Total CVEs
17716
last 90 days
Avg Priority
34.3
of max 220
KEV
31
actively exploited
POC
2291
public exploits
Unpatched
3560
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
136
CVE-2026-0300
A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service o
133
CVE-2026-41940
cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, an
131
CVE-2026-6973
An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows
131
CVE-2026-42897
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Ex
129
CVE-2026-33825
Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to el
127
CVE-2026-20182
May 2026: This security advisory provides the details and fix information for a vulnerability that w
126
CVE-2026-41091
Improper link resolution before file access ('link following') in Microsoft Defender allows an autho
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
120
CVE-2026-48172
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exp
Priority Distribution
| Priority | CVE |
|---|---|
| 69 |
CVE-2025-70237
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime para
|
| 69 |
CVE-2025-70241
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime para
|
| 69 |
CVE-2025-70240
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime para
|
| 69 |
CVE-2025-70239
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime para
|
| 69 |
CVE-2025-70234
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime para
|
| 69 |
CVE-2026-4183
A security vulnerability has been detected in D-Link DIR-816 1.10CNB05. Affected
|
| 69 |
CVE-2026-4184
A vulnerability was detected in D-Link DIR-816 1.10CNB05. Affected by this vulne
|
| 69 |
CVE-2026-31072
The JSONSerializer and CBORSerializer in APScheduler (all versions including 3.1
|
| 69 |
CVE-2026-4182
A weakness has been identified in D-Link DIR-816 1.10CNB05. This impacts an unkn
|
| 69 |
CVE-2026-45185
Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable u
|
| 69 |
CVE-2026-28408
WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, the
|
| 69 |
CVE-2025-66678
An issue in the HwRwDrv.sys component of Nil Hardware Editor Hardware Read & Wri
|
| 69 |
CVE-2026-24115
An issue was discovered in Tenda W20E V4.0br_V15.11.0.6. Failure to validate the
|
| 69 |
CVE-2026-24114
An issue was discovered in Tenda W20E V4.0br_V15.11.0.6. Failure to validate `pP
|
| 69 |
CVE-2026-24113
An issue was discovered in Tenda W20E V4.0br_V15.11.0.6. Attackers may exploit t
|
| 69 |
CVE-2026-24111
An issue was discovered in Tenda W20E V4.0br_V15.11.0.6. Attackers may exploit t
|
| 69 |
CVE-2026-24103
A buffer overflow vulnerability was discovered in goform/formSetMacFilterCfg in
|
| 69 |
CVE-2026-24109
An issue was discovered in Tenda W20E V4.0br_V15.11.0.6. Attackers may exploit t
|
| 69 |
CVE-2026-24108
An issue was discovered in Tenda W20E V4.0br_V15.11.0.6. Attackers may exploit t
|
| 69 |
CVE-2026-24112
An issue was discovered in Tenda W20E V4.0br_V15.11.0.6. Attackers may exploit t
|
| 69 |
CVE-2026-24110
An issue was discovered in Tenda W20E V4.0br_V15.11.0.6. Attackers may send over
|
| 69 |
CVE-2026-33032
### Summary
The nginx-ui MCP (Model Context Protocol) integration exposes two HT
|
| 69 |
CVE-2026-21992
Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware
|
| 69 |
CVE-2026-32760
## Summary
Any unauthenticated visitor can register a full administrator account
|
| 69 |
CVE-2026-26703
sourcecodester Personnel Property Equipment System v1.0 is vulnerable to SQL Inj
|
| 69 |
CVE-2026-26702
sourcecodester Personnel Property Equipment System v1.0 is vulnerable to SQL Inj
|
| 69 |
CVE-2026-26696
code-projects Simple Student Alumni System v1.0 is vulnerable to SQL Injection i
|
| 69 |
CVE-2026-26695
code-projects Simple Student Alumni System v1.0 is vulnerable to SQL Injection i
|
| 69 |
CVE-2026-26694
code-projects Simple Student Alumni System v1.0 is vulnerale to SQL Injection in
|
| 69 |
CVE-2026-26713
code-projects Simple Food Order System v1.0 is vulnerable to SQL Injection in /f
|
| 69 |
CVE-2026-26712
code-projects Simple Food Order System v1.0 is vulnerable to SQL Injection in /f
|
| 69 |
CVE-2026-26711
code-projects Simple Food Order System v1.0 is vulnerable to SQL Injection in /f
|
| 69 |
CVE-2026-26710
code-projects Simple Food Order System v1.0 is vulnerable to SQL Injection in /f
|
| 69 |
CVE-2026-26709
code-projects Simple Gym Management System v1.0 is vulnerable to SQL Injection i
|
| 69 |
CVE-2026-26707
sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection
|
| 69 |
CVE-2026-26706
sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection
|
| 69 |
CVE-2026-26705
sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection
|
| 69 |
CVE-2026-26704
sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection
|
| 69 |
CVE-2026-26708
sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection
|
| 69 |
CVE-2026-26700
sourcecodester Personnel Property Equipment System v1.0 is vulnerable to SQL Inj
|
| 69 |
CVE-2026-26701
sourcecodester Personnel Property Equipment System v1.0 is vulnerable to SQL Inj
|
| 69 |
CVE-2025-70821
renren-secuity before v5.5.0 is vulnerable to SQL Injection in the BaseServiceIm
|
| 69 |
CVE-2025-50192
Chamilo is a learning management system. Prior to version 1.11.30, there is a ti
|
| 69 |
CVE-2025-50190
Chamilo is a learning management system. Prior to version 1.11.30, there is an e
|
| 69 |
CVE-2026-30532
A SQL Injection vulnerability exists in SourceCodester Online Food Ordering Syst
|
| 69 |
CVE-2026-30533
A SQL Injection vulnerability exists in SourceCodester Online Food Ordering Syst
|
| 69 |
CVE-2026-27012
OpenSTAManager is an open source management software for technical assistance an
|
| 69 |
CVE-2026-28802
Authlib is a Python library which builds OAuth and OpenID Connect servers. From
|
| 69 |
CVE-2026-30824
Flowise is a drag & drop user interface to build a customized large language mod
|
| 69 |
CVE-2026-30530
A SQL Injection vulnerability exists in SourceCodester Online Food Ordering Syst
|
| 68 |
CVE-2026-28792
Tina is a headless content management system. Prior to 2.1.8 , the TinaCMS CLI d
|
| 68 |
CVE-2026-28495
GetSimple CMS is a content management system. The massiveAdmin plugin (v6.0.3) b
|
| 68 |
CVE-2026-25146
OpenEMR is a free and open source electronic health records and medical practice
|
| 68 |
CVE-2025-69969
A lack of authentication and authorization mechanisms in the Bluetooth Low Energ
|
| 68 |
CVE-2026-34205
Home Assistant is open source home automation software that puts local control a
|
| 68 |
CVE-2026-6722
Pre-NVD disclosure via GitHub release 'PHP 8.2.31' (php/php-src). The PHP develo
|
| 68 |
CVE-2026-28446
OpenClaw versions prior to 2026.2.1 with the voice-call extension installed and
|
| 67 |
CVE-2026-33696
n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.
|
| 67 |
CVE-2026-41922
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command in
|
| 67 |
CVE-2026-43944
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ft
|
| 67 |
CVE-2026-33660
n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.
|
| 67 |
CVE-2026-28517
openDCIM version 23.04, through commit 4467e9c4, contains an OS command injectio
|
| 67 |
CVE-2026-23696
Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vul
|
| 67 |
CVE-2026-1678
dns_unpack_name() caches the buffer tailroom once and reuses it while appending
|
| 67 |
CVE-2026-41242
protobufjs compiles protobuf definitions into JavaScript (JS) functions. In vers
|
| 67 |
CVE-2026-33579
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /
|
| 67 |
CVE-2026-41923
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command in
|
| 67 |
CVE-2025-71284
Synway SMG Gateway Management Software contains an OS command injection vulnerab
|
| 67 |
CVE-2025-71275
A critical security vulnerability exists in Zimbra Collaboration Suite (ZCS) Pos
|
| 67 |
CVE-2026-41925
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command in
|
| 67 |
CVE-2026-41926
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command in
|
| 67 |
CVE-2026-22679
Weaver (Fanwei) E-cology 10.0 versions prior to 20260312 contain an unauthentica
|
| 67 |
CVE-2026-6942
radare2-mcp version 1.6.0 and earlier contains an os command injection vulnerabi
|
| 67 |
CVE-2026-35022
Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection v
|
| 67 |
CVE-2026-29014
MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injec
|
| 67 |
CVE-2019-25468
NetGain EM Plus 10.1.68 contains a remote code execution vulnerability that allo
|
| 67 |
CVE-2026-41924
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command in
|
| 67 |
CVE-2026-23751
Kofax Capture, now referred to as Tungsten Capture, version 6.0.0.0 (other versi
|
| 67 |
CVE-2019-25471
FileThingie 2.5.7 contains an arbitrary file upload vulnerability that allows at
|
| 67 |
CVE-2019-25487
SAPIDO RB-1732 V2.0.43 contains a remote command execution vulnerability that al
|
| 67 |
CVE-2016-20026
ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache To
|
| 67 |
CVE-2026-29000
pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3 contain an authentication by
|
| 67 |
CVE-2026-44643
Angular Expressions provides expressions for the Angular.JS web framework as a s
|
| 67 |
CVE-2016-20049
JAD 1.5.8e-1kali1 and prior contains a stack-based buffer overflow vulnerability
|
| 67 |
CVE-2018-25159
Epross AVCON6 systems management platform contains an object-graph navigation la
|
| 67 |
CVE-2016-20024
ZKTeco ZKTime.Net 3.0.1.6 contains an insecure file permissions vulnerability th
|
| 67 |
CVE-2016-20030
ZKTeco ZKBioSecurity 3.0 contains a user enumeration vulnerability that allows u
|
| 67 |
CVE-2026-41948
Dify version 1.14.1 and prior contain a path traversal vulnerability that allows
|
| 67 |
CVE-2017-20223
Telesquare SKT LTE Router SDT-CS3B1 firmware version 1.2.0 contains an insecure
|
| 67 |
CVE-2019-25568
Memu Play 6.0.7 contains an insecure file permissions vulnerability that allows
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 776d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2344d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2157d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1771d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2274d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 5021d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1242d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1044d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3798d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 946d |