Total CVEs
16324
last 90 days
Avg Priority
36.7
of max 220
KEV
38
actively exploited
POC
3434
public exploits
Unpatched
5391
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
194
CVE-2026-24061
telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for t
185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
184
CVE-2026-23760
SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability
180
CVE-2025-40551
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil
170
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
164
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
160
CVE-2025-40536
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
Priority Distribution
| Priority | CVE |
|---|---|
| 56 |
CVE-2021-47842
StudyMD 0.3.2 contains a persistent cross-site scripting vulnerability that allo
|
| 56 |
CVE-2021-47840
Moeditor 0.2.0 contains a persistent cross-site scripting vulnerability that all
|
| 56 |
CVE-2021-47839
Marky 0.0.1 contains a persistent cross-site scripting vulnerability that allows
|
| 56 |
CVE-2021-47838
Markright 1.0 contains a persistent cross-site scripting vulnerability that allo
|
| 56 |
CVE-2021-47837
Markdownify 1.2.0 contains a persistent cross-site scripting vulnerability that
|
| 56 |
CVE-2021-47835
Freeter 1.2.1 contains a persistent cross-site scripting vulnerability that allo
|
| 56 |
CVE-2021-47857
Moodle 3.10.3 contains a persistent cross-site scripting vulnerability in the ca
|
| 56 |
CVE-2020-37072
Victor CMS 1.0 contains a stored cross-site scripting vulnerability in the 'comm
|
| 56 |
CVE-2026-27178
MajorDoMo (aka Major Domestic Module) contains a stored cross-site scripting (XS
|
| 56 |
CVE-2019-25405
Comodo Dome Firewall 2.7.0 contains a stored cross-site scripting vulnerability
|
| 56 |
CVE-2025-63910
An authenticated arbitrary file upload vulnerability in Cohesity TranZman Migrat
|
| 56 |
CVE-2019-25422
Comodo Dome Firewall 2.7.0 contains cross-site scripting vulnerabilities that al
|
| 56 |
CVE-2019-25379
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains stored and reflected cr
|
| 56 |
CVE-2026-26892
Sourcecodester Logistic Hub Parcel's Management System v1.0 is vulnerable to SQL
|
| 56 |
CVE-2015-20115
Next Click Ventures RealtyScript 4.0.2 fails to properly sanitize file uploads,
|
| 56 |
CVE-2025-63909
Incorrect access control in the component /opt/SRLtzm/bin/TapeDumper of Cohesity
|
| 56 |
CVE-2026-27177
MajorDoMo (aka Major Domestic Module) contains a stored cross-site scripting (XS
|
| 56 |
CVE-2026-1540
The Spam Protect for Contact Form 7 WordPress plugin before 1.2.10 allows loggin
|
| 56 |
CVE-2019-25394
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple stored cross-s
|
| 56 |
CVE-2019-25395
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple stored cross-s
|
| 56 |
CVE-2026-23723
WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an authentic
|
| 56 |
CVE-2026-24403
iccDEV provides libraries and tools for interacting with, manipulating, and appl
|
| 56 |
CVE-2026-24411
iccDEV provides libraries and tools for interacting with, manipulating, and appl
|
| 56 |
CVE-2026-24407
iccDEV provides libraries and tools for interacting with, manipulating, and appl
|
| 56 |
CVE-2026-24410
iccDEV provides libraries and tools for interacting with, manipulating, and appl
|
| 56 |
CVE-2026-24409
iccDEV provides libraries and tools for interacting with, manipulating, and appl
|
| 56 |
CVE-2026-24404
iccDEV provides libraries and tools for interacting with, manipulating, and appl
|
| 56 |
CVE-2026-25927
OpenEMR is a free and open source electronic health records and medical practice
|
| 56 |
CVE-2026-25147
OpenEMR is a free and open source electronic health records and medical practice
|
| 56 |
CVE-2018-25162
2-Plan Team 1.0.4 contains an arbitrary file upload vulnerability that allows au
|
| 56 |
CVE-2019-25503
PHPads 2.0 contains an SQL injection vulnerability that allows unauthenticated a
|
| 56 |
CVE-2026-24835
Podman Desktop is a graphical tool for developing on containers and Kubernetes.
|
| 56 |
CVE-2026-23986
Copier is a library and CLI app for rendering project templates. Prior to versio
|
| 56 |
CVE-2020-37112
GUnet OpenEclass 1.7.3 contains multiple SQL injection vulnerabilities that allo
|
| 56 |
CVE-2026-25503
iccDEV provides a set of libraries and tools that allow for the interaction, man
|
| 56 |
CVE-2020-37108
PhpIX 2012 Professional contains a SQL injection vulnerability in the 'id' param
|
| 56 |
CVE-2026-31829
Flowise is a drag & drop user interface to build a customized large language mod
|
| 56 |
CVE-2026-26721
An issue in Key Systems Inc Global Facilities Management Software v.20230721a al
|
| 56 |
CVE-2026-29778
pyLoad is a free and open-source download manager written in Python. From versio
|
| 56 |
CVE-2026-5741
A weakness has been identified in suvarchal docker-mcp-server up to 0.1.0. The i
|
| 56 |
CVE-2026-5012
A flaw has been found in elecV2 elecV2P up to 3.8.3. This issue affects the func
|
| 56 |
CVE-2025-64427
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 syst
|
| 56 |
CVE-2026-24902
TrustTunnel is an open-source VPN protocol with a server-side request forgery an
|
| 56 |
CVE-2021-47872
SEO Panel versions prior to 4.9.0 contain a blind SQL injection vulnerability in
|
| 56 |
CVE-2025-52469
Chamilo is a learning management system. Prior to version 1.11.30, a logic vulne
|
| 56 |
CVE-2020-37005
TimeClock Software 1.01 contains an authenticated time-based SQL injection vulne
|
| 56 |
CVE-2020-37105
PMB 5.6 contains a SQL injection vulnerability in the administration download sc
|
| 56 |
CVE-2025-66680
An issue in the WiseDelfile64.sys component of WiseCleaner Wise Force Deleter 7.
|
| 56 |
CVE-2019-25303
TheJshen ContentManagementSystem 1.04 contains a SQL injection vulnerability tha
|
| 56 |
CVE-2019-25299
RimbaLinux AhadPOS 1.11 contains a SQL injection vulnerability in the 'alamatCus
|
| 56 |
CVE-2019-25300
thejshen Globitek CMS 1.4 contains a SQL injection vulnerability that allows att
|
| 56 |
CVE-2020-37081
Fishing Reservation System 7.5 contains multiple remote SQL injection vulnerabil
|
| 56 |
CVE-2026-27638
Actual is a local-first personal finance tool. Prior to version 26.2.1, in multi
|
| 56 |
CVE-2018-25180
Maitra 1.7.2 contains an sql injection vulnerability that allows authenticated a
|
| 56 |
CVE-2018-25191
Facturation System 1.0 contains an SQL injection vulnerability that allows authe
|
| 56 |
CVE-2018-25165
Galaxy Forces MMORPG 0.5.8 contains an SQL injection vulnerability that allows a
|
| 56 |
CVE-2019-25505
Tradebox 5.4 contains an SQL injection vulnerability that allows authenticated a
|
| 56 |
CVE-2026-22249
Docmost is an open-source collaborative wiki and documentation software. From 0.
|
| 56 |
CVE-2025-68930
Versions of the Traccar open-source GPS tracking system up to and including 6.11
|
| 56 |
CVE-2019-25473
Clinic Pro contains a SQL injection vulnerability that allows authenticated atta
|
| 56 |
CVE-2019-25529
Placeto CMS Alpha rv.4 contains an SQL injection vulnerability that allows authe
|
| 56 |
CVE-2020-37154
eLection 2.0 contains an authenticated SQL injection vulnerability in the candid
|
| 56 |
CVE-2026-25126
PolarLearn is a free and open-source learning program. Prior to version 0-PREREL
|
| 56 |
CVE-2026-24060
Service information is not encrypted when transmitted as BACnet packets
over th
|
| 56 |
CVE-2026-24779
vLLM is an inference and serving engine for large language models (LLMs). Prior
|
| 56 |
CVE-2020-36947
LibreNMS 1.46 contains an authenticated SQL injection vulnerability in the MAC a
|
| 56 |
CVE-2026-26960
node-tar is a full-featured Tar for Node.js. When using default options in versi
|
| 56 |
CVE-2026-27692
iccDEV provides a set of libraries and tools for working with ICC color manageme
|
| 56 |
CVE-2020-37053
Navigate CMS 2.8.7 contains an authenticated SQL injection vulnerability that al
|
| 56 |
CVE-2026-28512
Pocket ID is an OIDC provider that allows users to authenticate with their passk
|
| 56 |
CVE-2020-37147
ATutor 2.2.4 contains a SQL injection vulnerability in the admin user deletion p
|
| 56 |
CVE-2026-24049
wheel is a command line tool for manipulating Python wheel files, as defined in
|
| 56 |
CVE-2026-27967
Zed, a code editor, has a symlink escape vulnerability in versions prior to 0.22
|
| 56 |
CVE-2026-2103
Infor SyteLine ERP uses hard-coded static cryptographic keys to encrypt stored c
|
| 56 |
CVE-2025-36911
In key-based pairing, there is a possible ID due to a logic error in the code. T
|
| 56 |
CVE-2026-0810
A flaw was found in gix-date. The `gix_date::parse::TimeBuf::as_str` function ca
|
| 55 |
CVE-2026-6130
A flaw has been found in chatboxai chatbox up to 1.20.0. This impacts the functi
|
| 55 |
CVE-2026-5973
A vulnerability was found in FoundationAgents MetaGPT up to 0.8.1. Impacted is t
|
| 55 |
CVE-2026-5972
A vulnerability has been found in FoundationAgents MetaGPT up to 0.8.1. This iss
|
| 55 |
CVE-2026-5333
A security flaw has been discovered in DefaultFuction Content-Management-System
|
| 55 |
CVE-2026-4499
A vulnerability was determined in D-Link DIR-820LW 2.03. Affected is the functio
|
| 55 |
CVE-2026-2256
A command injection vulnerability in ModelScope's ms-agent versions v1.6.0rc1 an
|
| 55 |
CVE-2026-34156
`##` Summary
NocoBase's Workflow Script Node executes user-supplied JavaScript
|
| 55 |
CVE-2026-6129
A vulnerability was detected in zhayujie chatgpt-on-wechat CowAgent up to 2.0.4.
|
| 55 |
CVE-2026-5258
A vulnerability was found in Sanster IOPaint 1.5.3. Impacted is the function _ge
|
| 55 |
CVE-2026-5841
A weakness has been identified in Tenda i3 1.0.0.6(2204). The affected element i
|
| 55 |
CVE-2026-5849
A vulnerability was determined in Tenda i12 1.0.0.11(3862). The impacted element
|
| 55 |
CVE-2026-5570
A vulnerability was determined in Technostrobe HI-LED-WR120-G2 5.5.0.1R6.03.30.
|
| 55 |
CVE-2026-5320
A vulnerability was detected in vanna-ai vanna up to 2.0.2. Affected by this vul
|
| 55 |
CVE-2026-4998
A weakness has been identified in Sinaptik AI PandasAI up to 3.0.0. This vulnera
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 733d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2301d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2114d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1727d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2231d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4978d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1199d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1000d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3755d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 902d |