Total CVEs
16312
last 90 days
Avg Priority
36.5
of max 220
KEV
37
actively exploited
POC
3551
public exploits
Unpatched
5448
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
194
CVE-2026-24061
telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for t
185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
184
CVE-2026-23760
SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability
180
CVE-2025-40551
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil
170
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
164
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
160
CVE-2025-40536
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
Priority Distribution
| Priority | CVE |
|---|---|
| 30 |
CVE-2026-5462
A vulnerability was identified in Wahoo Fitness SYSTM App up to 7.2.1 on Android
|
| 30 |
CVE-2026-5453
A vulnerability has been found in Rico só vantagem pra investir App up to 4.58.3
|
| 30 |
CVE-2026-5455
A vulnerability was determined in Dialogue App up to 4.3.2 on Android. The affec
|
| 23 |
CVE-2025-27769
A vulnerability has been identified in Heliox Flex 180 kW EV Charging Station (A
|
| 20 |
CVE-2026-3633
A flaw was found in libsoup. A remote attacker, by controlling the method parame
|
| 20 |
CVE-2026-3632
A flaw was found in libsoup, a library used by applications to send network requ
|
| 20 |
CVE-2026-3634
A flaw was found in libsoup. An attacker controlling the value used to set the C
|
| 20 |
CVE-2025-66038
OpenSC is an open source smart card tools and middleware. Prior to version 0.27.
|
| 20 |
CVE-2026-34768
### Impact
On Windows, `app.setLoginItemSettings({openAtLogin: true})` wrote the
|
| 20 |
CVE-2025-66037
OpenSC is an open source smart card tools and middleware. Prior to version 0.27.
|
| 20 |
CVE-2025-31648
Improper handling of values in the microcode flow for some Intel(R) Processor Fa
|
| 19 |
CVE-2026-3470
A vulnerability exists in the SonicWall Email Security appliance due to improper
|
| 19 |
CVE-2026-2733
A flaw was identified in the Docker v2 authentication endpoint of Keycloak, wher
|
| 19 |
CVE-2026-4044
A vulnerability was detected in projectsend up to r1945. This affects the functi
|
| 19 |
CVE-2026-25423
Missing Authorization vulnerability in creativeinteractivemedia Real 3D FlipBook
|
| 19 |
CVE-2026-0504
Due to insufficient input handling, the SAP Identity Management REST interface a
|
| 19 |
CVE-2025-36183
IBM watsonx.data 2.2 through 2.2.1 IBM Lakehouse could allow a privileged user t
|
| 19 |
CVE-2026-27150
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 20
|
| 19 |
CVE-2025-67685
A Server-Side Request Forgery (SSRF) vulnerability [CWE-918] vulnerability in Fo
|
| 19 |
CVE-2026-27152
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 20
|
| 19 |
CVE-2025-14573
Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when u
|
| 19 |
CVE-2026-2290
The Post Affiliate Pro plugin for WordPress is vulnerable to Server-Side Request
|
| 19 |
CVE-2026-26230
Mattermost versions 10.11.x <= 10.11.10 fail to properly validate permission req
|
| 19 |
CVE-2026-32715
AnythingLLM is an application that turns pieces of content into context that any
|
| 19 |
CVE-2025-49010
OpenSC is an open source smart card tools and middleware. Prior to version 0.27.
|
| 19 |
CVE-2025-66215
OpenSC is an open source smart card tools and middleware. Prior to version 0.27.
|
| 19 |
CVE-2026-0849
Malformed ATAES132A responses with an oversized length field overflow a 52-byte
|
| 19 |
CVE-2026-22919
An attacker with administrative access may inject malicious content into the log
|
| 19 |
CVE-2025-67860
A vulnerability has been identified in the NeuVector scanner where the scanner p
|
| 19 |
CVE-2025-22873
It was possible to improperly access the parent directory of an os.Root by openi
|
| 19 |
CVE-2026-24733
Improper Input Validation vulnerability in Apache Tomcat.
Tomcat did not limit
|
| 19 |
CVE-2026-22877
An arbitrary file-read vulnerability exists in XWEB Pro version 1.12.1
and prio
|
| 19 |
CVE-2026-1685
A vulnerability was identified in D-Link DIR-823X 250416. This vulnerability aff
|
| 19 |
CVE-2025-11143
The Jetty URI parser has some key differences to other common parsers when evalu
|
| 19 |
CVE-2026-1582
The WP All Export plugin for WordPress is vulnerable to Sensitive Information Ex
|
| 19 |
CVE-2026-3184
A flaw was found in util-linux. Improper hostname canonicalization in the `login
|
| 19 |
CVE-2025-14457
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress i
|
| 19 |
CVE-2026-26227
VideoLAN VLC for Android prior to version 3.7.0 contains an authentication bypas
|
| 19 |
CVE-2026-23996
FastAPI Api Key provides a backend-agnostic library that provides an API key sys
|
| 19 |
CVE-2026-0988
A flaw was found in glib. Missing validation of offset and count parameters in t
|
| 19 |
CVE-2026-22261
Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.1
|
| 19 |
CVE-2026-0633
The MetForm - Contact Form, Survey, Quiz, & Custom Form Builder for Elementor pl
|
| 19 |
CVE-2026-23747
Golioth Firmware SDK version 0.10.0 prior to 0.22.0, fixed in commit 48f521b, co
|
| 19 |
CVE-2026-22204
wpDiscuz before 7.6.47 contains an email header injection vulnerability that all
|
| 19 |
CVE-2026-30848
Parse Server is an open source backend that can be deployed to any infrastructur
|
| 19 |
CVE-2026-22885
A vulnerability exists in EnOcean SmartServer IoT version 4.60.009 and
prior, w
|
| 19 |
CVE-2026-23522
LobeChat is an open source chat application platform. Prior to version 2.0.0-nex
|
| 19 |
CVE-2026-27860
If auth_username_chars is empty, it is possible to inject arbitrary LDAP filter
|
| 19 |
CVE-2025-52623
HCL AION is affected by an Autocomplete HTML Attribute Not Disabled for Password
|
| 19 |
CVE-2026-23748
Golioth Firmware SDK version 0.10.0 prior to 0.22.0, fixed in commit d7f55b38, c
|
| 19 |
CVE-2026-22629
An improper restriction of excessive authentication attempts vulnerability in Fo
|
| 19 |
CVE-2026-24661
Mattermost Plugins versions <=2.1.3.0 fail to limit the request body size on the
|
| 19 |
CVE-2026-24870
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in ixra
|
| 19 |
CVE-2026-21388
Mattermost Plugins versions <=2.3.1 fail to limit the request body size on the {
|
| 19 |
CVE-2025-52631
HCL AION is affected by a Missing or Insecure HTTP Strict-Transport-Security (HS
|
| 19 |
CVE-2026-2215
A vulnerability was detected in rachelos WeRSS we-mp-rss up to 1.4.8. This issue
|
| 19 |
CVE-2025-71264
Mumble before 1.6.870 is prone to an out-of-bounds array access, which may resul
|
| 19 |
CVE-2026-34166
## Summary
The `replace` filter in LiquidJS incorrectly accounts for memory usa
|
| 19 |
CVE-2026-4633
A flaw was found in Keycloak. A remote attacker can exploit differential error m
|
| 19 |
CVE-2026-24656
Deserialization of Untrusted Data vulnerability in Apache Karaf Decanter.
The
|
| 19 |
CVE-2026-32595
Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below,
|
| 19 |
CVE-2026-25674
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4
|
| 19 |
CVE-2026-35448
## Summary
The BlockonomicsYPT plugin's `check.php` endpoint returns payment or
|
| 19 |
CVE-2025-52629
HCL AION is susceptible to Missing Content-Security-Policy.
An The absence of
|
| 19 |
CVE-2026-35537
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe de
|
| 19 |
CVE-2026-3963
A security flaw has been discovered in perfree go-fastdfs-web up to 1.3.7. This
|
| 19 |
CVE-2026-33490
## Summary
The `mount()` method in h3 uses a simple `startsWith()` check to det
|
| 19 |
CVE-2026-4045
A flaw has been found in projectsend up to r1945. This impacts an unknown functi
|
| 19 |
CVE-2026-26961
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, a
|
| 19 |
CVE-2025-15603
A security vulnerability has been detected in open-webui up to 0.6.16. Affected
|
| 19 |
CVE-2025-62328
HCL Nomad server on Domino did not configure the frame-ancestors directive in th
|
| 19 |
CVE-2025-67806
The login mechanism of Sage DPW 2021_06_004 displays distinct responses for vali
|
| 19 |
CVE-2026-31991
OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerabili
|
| 19 |
CVE-2026-33070
FileRise is a self-hosted web file manager / WebDAV server. In versions prior to
|
| 19 |
CVE-2026-32109
Copyparty is a portable file server. Prior to 1.20.12, if an attacker has been g
|
| 19 |
CVE-2025-15323
Tanium addressed an improper certificate validation vulnerability in Tanium Appl
|
| 19 |
CVE-2025-53869
Multiple MFPs provided by Brother Industries, Ltd. does not properly validate se
|
| 19 |
CVE-2026-32293
The GL-iNet Comet (GL-RM1) KVM connects to a GL-iNet site during boot-up to prov
|
| 19 |
CVE-2026-0989
A flaw was identified in the RelaxNG parser of libxml2 related to how external s
|
| 19 |
CVE-2026-22920
The device's passwords have not been adequately salted, making them vulnerable t
|
| 19 |
CVE-2026-4587
A vulnerability was found in HybridAuth up to 3.12.2. This issue affects some un
|
| 19 |
CVE-2025-13718
IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 thro
|
| 19 |
CVE-2025-14592
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6
|
| 19 |
CVE-2026-25224
Fastify is a fast and low overhead web framework, for Node.js. Prior to version
|
| 19 |
CVE-2026-26013
LangChain is a framework for building agents and LLM-powered applications. Prior
|
| 19 |
CVE-2026-4363
GitLab has remediated an issue in GitLab EE affecting all versions from 18.1 bef
|
| 19 |
CVE-2026-24883
In GnuPG before 2.5.17, a long signature packet length causes parse_signature to
|
| 19 |
CVE-2026-0976
A flaw was found in Keycloak. This improper input validation vulnerability occur
|
| 19 |
CVE-2026-3706
A vulnerability was determined in mkj Dropbear up to 2025.89. Impacted is the fu
|
| 19 |
CVE-2026-24934
The DDNS function uses an insecure HTTP connection or fails to validate the SSL/
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 730d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2298d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2111d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1725d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2228d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4975d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1196d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 998d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3753d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 900d |