| Metric | Value | Note |
|---|---|---|
| Total CVEs | 16312 | last 90 days |
| Avg Priority | 36.5 | of max 220 |
| KEV | 37 | actively exploited |
| POC | 3551 | public exploits |
| Unpatched | 5448 | CRIT/HIGH without patch |
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) that adds four real-world threat signals, each converted to points:

- KEV +50: the CVE is listed in CISA's Known Exploited Vulnerabilities catalog, i.e. exploitation in the wild is confirmed
- EPSS x100: the Exploit Prediction Scoring System estimates the probability (0-1) of exploitation in the next 30 days; scaled by 100 it contributes 0-100 points
- CVSS x5: the Common Vulnerability Scoring System base score (0-10) measures technical severity; scaled by 5 it contributes 0-50 points
- POC +20: public exploit code exists, which lowers the barrier for attackers

The maximum is therefore 50 + 100 + 50 + 20 = 220. Scores map to bands as follows:

- 0-40 Low
- 40-80 Medium
- 80-120 High
- 120+ Critical
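The formula above, as an added example in Python rather than the tracker's own code. The CVE records are constructed with placeholder identifiers, not real CVSS/EPSS data; band boundaries are treated as lower-inclusive (an assumption, since the page does not say which band a score of exactly 40, 80 or 120 falls in); and only the four terms stated in this section are implemented, so scores above 220 such as those shown for some KEV entries further down the page will not be reproduced by it.

```python
"""Priority Score calculator for the four-term formula described on this page.

Added example, not the tracker's own code. The records in SAMPLE are constructed
inputs with placeholder identifiers; the numbers are not real CVSS/EPSS values.
"""
from dataclasses import dataclass

KEV_POINTS = 50      # CISA KEV listing: flat bonus
POC_POINTS = 20      # public exploit code: flat bonus
EPSS_SCALE = 100     # EPSS probability (0-1) -> 0-100 points
CVSS_SCALE = 5       # CVSS base score (0-10) -> 0-50 points
MAX_SCORE = KEV_POINTS + EPSS_SCALE + 10 * CVSS_SCALE + POC_POINTS  # 220

# Band floors as listed on the page. Lower bound treated as inclusive (assumption:
# the page does not say where a score of exactly 40, 80 or 120 lands).
BANDS = [(120, "Critical"), (80, "High"), (40, "Medium"), (0, "Low")]


@dataclass(frozen=True)
class Vuln:
    cve_id: str
    cvss: float          # CVSS base score, 0.0-10.0
    epss: float          # EPSS probability, 0.0-1.0 as published (NOT a percentage)
    kev: bool = False    # listed in CISA KEV
    poc: bool = False    # public exploit code available


def priority_score(v: Vuln) -> float:
    """KEV +50, EPSS x100, CVSS x5, POC +20. Rejects out-of-range inputs so that an
    EPSS value passed as a percentage (94 instead of 0.94) cannot silently inflate
    the score by two orders of magnitude."""
    if not 0.0 <= v.cvss <= 10.0:
        raise ValueError(f"{v.cve_id}: CVSS {v.cvss} outside 0-10")
    if not 0.0 <= v.epss <= 1.0:
        raise ValueError(f"{v.cve_id}: EPSS {v.epss} outside 0-1 (percentage passed?)")
    score = v.cvss * CVSS_SCALE + v.epss * EPSS_SCALE
    if v.kev:
        score += KEV_POINTS
    if v.poc:
        score += POC_POINTS
    return round(score, 1)


def priority_band(score: float) -> str:
    """Map a score to the page's Low/Medium/High/Critical bands."""
    for floor, name in BANDS:
        if score >= floor:
            return name
    raise ValueError(f"negative score {score}")


def triage(vulns):
    """Return (score, band, cve_id) tuples, highest priority first."""
    ranked = []
    for v in vulns:
        score = priority_score(v)
        ranked.append((score, priority_band(score), v.cve_id))
    return sorted(ranked, key=lambda r: r[0], reverse=True)


# Constructed sample input with placeholder identifiers (not real CVE data).
SAMPLE = [
    Vuln("SAMPLE-KEV-RCE",   cvss=9.8, epss=0.94, kev=True, poc=True),  # 49 + 94 + 50 + 20 = 213
    Vuln("SAMPLE-HIGH-CVSS", cvss=9.1, epss=0.01),                      # 45.5 + 1 = 46.5: severity alone stays Medium
    Vuln("SAMPLE-POC-MED",   cvss=5.4, epss=0.60, poc=True),            # 27 + 60 + 20 = 107: EPSS + PoC outrank CVSS
    Vuln("SAMPLE-QUIET",     cvss=7.5, epss=0.02),                      # 37.5 + 2 = 39.5
]

if __name__ == "__main__":
    for score, band, cve_id in triage(SAMPLE):
        print(f"{score:6.1f}  {band:8s}  {cve_id}")
```

The ordering of the sample set is the point of the formula: a medium-severity bug with a public PoC and a high EPSS outranks a CVSS 9.1 issue nobody is exploiting, and a confirmed-exploited CVE lands in Critical regardless of the other terms.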
Patch Now — Known Exploited Vulnerabilities
| Priority | CVE | Description |
|---|---|---|
| 194 | CVE-2026-24061 | telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for t |
| 185 | CVE-2026-1731 | BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain |
| 184 | CVE-2026-23760 | SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability |
| 180 | CVE-2025-40551 | SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil |
| 170 | CVE-2026-1340 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem |
| 164 | CVE-2026-1281 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem |
| 160 | CVE-2025-40536 | SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that |
| 141 | CVE-2026-20131 | A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM |
| 137 | CVE-2026-1603 | An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen |
| 134 | CVE-2026-22769 | Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia |
Priority Distribution
| Priority | CVE | Description |
|---|---|---|
| 53 | CVE-2020-37115 | GUnet OpenEclass 1.7.3 stores user credentials in plaintext, allowing administra |
| 53 | CVE-2023-54328 | AimOne Video Converter 2.04 Build 103 contains a buffer overflow vulnerability i |
| 53 | CVE-2026-30233 | OliveTin gives access to predefined shell commands from a web interface. Prior t |
| 53 | CVE-2026-23851 | SiYuan is a personal knowledge management system. Versions prior to 3.5.4 contai |
| 53 | CVE-2025-70095 | A cross-site scripting (XSS) vulnerability in the item management and sales invo |
| 53 | CVE-2026-27015 | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to versio |
| 53 | CVE-2025-70091 | A cross-site scripting (XSS) vulnerability in the Customers function of OpenSour |
| 53 | CVE-2025-68135 | EVerest is an EV charging software stack. Prior to version 2025.10.0, C++ except |
| 53 | CVE-2026-28412 | Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `Director |
| 53 | CVE-2026-32245 | Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC |
| 53 | CVE-2026-28781 | Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-bet |
| 53 | CVE-2026-24670 | The Open eClass platform (formerly known as GUnet eClass) is a complete course m |
| 53 | CVE-2026-24666 | The Open eClass platform (formerly known as GUnet eClass) is a complete course m |
| 53 | CVE-2026-32053 | OpenClaw versions prior to 2026.2.23 contain a vulnerability in Twilio webhook e |
| 53 | CVE-2026-28492 | File Browser provides a file managing interface within a specified directory and |
| 53 | CVE-2025-70094 | A cross-site scripting (XSS) vulnerability in the Generate Item Barcode function |
| 53 | CVE-2026-24668 | The Open eClass platform (formerly known as GUnet eClass) is a complete course m |
| 53 | CVE-2026-25124 | OpenEMR is a free and open source electronic health records and medical practice |
| 53 | CVE-2026-28217 | hoppscotch is an open source API development ecosystem. Prior to version 2026.2. |
| 53 | CVE-2025-13436 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.7 |
| 53 | CVE-2026-27611 | FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to ver |
| 53 | CVE-2025-67082 | An SQL injection vulnerability in InvoicePlane through 1.6.3 has been identified |
| 53 | CVE-2025-70063 | The 'Medical History' module in PHPGurukul Hospital Management System v4.0 conta |
| 53 | CVE-2026-28685 | Kimai is a web-based multi-user time-tracking application. Prior to version 2.51 |
| 53 | CVE-2026-25229 | Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have a |
| 53 | CVE-2026-24896 | OpenEMR is a free and open source electronic health records and medical practice |
| 53 | CVE-2026-25877 | Chartbrew is an open-source web application that can connect directly to databas |
| 53 | CVE-2026-24419 | OpenSTAManager is an open source management software for technical assistance an |
| 53 | CVE-2026-22218 | Chainlit versions prior to 2.9.4 contain an arbitrary file read vulnerability in |
| 53 | CVE-2025-54373 | OpenEMR is a free and open source electronic health records and medical practice |
| 53 | CVE-2026-3784 | curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a se |
| 53 | CVE-2025-65784 | Insecure permissions in Hubert Imoveis e Administracao Ltda Hub v2.0 1.27.3 allo |
| 53 | CVE-2026-32704 | Summary: `POST /api/template/renderSprig` lacks `model.CheckAdminRole`, allow |
| 53 | CVE-2026-3695 | A vulnerability has been found in SourceCodester Modern Image Gallery App 1.0. I |
| 53 | CVE-2026-27129 | Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.1 |
| 53 | CVE-2026-28226 | Phishing Club is a phishing simulation and man-in-the-middle framework. Prior to |
| 53 | CVE-2025-15488 | The Responsive Plus WordPress plugin before 3.4.3 is vulnerable to arbitrary sh |
| 53 | CVE-2021-47754 | Arunna 1.0.0 contains a cross-site request forgery vulnerability that allows att |
| 53 | CVE-2025-70899 | PHPgurukul Online Course Registration v3.1 lacks Cross-Site Request Forgery (CSR |
| 53 | CVE-2025-32393 | AutoGPT is a platform that allows users to create, deploy, and manage continuous |
| 53 | CVE-2026-4432 | The YITH WooCommerce Wishlist WordPress plugin before 4.13.0 does not properly v |
| 53 | CVE-2025-71006 | A floating point exception (FPE) in the oneflow.reshape component of OneFlow v0. |
| 53 | CVE-2025-61728 | archive/zip uses a super-linear file name indexing algorithm that is invoked the |
| 53 | CVE-2025-70299 | A heap overflow in the avi_parse_input_file() function of GPAC v2.4.0 allows att |
| 53 | CVE-2026-4079 | The SQL Chart Builder WordPress plugin before 2.3.8 does not properly escape use |
| 53 | CVE-2025-71001 | A segmentation violation in the flow.column_stack component of OneFlow v0.9.0 al |
| 53 | CVE-2019-25436 | Sricam DeviceViewer 3.12.0.1 contains a password change security bypass vulnerab |
| 53 | CVE-2026-26006 | AutoGPT is a platform that allows users to create, deploy, and manage continuous |
| 53 | CVE-2025-70062 | PHPGurukul Hospital Management System v4.0 contains a Cross-Site Request Forgery |
| 53 | CVE-2026-30521 | A Business Logic vulnerability exists in SourceCodester Loan Management System v |
| 53 | CVE-2026-25760 | Sliver is a command and control framework that uses a custom Wireguard netstack. |
| 53 | CVE-2025-13078 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.10 |
| 53 | CVE-2026-23952 | ImageMagick is free and open-source software used for editing and manipulating d |
| 53 | CVE-2026-24133 | jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control |
| 53 | CVE-2026-1900 | The Link Whisper Free WordPress plugin before 0.9.1 has a publicly accessible RE |
| 53 | CVE-2026-27589 | Caddy is an extensible server platform that uses TLS by default. Prior to versio |
| 53 | CVE-2026-23888 | pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerabil |
| 53 | CVE-2025-13671 | Cross-Site Request Forgery (CSRF) vulnerability in OpenText™ Web Site Management |
| 53 | CVE-2026-32054 | OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability i |
| 53 | CVE-2025-68671 | lakeFS is an open-source tool that transforms object storage into a Git-like rep |
| 53 | CVE-2026-23890 | pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerabil |
| 53 | CVE-2026-23889 | pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerabil |
| 53 | CVE-2026-28490 | 1. Executive Summary: A cryptographic padding oracle vulnerability was identi |
| 53 | CVE-2026-25480 | Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to |
| 53 | CVE-2026-27734 | Beszel is a server monitoring platform. Prior to version 0.18.2, the hub's authe |
| 53 | CVE-2025-70997 | A vulnerability has been discovered in eladmin v2.7 and before. This vulnerabili |
| 53 | CVE-2026-24420 | phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow |
| 53 | CVE-2026-24056 | pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a `file: |
| 53 | CVE-2026-24421 | phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below have f |
| 53 | CVE-2026-25479 | Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to |
| 53 | CVE-2026-24417 | OpenSTAManager is an open source management software for technical assistance an |
| 53 | CVE-2026-24416 | OpenSTAManager is an open source management software for technical assistance an |
| 53 | CVE-2026-25494 | Craft is a platform for creating digital experiences. In Craft versions 4.0.0-R |
| 53 | CVE-2025-69216 | OpenSTAManager is an open source management software for technical assistance an |
| 53 | CVE-2026-25493 | Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC |
| 53 | CVE-2026-25492 | Craft CMS is a content management system. In Craft versions 3.5.0 through 4.16.1 |
| 53 | CVE-2026-24418 | OpenSTAManager is an open source management software for technical assistance an |
| 53 | CVE-2022-50894 | VIAVIWEB Wallpaper Admin 1.0 contains an SQL injection vulnerability that allows |
| 53 | CVE-2026-28354 | ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 # |
| 53 | CVE-2026-24488 | OpenEMR is a free and open source electronic health records and medical practice |
| 53 | CVE-2026-32043 | OpenClaw versions prior to 2026.2.25 contain a time-of-check-time-of-use vulnera |
| 52 | CVE-2026-30522 | A Business Logic vulnerability exists in SourceCodester Loan Management System v |
| 52 | CVE-2026-4228 | A vulnerability was detected in LB-LINK BL-WR9000 2.4.9. This affects the functi |
| 52 | CVE-2020-37086 | Easy Transfer 1.7 iOS mobile application contains a directory traversal vulnerab |
| 52 | CVE-2026-1548 | A flaw has been found in Totolink A7000R 4.1cu.4154. This impacts the function C |
| 52 | CVE-2026-1547 | A vulnerability was detected in Totolink A7000R 4.1cu.4154. This affects the fun |
| 52 | CVE-2026-1327 | A security vulnerability has been detected in Totolink NR1800X 9.1.0u.6279_B2021 |
| 52 | CVE-2026-32052 | OpenClaw versions prior to 2026.2.24 contain a command injection vulnerability i |
| 52 | CVE-2020-37019 | Orchard Core RC1 contains a persistent cross-site scripting vulnerability that a |
| 52 | CVE-2020-37014 | Tryton 5.4 contains a persistent cross-site scripting vulnerability in the user |
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 730d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2298d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2111d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1725d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2228d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4975d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1196d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 998d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3753d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 900d |