Total CVEs
16299
last 90 days
Avg Priority
36.8
of max 220
KEV
42
actively exploited
POC
3306
public exploits
Unpatched
4707
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
194
CVE-2026-24061
telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for t
185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
184
CVE-2026-23760
SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability
180
CVE-2025-40551
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil
170
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
164
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
160
CVE-2025-40536
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
Priority Distribution
| Priority | CVE |
|---|---|
| 38 |
CVE-2026-24609
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 38 |
CVE-2026-24635
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 38 |
CVE-2026-25027
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 38 |
CVE-2026-22402
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 38 |
CVE-2024-54263
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 38 |
CVE-2026-20401
In Modem, there is a possible system crash due to an uncaught exception. This co
|
| 38 |
CVE-2025-68913
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 38 |
CVE-2025-10990
A flaw was found in REXML. A remote attacker could exploit inefficient regular e
|
| 38 |
CVE-2026-4424
A flaw was found in libarchive. This heap out-of-bounds read vulnerability exist
|
| 38 |
CVE-2026-0560
A Server-Side Request Forgery (SSRF) vulnerability exists in parisneo/lollms ver
|
| 38 |
CVE-2026-22179
OpenClaw versions prior to 2026.2.22 in macOS node-host system.run contain an al
|
| 38 |
CVE-2026-1988
The Flexi Product Slider and Grid for WooCommerce plugin for WordPress is vulner
|
| 38 |
CVE-2026-27623
Valkey is a distributed key-value database. Starting in version 9.0.0 and prior
|
| 38 |
CVE-2026-0109
In dhd_tcpdata_info_get of dhd_ip.c, there is a possible Denial of Service due t
|
| 38 |
CVE-2026-0599
A vulnerability in huggingface/text-generation-inference version 3.3.6 allows un
|
| 38 |
CVE-2026-28276
Initiative is a self-hosted project management platform. An access control vulne
|
| 38 |
CVE-2026-0790
ALGO 8180 IP Audio Alerter Web UI Direct Request Information Disclosure Vulnerab
|
| 38 |
CVE-2026-32241
Flannel is a network fabric for containers, designed for Kubernetes. The Flannel
|
| 38 |
CVE-2026-0789
ALGO 8180 IP Audio Alerter Web UI Inclusion of Authentication Cookie in Response
|
| 38 |
CVE-2026-32130
ZITADEL is an open source identity management platform. From 2.68.0 to before 3.
|
| 38 |
CVE-2026-28039
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 38 |
CVE-2026-27052
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 38 |
CVE-2026-27343
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 38 |
CVE-2026-25326
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 38 |
CVE-2026-27633
TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prio
|
| 38 |
CVE-2026-27630
TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prio
|
| 38 |
CVE-2025-70084
Directory traversal vulnerability in OpenSatKit 2.2.1 allows attackers to gain a
|
| 38 |
CVE-2026-1708
The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin p
|
| 38 |
CVE-2026-2232
The Product Table and List Builder for WooCommerce Lite plugin for WordPress is
|
| 38 |
CVE-2026-33218
### Background
NATS.io is a high performance open source pub-sub distributed co
|
| 38 |
CVE-2026-0919
The HTTP parser of Tapo C220 v1 and C520WS v2 cameras improperly handles request
|
| 38 |
CVE-2026-5959
A security flaw has been discovered in GL.iNet GL-RM1, GL-RM10, GL-RM10RC and GL
|
| 38 |
CVE-2026-1916
The WPGSI: Spreadsheet Integration plugin for WordPress is vulnerable to unautho
|
| 38 |
CVE-2026-2507
When BIG-IP AFM or BIG-IP DDoS is provisioned, undisclosed traffic can cause TMM
|
| 38 |
CVE-2026-4645
A flaw was found in the `github.com/antchfx/xpath` component. A remote attacker
|
| 38 |
CVE-2025-68841
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 38 |
CVE-2025-69373
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 38 |
CVE-2025-69387
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 38 |
CVE-2026-32537
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 38 |
CVE-2026-22356
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 38 |
CVE-2026-25869
MiniGal Nano versions 0.3.5 and prior contain a path traversal vulnerability in
|
| 38 |
CVE-2026-3180
The Contest Gallery - Upload & Vote Photos, Media, Sell with PayPal & Stripe plu
|
| 38 |
CVE-2026-2495
The WPNakama - Team and multi-Client Collaboration, Editorial and Project Manage
|
| 38 |
CVE-2026-32969
An unauthenticated remote attacker can exploit a Pre-Auth blind SQL Injection vu
|
| 38 |
CVE-2025-66608
A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corpo
|
| 38 |
CVE-2026-39863
Kamailio is an open source implementation of a SIP Signaling Server. Prior to 6.
|
| 38 |
CVE-2025-69383
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 38 |
CVE-2026-35523
Strawberry up until version `0.312.3` is vulnerable to an authentication bypass
|
| 38 |
CVE-2026-32071
Null pointer dereference in Windows Local Security Authority Subsystem Service (
|
| 38 |
CVE-2026-4373
The JetFormBuilder plugin for WordPress is vulnerable to arbitrary file read via
|
| 38 |
CVE-2026-0490
SAP BusinessObjects BI Platform allows an unauthenticated attacker to craft a sp
|
| 38 |
CVE-2026-2250
The /dbviewer/ web endpoint in METIS WIC devices is exposed without authenticati
|
| 38 |
CVE-2026-3360
The Tutor LMS - eLearning and online course solution plugin for WordPress is vul
|
| 38 |
CVE-2026-21309
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15,
|
| 38 |
CVE-2026-27950
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to versio
|
| 38 |
CVE-2026-21289
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15,
|
| 38 |
CVE-2026-33203
## Summary
The SiYuan kernel WebSocket server accepts unauthenticated connection
|
| 38 |
CVE-2026-28478
OpenClaw versions prior to 2026.2.13 contain a denial of service vulnerability i
|
| 38 |
CVE-2025-69534
Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like se
|
| 38 |
CVE-2026-33012
`DefaultHtmlErrorResponseBodyProvider` in `io.micronaut:micronaut-http-server` s
|
| 38 |
CVE-2025-69807
p2r3 Bareiron commit: 8e4d4020d is vulnerable to Buffer Overflow, which allows u
|
| 38 |
CVE-2026-20119
A vulnerability in the text rendering subsystem of Cisco TelePresence Collaborat
|
| 38 |
CVE-2026-24734
Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat.
|
| 38 |
CVE-2026-27443
SEPPmail Secure Email Gateway before version 15.0.1 does not properly sanitize t
|
| 38 |
CVE-2026-26121
Server-side request forgery (ssrf) in Azure IoT Explorer allows an unauthorized
|
| 38 |
CVE-2026-26418
Missing authentication and authorization in the web API of Tata Consultancy Serv
|
| 38 |
CVE-2026-24714
Some end of service NETGEAR products provide "TelnetEnable" functionality, which
|
| 38 |
CVE-2026-40245
### Summary
An information disclosure vulnerability in the UDR service allows an
|
| 38 |
CVE-2026-27818
TerriaJS-Server is a NodeJS Express server for TerriaJS, a library for building
|
| 38 |
CVE-2026-26144
Improper neutralization of input during web page generation ('cross-site scripti
|
| 38 |
CVE-2025-53968
This vulnerability arises because there are no limitations on the number
of aut
|
| 38 |
CVE-2026-39312
SoftEtherVPN is a an open-source cross-platform multi-protocol VPN Program. In 5
|
| 38 |
CVE-2026-2576
The Business Directory Plugin - Easy Listing Directories for WordPress plugin fo
|
| 38 |
CVE-2026-1581
The wpForo Forum plugin for WordPress is vulnerable to time-based SQL Injection
|
| 38 |
CVE-2026-2024
The PhotoStack Gallery plugin for WordPress is vulnerable to SQL Injection via t
|
| 38 |
CVE-2026-2416
The Geo Mashup plugin for WordPress is vulnerable to SQL Injection via the 'sort
|
| 38 |
CVE-2026-26305
The WebSocket Application Programming Interface lacks restrictions on
the numbe
|
| 38 |
CVE-2026-22905
An unauthenticated remote attacker can bypass authentication by exploiting insuf
|
| 38 |
CVE-2026-0911
The Hustle - Email Marketing, Lead Generation, Optins, Popups plugin for WordPre
|
| 38 |
CVE-2026-28718
Denial of service due to insufficient input validation in authentication logging
|
| 38 |
CVE-2026-23674
Improper resolution of path equivalence in Windows MapUrlToZone allows an unauth
|
| 38 |
CVE-2025-12707
The Library Management System plugin for WordPress is vulnerable to SQL Injectio
|
| 38 |
CVE-2026-30939
Parse Server is an open source backend that can be deployed to any infrastructur
|
| 38 |
CVE-2026-2020
The JS Archive List plugin for WordPress is vulnerable to PHP Object Injection i
|
| 38 |
CVE-2026-5201
A flaw was found in the gdk-pixbuf library. This heap-based buffer overflow vuln
|
| 38 |
CVE-2026-21520
Exposure of Sensitive Information to an Unauthorized Actor in Copilot Studio all
|
| 38 |
CVE-2026-2753
An Absolute Path Traversal vulnerability exists in Navtor NavBox. The applicatio
|
| 38 |
CVE-2025-62817
An issue was discovered in Samsung Mobile Processor Exynos 1280, 2200, 1380, 148
|
| 38 |
CVE-2026-23957
seroval facilitates JS value stringification, including complex structures beyon
|
| 38 |
CVE-2026-28453
OpenClaw versions prior to 2026.2.14 fail to validate TAR archive entry paths du
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 738d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2306d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2119d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1733d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2236d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4984d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1204d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1006d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3761d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 908d |