Total CVEs
16393
last 90 days
Avg Priority
36.8
of max 220
KEV
39
actively exploited
POC
3347
public exploits
Unpatched
4810
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
194
CVE-2026-24061
telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for t
185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
184
CVE-2026-23760
SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability
180
CVE-2025-40551
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil
170
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
164
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
160
CVE-2025-40536
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
Priority Distribution
| Priority | CVE |
|---|---|
| 33 |
CVE-2026-31841
Hyperterse is a tool-first MCP framework for building AI-ready backend surfaces
|
| 33 |
CVE-2026-32758
## Description
The `resourcePatchHandler` in `http/resource.go` validates the d
|
| 33 |
CVE-2025-32223
Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor
|
| 33 |
CVE-2026-34370
Chamilo LMS is an open-source learning management system. In versions prior to 2
|
| 33 |
CVE-2026-6068
NASM contains a heap use after free vulnerability in response file (-@) processi
|
| 33 |
CVE-2026-31883
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0
|
| 33 |
CVE-2026-30843
Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 ha
|
| 33 |
CVE-2026-33304
OpenEMR is a free and open source electronic health records and medical practice
|
| 33 |
CVE-2026-2320
Inappropriate implementation in File input in Google Chrome prior to 145.0.7632.
|
| 33 |
CVE-2026-2318
Inappropriate implementation in PictureInPicture in Google Chrome prior to 145.0
|
| 33 |
CVE-2026-1458
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.0 b
|
| 33 |
CVE-2026-1456
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.7
|
| 33 |
CVE-2026-1786
The Twitter posts to Blog plugin for WordPress is vulnerable to unauthorized mod
|
| 33 |
CVE-2026-33736
Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, any authentica
|
| 33 |
CVE-2026-33708
Chamilo LMS is a learning management system. Prior to 1.11.38, the get_user_info
|
| 33 |
CVE-2026-28557
wpForo Forum 2.4.14 contains a missing capability check vulnerability that allow
|
| 33 |
CVE-2025-41710
An unauthenticated remote attacker may use hardcodes credentials to get access t
|
| 33 |
CVE-2026-39368
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the Li
|
| 33 |
CVE-2025-15336
Tanium addressed an incorrect default permissions vulnerability in Performance.
|
| 33 |
CVE-2026-32697
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (C
|
| 33 |
CVE-2026-33676
Vikunja is an open-source self-hosted task management platform. Prior to version
|
| 33 |
CVE-2025-40896
The server certificate was not verified when an Arc agent connected to a Guardia
|
| 33 |
CVE-2026-34395
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the pl
|
| 33 |
CVE-2024-50452
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 33 |
CVE-2026-30870
PowerSync Service is the server-side component of the PowerSync sync engine. In
|
| 33 |
CVE-2026-33469
Frigate is a network video recorder (NVR) with realtime local object detection f
|
| 33 |
CVE-2026-30886
New API is a large language mode (LLM) gateway and artificial intelligence (AI)
|
| 33 |
CVE-2026-33470
Frigate is a network video recorder (NVR) with realtime local object detection f
|
| 33 |
CVE-2026-2503
The ElementCamp plugin for WordPress is vulnerable to time-based SQL Injection v
|
| 33 |
CVE-2026-2412
The Quiz and Survey Master (QSM) plugin for WordPress is vulnerable to SQL Injec
|
| 33 |
CVE-2026-33495
## Description
Ory Oathkeeper is often deployed behind other components like CD
|
| 33 |
CVE-2026-32761
### Summary
A permission enforcement flaw allows users without download privileg
|
| 33 |
CVE-2026-38533
An improper authorization vulnerability in the /api/v1/users/{id} endpoint of Sn
|
| 33 |
CVE-2026-24845
malcontent discovers supply-chain compromises through. context, differential ana
|
| 33 |
CVE-2026-34586
PdfDing is a selfhosted PDF manager, viewer and editor offering a seamless user
|
| 33 |
CVE-2026-5207
The LifterLMS plugin for WordPress is vulnerable to SQL Injection via the 'order
|
| 33 |
CVE-2026-27954
Live Helper Chat is an open-source application that enables live support website
|
| 33 |
CVE-2026-27149
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 20
|
| 33 |
CVE-2026-33931
OpenEMR is a free and open source electronic health records and medical practice
|
| 33 |
CVE-2026-5905
Incorrect security UI in Permissions in Google Chrome on Windows prior to 147.0.
|
| 33 |
CVE-2026-3098
The Smart Slider 3 plugin for WordPress is vulnerable to Arbitrary File Read in
|
| 33 |
CVE-2026-33907
## Summary
Ella Core panics when processing Authentication Response and Authent
|
| 33 |
CVE-2026-25834
Mbed TLS v3.3.0 up to 3.6.5 and 4.0.0 allows Algorithm Downgrade.
|
| 33 |
CVE-2026-33730
Open Source Point of Sale (opensourcepos) is a web based point of sale applicati
|
| 33 |
CVE-2026-30239
OpenProject is an open-source, web-based project management software. Prior to 1
|
| 33 |
CVE-2026-25744
OpenEMR is a free and open source electronic health records and medical practice
|
| 33 |
CVE-2026-32818
Admidio is an open-source user management solution. In versions 5.0.0 through 5.
|
| 33 |
CVE-2026-2316
Insufficient policy enforcement in Frames in Google Chrome prior to 145.0.7632.4
|
| 33 |
CVE-2026-1865
The User Registration & Membership - Free & Paid Memberships, Subscriptions, Con
|
| 33 |
CVE-2026-27677
Due to missing authorization checks in the SAP S/4HANA OData Service (Manage Ref
|
| 33 |
CVE-2026-22901
A command injection vulnerability has been reported to affect QuNetSwitch. If a
|
| 33 |
CVE-2026-34036
# Authenticated Local File Inclusion (LFI) via selectobject.php leading to sensi
|
| 33 |
CVE-2026-39374
Plane is an an open-source project management tool. Prior to 1.3.0, the IssueBul
|
| 33 |
CVE-2026-39354
Scoold is a Q&A and a knowledge sharing platform for teams. Prior to 1.66.2, an
|
| 33 |
CVE-2026-34737
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the St
|
| 33 |
CVE-2026-26320
OpenClaw is a personal AI assistant. OpenClaw macOS desktop client registers the
|
| 33 |
CVE-2026-26939
Missing Authorization (CWE-862) in Kibana’s server-side Detection Rule Managemen
|
| 33 |
CVE-2026-27679
Due to missing authorization checks in the SAP S/4HANA frontend OData Service (M
|
| 33 |
CVE-2026-25937
GLPI is a free Asset and IT management software package. Starting in version 11.
|
| 33 |
CVE-2026-25745
OpenEMR is a free and open source electronic health records and medical practice
|
| 33 |
CVE-2026-27678
Due to missing authorization checks in the SAP S/4HANA backend OData Service (Ma
|
| 33 |
CVE-2025-14799
The Brevo - Email, SMS, Web Push, Chat, and more. plugin for WordPress is vulner
|
| 33 |
CVE-2026-28552
Out-of-bounds write vulnerability in the IMS module. Impact: Successful exploita
|
| 33 |
CVE-2025-13778
Missing authentication for critical function vulnerability in ABB AWIN GW100 rev
|
| 33 |
CVE-2026-29597
Incorrect access control in the file_details.asp endpoint of DDSN Interactive Ac
|
| 33 |
CVE-2025-14915
IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphe
|
| 33 |
CVE-2025-14790
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 could allow an attac
|
| 33 |
CVE-2026-32120
OpenEMR is a free and open source electronic health records and medical practice
|
| 33 |
CVE-2026-3590
Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.
|
| 33 |
CVE-2026-20690
An out-of-bounds access issue was addressed with improved bounds checking. This
|
| 33 |
CVE-2026-28878
A privacy issue was addressed by removing sensitive data. This issue is fixed in
|
| 33 |
CVE-2026-3214
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal
|
| 33 |
CVE-2026-34788
Emlog is an open source website building system. In versions 2.6.2 and prior, a
|
| 33 |
CVE-2026-34779
### Impact
On macOS, `app.moveToApplicationsFolder()` used an AppleScript fallba
|
| 33 |
CVE-2026-3531
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal
|
| 33 |
CVE-2025-69653
A crafted JavaScript input can trigger an internal assertion failure in QuickJS
|
| 33 |
CVE-2025-41763
A low‑privileged remote attacker can directly interact with the wwwdnload.cgi en
|
| 33 |
CVE-2026-20404
In Modem, there is a possible system crash due to improper input validation. Thi
|
| 33 |
CVE-2026-34261
Due to a missing authorization check in SAP Business Analytics and SAP Content M
|
| 33 |
CVE-2026-34740
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the EP
|
| 33 |
CVE-2026-35173
Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, an IDOR /
|
| 33 |
CVE-2026-1697
The Secure and SameSite attribute are missing in the GraphicalData web services
|
| 33 |
CVE-2026-30955
### Summary
An API endpoint accepts unbounded request bodies without any size l
|
| 33 |
CVE-2026-20083
A vulnerability in the Secure Copy Protocol (SCP) server feature of Cisco IOS XE
|
| 33 |
CVE-2025-7375
A denial-of-service (DoS) vulnerability was identified in Omada EAP610 v3. An a
|
| 33 |
CVE-2026-3527
Missing Authentication for Critical Function vulnerability in Drupal AJAX Dashbo
|
| 33 |
CVE-2026-20042
A vulnerability in the configuration backup feature of Cisco Nexus Dashboard cou
|
| 33 |
CVE-2025-69988
BS Producten Petcam 33.1.0.0818 is vulnerable to Incorrect Access Control. An un
|
| 33 |
CVE-2025-70044
An issue pertaining to CWE-295: Improper Certificate Validation was discovered i
|
| 33 |
CVE-2026-22274
Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 735d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2303d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2116d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1730d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2233d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4980d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1201d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1003d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3758d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 905d |