Total CVEs
16289
last 90 days
Avg Priority
36.8
of max 220
KEV
39
actively exploited
POC
3309
public exploits
Unpatched
4713
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
194
CVE-2026-24061
telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for t
185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
184
CVE-2026-23760
SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability
180
CVE-2025-40551
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil
170
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
164
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
160
CVE-2025-40536
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
Priority Distribution
| Priority | CVE |
|---|---|
| 31 |
CVE-2025-52475
Chamilo is a learning management system. Prior to version 1.11.30, there is a re
|
| 31 |
CVE-2026-21664
HackerOne community member Huynh Pham Thanh Luc (nigh7c0r3) has reported a refle
|
| 31 |
CVE-2026-21663
HackerOne community member Patrick Lang (7yr) has reported a reflected XSS vulne
|
| 31 |
CVE-2026-27901
Svelte performance oriented web framework. Prior to version 5.53.5, the contents
|
| 31 |
CVE-2025-62326
HCL Digital Experience is susceptible to stored cross-site scripting (XSS) in th
|
| 31 |
CVE-2026-21642
HackerOne community member Patrick Lang (7yr) has reported a reflected XSS vulne
|
| 31 |
CVE-2026-1164
The Easy Voice Mail plugin for WordPress is vulnerable to Stored Cross-Site Scri
|
| 31 |
CVE-2025-70037
An issue pertaining to CWE-601: URL Redirection to Untrusted Site was discovered
|
| 31 |
CVE-2025-70845
lty628 aidigu v1.9.1 is vulnerable to Cross Site Scripting (XSS) exists in the /
|
| 31 |
CVE-2026-33933
OpenEMR is a free and open source electronic health records and medical practice
|
| 31 |
CVE-2025-15599
DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scrip
|
| 31 |
CVE-2026-27756
SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a reflected c
|
| 31 |
CVE-2026-1434
Omega-PSIR is vulnerable to Reflected XSS via the lang parameter. An attacker ca
|
| 31 |
CVE-2025-66596
A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corpo
|
| 31 |
CVE-2026-27736
BigBlueButton is an open-source virtual classroom. In versions on the 3.x branch
|
| 31 |
CVE-2026-27503
SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnera
|
| 31 |
CVE-2025-67438
A Stored Cross-Site Scripting (XSS) vulnerability in Sync-in Server before 1.9.3
|
| 31 |
CVE-2026-1877
The Auto Post Scheduler plugin for WordPress is vulnerable to Cross-Site Request
|
| 31 |
CVE-2025-15562
The server API endpoint /report/internet/urls reflects received data into the HT
|
| 31 |
CVE-2026-2736
Reflected Cross-site Scripting (XSS) in Alkacon's OpenCms v18.0, which allows an
|
| 31 |
CVE-2025-6024
The authentication endpoint fails to encode user-supplied input before rendering
|
| 31 |
CVE-2026-39336
ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored c
|
| 31 |
CVE-2026-28297
SolarWinds Observability Self-Hosted was found to be affected by a stored cross-
|
| 31 |
CVE-2026-27154
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 20
|
| 31 |
CVE-2026-21961
Vulnerability in the PeopleSoft Enterprise HCM Human Resources product of Oracle
|
| 31 |
CVE-2026-39335
ChurchCRM is an open-source church management system. Prior to 7.1.1, there is S
|
| 31 |
CVE-2026-27568
WWBN AVideo is an open source video platform. Prior to version 21.0, AVideo allo
|
| 31 |
CVE-2026-34729
### Summary
The sanitization pipeline for FAQ content is:
1. `Filter::filterVar(
|
| 31 |
CVE-2026-27474
SPIP before 4.4.9 allows Cross-Site Scripting (XSS) in the private area, complem
|
| 31 |
CVE-2026-26223
SPIP before 4.4.8 allows cross-site scripting (XSS) in the private area via mali
|
| 31 |
CVE-2025-71241
SPIP before 4.3.6, 4.2.17, and 4.1.20 allows Cross-Site Scripting (XSS) in the p
|
| 31 |
CVE-2026-22183
wpDiscuz before 7.6.47 contains a stored cross-site scripting vulnerability in t
|
| 31 |
CVE-2025-45806
A cross-site scripting (XSS) vulnerability in rrweb-snapshot before v2.0.0-alpha
|
| 31 |
CVE-2026-3217
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripti
|
| 31 |
CVE-2026-22192
wpDiscuz before 7.6.47 contains a stored cross-site scripting vulnerability that
|
| 31 |
CVE-2026-1296
The Frontend Post Submission Manager Lite plugin for WordPress is vulnerable to
|
| 31 |
CVE-2026-30082
Multiple stored cross-site scripting (XSS) vulnerabilities in the Edit feature o
|
| 31 |
CVE-2025-59905
Cross-Site Scripting (XSS) vulnerability reflected in Kubysoft, which occurs thr
|
| 31 |
CVE-2026-34405
Nuxt OG Image generates OG Images with Vue templates in Nuxt. Prior to version 6
|
| 31 |
CVE-2026-34739
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the Us
|
| 31 |
CVE-2025-69993
Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scriptin
|
| 31 |
CVE-2026-35466
XSS vulnerability in cveInterface.js allows for inject HTML to be passed to disp
|
| 31 |
CVE-2025-70025
An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page
|
| 31 |
CVE-2026-3529
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripti
|
| 31 |
CVE-2025-40638
A reflected Cross-Site Scripting (XSS) vulnerability has been
found in Eventobo
|
| 31 |
CVE-2025-57543
Cross Site scripting vulnerability (XSS) in NetBox 4.3.5 "comment" field on obje
|
| 31 |
CVE-2026-40186
ApostropheCMS is an open-source Node.js content management system. A regression
|
| 31 |
CVE-2026-34231
## Summary
A Cross-site Scripting (XSS) vulnerability exists in the `{% attrs %
|
| 31 |
CVE-2026-5754
Reflected Cross-Site Scripting (XSS) Vulnerability in Radware Alteon 34.5.4.0 vA
|
| 31 |
CVE-2026-30162
Cross Site Scripting (xss) vulnerability in Timo 2.0.3 via crafted links in the
|
| 31 |
CVE-2026-4754
CWE-79 vulnerability in MolotovCherry Android-ImageMagick7.This issue affects An
|
| 31 |
CVE-2026-27982
An open redirect vulnerability exists in django-allauth versions prior to 65.14.
|
| 31 |
CVE-2026-34396
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AV
|
| 31 |
CVE-2026-34206
Captcha Protect is a Traefik middleware to add an anti-bot challenge to individu
|
| 31 |
CVE-2024-51226
A stored cross-site scripting (XSS) vulnerability in the component /admin/search
|
| 31 |
CVE-2025-65132
alandsilva26 hotel-management-php 1.0 is vulnerable to Cross Site Scripting (XSS
|
| 31 |
CVE-2026-33883
### Impact
The `user:reset_password_form` tag could render user-input directly
|
| 31 |
CVE-2025-58405
The CGM CLININET application does not implement any mechanisms that prevent clic
|
| 31 |
CVE-2026-34229
Emlog is an open source website building system. Prior to version 2.6.8, there i
|
| 31 |
CVE-2026-2349
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripti
|
| 31 |
CVE-2025-65136
In manikandan580 School-management-system 1.0, a reflected XSS vulnerability exi
|
| 31 |
CVE-2026-27517
Binardat 10G08-0800GSM network switch firmware version V300SP10260209 and prior
|
| 31 |
CVE-2026-3528
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripti
|
| 31 |
CVE-2026-3884
Versions of the package spin.js before 3.0.0 are vulnerable to Cross-site Script
|
| 31 |
CVE-2025-71244
SPIP before 4.4.5 and 4.3.9 allows an Open Redirect via the login form when used
|
| 31 |
CVE-2026-21943
Vulnerability in the Oracle Scripting product of Oracle E-Business Suite (compon
|
| 31 |
CVE-2026-0489
Due to insufficient validation of user-controlled input in the URLs query parame
|
| 31 |
CVE-2026-29934
A reflected cross-site scripting (XSS) vulnerability in the /admin/menus compone
|
| 31 |
CVE-2026-40255
### Impact
The `response.redirect().back()` method in `@adonisjs/http-server` i
|
| 31 |
CVE-2026-28486
OpenClaw versions 2026.1.16-2 prior to 2026.2.14 contain a path traversal vulner
|
| 31 |
CVE-2026-27191
Feathersjs is a framework for creating web APIs and real-time applications with
|
| 31 |
CVE-2026-21951
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleS
|
| 31 |
CVE-2026-21946
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards
|
| 31 |
CVE-2026-4091
The OPEN-BRAIN plugin for WordPress is vulnerable to Cross-Site Request Forgery
|
| 31 |
CVE-2026-21938
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleS
|
| 31 |
CVE-2026-26000
XWiki Platform is a generic wiki platform offering runtime services for applicat
|
| 31 |
CVE-2026-28457
OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in s
|
| 31 |
CVE-2025-61166
An open redirect in Ascertia SigningHub User v10.0 allows attackers to redirect
|
| 31 |
CVE-2026-21933
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Ente
|
| 31 |
CVE-2026-21966
Vulnerability in the Oracle Hospitality OPERA 5 Property Services product of Ora
|
| 31 |
CVE-2026-28280
osctrl is an osquery management solution. Prior to version 0.5.0, a stored cross
|
| 31 |
CVE-2026-24852
iccDEV provides a set of libraries and tools that allow for the interaction, man
|
| 31 |
CVE-2025-36173
Affected Product(s)Version(s)InfoSphere Data Architect9.2.1
|
| 31 |
CVE-2025-70032
An issue pertaining to CWE-601: URL Redirection to Untrusted Site was discovered
|
| 31 |
CVE-2026-34237
### Summary
**Hardcoded Wildcard CORS (Access-Control-Allow-Origin: * )**
- ht
|
| 31 |
CVE-2026-6203
The User Registration & Membership plugin for WordPress is vulnerable to Open Re
|
| 31 |
CVE-2026-27545
OpenClaw versions prior to 2026.2.26 contain an approval bypass vulnerability in
|
| 31 |
CVE-2025-13702
IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 thro
|
| 31 |
CVE-2026-3512
The Writeprint Stylometry plugin for WordPress is vulnerable to Reflected Cross-
|
| 31 |
CVE-2025-70844
yaffa v2.0.0 is vulnerable to Cross Site Scripting (XSS). An attacker can inject
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 738d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2306d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2119d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1732d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2235d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4983d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1204d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1005d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3760d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 907d |