| Metric | Value | Note |
|---|---|---|
| Total CVEs | 16300 | last 90 days |
| Avg Priority | 36.8 | of max 220 |
| KEV | 42 | actively exploited |
| POC | 3306 | public exploits |
| Unpatched | 4707 | CRIT/HIGH without patch |
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:

| Signal | Contribution | Description |
|---|---|---|
| KEV | +50 | CISA Known Exploited Vulnerability: confirmed active exploitation in the wild |
| EPSS | x100 | Exploit Prediction Scoring System: probability of exploitation in the next 30 days (0-100) |
| CVSS | x5 | Common Vulnerability Scoring System: technical severity (0-50) |
| POC | +20 | Public exploit code exists, which lowers the barrier for attackers |

| Score | Band |
|---|---|
| 0-40 | Low |
| 40-80 | Medium |
| 80-120 | High |
| 120+ | Critical |
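The formula above, applied to a handful of records so the triage ordering it produces can be compared with a CVSS-only ordering. This is an added illustration, not the dashboard's own code: the sample records and their placeholder ids are constructed, and because the page's bands overlap at 40, 80 and 120, the lower boundary of each band is taken as inclusive (an assumption).

```python
"""Priority Score triage: the additive KEV/EPSS/CVSS/POC formula applied to
constructed sample records. Added illustration, not the dashboard's code."""
from dataclasses import dataclass

# Score floors for the bands listed on the page, checked from highest to lowest.
# Assumption: a score equal to a boundary falls into the higher band.
BANDS = ((120, "Critical"), (80, "High"), (40, "Medium"), (0, "Low"))


@dataclass(frozen=True)
class CveSignals:
    cve_id: str
    cvss: float   # CVSS base score, 0.0 to 10.0
    epss: float   # EPSS probability of exploitation in the next 30 days, 0.0 to 1.0
    kev: bool     # listed in the CISA Known Exploited Vulnerabilities catalog
    poc: bool     # public exploit code exists


def priority_score(s: CveSignals) -> float:
    """KEV +50, EPSS x100, CVSS x5, POC +20, summed; the ceiling is 220."""
    if not 0.0 <= s.cvss <= 10.0:
        raise ValueError(f"{s.cve_id}: CVSS {s.cvss} outside 0-10")
    if not 0.0 <= s.epss <= 1.0:
        raise ValueError(f"{s.cve_id}: EPSS {s.epss} outside 0-1")
    score = (50.0 if s.kev else 0.0) + s.epss * 100.0 + s.cvss * 5.0 + (20.0 if s.poc else 0.0)
    return round(score, 1)


def priority_band(score: float) -> str:
    """Map a score onto the Low/Medium/High/Critical band."""
    for floor, name in BANDS:
        if score >= floor:
            return name
    raise ValueError(f"negative score {score}")


def rank(records):
    """Return (cve_id, score, band) tuples, highest priority first."""
    scored = []
    for r in records:
        score = priority_score(r)
        scored.append((r.cve_id, score, priority_band(score)))
    return sorted(scored, key=lambda t: t[1], reverse=True)


def max_score() -> float:
    """Every signal at its maximum reproduces the 220 ceiling stated on the page."""
    return priority_score(CveSignals("MAX", cvss=10.0, epss=1.0, kev=True, poc=True))


# Constructed sample records (placeholder ids, not real CVEs).
SAMPLE = [
    CveSignals("CVE-0000-0002", cvss=9.8, epss=0.02, kev=False, poc=False),  # severe, no exploitation signal
    CveSignals("CVE-0000-0003", cvss=5.3, epss=0.00, kev=False, poc=False),  # moderate, no signal at all
    CveSignals("CVE-0000-0001", cvss=7.5, epss=0.90, kev=True, poc=True),    # moderate CVSS, actively exploited
]

if __name__ == "__main__":
    for cve_id, score, band in rank(SAMPLE):
        print(f"{cve_id}  {score:6.1f}  {band}")
```

Sorting the same three records by CVSS alone would put the 9.8 first; the composite score puts the actively exploited 7.5 (197.5, Critical) ahead of it (51.0, Medium), which is the reordering the KEV and EPSS terms are meant to produce.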
Patch Now — Known Exploited Vulnerabilities
| Priority | CVE | Description |
|---|---|---|
| 194 | CVE-2026-24061 | telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for t |
| 185 | CVE-2026-1731 | BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain |
| 184 | CVE-2026-23760 | SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability |
| 180 | CVE-2025-40551 | SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil |
| 170 | CVE-2026-1340 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem |
| 164 | CVE-2026-1281 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem |
| 160 | CVE-2025-40536 | SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that |
| 141 | CVE-2026-20131 | A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM |
| 137 | CVE-2026-1603 | An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen |
| 134 | CVE-2026-22769 | Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia |
Priority Distribution
| Priority | CVE | Description |
|---|---|---|
| 38 | CVE-2026-33636 | LIBPNG is a reference library for use in applications that read, create, and man |
| 38 | CVE-2026-32308 | OneUptime is a solution for monitoring and managing online services. Prior to 10 |
| 38 | CVE-2026-32117 | The grafanacubism-panel plugin allows use of cubism.js in Grafana. In 0.1.2 and |
| 38 | CVE-2026-35534 | ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored c |
| 38 | CVE-2026-33932 | OpenEMR is a free and open source electronic health records and medical practice |
| 38 | CVE-2026-33918 | OpenEMR is a free and open source electronic health records and medical practice |
| 38 | CVE-2026-24154 | NVIDIA Jetson Linux has vulnerability in initrd, where an unprivileged attacker |
| 38 | CVE-2026-33650 | WWBN AVideo is an open source video platform. In versions up to and including 26 |
| 38 | CVE-2026-31944 | LibreChat is a ChatGPT clone with additional features. From 0.8.2 to 0.8.2-rc3, |
| 38 | CVE-2026-2476 | Mattermost Plugins versions <=2.0.3.0 fail to properly mask sensitive configurat |
| 38 | CVE-2026-29954 | In KubePlus 4.1.4, the mutating webhook and kubeconfiggenerator components have |
| 38 | CVE-2026-34365 | InvoiceShelf is an open-source web & mobile app that helps track expenses, payme |
| 38 | CVE-2026-34367 | InvoiceShelf is an open-source web & mobile app that helps track expenses, payme |
| 38 | CVE-2026-34366 | InvoiceShelf is an open-source web & mobile app that helps track expenses, payme |
| 38 | CVE-2026-39479 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injecti |
| 38 | CVE-2026-40745 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injecti |
| 38 | CVE-2026-32358 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injecti |
| 38 | CVE-2026-39497 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injecti |
| 38 | CVE-2026-39466 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injecti |
| 38 | CVE-2026-32458 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injecti |
| 38 | CVE-2026-32418 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injecti |
| 38 | CVE-2026-39496 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injecti |
| 38 | CVE-2026-39487 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injecti |
| 38 | CVE-2026-5301 | Stored XSS in log viewer in CoolerControl/coolercontrol-ui <4.0.0 allows unauthe |
| 38 | CVE-2026-35568 | Summary: The java-sdk contains a DNS rebinding vulnerability. This vulnerabi |
| 38 | CVE-2025-7760 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site |
| 38 | CVE-2026-2469 | Versions of the package directorytree/imapengine before 1.22.3 are vulnerable to |
| 38 | CVE-2026-32303 | Cryptomator encrypts data being stored on cloud infrastructure. Prior to version |
| 38 | CVE-2025-40587 | A vulnerability has been identified in Polarion V2404 (All versions < V2404.5), |
| 38 | CVE-2026-26322 | OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Ga |
| 38 | CVE-2026-32606 | The default configuration of systemd-cryptenroll as used by IncusOS through mkos |
| 38 | CVE-2026-23775 | Dell PowerProtect Data Domain appliances with Data Domain Operating System (DD O |
| 38 | CVE-2025-8589 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site |
| 38 | CVE-2025-14914 | IBM WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.1 could allow a |
| 38 | CVE-2026-24836 | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS |
| 38 | CVE-2026-24837 | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS |
| 38 | CVE-2025-64487 | Outline is a service that allows for collaborative documentation. Prior to 1.1.0 |
| 38 | CVE-2026-32317 | Cryptomator for Android offers multi-platform transparent client-side encryption |
| 38 | CVE-2026-32318 | Cryptomator for IOS offers multi-platform transparent client-side encryption for |
| 38 | CVE-2026-5466 | wolfSSL's ECCSI signature verifier `wc_VerifyEccsiHash` decodes the `r` and `s` |
| 38 | CVE-2026-5479 | In wolfSSL's EVP layer, the ChaCha20-Poly1305 AEAD decryption path in wolfSSL_EV |
| 38 | CVE-2026-32144 | Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_o |
| 38 | CVE-2025-63029 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injecti |
| 38 | CVE-2026-40882 | Summary: The Velbus asset import path parses attacker-controlled XML without |
| 38 | CVE-2026-28429 | Talishar is a fan-made Flesh and Blood project. Prior to commit 6be3871, a Path |
| 38 | CVE-2026-40901 | DataEase is an open-source data visualization and analytics platform. Versions 2 |
| 38 | CVE-2026-35485 | text-generation-webui is an open-source web interface for running Large Language |
| 38 | CVE-2026-34188 | Improper Neutralization of Special Elements used in an OS Command vulnerability |
| 38 | CVE-2024-4027 | A flaw was found in Undertow. Servlets using a method that calls HttpServletRequ |
| 38 | CVE-2026-30996 | An issue in the file handling logic of the component download.php of SAC-NFe v2. |
| 38 | CVE-2026-22205 | SPIP versions prior to 4.4.10 contain an authentication bypass vulnerability cau |
| 38 | CVE-2025-61611 | In modem, there is a possible improper input validation. This could lead to remo |
| 38 | CVE-2026-23737 | seroval facilitates JS value stringification, including complex structures beyon |
| 38 | CVE-2026-4155 | ChargePoint Home Flex Inclusion of Sensitive Information in Source Code Informat |
| 38 | CVE-2026-2339 | Missing Authentication for Critical Function vulnerability in TUBITAK BILGEM Sof |
| 38 | CVE-2026-33013 | Micronaut Framework is a JVM-based full stack Java framework designed for buildi |
| 38 | CVE-2026-33250 | Freeciv21 is a free open source, turn-based, empire-building strategy game. Vers |
| 38 | CVE-2026-27282 | ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Inpu |
| 38 | CVE-2026-25071 | XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain |
| 38 | CVE-2026-33064 | Impact: This is a NULL Pointer Dereference vulnerability leading to Denial |
| 38 | CVE-2025-69420 | Issue summary: A type confusion vulnerability exists in the TimeStamp Response v |
| 38 | CVE-2026-33485 | Summary: The RTMP `on_publish` callback at `plugin/Live/on_publish.php` is ac |
| 38 | CVE-2026-4157 | ChargePoint Home Flex revssh Service Command Injection Remote Code Execution Vul |
| 38 | CVE-2026-34070 | Summary: Multiple functions in `langchain_core.prompts.loading` read files fr |
| 38 | CVE-2026-31882 | SSE Authentication Bypass in Basic Auth Mode. Summary: When Dagu is configu |
| 38 | CVE-2025-15349 | Anritsu ShockLine SCPI Race Condition Remote Code Execution Vulnerability. This |
| 38 | CVE-2026-30653 | An issue in Free5GC v.4.2.0 and before allows a remote attacker to cause a denia |
| 38 | CVE-2026-1693 | The OAuth grant type Resource Owner Password Credentials (ROPC) flow is still us |
| 38 | CVE-2026-1376 | IBM i 7.6 could allow a remote attacker to cause a denial of service using faile |
| 38 | CVE-2026-1315 | By sending crafted files to the firmware update endpoint of Tapo C220 v1 and C52 |
| 38 | CVE-2025-46290 | A logic issue was addressed with improved checks. This issue is fixed in macOS S |
| 38 | CVE-2026-29609 | OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability i |
| 38 | CVE-2026-25673 | An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4 |
| 38 | CVE-2026-32931 | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an |
| 38 | CVE-2026-3222 | The WP Maps plugin for WordPress is vulnerable to time-based blind SQL Injection |
| 38 | CVE-2026-21511 | Deserialization of untrusted data in Microsoft Office Outlook allows an unauthor |
| 38 | CVE-2025-61612 | In nr modem, there is a possible system crash due to improper input validation. |
| 38 | CVE-2025-61613 | In nr modem, there is a possible system crash due to improper input validation. |
| 38 | CVE-2025-61614 | In nr modem, there is a possible system crash due to improper input validation. |
| 38 | CVE-2025-69279 | In nr modem, there is a possible system crash due to improper input validation. |
| 38 | CVE-2025-61616 | In nr modem, there is a possible system crash due to improper input validation. |
| 38 | CVE-2025-61615 | In nr modem, there is a possible system crash due to improper input validation. |
| 38 | CVE-2025-69278 | In nr modem, there is a possible system crash due to improper input validation. |
| 38 | CVE-2026-20652 | The issue was addressed with improved memory handling. This issue is fixed in ma |
| 38 | CVE-2026-26154 | Improper input validation in Windows Server Update Service allows an unauthorize |
| 38 | CVE-2026-33483 | Summary: The `aVideoEncoderChunk.json.php` endpoint is a completely standalon |
| 38 | CVE-2026-1557 | The WP Responsive Images plugin for WordPress is vulnerable to Path Traversal in |
| 38 | CVE-2025-68905 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP |
| 38 | CVE-2026-30846 | Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 throug |
| 38 | CVE-2026-24608 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP |
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 738d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2306d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2119d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1733d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2236d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4984d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1204d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1006d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3761d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 908d |