| Metric | Value | Note |
|---|---|---|
| Total CVEs | 16242 | last 90 days |
| Avg Priority | 36.7 | of max 220 |
| KEV | 39 | actively exploited |
| POC | 3310 | public exploits |
| Unpatched | 4684 | CRIT/HIGH without patch |
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:

| Signal | Contribution | Meaning |
|---|---|---|
| KEV | +50 | CISA Known Exploited Vulnerability — confirmed active exploitation in the wild |
| EPSS | x100 | Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100) |
| CVSS | x5 | Common Vulnerability Scoring System — technical severity (0-50) |
| POC | +20 | Public exploit code exists — lowers barrier for attackers |

| Score | Band |
|---|---|
| 0-40 | Low |
| 40-80 | Medium |
| 80-120 | High |
| 120+ | Critical |
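The following is an added worked example of the published formula, not the dashboard's own code. It takes the four weights (KEV +50, EPSS x100, CVSS x5, POC +20) and the four bands from the text above; the lower-inclusive band boundaries, the input validation and the sample records (constructed, with placeholder CVE ids) are assumptions. It shows why a KEV entry with a middling CVSS can outrank a CVSS 9.8 finding that has no exploitation signal, which is the point of a composite score.

```python
"""Priority Score triage following the four-signal formula published on the page.

Added example, not the dashboard's own code. Weights and bands come from the page;
band-boundary handling, validation and the sample data are assumptions.
"""
from dataclasses import dataclass

KEV_BONUS = 50      # CISA Known Exploited Vulnerability
EPSS_WEIGHT = 100   # EPSS probability (0..1) scaled to 0..100
CVSS_WEIGHT = 5     # CVSS base score (0..10) scaled to 0..50
POC_BONUS = 20      # public exploit code exists
MAX_SCORE = KEV_BONUS + EPSS_WEIGHT + 10 * CVSS_WEIGHT + POC_BONUS  # 220, as stated


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    cvss: float   # 0.0 .. 10.0
    epss: float   # 0.0 .. 1.0, probability of exploitation in the next 30 days
    kev: bool     # listed in the CISA KEV catalogue
    poc: bool     # public exploit code exists


def priority_score(rec: CveRecord) -> float:
    """Composite 0..220 score per the page's formula; rejects out-of-range inputs."""
    if not 0.0 <= rec.cvss <= 10.0:
        raise ValueError(f"{rec.cve_id}: CVSS must be within 0..10, got {rec.cvss}")
    if not 0.0 <= rec.epss <= 1.0:
        raise ValueError(f"{rec.cve_id}: EPSS must be a probability 0..1, got {rec.epss}")
    score = rec.epss * EPSS_WEIGHT + rec.cvss * CVSS_WEIGHT
    if rec.kev:
        score += KEV_BONUS
    if rec.poc:
        score += POC_BONUS
    return round(score, 1)


def priority_band(score: float) -> str:
    """Map a score to the page's bands. Assumption: lower bound is inclusive."""
    if score < 40:
        return "Low"
    if score < 80:
        return "Medium"
    if score < 120:
        return "High"
    return "Critical"


def triage(records: list[CveRecord]) -> list[tuple[str, float, str]]:
    """Return (cve_id, score, band), highest priority first."""
    scored = []
    for rec in records:
        score = priority_score(rec)
        scored.append((rec.cve_id, score, priority_band(score)))
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample records with placeholder ids; not real CVE data.
SAMPLE = [
    CveRecord("CVE-EXAMPLE-HIGHCVSS", cvss=9.8, epss=0.02, kev=False, poc=False),
    CveRecord("CVE-EXAMPLE-KEV", cvss=7.5, epss=0.90, kev=True, poc=True),
    CveRecord("CVE-EXAMPLE-LOW", cvss=5.3, epss=0.001, kev=False, poc=False),
    CveRecord("CVE-EXAMPLE-POC", cvss=8.8, epss=0.40, kev=False, poc=True),
]

if __name__ == "__main__":
    for cve_id, score, band in triage(SAMPLE):
        print(f"{cve_id:24} {score:6.1f}  {band}")
```

With these inputs the KEV record scores 197.5 (Critical) while the CVSS 9.8 record with no exploitation evidence lands at 51.0 (Medium), so severity alone would have ordered the patch queue the wrong way round. Note that the tables further down this page show scores of 222-224, above the stated ceiling of 220, so the live dashboard evidently adds something beyond the four terms listed; the example above implements only the published formula.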
Patch Now — Known Exploited Vulnerabilities
| Priority | CVE | Description |
|---|---|---|
| 194 | CVE-2026-24061 | telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for t |
| 185 | CVE-2026-1731 | BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain |
| 184 | CVE-2026-23760 | SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability |
| 180 | CVE-2025-40551 | SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil |
| 170 | CVE-2026-1340 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem |
| 164 | CVE-2026-1281 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem |
| 160 | CVE-2025-40536 | SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that |
| 141 | CVE-2026-20131 | A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM |
| 137 | CVE-2026-1603 | An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen |
| 134 | CVE-2026-22769 | Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia |
Priority Distribution
| Priority | CVE | Description |
|---|---|---|
| 47 | CVE-2026-32922 | OpenClaw before 2026.3.11 contains a privilege escalation vulnerability in devic |
| 47 | CVE-2025-67491 | OpenEMR is a free and open source electronic health records and medical practice |
| 47 | CVE-2026-2953 | A vulnerability has been found in Dromara UJCMS 101.2. This issue affects the fu |
| 47 | CVE-2026-33758 | Impact: OpenBao installations that have an OIDC/JWT authentication method en |
| 47 | CVE-2026-27028 | WebSocket endpoints lack proper authentication mechanisms, enabling attackers t |
| 47 | CVE-2026-22552 | WebSocket endpoints lack proper authentication mechanisms, enabling attackers to |
| 47 | CVE-2026-26051 | WebSocket endpoints lack proper authentication mechanisms, enabling attackers to |
| 47 | CVE-2026-26953 | Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level |
| 47 | CVE-2026-24127 | Typemill is a flat-file, Markdown-based CMS designed for informational documenta |
| 47 | CVE-2026-40173 | Dgraph is an open source distributed GraphQL database. Versions 25.3.1 and prior |
| 47 | CVE-2026-24042 | Appsmith is a platform to build admin panels, internal tools, and dashboards. In |
| 47 | CVE-2025-70833 | An Authentication Bypass vulnerability in Smanga 3.2.7 allows an unauthenticated |
| 47 | CVE-2026-27767 | WebSocket endpoints lack proper authentication mechanisms, enabling attackers t |
| 47 | CVE-2026-24731 | WebSocket endpoints lack proper authentication mechanisms, enabling attackers t |
| 47 | CVE-2026-20781 | WebSocket endpoints lack proper authentication mechanisms, enabling attackers t |
| 47 | CVE-2026-25851 | WebSocket endpoints lack proper authentication mechanisms, enabling attackers t |
| 47 | CVE-2026-27772 | WebSocket endpoints lack proper authentication mechanisms, enabling attackers t |
| 47 | CVE-2026-34406 | APTRS (Automated Penetration Testing Reporting System) is a Python and Django-ba |
| 47 | CVE-2026-26980 | Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 all |
| 47 | CVE-2025-54816 | This vulnerability occurs when a WebSocket endpoint does not enforce proper aut |
| 47 | CVE-2026-26288 | WebSocket endpoints lack proper authentication mechanisms, enabling attackers to |
| 47 | CVE-2019-25312 | InoERP 0.7.2 contains a persistent cross-site scripting vulnerability in the com |
| 47 | CVE-2026-33716 | WWBN AVideo is an open source video platform. In versions up to and including 26 |
| 47 | CVE-2025-15582 | A security flaw has been discovered in detronetdip E-commerce 1.0.0. The impacte |
| 47 | CVE-2026-33728 | In versions of dd-trace-java prior to 1.60.3, the RMI instrumentation registered |
| 47 | CVE-2026-3199 | A vulnerability in the task management component of Sonatype Nexus Repository ve |
| 47 | CVE-2021-47870 | GetSimple CMS My SMTP Contact Plugin 1.1.2 suffers from a Stored Cross-Site Scri |
| 47 | CVE-2026-40157 | PraisonAI is a multi-agent teams system. Prior to 4.5.128, cmd_unpack in the rec |
| 47 | CVE-2025-4319 | Improper Restriction of Excessive Authentication Attempts, Weak Password Recover |
| 47 | CVE-2026-33707 | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, th |
| 47 | CVE-2026-30224 | OliveTin gives access to predefined shell commands from a web interface. Prior t |
| 47 | CVE-2026-35030 | Impact: When JWT authentication is enabled (`enable_jwt_auth: true`), the O |
| 47 | CVE-2026-2551 | A vulnerability was determined in ZenTao up to 21.7.8. Affected by this vulnerab |
| 47 | CVE-2025-68018 | Missing Authorization vulnerability in ilmosys Order Listener for WooCommerce wo |
| 47 | CVE-2020-36993 | LimeSurvey 4.3.10 contains a stored cross-site scripting vulnerability in the Su |
| 47 | CVE-2025-8668 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site |
| 47 | CVE-2026-23887 | Group-Office is an enterprise customer relationship management and groupware too |
| 47 | CVE-2026-23960 | Argo Workflows is an open source container-native workflow engine for orchestrat |
| 47 | CVE-2026-26377 | Cross Site Scripting vulnerability in Koha 25.11 and before allows a remote atta |
| 47 | CVE-2019-25400 | IPFire 2.21 Core Update 127 contains multiple reflected cross-site scripting vul |
| 47 | CVE-2026-33950 | Signal K Server is a server application that runs on a central hub in a boat. Pr |
| 47 | CVE-2026-2957 | A weakness has been identified in qinming99 dst-admin up to 1.5.0. This impacts |
| 47 | CVE-2025-52024 | A vulnerability exists in the Aptsys POS Platform Web Services module thru 2025- |
| 47 | CVE-2026-34989 | Summary: Vulnerability 1: Stored DOM XSS via Profile Name Update (Persis |
| 47 | CVE-2025-57681 | The WorklogPRO - Timesheets for Jira plugin in Jira Data Center before version 4 |
| 47 | CVE-2025-70458 | A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the DomainChecker |
| 47 | CVE-2026-33114 | Untrusted pointer dereference in Microsoft Office Word allows an unauthorized at |
| 47 | CVE-2026-32190 | Use after free in Microsoft Office allows an unauthorized attacker to execute co |
| 47 | CVE-2026-2849 | A vulnerability has been found in yeqifu warehouse up to aaf29962ba407d22d991781 |
| 47 | CVE-2026-33115 | Use after free in Microsoft Office Word allows an unauthorized attacker to execu |
| 47 | CVE-2026-3761 | A flaw has been found in SourceCodester Client Database Management System 1.0. T |
| 47 | CVE-2026-4739 | Integer Overflow or Wraparound vulnerability in InsightSoftwareConsortium ITK ( |
| 47 | CVE-2026-4734 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerab |
| 47 | CVE-2026-4738 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerab |
| 47 | CVE-2026-4404 | Use of hard coded credentials in GoHarbor Harbor version 2.15.0 and below, allow |
| 47 | CVE-2025-69614 | Incorrect Access Control via activation token reuse on the password-reset endpoi |
| 47 | CVE-2025-70296 | A stored HTML injection vulnerability in the Recipe Notes rendering component in |
| 47 | CVE-2026-23630 | Docmost is open-source collaborative wiki and documentation software. In version |
| 47 | CVE-2026-3268 | A vulnerability was detected in psi-probe PSI Probe up to 5.3.0. The affected el |
| 47 | CVE-2026-39397 | @delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual |
| 47 | CVE-2026-1709 | A flaw was found in Keylime. The Keylime registrar, since version 7.12.0, does n |
| 47 | CVE-2026-28806 | Improper Authorization vulnerability in nerves-hub nerves_hub_web allows cross-o |
| 47 | CVE-2026-25889 | File Browser provides a file managing interface within a specified directory and |
| 47 | CVE-2026-32898 | OpenClaw versions prior to 2026.2.23 contain an authorization bypass vulnerabili |
| 47 | CVE-2026-32978 | OpenClaw before 2026.3.11 contains an approval integrity vulnerability where sys |
| 47 | CVE-2026-24855 | ChurchCRM is an open-source church management system. Versions prior to 6.7.2 ha |
| 47 | CVE-2026-25500 | Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, a |
| 47 | CVE-2026-24903 | OrcaStatLLM Researcher is an LLM Based Research Paper Generator. A Stored Cross- |
| 47 | CVE-2026-27147 | GetSimple CMS is a content management system. All versions of GetSimple CMS are |
| 47 | CVE-2026-27458 | LinkAce is a self-hosted archive to collect website links. Versions 2.4.2 and be |
| 47 | CVE-2020-36988 | PDW File Browser version 1.3 contains stored and reflected cross-site scripting |
| 47 | CVE-2026-25573 | A vulnerability has been identified in SICAM SIAPP SDK (All versions < V2.1.7). |
| 47 | CVE-2026-30520 | A Blind SQL Injection vulnerability exists in SourceCodester Loan Management Sys |
| 47 | CVE-2025-9208 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site |
| 47 | CVE-2026-26188 | Solspace Freeform plugin for Craft CMS 5.x is a super flexible form-building too |
| 47 | CVE-2026-39342 | ChurchCRM is an open-source church management system. Prior to 7.1.0, the search |
| 47 | CVE-2025-13672 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site |
| 47 | CVE-2026-37338 | SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Inj |
| 47 | CVE-2026-29175 | Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Stored XS |
| 47 | CVE-2026-26059 | ChurchCRM is an open-source church management system. In versions prior to 6.8.2 |
| 47 | CVE-2026-2298 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection |
| 47 | CVE-2019-25367 | ArangoDB Community Edition 3.4.2-1 contains multiple cross-site scripting vulner |
| 47 | CVE-2026-27621 | TypiCMS is a multilingual content management system based on the Laravel framewo |
| 47 | CVE-2021-47817 | OpenEMR 5.0.2.1 contains a cross-site scripting vulnerability that allows authen |
| 47 | CVE-2026-21866 | Dify is an open-source LLM app development platform. Prior to 1.11.2, Dify is vu |
| 47 | CVE-2026-27742 | Bludit version 3.16.2 contains a stored cross-site scripting (XSS) vulnerability |
| 47 | CVE-2026-24476 | Shaarli is a personal bookmarking service. Prior to version 0.16.0, crafting a m |
| 47 | CVE-2025-15573 | The affected devices do not validate the server certificate when connecting to t |
| 47 | CVE-2019-25390 | Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple reflected cros |
| 47 | CVE-2026-32895 | OpenClaw versions prior to 2026.2.26 fail to enforce sender authorization in mem |
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 738d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2306d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2119d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1733d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2236d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4983d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1204d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1006d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3760d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 908d |