16.11.0 and |
| 7 | CVE-2025-12141 | In Grafana's alerting system, users with edit permissions for a contact point, s |
| 7 | CVE-2026-33161 | Summary: A low-privileged authenticated user can call `assets/image-editor` |
| 7 | CVE-2026-33423 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-late |
| 7 | CVE-2026-3668 | A weakness has been identified in Freedom Factory dGEN1 up to 20260221. This aff |
| 7 | CVE-2026-2702 | A security flaw has been discovered in Beetel 777VR1 up to 01.00.09. This issue |
| 7 | CVE-2025-67476 | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associate |
| 7 | CVE-2026-4477 | A vulnerability was determined in Yi Technology YI Home Camera 2 2.1.1_201710241 |
| 6 | CVE-2026-3230 | Missing required cryptographic step in the TLS 1.3 client HelloRetryRequest hand |
| 6 | CVE-2026-33284 | GlobaLeaks is free and open-source whistleblowing software. Prior to version 5.0 |
| 6 | CVE-2025-61646 | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associate |
| 6 | CVE-2026-4159 | 1-byte OOB heap read in wc_PKCS7_DecodeEnvelopedData via zero-length encrypted c |
| 6 | CVE-2026-3229 | An integer overflow vulnerability existed in the static function wolfssl_add_to_ |
| 6 | CVE-2026-5473 | A vulnerability has been found in NASA cFS up to 7.0.0. The impacted element is |
| 6 | CVE-2026-4243 | A weakness has been identified in La Nacion App 10.2.25 on Android. This impacts |
| 6 | CVE-2026-2974 | A vulnerability was identified in AliasVault App up to 0.25.3 on Android/iOS. Th |
| 5 | CVE-2026-1735 | A weakness has been identified in Yealink MeetingBar A30 133.321.0.3. This issue |
| 5 | CVE-2026-34983 | Wasmtime is a runtime for WebAssembly. In 43.0.0, cloning a wasmtime::Linker is |
| 5 | CVE-2026-40319 | Summary: The RegexMatching check in the `giskard-checks` package passes a user |
| 5 | CVE-2025-62843 | An improper restriction of communication channel to intended endpoints vulnerabi |
| 3 | CVE-2026-41140 | Summary: The `extractall()` function in `src/poetry/utils/helpers.py:410-426 |
| 3 | CVE-2026-33525 | Impact: Official Weighted Severity Rating: Low. This exploit is very unl |
| 2 | CVE-2025-61647 | Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associate |
| 1 | CVE-2026-26220 | LightLLM version 1.1.0 and prior contain an unauthenticated remote code executio |
| 1 | CVE-2026-1723 | Improper Neutralization of Special Elements used in an OS Command ('OS Command I |
| 0 | CVE-2025-15579 | Deserialization of Untrusted Data vulnerability in OpenText™ Directory Services |
| 0 | CVE-2026-21665 | The Print Service component of Fiserv Originate Loans Peripherals (formerly Velo |
| 0 | CVE-2026-2464 | Path traversal vulnerability in the AMR Printer Management 1.01 Beta web service |
| 0 | CVE-2025-40697 | Reflected Cross-Site Scripting (XSS) vulnerability in '/index.php' in Lewe WebMe |
| 0 | CVE-2026-2584 | A critical SQL Injection (SQLi) vulnerability has been identified in the authent |
| 0 | CVE-2026-2742 | An authentication bypass vulnerability exists in Vaadin 14.0.0 through 14.14.0, |
| 0 | CVE-2026-2473 | Predictable bucket naming in Vertex AI Experiments in Google Cloud Vertex AI fro |
| 0 | CVE-2026-0542 | ServiceNow has addressed a remote code execution vulnerability that was identifi |
| 0 | CVE-2025-26385 | Johnson Controls Metasys component listed below have Improper Neutralization of |
| 0 | CVE-2026-23600 | A remote authentication bypass vulnerability exists in HPE AutoPass License S |
| 0 | CVE-2025-24293 | Active Storage allowed transformation methods potentially unsafe. Active Sto |
| 0 | CVE-2026-2731 | Path traversal and content injection in JobRunnerBackground.aspx in DynamicWeb 8 |
| 0 | CVE-2026-32843 | Location Aware Sensor System by Linkit ONE, up to commit f06bd20 (2023-04-26), c |
| 0 | CVE-2026-2472 | Stored Cross-Site Scripting (XSS) in the _genai/_evals_visualization component o |
| 0 | CVE-2026-1876 | Improper Resource Shutdown or Release vulnerability in Mitsubishi Electric Corpo |
| 0 | CVE-2026-2880 | A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication |
| 0 | CVE-2026-1523 | Path Traversal vulnerability in Digitek ADT1100 and Digitek DT950 from PRIMION D |
| 0 | CVE-2026-27830 | c3p0, a JDBC Connection pooling library, is vulnerable to attack via maliciously |
| 0 | CVE-2026-2274 | An SSRF and Arbitrary File Read vulnerability in AppSheet Core in Google AppSheet |
| 0 | CVE-2026-26215 | manga-image-translator version beta-0.3 and prior in shared API mode contains an |
| 0 | CVE-2025-67480 | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associate |
| 0 | CVE-2025-15568 | A command injection vulnerability was identified in the web module of Archer AXE |
| 0 | CVE-2026-26205 | opa-envoy-plugin is a plugin to enforce OPA policies with Envoy. Versions prior |
| 0 | CVE-2026-2247 | SQL injection vulnerability (SQLi) in Clicldeu SaaS, specifically in the generat |
| 0 | CVE-2026-28384 | An improper sanitization of the compression_algorithm parameter in Canonical LXD |
| 0 | CVE-2026-31900 | Black is the uncompromising Python code formatter. Black provides a GitHub actio |
| 0 | CVE-2025-15586 | OGP-Website installs prior git commit 52f865a4fba763594453068acf8fa9e3fc38d663 a |
| 0 | CVE-2025-65077 | A relative path traversal vulnerability has been identified in the Embedded Solu |
| 0 | CVE-2025-61652 | Vulnerability in Wikimedia Foundation DiscussionTools. This issue affects Discuss |
| 0 | CVE-2026-41144 | F´ (F Prime) is a framework that enables development and deployment of spaceflig |
| 0 | CVE-2025-15498 | Pro3W CMS is vulnerable to SQL injection attacks. Improper neutralization of inp |
| 0 | CVE-2026-29783 | The shell tool within GitHub Copilot CLI versions prior to and including 0.0.422 |
| 0 | CVE-2026-26063 | CediPay is a crypto-to-fiat app for the Ghanaian market. A vulnerability in Cedi |
| 0 | CVE-2025-52534 | Improper bound check within AMD CPU microcode can allow a malicious guest to wri |
| 0 | CVE-2026-1186 | EAP Legislator is vulnerable to Path Traversal in file extraction functionality. |
| 0 | CVE-2025-61653 | Vulnerability in Wikimedia Foundation TextExtracts. This vulnerability is associ |
| 0 | CVE-2026-1241 | The Pelco, Inc. Sarix Professional 3 Series Cameras are vulnerable to an authent |
| 0 | CVE-2025-41002 | SQL injection vulnerability in Infoticketing. This vulnerability allows an unau |
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 748d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2315d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2128d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1742d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2245d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4993d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1213d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1015d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3770d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 917d |