Total CVEs
16278
last 90 days
Avg Priority
36.7
of max 220
KEV
39
actively exploited
POC
3350
public exploits
Unpatched
4768
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
194
CVE-2026-24061
telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for t
185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
184
CVE-2026-23760
SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability
180
CVE-2025-40551
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil
170
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
164
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
160
CVE-2025-40536
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
Priority Distribution
| Priority | CVE |
|---|---|
| 33 |
CVE-2026-22353
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 33 |
CVE-2026-22347
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 33 |
CVE-2026-32081
Exposure of sensitive information to an unauthorized actor in Windows File Explo
|
| 33 |
CVE-2026-32085
Exposure of sensitive information to an unauthorized actor in Windows Remote Pro
|
| 33 |
CVE-2026-33459
Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of serv
|
| 33 |
CVE-2026-24439
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) f
|
| 33 |
CVE-2025-68046
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulne
|
| 33 |
CVE-2025-68006
Insertion of Sensitive Information Into Sent Data vulnerability in Deetronix Boo
|
| 33 |
CVE-2025-67954
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulne
|
| 33 |
CVE-2026-33541
TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Sa
|
| 33 |
CVE-2026-0622
Open 5GS WebUI uses a hard-coded JWT signing key (change-me) whenever the enviro
|
| 33 |
CVE-2026-24944
Missing Authorization vulnerability in weDevs Subscribe2 subscribe2 allows Explo
|
| 33 |
CVE-2026-3138
The Product Filter for WooCommerce by WBW plugin for WordPress is vulnerable to
|
| 33 |
CVE-2025-65017
Decidim is a participatory democracy framework. In versions from 0.30.0 to befor
|
| 33 |
CVE-2025-41754
A low-privileged remote attacker can exploit the ubr-editfile method in wwwubr.c
|
| 33 |
CVE-2026-4004
The Task Manager plugin for WordPress is vulnerable to arbitrary shortcode execu
|
| 33 |
CVE-2026-27397
Authorization Bypass Through User-Controlled Key vulnerability in Really Simple
|
| 33 |
CVE-2026-23964
Mastodon is a free, open-source social network server based on ActivityPub. Prio
|
| 33 |
CVE-2026-1671
The Activity Log for WordPress plugin for WordPress is vulnerable to unauthorize
|
| 33 |
CVE-2026-20636
The issue was addressed with improved memory handling. This issue is fixed in iO
|
| 33 |
CVE-2026-2845
An issue has been discovered in GitLab CE/EE affecting all versions from 11.2 be
|
| 33 |
CVE-2025-27555
Airflow versions before 2.11.1 have a vulnerability that allows authenticated us
|
| 33 |
CVE-2025-62854
An uncontrolled resource consumption vulnerability has been reported to affect F
|
| 33 |
CVE-2025-57708
An allocation of resources without limits or throttling vulnerability has been r
|
| 33 |
CVE-2025-54148
A NULL pointer dereference vulnerability has been reported to affect Qsync Centr
|
| 33 |
CVE-2025-54146
A NULL pointer dereference vulnerability has been reported to affect Qsync Centr
|
| 33 |
CVE-2025-54147
A NULL pointer dereference vulnerability has been reported to affect Qsync Centr
|
| 33 |
CVE-2025-53598
A NULL pointer dereference vulnerability has been reported to affect Qsync Centr
|
| 33 |
CVE-2026-1387
GitLab has remediated an issue in GitLab EE affecting all versions from 15.6 bef
|
| 33 |
CVE-2025-69218
Discourse is an open source discussion platform. In versions prior to 3.5.4, 202
|
| 33 |
CVE-2026-35594
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0,
|
| 33 |
CVE-2026-25729
DeepAudit is a multi-agent system for code vulnerability discovery. In 3.0.4 and
|
| 33 |
CVE-2026-1504
Inappropriate implementation in Background Fetch API in Google Chrome prior to 1
|
| 33 |
CVE-2025-69315
Missing Authorization vulnerability in NSquared Simply Schedule Appointments sim
|
| 33 |
CVE-2025-69095
Missing Authorization vulnerability in designthemes Reservation Plugin dt-reserv
|
| 33 |
CVE-2025-68507
Missing Authorization vulnerability in Icegram Icegram icegram allows Exploiting
|
| 33 |
CVE-2026-33428
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-late
|
| 33 |
CVE-2025-68072
Missing Authorization vulnerability in Merv Barrett Easy Property Listings easy-
|
| 33 |
CVE-2025-68039
Missing Authorization vulnerability in Chris Simmons WP BackItUp wp-backitup all
|
| 33 |
CVE-2025-68020
Missing Authorization vulnerability in WANotifier WANotifier notifier allows Exp
|
| 33 |
CVE-2025-68016
Missing Authorization vulnerability in Onepay Sri Lanka onepay Payment Gateway F
|
| 33 |
CVE-2026-32108
Copyparty is a portable file server. Prior to 1.20.12, there was a missing permi
|
| 33 |
CVE-2025-68009
Missing Authorization vulnerability in Codeless Slider Templates slider-template
|
| 33 |
CVE-2026-34531
## Summary
In a situation where the client makes a request to a token protected
|
| 33 |
CVE-2025-68007
Missing Authorization vulnerability in Event Espresso Event Espresso 4 Decaf eve
|
| 33 |
CVE-2026-1781
The MC4WP: Mailchimp for WordPress plugin for WordPress is vulnerable to Missing
|
| 33 |
CVE-2025-68003
Missing Authorization vulnerability in renatoatshown Shown Connector shown-conne
|
| 33 |
CVE-2025-67942
Missing Authorization vulnerability in peachpayments Peach Payments Gateway wc-p
|
| 33 |
CVE-2026-22191
wpDiscuz before 7.6.47 contains a shortcode injection vulnerability that allows
|
| 33 |
CVE-2025-12773
A vulnerability in update-reports-purge-settings.sh script logging for Brocade S
|
| 33 |
CVE-2026-5025
The '/logs' and '/logs-stream' endpoints in the log router allow any authenticat
|
| 33 |
CVE-2024-43766
In multiple functions of btm_ble_sec.cc, there is a possible unencrypted communi
|
| 33 |
CVE-2026-23984
An Improper Input Validation vulnerability exists in Apache Superset that allows
|
| 33 |
CVE-2026-2303
The mongo-go-driver repository contains CGo bindings for GSSAPI (Kerberos) authe
|
| 33 |
CVE-2026-2369
A flaw was found in libsoup. An integer underflow vulnerability occurs when proc
|
| 33 |
CVE-2026-21865
Discourse is an open source discussion platform. In versions prior to 3.5.4, 202
|
| 33 |
CVE-2026-22922
Apache Airflow versions 3.1.0 through 3.1.6 contain an authorization flaw that c
|
| 33 |
CVE-2026-24401
Avahi is a system which facilitates service discovery on a local network via the
|
| 33 |
CVE-2026-28480
OpenClaw versions prior to 2026.2.14 contain an authorization bypass vulnerabili
|
| 33 |
CVE-2026-24957
Missing Authorization vulnerability in WP Chill Strong Testimonials strong-testi
|
| 33 |
CVE-2025-13867
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 through
|
| 33 |
CVE-2026-2452
Emails sent by pretix can utilize placeholders that will be filled with customer
|
| 33 |
CVE-2026-24616
Missing Authorization vulnerability in Damian WP Popups wp-popups-lite allows Ex
|
| 33 |
CVE-2026-1651
The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to S
|
| 33 |
CVE-2025-15574
When connecting to the Solax Cloud MQTT server the username is the "registration
|
| 33 |
CVE-2026-24585
Missing Authorization vulnerability in Hyyan Abo Fakher Hyyan WooCommerce Polyla
|
| 33 |
CVE-2026-29195
Netmaker makes networks with WireGuard. Prior to version 1.5.0, the user update
|
| 33 |
CVE-2026-24566
Missing Authorization vulnerability in iNET iNET Webkit inet-webkit allows Explo
|
| 33 |
CVE-2026-26004
Sentry is a developer-first error tracking and performance monitoring tool. Vers
|
| 33 |
CVE-2026-3131
Improper
access control in multiple DVLS REST API endpoints in Devolutions
Ser
|
| 33 |
CVE-2026-24742
Discourse is an open source discussion platform. In versions prior to 3.5.4, 202
|
| 33 |
CVE-2026-24098
Apache Airflow versions 3.0.0 - 3.1.7, has vulnerability that allows authenticat
|
| 33 |
CVE-2026-1292
Tanium addressed an insertion of sensitive information into log file vulnerabili
|
| 33 |
CVE-2026-29081
Frappe is a full-stack web application framework. Prior to versions 14.100.1 and
|
| 33 |
CVE-2026-2350
Tanium addressed an insertion of sensitive information into log file vulnerabili
|
| 33 |
CVE-2025-68073
Missing Authorization vulnerability in Ninja Team GDPR CCPA Compliance Support n
|
| 33 |
CVE-2026-34500
CLIENT_CERT authentication does not fail as expected for some scenarios when sof
|
| 33 |
CVE-2025-68013
Missing Authorization vulnerability in cardpaysolutions Payment Gateway Authoriz
|
| 33 |
CVE-2025-67939
Missing Authorization vulnerability in Tickera Tickera tickera-event-ticketing-s
|
| 33 |
CVE-2026-23487
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there
|
| 33 |
CVE-2026-26361
Dell Unisphere for PowerMax, version(s) 10.2, contain(s) an External Control of
|
| 33 |
CVE-2026-25936
GLPI is a free Asset and IT management software package. Starting in version 11.
|
| 33 |
CVE-2026-5876
Side-channel information leakage in Navigation in Google Chrome prior to 147.0.7
|
| 33 |
CVE-2026-25963
Fleet is open source device management software. In versions prior to 4.80.1, a
|
| 33 |
CVE-2026-23545
Missing Authorization vulnerability in Aruba.it Dev Aruba HiSpeed Cache aruba-hi
|
| 33 |
CVE-2025-68666
Discourse is an open source discussion platform. In versions prior to 3.5.4, 202
|
| 33 |
CVE-2026-5283
Inappropriate implementation in ANGLE in Google Chrome prior to 146.0.7680.178 a
|
| 33 |
CVE-2026-27022
@langchain/langgraph-checkpoint-redis is the Redis checkpoint and store implemen
|
| 33 |
CVE-2026-6364
Out of bounds read in Skia in Google Chrome prior to 147.0.7727.101 allowed a re
|
| 33 |
CVE-2026-27362
Missing Authorization vulnerability in kamleshyadav WP Bakery Autoresponder Addo
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 735d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2303d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2116d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1730d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2233d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4980d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1201d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1003d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3757d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 905d |