Total CVEs
16355
last 90 days
Avg Priority
36.8
of max 220
KEV
39
actively exploited
POC
3336
public exploits
Unpatched
4722
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
194
CVE-2026-24061
telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for t
185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
184
CVE-2026-23760
SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability
180
CVE-2025-40551
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil
170
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
164
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
160
CVE-2025-40536
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
Priority Distribution
| Priority | CVE |
|---|---|
| 41 |
CVE-2025-13691
IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 returns sensitive inform
|
| 41 |
CVE-2025-70614
OpenCode Systems OC Messaging / USSD Gateway OC Release 6.32.2 contains a broken
|
| 41 |
CVE-2026-28678
DSA Study Hub is an interactive educational web application. Prior to commit d52
|
| 41 |
CVE-2026-24470
Skipper is an HTTP router and reverse proxy for service composition. Prior to ve
|
| 41 |
CVE-2026-26263
GLPI is a free asset and IT management software package. From 11.0.0 to before 1
|
| 41 |
CVE-2026-27732
WWBN AVideo is an open source video platform. Prior to version 22.0, the `aVideo
|
| 41 |
CVE-2026-33010
mcp-memory-service is an open-source memory backend for multi-agent systems. Pri
|
| 41 |
CVE-2026-26417
A broken access control vulnerability in the password reset functionality of Tat
|
| 41 |
CVE-2025-71056
Improper session management in GCOM EPON 1GE ONU version C00R371V00B01 allows at
|
| 41 |
CVE-2026-30844
Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 ar
|
| 41 |
CVE-2026-25767
LavinMQ is a high-performance message queue & streaming server. Before 2.6.8, an
|
| 41 |
CVE-2025-12805
A flaw was found in Red Hat OpenShift AI (RHOAI) llama-stack-operator. This vuln
|
| 41 |
CVE-2026-31898
### Impact
User control of arguments of the `createAnnotation` method allows us
|
| 41 |
CVE-2026-33043
### Summary
`/objects/phpsessionid.json.php` exposes the current PHP session ID
|
| 41 |
CVE-2026-22193
wpDiscuz before 7.6.47 contains an SQL injection vulnerability in the getAllSubs
|
| 41 |
CVE-2026-33316
### Summary
A flaw in Vikunja’s password reset logic allows disabled users to r
|
| 41 |
CVE-2026-33149
Tandoor Recipes is an application for managing recipes, planning meals, and buil
|
| 41 |
CVE-2026-29189
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (C
|
| 41 |
CVE-2026-38530
A Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadControll
|
| 41 |
CVE-2026-38532
A Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonControl
|
| 41 |
CVE-2026-24901
Outline is a service that allows for collaborative documentation. Prior to 1.4.0
|
| 41 |
CVE-2026-34581
### Summary
When using the `Share Token` it is possible to bypass the limited se
|
| 41 |
CVE-2026-32610
## Summary
The Glances REST API web server ships with a default CORS configurat
|
| 41 |
CVE-2026-28447
OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.1 contain a path traversal vu
|
| 41 |
CVE-2026-35045
Tandoor Recipes is an application for managing recipes, planning meals, and buil
|
| 41 |
CVE-2026-32300
# Security Advisory - My Page Profile Update (Improper Authorization)
## Summar
|
| 41 |
CVE-2026-33678
Vikunja is an open-source self-hosted task management platform. Prior to version
|
| 41 |
CVE-2026-32726
SciTokens C++ is a minimal library for creating and using SciTokens from C or C+
|
| 41 |
CVE-2026-31836
Checkmate is an open-source, self-hosted tool designed to track and monitor serv
|
| 41 |
CVE-2026-2626
The divi-booster WordPress plugin before 5.0.2 does not have authorization and C
|
| 41 |
CVE-2026-32716
SciTokens is a reference library for generating and using SciTokens. Prior to ve
|
| 41 |
CVE-2026-27608
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In ver
|
| 41 |
CVE-2026-34055
OpenEMR is a free and open source electronic health records and medical practice
|
| 41 |
CVE-2026-5373
An issue that allowed all-organization administrators to promote accounts to sup
|
| 41 |
CVE-2026-33142
The fix for GHSA-p5g2-jm85-8g35 (ClickHouse SQL injection via aggregate query pa
|
| 41 |
CVE-2026-39341
ChurchCRM is an open-source church management system. Prior to 7.1.0, The applic
|
| 41 |
CVE-2026-33651
WWBN AVideo is an open source video platform. In versions up to and including 26
|
| 41 |
CVE-2025-54550
The example example_xcom that was included in airflow documentation implemented
|
| 41 |
CVE-2026-29096
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (C
|
| 41 |
CVE-2026-39340
ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL inje
|
| 41 |
CVE-2026-27196
Statmatic is a Laravel and Git powered content management system (CMS). Versions
|
| 41 |
CVE-2026-3558
Philips Hue Bridge HomeKit Accessory Protocol Transient Pairing Mode Authenticat
|
| 41 |
CVE-2026-3559
Philips Hue Bridge HomeKit Accessory Protocol Static Nonce Authentication Bypass
|
| 41 |
CVE-2026-4636
A flaw was found in Keycloak. An authenticated user with the uma_protection role
|
| 41 |
CVE-2026-25357
Authentication Bypass Using an Alternate Path or Channel vulnerability in azzaro
|
| 41 |
CVE-2026-22510
Deserialization of Untrusted Data vulnerability in AncoraThemes Melody melodysch
|
| 41 |
CVE-2026-23971
Deserialization of Untrusted Data vulnerability in xtemos WoodMart woodmart allo
|
| 41 |
CVE-2026-22505
Deserialization of Untrusted Data vulnerability in AncoraThemes Morning Records
|
| 41 |
CVE-2026-27192
Feathersjs is a framework for creating web APIs and real-time applications with
|
| 41 |
CVE-2026-29187
OpenEMR is a free and open source electronic health records and medical practice
|
| 41 |
CVE-2025-62501
SSH Hostkey misconfiguration vulnerability in TP-Link Archer AX53 v1.0 (tmpserve
|
| 41 |
CVE-2025-65128
A missing authentication mechanism in the web management API components of Shenz
|
| 41 |
CVE-2026-5785
Zohocorp ManageEngine PAM360 versions before 8531 and ManageEngine Password Mana
|
| 41 |
CVE-2021-35486
A Cross-Site Request Forgery (CSRF) vulnerability in Nokia IMPACT through 19.11.
|
| 41 |
CVE-2025-14975
The Custom Login Page Customizer WordPress plugin before 2.5.4 does not have a p
|
| 41 |
CVE-2025-69621
An arbitrary file overwrite vulnerability in the file import process of Comic Bo
|
| 41 |
CVE-2025-13982
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Login Time Restriction
|
| 41 |
CVE-2026-30707
An issue was discovered in SpeedExam Online Examination System (SaaS) after v.FE
|
| 41 |
CVE-2025-14472
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Acquia Content Hub all
|
| 41 |
CVE-2026-30911
Apache Airflow versions 3.1.0 through 3.1.7 missing authorization vulnerability
|
| 41 |
CVE-2025-59541
Chamilo is a learning management system. Prior to version 1.11.34, a Cross-Site
|
| 41 |
CVE-2025-55046
MuraCMS through 10.1.10 contains a CSRF vulnerability that allows attackers to p
|
| 41 |
CVE-2026-28891
A race condition was addressed with additional validation. This issue is fixed i
|
| 41 |
CVE-2026-21989
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (comp
|
| 41 |
CVE-2026-40784
Authorization Bypass Through User-Controlled Key vulnerability in Mahmudul Hasan
|
| 41 |
CVE-2026-25334
Incorrect Privilege Assignment vulnerability in wordpresschef Salon Booking Syst
|
| 41 |
CVE-2025-69039
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 41 |
CVE-2026-32488
Incorrect Privilege Assignment vulnerability in wpeverest User Registration user
|
| 41 |
CVE-2026-22267
Dell PowerProtect Data Manager, version(s) prior to 19.22, contain(s) an Incorre
|
| 41 |
CVE-2026-24373
Incorrect Privilege Assignment vulnerability in Metagauss RegistrationMagic cust
|
| 41 |
CVE-2026-28817
A race condition was addressed with improved state handling. This issue is fixed
|
| 41 |
CVE-2026-34394
WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo
|
| 41 |
CVE-2026-39394
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
|
| 41 |
CVE-2026-22202
wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability that
|
| 41 |
CVE-2026-23750
Golioth Pouch version 0.1.0, prior to commit 1b2219a1, contains a heap-based buf
|
| 41 |
CVE-2026-32302
## Summary
In affected versions of `openclaw`, browser-originated WebSocket conn
|
| 41 |
CVE-2026-39393
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
|
| 41 |
CVE-2025-10856
Unrestricted Upload of File with Dangerous Type vulnerability in Solvera Softwar
|
| 41 |
CVE-2026-40200
An issue was discovered in musl libc 0.7.10 through 1.2.6. Stack-based memory co
|
| 41 |
CVE-2026-33649
WWBN AVideo is an open source video platform. In versions up to and including 26
|
| 41 |
CVE-2026-20990
Improper export of android application components in Secure Folder prior to SMR
|
| 41 |
CVE-2026-40070
BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.3.1 to before 0.8.2,
|
| 41 |
CVE-2026-25060
OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, certificate v
|
| 41 |
CVE-2026-3605
An authenticated user with access to a kvv2 path through a policy containing a g
|
| 41 |
CVE-2026-29067
ZITADEL is an open source identity management platform. From version 4.0.0-rc.1
|
| 41 |
CVE-2026-21721
The dashboard permissions API does not verify the target dashboard scope and onl
|
| 41 |
CVE-2026-1530
A flaw was found in fog-kubevirt. This vulnerability allows a remote attacker to
|
| 41 |
CVE-2025-68721
Axigen Mail Server before 10.5.57 contains an improper access control vulnerabil
|
| 41 |
CVE-2026-4478
A vulnerability was identified in Yi Technology YI Home Camera 2 2.1.1_201710241
|
| 41 |
CVE-2026-4434
Improper certificate validation in the PAM propagation WinRM connections
allows
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 738d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2306d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2118d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1732d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2235d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4983d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1204d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1005d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3760d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 907d |