Total CVEs
16347
last 90 days
Avg Priority
36.7
of max 220
KEV
39
actively exploited
POC
3315
public exploits
Unpatched
4724
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
194
CVE-2026-24061
telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for t
185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
184
CVE-2026-23760
SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability
180
CVE-2025-40551
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil
170
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
164
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
160
CVE-2025-40536
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
Priority Distribution
| Priority | CVE |
|---|---|
| 32 |
CVE-2026-2563
A vulnerability was identified in JingDong JD Cloud Box AX6600 up to 4.5.1.r4533
|
| 32 |
CVE-2026-2562
A vulnerability was determined in JingDong JD Cloud Box AX6600 up to 4.5.1.r4533
|
| 32 |
CVE-2026-2561
A vulnerability was found in JingDong JD Cloud Box AX6600 up to 4.5.1.r4533. Thi
|
| 32 |
CVE-2026-34481
Apache Log4j's JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/j
|
| 32 |
CVE-2026-40021
Apache Log4net's XmlLayout https://logging.apache.org/log4net/manual/configurat
|
| 32 |
CVE-2026-40023
Apache Log4cxx's XMLLayout https://logging.apache.org/log4cxx/1.7.0/classlog4cx
|
| 32 |
CVE-2026-2697
An Indirect Object Reference (IDOR) in Security Center allows an authenticated r
|
| 32 |
CVE-2026-34477
The fix for CVE-2025-68161 https://logging.apache.org/security.html#CVE-2025-68
|
| 32 |
CVE-2026-1200
A flaw was found in the rgaufman/live555 fork of live555. A remote attacker coul
|
| 32 |
CVE-2026-35656
OpenClaw before 2026.3.22 contains an authentication bypass vulnerability in the
|
| 32 |
CVE-2025-68552
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 32 |
CVE-2026-5724
The frontend gRPC server's streaming interceptor chain did not include the autho
|
| 32 |
CVE-2026-3739
A security flaw has been discovered in suitenumerique messages 0.2.0. This issue
|
| 32 |
CVE-2026-34525
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python.
|
| 32 |
CVE-2026-3965
A security vulnerability has been detected in whyour qinglong up to 2.20.1. Affe
|
| 32 |
CVE-2026-24125
Tina is a headless content management system. Prior to 2.1.2, TinaCMS allows use
|
| 32 |
CVE-2026-33751
n8n is an open source workflow automation platform. Prior to versions 1.123.27,
|
| 32 |
CVE-2026-39421
MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below co
|
| 32 |
CVE-2026-25118
immich is a high performance self-hosted photo and video management solution. Pr
|
| 32 |
CVE-2026-31999
OpenClaw versions 2026.2.26 prior to 2026.3.1 on Windows contain a current worki
|
| 32 |
CVE-2026-2536
A vulnerability was determined in opencc JFlow up to 20260129. This affects the
|
| 32 |
CVE-2026-1413
A vulnerability was found in Sangfor Operation and Maintenance Security Manageme
|
| 32 |
CVE-2026-39859
`liquidjs` 10.25.0 documents `root` as constraining filenames passed to `renderF
|
| 32 |
CVE-2026-35605
File Browser is a file managing interface for uploading, deleting, previewing, r
|
| 32 |
CVE-2026-3209
A vulnerability has been found in fosrl Pangolin up to 1.15.4-s.3. This affects
|
| 32 |
CVE-2026-2206
A security flaw has been discovered in WeKan up to 8.20. This vulnerability affe
|
| 32 |
CVE-2026-33580
OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the
|
| 32 |
CVE-2026-5302
CORS misconfiguration in CoolerControl/coolercontrold <4.0.0 allows unauthentica
|
| 32 |
CVE-2026-1895
A flaw has been found in WeKan up to 8.20. Affected is the function applyWipLimi
|
| 32 |
CVE-2026-2532
A vulnerability was detected in lintsinghua DeepAudit up to 3.0.3. This issue af
|
| 32 |
CVE-2026-1596
A flaw has been found in D-Link DWR-M961 1.1.47. This vulnerability affects the
|
| 32 |
CVE-2026-1977
A security vulnerability has been detected in isaacwasserman mcp-vegalite-server
|
| 32 |
CVE-2026-35646
OpenClaw before 2026.3.25 contains a pre-authentication rate-limit bypass vulner
|
| 32 |
CVE-2025-15325
Tanium addressed an improper input validation vulnerability in Discover.
|
| 32 |
CVE-2026-1896
A vulnerability has been found in WeKan up to 8.20. Affected by this vulnerabili
|
| 32 |
CVE-2026-3961
A vulnerability was determined in zyddnys manga-image-translator up to beta-0.3.
|
| 32 |
CVE-2026-4039
A vulnerability was determined in OpenClaw 2026.2.19-2. This vulnerability affec
|
| 32 |
CVE-2026-2930
A vulnerability was identified in Tenda A18 15.13.07.13. The affected element is
|
| 32 |
CVE-2026-28810
Generation of Predictable Numbers or Identifiers vulnerability in Erlang/OTP ker
|
| 32 |
CVE-2026-28809
XML External Entity (XXE) vulnerability in esaml (and its forks) allows an attac
|
| 32 |
CVE-2026-32128
FastGPT is an AI Agent building platform. In 4.14.7 and earlier, FastGPT's Pytho
|
| 32 |
CVE-2026-2665
A vulnerability was detected in huanzi-qch base-admin up to 57a8126bb3353a004f3c
|
| 32 |
CVE-2026-34508
OpenClaw before 2026.3.12 applies rate limiting only after webhook authenticatio
|
| 32 |
CVE-2026-5123
A weakness has been identified in osrg GoBGP up to 4.3.0. This impacts the funct
|
| 32 |
CVE-2026-6179
Stored Cross Site Scripting in NightWolf Penetration Testing Platform allows att
|
| 32 |
CVE-2026-29138
SEPPmail Secure Email Gateway before version 15.0.3 allows attackers with a spec
|
| 32 |
CVE-2026-35623
OpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in webh
|
| 32 |
CVE-2026-39841
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vu
|
| 32 |
CVE-2026-39837
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vu
|
| 32 |
CVE-2026-33994
## Summary
A prototype pollution vulnerability exists in the `parse_str` functi
|
| 32 |
CVE-2024-43181
IBM Concert 1.0.0 through 2.1.0 does not invalidate session after logout which c
|
| 32 |
CVE-2026-5022
The '/api/v1/files/images/{flow_id}/{file_name}' endpoint does not enforce any a
|
| 32 |
CVE-2025-60012
Malicious configuration can lead to unauthorized file access in Apache Livy.
Th
|
| 32 |
CVE-2026-5360
A vulnerability has been found in Free5GC 4.2.0. The affected element is an unkn
|
| 32 |
CVE-2026-5246
A vulnerability was determined in Cesanta Mongoose up to 7.20. Affected is the f
|
| 32 |
CVE-2026-33429
### Impact
An attacker can subscribe to LiveQuery with a `watch` parameter targ
|
| 32 |
CVE-2026-2954
A vulnerability was found in Dromara UJCMS 10.0.2. Impacted is the function impo
|
| 32 |
CVE-2025-36377
IBM Security QRadar EDR 3.12 through 3.12.23 does not invalidate session after a
|
| 32 |
CVE-2025-36376
IBM Security QRadar EDR 3.12 through 3.12.23 does not invalidate session after a
|
| 32 |
CVE-2026-39839
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vu
|
| 32 |
CVE-2026-4621
Hidden Functionality vulnerability in NEC Platforms, Ltd. Aterm Series allows a
|
| 32 |
CVE-2026-3955
A security vulnerability has been detected in elecV2P up to 3.8.3. Affected by t
|
| 32 |
CVE-2026-34451
Claude SDK for TypeScript provides access to the Claude API from server-side Typ
|
| 32 |
CVE-2026-3733
A vulnerability was detected in xuxueli xxl-job up to 3.3.2. This impacts an unk
|
| 32 |
CVE-2026-3977
A security vulnerability has been detected in projectsend up to r1945. The affec
|
| 32 |
CVE-2026-33347
### Impact
The `DomainFilteringAdapter` in the Embed extension is vulnerable to
|
| 32 |
CVE-2026-1592
Foxit PDF Editor Cloud (pdfonline) contains a stored cross-site scripting vulner
|
| 32 |
CVE-2026-1591
Foxit PDF Editor Cloud (pdfonline) contains a stored cross-site scripting vulner
|
| 32 |
CVE-2026-27481
Discourse is an open-source discussion platform. From versions 2026.1.0-latest t
|
| 32 |
CVE-2026-5460
A heap use-after-free exists in wolfSSL's TLS 1.3 post-quantum cryptography (PQC
|
| 32 |
CVE-2026-2209
A vulnerability was detected in WeKan up to 8.18. The affected element is the fu
|
| 32 |
CVE-2026-33458
Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to informa
|
| 32 |
CVE-2025-15612
Wazuh provisioning scripts and Dockerfiles contain an insecure transport vulnera
|
| 32 |
CVE-2026-3725
A flaw has been found in 1024-lab/lab1024 SmartAdmin up to 3.29. Affected by thi
|
| 32 |
CVE-2026-33074
Discourse is an open-source discussion platform. From versions 2026.1.0-latest t
|
| 32 |
CVE-2026-4309
Missing Authorization vulnerability in NEC Platforms, Ltd. Aterm Series allows a
|
| 32 |
CVE-2026-21629
The ajax component was excluded from the default logged-in-user check in the adm
|
| 32 |
CVE-2026-3697
A vulnerability was determined in Planet ICG-2510 1.0_20250811. The impacted ele
|
| 32 |
CVE-2026-29132
SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker with acce
|
| 32 |
CVE-2026-3967
A flaw has been found in Alfresco Activiti up to 7.19/8.8.0. Affected by this is
|
| 32 |
CVE-2026-3682
A security vulnerability has been detected in welovemedia FFmate up to 2.0.15. T
|
| 32 |
CVE-2026-3992
A weakness has been identified in CodeGenieApp serverless-express up to 4.17.1.
|
| 32 |
CVE-2026-3968
A vulnerability has been found in AutohomeCorp frostmourne up to 1.0. This affec
|
| 32 |
CVE-2026-32619
Discourse is an open-source discussion platform. From versions 2026.1.0-latest t
|
| 32 |
CVE-2025-27898
IBM DB2 Recovery Expert for LUW 5.5 Interim Fix 002 does not invalidate session
|
| 32 |
CVE-2026-2558
A flaw has been found in GeekAI up to 4.2.4. The affected element is the functio
|
| 32 |
CVE-2025-13688
IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 could allow an authentic
|
| 32 |
CVE-2025-13687
IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 could allow an authentic
|
| 32 |
CVE-2025-13686
IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 could allow an authentic
|
| 32 |
CVE-2026-28361
NocoDB is software for building databases as spreadsheets. Prior to version 0.30
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 738d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2305d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2118d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1732d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2235d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4983d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1203d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1005d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3760d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 907d |