Total CVEs
16392
last 90 days
Avg Priority
36.8
of max 220
KEV
39
actively exploited
POC
3349
public exploits
Unpatched
4810
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
194
CVE-2026-24061
telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for t
185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
184
CVE-2026-23760
SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability
180
CVE-2025-40551
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil
170
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
164
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
160
CVE-2025-40536
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
Priority Distribution
| Priority | CVE |
|---|---|
| 33 |
CVE-2026-0767
Open WebUI Cleartext Transmission of Credentials Information Disclosure Vulnerab
|
| 33 |
CVE-2025-70044
An issue pertaining to CWE-295: Improper Certificate Validation was discovered i
|
| 33 |
CVE-2025-69988
BS Producten Petcam 33.1.0.0818 is vulnerable to Incorrect Access Control. An un
|
| 33 |
CVE-2026-5919
Insufficient validation of untrusted input in WebSockets in Google Chrome prior
|
| 33 |
CVE-2026-3121
A flaw was found in Keycloak. An administrator with `manage-clients` permission
|
| 33 |
CVE-2025-36427
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow a
|
| 33 |
CVE-2025-36424
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow a
|
| 33 |
CVE-2025-65127
A lack of session validation in the web API component of Shenzhen Zhibotong Elec
|
| 33 |
CVE-2026-24687
Umbraco Forms is a form builder that integrates with the Umbraco content managem
|
| 33 |
CVE-2026-32842
Edimax GS-5008PL firmware version 1.00.54 and prior contain an insecure credenti
|
| 33 |
CVE-2026-23567
An integer underflow in the UDP command handler of the TeamViewer DEX Client (fo
|
| 33 |
CVE-2026-1839
A vulnerability in the HuggingFace Transformers library, specifically in the `Tr
|
| 33 |
CVE-2026-20657
The issue was addressed with improved memory handling. This issue is fixed in iO
|
| 33 |
CVE-2025-8303
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site
|
| 33 |
CVE-2025-36442
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.
|
| 33 |
CVE-2025-36366
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow a
|
| 33 |
CVE-2025-36009
IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an
|
| 33 |
CVE-2025-62853
A path traversal vulnerability has been reported to affect File Station 5. If a
|
| 33 |
CVE-2018-25160
HTTP::Session2 versions through 1.09 for Perl does not validate the format of us
|
| 33 |
CVE-2026-1014
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to exp
|
| 33 |
CVE-2026-24053
Claude Code is an agentic coding tool. Prior to version 2.0.74, due to a Bash co
|
| 33 |
CVE-2026-28880
A permissions issue was addressed with additional restrictions. This issue is fi
|
| 33 |
CVE-2026-28857
The issue was addressed with improved memory handling. This issue is fixed in Sa
|
| 33 |
CVE-2026-30579
File Thingie 2.5.7 is vulnerable to Cross Site Scripting (XSS). A malicious user
|
| 33 |
CVE-2026-33283
## Summary
Ella Core panics when processing malformed UL NAS Transport NAS messa
|
| 33 |
CVE-2026-32588
Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows authenticate
|
| 33 |
CVE-2026-30480
A Local File Inclusion (LFI) vulnerability in the NFSen module (nfsen.inc.php) o
|
| 33 |
CVE-2025-36423
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 12.1.0 - 12.1.
|
| 33 |
CVE-2025-36407
IBM® Db2® is vulnerable to a denial of service with a specially crafted query th
|
| 33 |
CVE-2025-36387
IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 - 11.5.
|
| 33 |
CVE-2025-36098
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.
|
| 33 |
CVE-2025-36070
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.
|
| 33 |
CVE-2025-36001
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.
|
| 33 |
CVE-2025-2668
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.
|
| 33 |
CVE-2026-30578
File Thinghie 2.5.7 is vulnerable to Cross Site Scripting (XSS). A malicious use
|
| 33 |
CVE-2026-25344
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulne
|
| 33 |
CVE-2026-25339
Insertion of Sensitive Information Into Sent Data vulnerability in Syed Balkhi C
|
| 33 |
CVE-2026-28844
A file access issue was addressed with improved input validation. This issue is
|
| 33 |
CVE-2026-23484
Blinko is an AI-powered card note-taking project. In versions from 1.8.3 and pri
|
| 33 |
CVE-2026-21641
HackerOne community member Jad Ghamloush (0xjad) has reported an authorization b
|
| 33 |
CVE-2026-1101
GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 bef
|
| 33 |
CVE-2026-27754
SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 use the cryptographic
|
| 33 |
CVE-2025-61154
Heap buffer overflow vulnerability in LibreDWG versions v0.13.3.7571 up to v0.13
|
| 33 |
CVE-2026-25009
Missing Authorization vulnerability in raratheme Education Zone education-zone a
|
| 33 |
CVE-2026-28835
A use-after-free issue was addressed with improved memory management. This issue
|
| 33 |
CVE-2026-3889
Spoofing issue in Thunderbird. This vulnerability affects Thunderbird < 149 and
|
| 33 |
CVE-2026-25469
Missing Authorization vulnerability in ViaBill for WooCommerce ViaBill – W
|
| 33 |
CVE-2026-33141
Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Di
|
| 33 |
CVE-2026-30655
SQL injection in Solicitante::resetaSenha() in esiclivre/esiclivre v0.2.2 and ea
|
| 33 |
CVE-2026-24972
Missing Authorization vulnerability in Elated-Themes Elated Listing eltd-listing
|
| 33 |
CVE-2026-1627
An attacker may exploit the use of outdated and weak MAC algorithms in the devic
|
| 33 |
CVE-2026-25034
Missing Authorization vulnerability in Iqonic Design KiviCare kivicare-clinic-ma
|
| 33 |
CVE-2026-32541
Missing Authorization vulnerability in Premmerce Premmerce Redirect Manager prem
|
| 33 |
CVE-2025-68971
In Forgejo through 13.0.3, the attachment component allows a denial of service b
|
| 33 |
CVE-2026-25430
Missing Authorization vulnerability in CRM Perks Integration for Mailchimp and C
|
| 33 |
CVE-2026-32527
Missing Authorization vulnerability in CRM Perks WP Insightly for Contact Form 7
|
| 33 |
CVE-2026-25327
Missing Authorization vulnerability in Rustaurius Five Star Restaurant Reservati
|
| 33 |
CVE-2026-22485
Missing Authorization vulnerability in Ruhul Amin My Album Gallery my-album-gall
|
| 33 |
CVE-2026-25437
Missing Authorization vulnerability in سید محمدامین هاشمی GZSEO gzseo allows Exp
|
| 33 |
CVE-2025-54170
An out-of-bounds read vulnerability has been reported to affect Qsync Central. I
|
| 33 |
CVE-2025-54152
A use of out-of-range pointer offset vulnerability has been reported to affect Q
|
| 33 |
CVE-2025-12899
A flaw in Zephyr’s network stack allows an IPv4 packet containing ICMP type 128
|
| 33 |
CVE-2026-25365
Missing Authorization vulnerability in Özgür KARALAR Kargo Takip kargo-takip-tur
|
| 33 |
CVE-2026-25398
Missing Authorization vulnerability in Webilia Inc. Vertex Addons for Elementor
|
| 33 |
CVE-2026-32533
Authorization Bypass Through User-Controlled Key vulnerability in LatePoint Late
|
| 33 |
CVE-2026-25455
Missing Authorization vulnerability in PickPlugins Product Slider for WooCommerc
|
| 33 |
CVE-2026-24376
Missing Authorization vulnerability in Javier Casares WPVulnerability wpvulnerab
|
| 33 |
CVE-2026-24987
Missing Authorization vulnerability in activity-log.com WP System Log winterlock
|
| 33 |
CVE-2026-32535
Authorization Bypass Through User-Controlled Key vulnerability in JoomSky JS Hel
|
| 33 |
CVE-2026-24364
Missing Authorization vulnerability in weDevs WP User Frontend wp-user-frontend
|
| 33 |
CVE-2026-27609
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In ver
|
| 33 |
CVE-2026-25462
Missing Authorization vulnerability in avalex avalex avalex allows Exploiting In
|
| 33 |
CVE-2026-40199
Net::CIDR::Lite versions before 0.23 for Perl mishandles IPv4 mapped IPv6 addres
|
| 33 |
CVE-2026-25390
Missing Authorization vulnerability in Saad Iqbal New User Approve new-user-appr
|
| 33 |
CVE-2026-39639
Missing Authorization vulnerability in redpixelstudios RPS Include Content rps-i
|
| 33 |
CVE-2026-32483
Missing Authorization vulnerability in codepeople Contact Form Email contact-for
|
| 33 |
CVE-2026-25454
Missing Authorization vulnerability in MVPThemes The League the-league allows Ex
|
| 33 |
CVE-2026-23972
Missing Authorization vulnerability in magepeopleteam Booking and Rental Manager
|
| 33 |
CVE-2026-27046
Missing Authorization vulnerability in Kaira StoreCustomizer woocustomizer allow
|
| 33 |
CVE-2026-39569
Missing Authorization vulnerability in AA Web Servant 12 Step Meeting List 12-st
|
| 33 |
CVE-2026-24514
A security issue was discovered in ingress-nginx where the validating admission
|
| 33 |
CVE-2026-1626
An attacker may exploit the use of weak CBC-based cipher suites in the device’s
|
| 33 |
CVE-2026-32489
Missing Authorization vulnerability in bPlugins B Blocks b-blocks allows Exploit
|
| 33 |
CVE-2026-32514
Missing Authorization vulnerability in Anton Voytenko Petitioner petitioner allo
|
| 33 |
CVE-2026-26929
Apache Airflow versions 3.0.0 through 3.1.7 FastAPI DagVersion listing API does
|
| 33 |
CVE-2026-5881
Policy bypass in LocalNetworkAccess in Google Chrome prior to 147.0.7727.55 allo
|
| 33 |
CVE-2026-3255
HTTP::Session2 versions before 1.12 for Perl for Perl may generate weak session
|
| 33 |
CVE-2025-56647
npm @farmfe/core before 1.7.6 is Missing Origin Validation in WebSocket. The dev
|
| 33 |
CVE-2026-34538
Apache Airflow versions 3.0.0 through 3.1.8 DagRun wait endpoint returns XCom re
|
| 33 |
CVE-2026-20110
A vulnerability in the CLI of Cisco IOS XE Software could allow an authenticated
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 735d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2303d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2116d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1730d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2233d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4980d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1201d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1003d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3758d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 905d |