Total CVEs
16355
last 90 days
Avg Priority
36.8
of max 220
KEV
39
actively exploited
POC
3336
public exploits
Unpatched
4722
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
194
CVE-2026-24061
telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for t
185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
184
CVE-2026-23760
SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability
180
CVE-2025-40551
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil
170
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
164
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
160
CVE-2025-40536
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
Priority Distribution
| Priority | CVE |
|---|---|
| 31 |
CVE-2025-46320
A cross-site scripting (XSS) vulnerability in a FileMaker WebDirect custom homep
|
| 31 |
CVE-2026-1696
Some HTTP security headers are not properly set by the web server when sending r
|
| 31 |
CVE-2026-2431
The CM Custom Reports plugin for WordPress is vulnerable to Reflected Cross-Site
|
| 31 |
CVE-2026-27142
Actions which insert URLs into the content attribute of HTML meta tags are not e
|
| 31 |
CVE-2026-2427
The itsukaita plugin for WordPress is vulnerable to Reflected Cross-Site Scripti
|
| 31 |
CVE-2026-4887
A flaw was found in GIMP. This issue is a heap buffer over-read in GIMP’s PCX fi
|
| 31 |
CVE-2025-66880
Cross Site Scripting vulnerability in Wethink Technology Inc 720yun pano-sdk 0.5
|
| 31 |
CVE-2026-1692
A missing origin validation in WebSockets vulnerability affects the GraphicalDat
|
| 31 |
CVE-2025-36019
IBM Concert 1.0.0 through 2.1.0 for Z hub framework is vulnerable to cross-site
|
| 31 |
CVE-2026-31262
Cross Site Scripting vulnerability in Altenar Sportsbook Software Platform (SB2)
|
| 31 |
CVE-2026-20170
A vulnerability in the Desktop Agent functionality of Cisco Webex Contact Center
|
| 31 |
CVE-2026-32034
OpenClaw versions prior to 2026.2.21 contain an authentication bypass vulnerabil
|
| 31 |
CVE-2026-4358
A specially crafted aggregation query with $lookup by an authenticated user with
|
| 31 |
CVE-2026-2987
The Simple Ajax Chat plugin for WordPress is vulnerable to Stored Cross-Site Scr
|
| 31 |
CVE-2026-33403
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level
|
| 31 |
CVE-2025-70797
Cross Site Scripting vulnerability in Limesurvey v.6.15.20+251021 allows a remot
|
| 31 |
CVE-2026-1780
The [CR]Paid Link Manager plugin for WordPress is vulnerable to Reflected Cross-
|
| 31 |
CVE-2026-5899
Insufficient policy enforcement in History Navigation in Google Chrome prior to
|
| 31 |
CVE-2026-27674
Due to a Code Injection vulnerability in SAP NetWeaver Application Server Java (
|
| 31 |
CVE-2026-24328
SAP TAF_APPLAUNCHER within Business Server Pages allows unauthenticated attacker
|
| 31 |
CVE-2026-31860
Unhead is a document head and template manager. Prior to 2.1.11, useHeadSafe() c
|
| 31 |
CVE-2026-4069
The Alfie - Feed Plugin plugin for WordPress is vulnerable to Stored Cross-Site
|
| 31 |
CVE-2025-67851
A flaw was found in moodle. This formula injection vulnerability occurs when dat
|
| 31 |
CVE-2026-35199
SymCrypt is the core cryptographic function library currently used by Windows. F
|
| 31 |
CVE-2026-24128
XWiki Platform is a generic wiki platform offering runtime services for applicat
|
| 31 |
CVE-2026-39315
Unhead is a document head and template manager. Prior to 2.1.13, useHeadSafe() i
|
| 31 |
CVE-2026-27740
Discourse is an open-source discussion platform. Versions prior to 2026.3.0-late
|
| 31 |
CVE-2026-1437
Reflected Cross-Site Scripting (XSS) vulnerability in the Graylog Web Interface
|
| 31 |
CVE-2026-33209
## Description
A reflected cross-site scripting (XSS) vulnerability exists in t
|
| 31 |
CVE-2026-27570
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-late
|
| 31 |
CVE-2026-33140
### Summary
PySpector versions `<= 0.1.6` are affected by a stored Cross-Site Sc
|
| 31 |
CVE-2026-2098
AgentFlow developed by Flowring has a Reflected Cross-site Scripting vulnerabili
|
| 31 |
CVE-2026-31859
Craft is a content management system (CMS). The fix for CVE-2025-35939 in craftc
|
| 31 |
CVE-2026-24348
Multiple cross-site scripting vulnerabilities in Admin UI of EZCast Pro II versi
|
| 31 |
CVE-2026-28499
### Summary
LeafKit HTML-escaping is not working correctly when a template print
|
| 31 |
CVE-2026-27502
SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnera
|
| 31 |
CVE-2026-25543
HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from c
|
| 31 |
CVE-2026-31868
Parse Server is an open source backend that can be deployed to any infrastructur
|
| 31 |
CVE-2026-27970
Angular is a development platform for building mobile and desktop web applicatio
|
| 31 |
CVE-2026-32088
Concurrent execution using shared resource with improper synchronization ('race
|
| 31 |
CVE-2026-23924
Zabbix Agent 2 Docker plugin does not properly sanitize the 'docker.container_in
|
| 31 |
CVE-2026-20149
A vulnerability in Cisco Webex could have allowed an unauthenticated, remote att
|
| 31 |
CVE-2026-32196
Improper neutralization of input during web page generation ('cross-site scripti
|
| 31 |
CVE-2026-1643
The MP-Ukagaka plugin for WordPress is vulnerable to Reflected Cross-Site Script
|
| 31 |
CVE-2026-1634
The Subitem AL Slider plugin for WordPress is vulnerable to Reflected Cross-Site
|
| 31 |
CVE-2026-35186
Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and
|
| 31 |
CVE-2026-27505
SVXportal version 2.5 and prior contain a stored cross-site scripting vulnerabil
|
| 31 |
CVE-2026-33296
### Summary
WWBN/AVideo contains an open redirect vulnerability in the login fl
|
| 31 |
CVE-2026-1654
The Peter's Date Countdown plugin for WordPress is vulnerable to Reflected Cross
|
| 31 |
CVE-2026-31819
Sylius is an Open Source eCommerce Framework on Symfony. CurrencySwitchControlle
|
| 31 |
CVE-2026-20116
A vulnerability in the web-based management interface of Cisco Finesse, Ci
|
| 31 |
CVE-2026-20117
A vulnerability in the web-based management interface of Cisco Unified Contact C
|
| 31 |
CVE-2026-20059
A vulnerability in the web-based management interface of Cisco Unity Connection
|
| 31 |
CVE-2026-1441
Reflected Cross-Site Scripting (XSS) vulnerability in the Graylog Web Interface
|
| 31 |
CVE-2026-1440
Reflected Cross-Site Scripting (XSS) vulnerability in the Graylog Web Interface
|
| 31 |
CVE-2026-1439
Reflected Cross-Site Scripting (XSS) vulnerability in the Graylog Web Interface
|
| 31 |
CVE-2026-1438
Reflected Cross-Site Scripting (XSS) vulnerability in the Graylog Web Interface
|
| 31 |
CVE-2026-2433
The RSS Aggregator - RSS Import, News Feeds, Feed to Post, and Autoblogging plug
|
| 31 |
CVE-2026-27512
Shenzhen Tenda F3 Wireless Router firmware V12.01.01.55_multi contains a content
|
| 31 |
CVE-2026-27504
SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnera
|
| 31 |
CVE-2026-34980
OpenPrinting CUPS is an open source printing system for Linux and other Unix-lik
|
| 31 |
CVE-2026-29052
The Calendar module for HumHub enables users to create one-time or recurring eve
|
| 31 |
CVE-2026-3455
Versions of the package mailparser before 3.9.3 are vulnerable to Cross-site Scr
|
| 31 |
CVE-2026-31822
Sylius is an Open Source eCommerce Framework on Symfony. A cross-site scripting
|
| 31 |
CVE-2025-7706
Missing Authentication for Critical Function vulnerability in TUBITAK BILGEM Sof
|
| 31 |
CVE-2026-0862
The Save as PDF Plugin by PDFCrowd plugin for WordPress is vulnerable to Reflect
|
| 31 |
CVE-2026-33885
### Impact
The external URL detection used for redirect validation on unauthenti
|
| 31 |
CVE-2026-27156
NiceGUI is a Python-based UI framework. Prior to version 3.8.0, several NiceGUI
|
| 31 |
CVE-2026-3825
IFTOP developed by WellChoose has a Reflected Cross-site Scripting vulnerability
|
| 31 |
CVE-2026-34257
Due to an Open Redirect vulnerability in SAP NetWeaver Application Server ABAP,
|
| 31 |
CVE-2026-35539
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exist
|
| 31 |
CVE-2026-22181
OpenClaw versions prior to 2026.3.2 contain a DNS pinning bypass vulnerability i
|
| 31 |
CVE-2026-30661
iCMS v8.0.0 contains a Cross-Site Scripting (XSS) vulnerability in the User Mana
|
| 31 |
CVE-2026-30838
league/commonmark is a PHP Markdown parser. Prior to version 2.8.1, the Disallow
|
| 31 |
CVE-2026-3343
A reflected cross-site scripting (XSS) vulnerability in the Fireware OS Web UI e
|
| 31 |
CVE-2026-27746
The SPIP jeux plugin versions prior to 4.1.1 contain a reflected cross-site scri
|
| 31 |
CVE-2026-1513
billboard.js before 3.18.0 allows an attacker to execute malicious JavaScript du
|
| 31 |
CVE-2026-0946
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripti
|
| 31 |
CVE-2026-24426
Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior contain an imprope
|
| 31 |
CVE-2025-69317
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 31 |
CVE-2025-69316
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 31 |
CVE-2025-69098
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 31 |
CVE-2025-67263
Abacre Retail Point of Sale 14.0.0.396 is affected by a stored cross-site script
|
| 31 |
CVE-2025-67824
The WorklogPRO - Jira Timesheets plugin in the Jira Data Center before 4.24.2-ji
|
| 31 |
CVE-2025-53240
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 31 |
CVE-2025-52762
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 31 |
CVE-2025-52746
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 31 |
CVE-2025-50006
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 31 |
CVE-2025-50005
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 31 |
CVE-2025-52564
Chamilo is a learning management system. Prior to version 1.11.30, the open para
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 738d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2306d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2118d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1732d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2235d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4983d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1204d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1005d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3760d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 907d |