| Metric | Value | Note |
|---|---|---|
| Total CVEs | 16329 | last 90 days |
| Avg Priority | 36.8 | of max 220 |
| KEV | 42 | actively exploited |
| POC | 3311 | public exploits |
| Unpatched | 4720 | CRIT/HIGH without patch |

How is Priority Score calculated?

Priority Score is a composite risk metric (0-220) that combines four real-world threat signals, summed as 50·[KEV] + 100·EPSS + 5·CVSS + 20·[POC]:

| Signal | Contribution | Meaning |
|---|---|---|
| KEV | +50 | CISA Known Exploited Vulnerability: confirmed active exploitation in the wild |
| EPSS | ×100 | Exploit Prediction Scoring System: probability of exploitation in the next 30 days (0-100) |
| CVSS | ×5 | Common Vulnerability Scoring System: technical severity (0-50) |
| POC | +20 | Public exploit code exists, which lowers the barrier for attackers |

Score bands:

| Score | Tier |
|---|---|
| 0-40 | Low |
| 40-80 | Medium |
| 80-120 | High |
| 120+ | Critical |

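The scoring above, worked through in code. This is an added example, not the dashboard's own implementation; it assumes EPSS is supplied as a probability in [0, 1] and treats the band boundaries as half-open (40 is Medium, 80 is High, 120 is Critical), and the sample CVE identifiers and signal values are constructed.

```python
# Added example (not the dashboard's own code): Priority Score (0-220) from the
# four signals the page lists, mapped to its tier bands, then ranked.
# Assumptions: EPSS is a probability in [0, 1]; band boundaries are half-open.
from dataclasses import dataclass

KEV_BONUS = 50      # CISA Known Exploited Vulnerability: +50
EPSS_WEIGHT = 100   # EPSS probability scaled to 0-100
CVSS_WEIGHT = 5     # CVSS base score (0-10) scaled to 0-50
POC_BONUS = 20      # public exploit code exists: +20
MAX_SCORE = KEV_BONUS + EPSS_WEIGHT + 10 * CVSS_WEIGHT + POC_BONUS  # 220

TIERS = [(40, "Low"), (80, "Medium"), (120, "High")]  # score below bound -> tier


@dataclass(frozen=True)
class Signals:
    cve: str
    cvss: float          # 0.0-10.0
    epss: float          # 0.0-1.0
    kev: bool = False
    poc: bool = False


def priority_score(s: Signals) -> float:
    """Composite score: 50*[KEV] + 100*EPSS + 5*CVSS + 20*[POC]."""
    if not 0.0 <= s.cvss <= 10.0 or not 0.0 <= s.epss <= 1.0:
        raise ValueError(f"{s.cve}: CVSS must be 0-10 and EPSS 0-1")
    score = EPSS_WEIGHT * s.epss + CVSS_WEIGHT * s.cvss
    score += KEV_BONUS if s.kev else 0
    score += POC_BONUS if s.poc else 0
    return round(score, 1)


def tier(score: float) -> str:
    for bound, name in TIERS:
        if score < bound:
            return name
    return "Critical"


def rank(signals: list[Signals]) -> list[tuple[str, float, str]]:
    """Highest score first: the 'Patch Now' ordering falls out of a sort."""
    scored = [(s.cve, priority_score(s), tier(priority_score(s))) for s in signals]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample input (not dashboard data): same CVSS, different threat signals.
SAMPLE = [
    Signals("CVE-0000-0001", cvss=9.8, epss=0.02),                      # severity only
    Signals("CVE-0000-0002", cvss=9.8, epss=0.02, poc=True),            # plus public PoC
    Signals("CVE-0000-0003", cvss=9.8, epss=0.94, kev=True, poc=True),  # exploited in the wild
]

if __name__ == "__main__":
    for cve, score, name in rank(SAMPLE):
        print(f"{cve}  {score:6.1f}  {name}")
```

Note that an identical CVSS 9.8 lands in Medium without threat signals and in Critical with them, which is the point of weighting KEV and EPSS above raw severity.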
Patch Now — Known Exploited Vulnerabilities

| Priority | CVE | Description |
|---|---|---|
| 194 | CVE-2026-24061 | telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for t |
| 185 | CVE-2026-1731 | BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain |
| 184 | CVE-2026-23760 | SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability |
| 180 | CVE-2025-40551 | SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil |
| 170 | CVE-2026-1340 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem |
| 164 | CVE-2026-1281 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem |
| 160 | CVE-2025-40536 | SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that |
| 141 | CVE-2026-20131 | A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM |
| 137 | CVE-2026-1603 | An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen |
| 134 | CVE-2026-22769 | Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia |

Priority Distribution

| Priority | CVE | Description |
|---|---|---|
| 47 | CVE-2020-36988 | PDW File Browser version 1.3 contains stored and reflected cross-site scripting |
| 47 | CVE-2026-25573 | A vulnerability has been identified in SICAM SIAPP SDK (All versions < V2.1.7). |
| 47 | CVE-2026-30520 | A Blind SQL Injection vulnerability exists in SourceCodester Loan Management Sys |
| 47 | CVE-2025-9208 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site |
| 47 | CVE-2026-26059 | ChurchCRM is an open-source church management system. In versions prior to 6.8.2 |
| 47 | CVE-2026-29175 | Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Stored XS |
| 47 | CVE-2025-13672 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site |
| 47 | CVE-2026-37338 | SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Inj |
| 47 | CVE-2026-39342 | ChurchCRM is an open-source church management system. Prior to 7.1.0, the search |
| 47 | CVE-2026-26188 | Solspace Freeform plugin for Craft CMS 5.x is a super flexible form-building too |
| 47 | CVE-2026-2298 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection |
| 47 | CVE-2019-25367 | ArangoDB Community Edition 3.4.2-1 contains multiple cross-site scripting vulner |
| 47 | CVE-2026-27621 | TypiCMS is a multilingual content management system based on the Laravel framewo |
| 47 | CVE-2021-47817 | OpenEMR 5.0.2.1 contains a cross-site scripting vulnerability that allows authen |
| 47 | CVE-2026-21866 | Dify is an open-source LLM app development platform. Prior to 1.11.2, Dify is vu |
| 47 | CVE-2026-27742 | Bludit version 3.16.2 contains a stored cross-site scripting (XSS) vulnerability |
| 47 | CVE-2026-24476 | Shaarli is a personal bookmarking service. Prior to version 0.16.0, crafting a m |
| 47 | CVE-2025-15573 | The affected devices do not validate the server certificate when connecting to t |
| 47 | CVE-2026-32895 | OpenClaw versions prior to 2026.2.26 fail to enforce sender authorization in mem |
| 47 | CVE-2019-25390 | Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple reflected cros |
| 47 | CVE-2025-15611 | The Popup Box WordPress plugin before 5.5.0 does not properly validate nonces i |
| 47 | CVE-2026-33740 | EspoCRM is an open source customer relationship management application. In versi |
| 47 | CVE-2026-30527 | A Stored Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Onlin |
| 47 | CVE-2025-15445 | The Restaurant Cafeteria WordPress theme through 0.4.6 exposes insecure admin-aj |
| 47 | CVE-2025-66630 | Fiber is an Express inspired web framework written in Go. Before 2.52.11, on Go |
| 47 | CVE-2026-2109 | A vulnerability was identified in jsbroks COCO Annotator up to 0.11.1. Affected |
| 47 | CVE-2026-2973 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 |
| 47 | CVE-2025-52025 | An SQL Injection vulnerability exists in the GetServiceByRestaurantID endpoint o |
| 47 | CVE-2019-25368 | OPNsense 19.1 contains multiple cross-site scripting vulnerabilities in the diag |
| 47 | CVE-2026-25569 | A vulnerability has been identified in SICAM SIAPP SDK (All versions < V2.1.7). |
| 47 | CVE-2026-25570 | A vulnerability has been identified in SICAM SIAPP SDK (All versions < V2.1.7). |
| 47 | CVE-2025-70960 | A stored cross-site scripting (XSS) vulnerability in the Forums module of Tenden |
| 47 | CVE-2025-70959 | A stored cross-site scripting (XSS) vulnerability in the Jobs module of Tendenci |
| 47 | CVE-2020-37044 | OpenCTI 3.3.1 is vulnerable to a reflected cross-site scripting (XSS) attack via |
| 47 | CVE-2026-24043 | jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control |
| 47 | CVE-2026-23476 | FacturaScripts is open-source enterprise resource planning and accounting softwa |
| 47 | CVE-2026-25483 | Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC |
| 47 | CVE-2026-25581 | SCEditor is a lightweight WYSIWYG BBCode and XHTML editor. Prior to 3.2.1, if an |
| 47 | CVE-2026-33026 | Summary: The `nginx-ui` backup restore mechanism allows attackers to tamper wi |
| 47 | CVE-2026-24034 | Horilla is a free and open source Human Resource Management System (HRMS). In ve |
| 47 | CVE-2025-71177 | LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scr |
| 47 | CVE-2026-1337 | Insufficient escaping of unicode characters in query log in Neo4j Enterprise and |
| 47 | CVE-2025-70368 | Worklenz version 2.1.5 contains a Stored Cross-Site Scripting (XSS) vulnerabilit |
| 47 | CVE-2026-29177 | Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3 |
| 47 | CVE-2026-26997 | ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 # |
| 47 | CVE-2026-35178 | Workbench is a suite of tools for administrators and developers to interact with |
| 47 | CVE-2019-25377 | OPNsense 19.1 contains a reflected cross-site scripting vulnerability in the sys |
| 47 | CVE-2025-69207 | Khoj is a self-hostable artificial intelligence app. Prior to 2.0.0-beta.23, an |
| 47 | CVE-2026-33701 | In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoin |
| 47 | CVE-2026-5532 | A vulnerability was found in ScrapeGraphAI scrapegraph-ai up to 1.74.0. The affe |
| 47 | CVE-2026-35002 | Agno versions prior to 2.3.24 contain an arbitrary code execution vulnerability |
| 47 | CVE-2026-30869 | SiYuan is a personal knowledge management system. Prior to 3.5.10, a path traver |
| 47 | CVE-2026-35047 | Brave CMS is an open-source CMS. Prior to 2.0.6, an Unrestricted File Upload vul |
| 47 | CVE-2026-4809 | plank/laravel-mediable through version 6.4.0 can allow upload of a dangerous fil |
| 47 | CVE-2026-25858 | macrozheng mall version 1.0.3 and prior contains an authentication vulnerability |
| 47 | CVE-2026-4681 | A critical remote code execution (RCE) vulnerability has been reported in PTC Wi |
| 47 | CVE-2026-22898 | A missing authentication for critical function vulnerability has been reported t |
| 47 | CVE-2026-32985 | Xerte Online Toolkits versions 3.14 and earlier contain an unauthenticated arbit |
| 47 | CVE-2026-4810 | A Code Injection and Missing Authentication vulnerability in Google Agent Develo |
| 47 | CVE-2026-21902 | An Incorrect Permission Assignment for Critical Resource vulnerability in the On |
| 47 | CVE-2017-20224 | Telesquare SKT LTE Router SDT-CS3B1 version 1.2.0 contains an arbitrary file upl |
| 47 | CVE-2026-22207 | OpenViking through version 0.1.18, prior to commit 0251c70, contains a broken ac |
| 47 | CVE-2026-6108 | A vulnerability was found in 1Panel-dev MaxKB up to 2.6.1. The affected element |
| 47 | CVE-2026-4199 | A vulnerability was identified in bazinga012 mcp_code_executor up to 0.3.0. Affe |
| 47 | CVE-2026-4496 | A vulnerability was found in sigmade Git-MCP-Server up to 785aa159f262a02d5791a5 |
| 47 | CVE-2025-12462 | A Blind SQL injection vulnerability has been identified in DobryCMS. A remote un |
| 47 | CVE-2026-34078 | Flatpak is a Linux application sandboxing and distribution framework. Prior to 1 |
| 47 | CVE-2026-34424 | Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla contains a multi-st |
| 47 | CVE-2026-24307 | Improper validation of specified type of input in M365 Copilot allows an unautho |
| 47 | CVE-2026-40044 | Pachno 1.0.6 contains a deserialization vulnerability that allows unauthenticate |
| 47 | CVE-2026-35033 | Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 c |
| 47 | CVE-2026-1684 | A vulnerability was found in Free5GC SMF up to 4.1.0. Affected by this issue is |
| 47 | CVE-2026-40189 | goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces |
| 47 | CVE-2026-1587 | A vulnerability has been found in Open5GS up to 2.7.6. The affected element is t |
| 47 | CVE-2026-1586 | A flaw has been found in Open5GS up to 2.7.5. Impacted is the function ogs_gtp2_ |
| 47 | CVE-2026-2062 | A vulnerability was identified in Open5GS up to 2.7.6. This affects the function |
| 47 | CVE-2026-33439 | Summary: OpenIdentityPlatform OpenAM 16.0.5 (and likely earlier versions) is |
| 47 | CVE-2026-40035 | dfir-unfurl through 20250810 contains an improper input validation vulnerability |
| 47 | CVE-2026-27243 | Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cro |
| 47 | CVE-2026-27245 | Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cro |
| 47 | CVE-2026-27246 | Adobe Connect versions 2025.3, 12.10 and earlier are affected by a DOM-based Cro |
| 47 | CVE-2026-34977 | Aperi'Solve is an open-source steganalysis web platform. Prior to 3.2.1, when up |
| 47 | CVE-2026-1521 | A security flaw has been discovered in Open5GS up to 2.7.6. This affects the fun |
| 47 | CVE-2026-30849 | Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions prior to |
| 47 | CVE-2026-1738 | A flaw has been found in Open5GS up to 2.7.6. The impacted element is the functi |
| 47 | CVE-2026-1737 | A vulnerability was detected in Open5GS up to 2.7.6. The affected element is the |
| 47 | CVE-2025-71279 | XenForo before 2.3.7 contains a security issue affecting Passkeys that have been |
| 47 | CVE-2026-1976 | A weakness has been identified in Free5GC up to 4.1.0. Affected is the function |
| 47 | CVE-2026-1975 | A security flaw has been discovered in Free5GC up to 4.1.0. This impacts the fun |
| 47 | CVE-2026-1973 | A vulnerability was determined in Free5GC up to 4.1.0. The impacted element is t |

Oldest Unpatched Critical/High CVEs

| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 738d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2306d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2119d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1733d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2236d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4983d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1204d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1006d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3760d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 908d |