Total CVEs
17702
last 90 days
Avg Priority
34.4
of max 220
KEV
31
actively exploited
POC
2284
public exploits
Unpatched
3558
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
136
CVE-2026-0300
A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service o
133
CVE-2026-41940
cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, an
131
CVE-2026-6973
An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows
131
CVE-2026-42897
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Ex
129
CVE-2026-33825
Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to el
127
CVE-2026-20182
May 2026: This security advisory provides the details and fix information for a vulnerability that w
126
CVE-2026-41091
Improper link resolution before file access ('link following') in Microsoft Defender allows an autho
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
120
CVE-2026-48172
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exp
Priority Distribution
| Priority | CVE |
|---|---|
| 64 |
CVE-2026-43284
In the Linux kernel, the following vulnerability has been resolved:
xfrm: esp:
|
| 64 |
CVE-2026-33665
n8n is an open source workflow automation platform. Prior to versions 2.4.0 and
|
| 64 |
CVE-2026-30529
A SQL Injection vulnerability exists in SourceCodester Online Food Ordering Syst
|
| 64 |
CVE-2026-29174
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Craft Com
|
| 64 |
CVE-2026-22683
Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnera
|
| 64 |
CVE-2019-25465
Hisilicon HiIpcam V100R003 contains a directory traversal vulnerability that all
|
| 64 |
CVE-2025-60947
Census CSWeb 8.0.1 allows arbitrary file upload. A remote, authenticated attacke
|
| 64 |
CVE-2017-20222
Telesquare SKT LTE Router SDT-CS3B1 software version 1.2.0 contains an unauthent
|
| 64 |
CVE-2017-20220
Serviio PRO 1.8 contains an improper access control vulnerability in the Configu
|
| 64 |
CVE-2018-25169
AMPPS 2.7 contains a denial of service vulnerability that allows remote attacker
|
| 64 |
CVE-2019-25480
ARMBot contains an unrestricted file upload vulnerability in upload.php that all
|
| 64 |
CVE-2018-25193
Mongoose Web Server 6.9 contains a denial of service vulnerability that allows r
|
| 64 |
CVE-2025-60946
Census CSWeb 8.0.1 allows arbitrary file path input. A remote, authenticated att
|
| 64 |
CVE-2026-25075
strongSwan versions 4.5.0 prior to 6.0.5 contain an integer underflow vulnerabil
|
| 64 |
CVE-2026-44499
ZEBRA is a Zcash node written entirely in Rust. Prior to version 4.4.0, a compos
|
| 64 |
CVE-2017-20217
Serviio PRO 1.8 contains an information disclosure vulnerability due to improper
|
| 64 |
CVE-2026-32834
Easy PayPal Events & Tickets plugin for WordPress version 1.3 and earlier contai
|
| 64 |
CVE-2019-25478
GetGo Download Manager 6.2.2.3300 contains a buffer overflow vulnerability that
|
| 64 |
CVE-2018-25164
EverSync 0.5 contains an arbitrary file download vulnerability that allows unaut
|
| 64 |
CVE-2019-25470
eWON Firmware versions 12.2 to 13.0 contain an authentication bypass vulnerabili
|
| 64 |
CVE-2026-32846
OpenClaw through 2026.3.23 (fixed in commit 4797bbc) contains a path traversal v
|
| 64 |
CVE-2016-20025
ZKTeco ZKAccess Professional 3.5.3 contains an insecure file permissions vulnera
|
| 64 |
CVE-2026-32640
### Impact
If the objects passed in as `names` to SimpleEval have modules or oth
|
| 64 |
CVE-2013-20006
Qool CMS contains multiple persistent cross-site scripting vulnerabilities in se
|
| 64 |
CVE-2026-40192
### Impact
Pillow did not limit the amount of GZIP-compressed data read when dec
|
| 64 |
CVE-2019-25560
Lyric Video Creator 2.1 contains a denial of service vulnerability that allows a
|
| 64 |
CVE-2026-26022
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, a store
|
| 64 |
CVE-2026-29514
NetBox versions 4.3.5 through 4.5.4 contain a remote code execution vulnerabilit
|
| 64 |
CVE-2026-33713
n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.
|
| 64 |
CVE-2026-34965
Cockpit CMS contains an authenticated remote code execution vulnerability in the
|
| 64 |
CVE-2026-32847
DeepCode through commit c991dc2 contains a path traversal vulnerability in the S
|
| 64 |
CVE-2026-41463
ProjeQtor versions 7.0 through 12.4.3 contain a ZipSlip path traversal vulnerabi
|
| 64 |
CVE-2026-43634
HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that
|
| 63 |
CVE-2026-33116
Loop with unreachable exit condition ('infinite loop') in .NET, .NET Framework,
|
| 63 |
CVE-2026-22666
Dolibarr ERP/CRM versions prior to 23.0.2 contain an authenticated remote code e
|
| 63 |
CVE-2026-26171
Uncontrolled resource consumption in .NET allows an unauthorized attacker to den
|
| 63 |
CVE-2026-35020
Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection v
|
| 63 |
CVE-2026-28679
Home-Gallery.org is a self-hosted open-source web gallery to browse personal pho
|
| 63 |
CVE-2026-43640
Bitwarden Server prior to v2026.4.1 does not require master-password re-authenti
|
| 63 |
CVE-2026-32989
Precurio Intranet Portal 4.4 contains a cross-site request forgery (CSRF) weakne
|
| 63 |
CVE-2026-3830
The Product Filter for WooCommerce by WBW WordPress plugin before 3.1.3 does not
|
| 63 |
CVE-2026-4935
The OttoKit: All-in-One Automation Platform WordPress plugin before 1.1.23 does
|
| 63 |
CVE-2026-6379
The WP Photo Album Plus WordPress plugin before 9.1.11.001 does not properly san
|
| 63 |
CVE-2026-32635
A Cross-Site Scripting (XSS) vulnerability has been identified in the Angular ru
|
| 63 |
CVE-2026-29002
CouchCMS contains a privilege escalation vulnerability that allows authenticated
|
| 63 |
CVE-2019-25466
Easy File Sharing Web Server 7.2 contains a local structured exception handling
|
| 63 |
CVE-2019-25607
Axessh 4.2 contains a stack-based buffer overflow vulnerability in the log file
|
| 63 |
CVE-2019-25603
TuneClone 2.20 contains a structured exception handler (SEH) buffer overflow vul
|
| 63 |
CVE-2019-25483
Comtrend AR-5310 GE31-412SSG-C01_R10.A2pG039u.d24k contains a restricted shell e
|
| 63 |
CVE-2019-25609
JetAudio jetCast Server 2.0 contains a stack-based buffer overflow vulnerability
|
| 63 |
CVE-2019-25604
DVDXPlayer Pro 5.5 contains a local buffer overflow vulnerability with structure
|
| 63 |
CVE-2019-25615
Lavavo CD Ripper 4.20 contains a structured exception handling (SEH) buffer over
|
| 63 |
CVE-2019-25626
River Past Cam Do 3.7.6 contains a local buffer overflow vulnerability in the ac
|
| 63 |
CVE-2019-25611
MiniFtp contains a buffer overflow vulnerability in the parseconf_load_setting f
|
| 63 |
CVE-2019-25608
Iperius Backup 6.1.0 contains a privilege escalation vulnerability that allows l
|
| 63 |
CVE-2019-25467
Verypdf docPrint Pro 8.0 contains a structured exception handling buffer overflo
|
| 63 |
CVE-2026-30920
OneUptime is a solution for monitoring and managing online services. Prior to 10
|
| 63 |
CVE-2026-47114
IINA before 1.4.3 contains a user-assisted command execution vulnerability that
|
| 63 |
CVE-2026-7862
The Eupago Gateway For Woocommerce WordPress plugin before 4.7.2 does not proper
|
| 63 |
CVE-2026-31817
OliveTin gives access to predefined shell commands from a web interface. Prior t
|
| 63 |
CVE-2026-28286
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 syst
|
| 63 |
CVE-2026-32246
Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC
|
| 63 |
CVE-2026-28442
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 syst
|
| 63 |
CVE-2026-42899
Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an
|
| 63 |
CVE-2026-43983
Pocket ID is an OIDC provider that allows users to authenticate with their passk
|
| 63 |
CVE-2026-34885
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injecti
|
| 63 |
CVE-2026-33663
n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.
|
| 63 |
CVE-2026-6204
LibreNMS versions before 26.3.0 are affected by an authenticated remote code exe
|
| 63 |
CVE-2026-28529
cryptodev-linux version 1.14 and prior contain a page reference handling flaw in
|
| 63 |
CVE-2019-25612
Admin Express 1.2.5.485 contains a local structured exception handling buffer ov
|
| 63 |
CVE-2017-20218
Serviio PRO 1.8 contains an unquoted search path vulnerability in the Windows se
|
| 63 |
CVE-2026-28513
Pocket ID is an OIDC provider that allows users to authenticate with their passk
|
| 62 |
CVE-2026-40499
radare2 prior to version 6.1.4 contains a command injection vulnerability in the
|
| 62 |
CVE-2026-35021
Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection v
|
| 62 |
CVE-2026-40517
radare2 prior to 6.1.4 contains a command injection vulnerability in the PDB par
|
| 62 |
CVE-2026-28793
Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI de
|
| 62 |
CVE-2026-41640
## Summary
The `queryParentSQL()` function in the core database package constru
|
| 62 |
CVE-2026-35433
Improper input validation in .NET allows an unauthorized attacker to elevate pri
|
| 62 |
CVE-2026-32177
Heap-based buffer overflow in .NET allows an unauthorized attacker to elevate pr
|
| 62 |
CVE-2025-52482
Chamilo is a learning management system. Prior to version 1.11.30, a Stored XSS
|
| 62 |
CVE-2026-41927
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains a stack-based bu
|
| 62 |
CVE-2026-45369
python-utcp is the python implementation of UTCP. Prior to 1.1.3, the _substitut
|
| 62 |
CVE-2026-30534
A SQL Injection vulnerability exists in SourceCodester Online Food Ordering Syst
|
| 61 |
CVE-2019-25506
FreeSMS 2.1.2 contains a boolean-based blind SQL injection vulnerability in the
|
| 61 |
CVE-2019-25499
Simple Job Script contains an SQL injection vulnerability that allows unauthenti
|
| 61 |
CVE-2019-25498
Simple Job Script contains an SQL injection vulnerability that allows unauthenti
|
| 61 |
CVE-2018-25199
OOP CMS BLOG 1.0 contains SQL injection vulnerabilities that allow unauthenticat
|
| 61 |
CVE-2019-25525
Inout EasyRooms Ultimate Edition v1.0 contains an SQL injection vulnerability th
|
| 61 |
CVE-2019-25542
Netartmedia Real Estate Portal 5.0 contains a SQL injection vulnerability that a
|
| 61 |
CVE-2019-25543
Netartmedia Real Estate Portal 5.0 contains an SQL injection vulnerability that
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 776d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2344d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2157d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1771d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2274d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 5021d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1242d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1044d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3799d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 946d |