Total CVEs
16576
last 90 days
Avg Priority
35.8
of max 220
KEV
35
actively exploited
POC
3153
public exploits
Unpatched
4121
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
129
CVE-2026-33825
Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to el
124
CVE-2026-21643
An improper neutralization of special elements used in an sql command ('sql injection') vulnerabilit
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-39987
## Summary
Marimo (19.6k stars) has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint `
119
CVE-2026-3910
Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.75 allowed a remote attacker
119
CVE-2026-3909
Out of bounds write in Skia in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to per
Priority Distribution
| Priority | CVE |
|---|---|
| 0 |
CVE-2025-61648
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site
|
| 0 |
CVE-2026-2337
A vulnerability in Plunet Plunet BusinessManager allows session hijacking, data
|
| 0 |
CVE-2025-61644
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site
|
| 0 |
CVE-2025-61650
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site
|
| 0 |
CVE-2025-61651
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site
|
| 0 |
CVE-2025-11004
The Simplicity Device Manager Tool has a Reflected XSS (Cross-site-scripting) vu
|
| 0 |
CVE-2026-28355
Canarytokens help track activity and actions on a network. Versions prior to `sh
|
| 0 |
CVE-2026-27701
LiveCode is an open-source, client-side code playground. Prior to commit e151c64
|
| 0 |
CVE-2026-1301
In builds with PubSub and JSON enabled, a crafted JSON message can cause the dec
|
| 0 |
CVE-2025-61649
Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associate
|
| 0 |
CVE-2026-1788
: Out-of-bounds Write vulnerability in Xquic Project Xquic Server xquic on Linux
|
| 0 |
CVE-2025-41085
Stored Cross-Site Scripting (XSS) vulnerability type in Apidog in the version 2
|
| 0 |
CVE-2025-41065
Stored Cross-Site Scripting (XSS) vulnerability type in LUNA software v7.5.5.6.
|
| 0 |
CVE-2026-1727
The Agentspace service was affected by a vulnerability that exposed sensitive in
|
| 0 |
CVE-2025-7964
After receiving a
malformed 802.15.4 MAC Data Request
the Zigbee Coordinator
|
| 0 |
CVE-2026-31976
xygeni-action is the GitHub Action for Xygeni Scanner. On March 3, 2026, an atta
|
| 0 |
CVE-2025-66600
A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corpo
|
| 0 |
CVE-2025-65080
A type confusion vulnerability has been identified in the Postscript interpreter
|
| 0 |
CVE-2025-14340
Cross-site scripting in REST Management Interface in Payara Server <4.1.2.191.54
|
| 0 |
CVE-2025-15497
Insufficient epoch key slot processing in OpenVPN 2.7_alpha1 through 2.7_rc5 all
|
| 0 |
CVE-2026-0620
When configured as L2TP/IPSec VPN server, Archer AXE75 V1 may accept connections
|
| 0 |
CVE-2026-29522
ZwickRoell Test Data Management versions prior to 3.0.8 contain a local file inc
|
| 0 |
CVE-2025-62183
Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-site
|
| 0 |
CVE-2026-0873
On a Cryptobox platform where administrator segregation based on entities is use
|
| 0 |
CVE-2026-2741
Specially crafted ZIP archives can escape the intended extraction directory duri
|
| 0 |
CVE-2026-3304
Multer is a node.js middleware for handling `multipart/form-data`. A vulnerabili
|
| 0 |
CVE-2025-66599
A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corpo
|
| 0 |
CVE-2026-2359
Multer is a node.js middleware for handling `multipart/form-data`. A vulnerabili
|
| 0 |
CVE-2026-27739
The Angular SSR is a server-rise rendering tool for Angular applications. Versio
|
| 0 |
CVE-2026-27738
The Angular SSR is a server-rise rendering tool for Angular applications. An Ope
|
| 0 |
CVE-2026-26957
Libredesk is a self-hosted customer support desk application. Versions prior to
|
| 0 |
CVE-2025-14547
An integer underflow vulnerability is present in Silicon Lab’s implementation of
|
| 0 |
CVE-2026-2344
A vulnerability in Plunet Plunet BusinessManager allows unauthorized actions bei
|
| 0 |
CVE-2026-26958
filippo.io/edwards25519 is a Go library implementing the edwards25519 elliptic c
|
| 0 |
CVE-2026-24044
Element Server Suite Community Edition (ESS Community) deploys a Matrix stack us
|
| 0 |
CVE-2025-61656
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site
|
| 0 |
CVE-2026-1842
HyperCloud versions 2.3.5 through 2.6.8 improperly allowed refresh tokens to be
|
| 0 |
CVE-2026-32728
### Impact
An attacker who is allowed to upload files can bypass the file exten
|
| 0 |
CVE-2025-65079
A heap-based buffer overflow vulnerability has been identified in the Postscript
|
| 0 |
CVE-2025-71197
In the Linux kernel, the following vulnerability has been resolved:
w1: therm:
|
| 0 |
CVE-2025-65081
An out-of-bounds read vulnerability has been identified in the Postscript interp
|
| 0 |
CVE-2026-32232
ZeptoClaw is a personal AI assistant. Prior to 0.7.6, there is a Dangling Symlin
|
| 0 |
CVE-2026-1471
Excessive caching of authentication context in Neo4j Enterprise edition versions
|
| 0 |
CVE-2026-23741
Asterisk is an open source private branch exchange and telephony toolkit. Prior
|
| 0 |
CVE-2026-0619
A reachable infinite loop via an integer wraparound is present in Silicon Labs'
|
| 0 |
CVE-2026-3206
Improper Resource Shutdown or Release vulnerability in KrakenD, SLU KrakenD-CE (
|
| 0 |
CVE-2026-2513
A vulnerability exists in Progress Flowmon ADS versions prior to 12.5.5 and 13.0
|
| 0 |
CVE-2026-0689
In ExtremeCloud IQ - Site Engine (XIQ‑SE) before 26.2.10, a vulnerability in the
|
| 0 |
CVE-2026-27887
Spin is an open source developer tool for building and running serverless applic
|
| 0 |
CVE-2025-52533
Improper Access Control in an on-chip debug interface could allow a privileged a
|
| 0 |
CVE-2023-31364
Improper handling of direct memory writes in the input-output memory management
|
| 0 |
CVE-2026-2244
A vulnerability in Google Cloud Vertex AI Workbench from 7/21/2025 to 01/30/2026
|
| 0 |
CVE-2026-23279
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80
|
| 0 |
CVE-2025-61655
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site
|
| 0 |
CVE-2025-61657
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site
|
| 0 |
CVE-2026-1524
An edgecase in SSO implementation in Neo4j Enterprise edition versions prior to
|
| 0 |
CVE-2026-32878
### Impact
An attacker can bypass the default request keyword denylist protecti
|
| 0 |
CVE-2026-24095
Improper permission enforcement in Checkmk versions 2.4.0 before 2.4.0p21, 2.3.0
|
| 0 |
CVE-2026-3862
Cross-site Scripting (XSS) allows an attacker to submit specially crafted data t
|
| 0 |
CVE-2026-27759
Featured Image from Content (featured-image-from-content) WordPress plugin versi
|
| 0 |
CVE-2026-32886
### Impact
Remote clients can crash the Parse Server process by calling a cloud
|
| 0 |
CVE-2026-23037
In the Linux kernel, the following vulnerability has been resolved:
can: etas_e
|
| 0 |
CVE-2026-31887
Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insuff
|
| 0 |
CVE-2025-13462
The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks t
|
| 0 |
CVE-2026-30916
Shescape is a simple shell escape library for JavaScript. Prior to 2.1.9, an att
|
| 0 |
CVE-2026-33042
### Impact
A user can sign up without providing credentials by sending an empty
|
| 0 |
CVE-2026-1497
Incorrect resolving of namespaces in composite databases in Neo4j Enterprise edi
|
| 0 |
CVE-2026-23694
Aruba HiSpeed Cache (aruba-hispeed-cache) WordPress plugin versions prior to 3.0
|
| 0 |
CVE-2025-71196
In the Linux kernel, the following vulnerability has been resolved:
phy: stm32-
|
| 0 |
CVE-2026-1770
Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter
|
| 0 |
CVE-2026-23033
In the Linux kernel, the following vulnerability has been resolved:
dmaengine:
|
| 0 |
CVE-2026-23058
In the Linux kernel, the following vulnerability has been resolved:
can: ems_us
|
| 0 |
CVE-2026-23056
In the Linux kernel, the following vulnerability has been resolved:
uacce: impl
|
| 0 |
CVE-2026-23049
In the Linux kernel, the following vulnerability has been resolved:
drm/panel-s
|
| 0 |
CVE-2025-9120
Improper Control of Generation of Code ('Code Injection') vulnerability in OpenT
|
| 0 |
CVE-2025-71199
In the Linux kernel, the following vulnerability has been resolved:
iio: adc: a
|
| 0 |
CVE-2026-23101
In the Linux kernel, the following vulnerability has been resolved:
leds: led-c
|
| 0 |
CVE-2026-23925
An authenticated Zabbix user (User role) with template/host write permissions is
|
| 0 |
CVE-2025-71194
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix
|
| 0 |
CVE-2026-23047
In the Linux kernel, the following vulnerability has been resolved:
libceph: ma
|
| 0 |
CVE-2026-2409
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injecti
|
| 0 |
CVE-2026-1198
SIMPLE.ERP is vulnerable to the SQL Injection in search functionality in "Obroty
|
| 0 |
CVE-2025-15581
Orthanc versions before 1.12.10 are affected by an authorisation logic flaw in t
|
| 0 |
CVE-2025-15585
Fileflows versions before 25.05.2 are affected by an authenticated SQL injection
|
| 0 |
CVE-2025-59920
When hours are entered in time@work, version 7.0.5, it performs a query to displ
|
| 0 |
CVE-2025-67484
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associate
|
| 0 |
CVE-2025-71239
In the Linux kernel, the following vulnerability has been resolved:
audit: add
|
| 0 |
CVE-2026-23241
In the Linux kernel, the following vulnerability has been resolved:
audit: add
|
| 0 |
CVE-2026-23182
In the Linux kernel, the following vulnerability has been resolved:
spi: tegra:
|
| 0 |
CVE-2026-23176
In the Linux kernel, the following vulnerability has been resolved:
platform/x8
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 748d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2315d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2128d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1742d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2245d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4993d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1214d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1015d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3770d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 917d |