| Metric | Value | Note |
|---|---|---|
| Total CVEs | 16305 | last 90 days |
| Avg Priority | 36.8 | of max 220 |
| KEV | 41 | actively exploited |
| POC | 3306 | public exploits |
| Unpatched | 4711 | CRIT/HIGH without patch |
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) that sums four real-world threat signals; their maxima (50 + 100 + 50 + 20) add up to the 220 ceiling:

| Signal | Contribution | Meaning |
|---|---|---|
| KEV | +50 | CISA Known Exploited Vulnerability: confirmed active exploitation in the wild |
| EPSS | x100 | Exploit Prediction Scoring System: probability of exploitation in the next 30 days, scaled to 0-100 |
| CVSS | x5 | Common Vulnerability Scoring System: technical severity, scaled to 0-50 |
| POC | +20 | Public exploit code exists, which lowers the barrier for attackers |

Score bands:

| Score | Band |
|---|---|
| 0-40 | Low |
| 40-80 | Medium |
| 80-120 | High |
| 120+ | Critical |
Patch Now — Known Exploited Vulnerabilities
| Priority | CVE | Description |
|---|---|---|
| 185 | CVE-2026-1731 | BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain |
| 184 | CVE-2026-23760 | SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability |
| 180 | CVE-2025-40551 | SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil |
| 170 | CVE-2026-1340 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem |
| 164 | CVE-2026-1281 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem |
| 160 | CVE-2025-40536 | SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that |
| 141 | CVE-2026-20131 | A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM |
| 137 | CVE-2026-1603 | An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen |
| 134 | CVE-2026-22769 | Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia |
| 128 | CVE-2026-24423 | SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code executi |
Priority Distribution
| Priority | CVE | Description |
|---|---|---|
| 27 | CVE-2026-34625 | Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a D |
| 27 | CVE-2026-40112 | PraisonAI is a multi-agent teams system. Prior to 4.5.128, the Flask API endpoin |
| 27 | CVE-2026-27288 | Adobe Experience Manager versions FP11.7 and earlier are affected by a stored Cr |
| 27 | CVE-2026-34624 | Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a D |
| 27 | CVE-2026-32124 | OpenEMR is a free and open source electronic health records and medical practice |
| 27 | CVE-2026-33911 | OpenEMR is a free and open source electronic health records and medical practice |
| 27 | CVE-2026-2735 | Stored Cross-Site Scripting (XSS) in Alkacon's OpenCms v18.0, which occurs when |
| 27 | CVE-2026-33742 | Invoice Ninja is a source-available invoice, quote, project and time-tracking ap |
| 27 | CVE-2026-32118 | OpenEMR is a free and open source electronic health records and medical practice |
| 27 | CVE-2026-40212 | OpenStack Skyline before 5.0.1, 6.0.0, and 7.0.0 has a DOM-based Cross-Site Scri |
| 27 | CVE-2026-32273 | Discourse is an open-source discussion platform. From versions 2026.1.0-latest t |
| 27 | CVE-2025-1794 | The AM LottiePlayer plugin for WordPress is vulnerable to Stored Cross-Site Scri |
| 27 | CVE-2026-32095 | Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.1, |
| 27 | CVE-2025-61886 | An Improper Neutralization of Input During Web Page Generation ('Cross-site Scri |
| 27 | CVE-2025-59904 | Stored Cross-Site Scripting (XSS) vulnerability in Kubysoft, which is triggered |
| 27 | CVE-2025-59903 | Stored Cross-Site Scripting (XSS) vulnerability in Kubysoft, where uploaded SVG |
| 27 | CVE-2026-39380 | Open Source Point of Sale is a web based point-of-sale application written in PH |
| 27 | CVE-2026-34974 | Summary: The regex-based SVG sanitizer in phpMyFAQ (`SvgSanitizer.php`) can b |
| 27 | CVE-2026-2348 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripti |
| 27 | CVE-2026-33889 | ApostropheCMS is an open-source Node.js content management system. Versions 4.28 |
| 27 | CVE-2026-33411 | Discourse is an open-source discussion platform. Versions prior to 2026.3.0-late |
| 27 | CVE-2026-3212 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripti |
| 27 | CVE-2026-3215 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripti |
| 27 | CVE-2026-33303 | OpenEMR is a free and open source electronic health records and medical practice |
| 27 | CVE-2026-33500 | Summary: The fix for CVE-2026-27568 (GHSA-rcqw-6466-3mv7) introduced a custom |
| 27 | CVE-2026-32612 | Statamic is a Laravel and Git powered content management system (CMS). Prior to |
| 27 | CVE-2026-31876 | Notesnook is a note-taking app focused on user privacy & ease of use. Prior to 3 |
| 27 | CVE-2026-2595 | The Quads Ads Manager for Google AdSense plugin for WordPress is vulnerable to S |
| 27 | CVE-2026-2505 | The Categories Images plugin for WordPress is vulnerable to Stored Cross-Site Sc |
| 27 | CVE-2026-35508 | Shynet before 0.14.0 allows XSS in urldisplay and iconify template filters, |
| 27 | CVE-2026-24351 | PluXml CMS is vulnerable to Stored XSS in Static Pages editing functionality. At |
| 27 | CVE-2026-32757 | Summary: The eCard send handler in Admidio uses the raw `$_POST['ecard_messag |
| 27 | CVE-2026-24350 | PluXml CMS is vulnerable to Stored XSS in file uploading functionality. An authe |
| 27 | CVE-2026-40071 | pyLoad is a free and open-source download manager written in Python. Prior to 0. |
| 27 | CVE-2026-32893 | Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, a Reflected Cr |
| 27 | CVE-2026-29598 | Multiple stored cross-site scripting (XSS) vulnerabilities in the submit_add_use |
| 27 | CVE-2026-33683 | WWBN AVideo is an open source video platform. In versions up to and including 26 |
| 27 | CVE-2026-3369 | The Better Find and Replace - AI-Powered Suggestions plugin for WordPress is vul |
| 27 | CVE-2026-34848 | hoppscotch is an open source API development ecosystem. Prior to version 2026.3. |
| 27 | CVE-2026-39367 | WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo |
| 27 | CVE-2025-71240 | SPIP before 4.2.15 allows Cross-Site Scripting (XSS) via crafted content in HTML |
| 27 | CVE-2026-33978 | Notesnook is a note-taking app focused on user privacy & ease of use. Prior to v |
| 27 | CVE-2026-35046 | Tandoor Recipes is an application for managing recipes, planning meals, and buil |
| 27 | CVE-2026-34623 | Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a D |
| 27 | CVE-2026-31153 | A stored cross-site scripting (XSS) vulnerability in Bynder v0.1.394 allows atta |
| 27 | CVE-2026-34212 | Docmost is open-source collaborative wiki and documentation software. In version |
| 27 | CVE-2026-32125 | OpenEMR is a free and open source electronic health records and medical practice |
| 27 | CVE-2026-32840 | Edimax GS-5008PL firmware version 1.00.54 and prior contain a stored cross-site |
| 27 | CVE-2026-27122 | svelte performance oriented web framework. Prior to 5.51.5, when using <svelte:e |
| 27 | CVE-2026-0727 | The Accordion and Accordion Slider plugin for WordPress is vulnerable to authori |
| 27 | CVE-2026-22383 | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes |
| 27 | CVE-2026-27119 | svelte performance oriented web framework. From 5.39.3, <=5.51.4, in certain cir |
| 27 | CVE-2026-1561 | IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphe |
| 27 | CVE-2026-40479 | Summary: The client-side `escapeForHtml()` function in `KimaiEscape.js`, intr |
| 27 | CVE-2026-27121 | svelte performance oriented web framework. Versions of svelte prior to 5.51.5 ar |
| 27 | CVE-2026-21724 | A vulnerability has been discovered in Grafana OSS where an authorization bypass |
| 27 | CVE-2026-20166 | In Splunk Enterprise versions below 10.2.1 and 10.0.4, and Splunk Cloud Platform |
| 27 | CVE-2025-70060 | An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page |
| 27 | CVE-2025-36243 | IBM Concert 1.0.0 through 2.1.0 is vulnerable to server-side request forgery (SS |
| 27 | CVE-2026-29105 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (C |
| 27 | CVE-2026-20114 | A vulnerability in the Lobby Ambassador web-based management API of Cisco IOS XE |
| 27 | CVE-2026-1276 | IBM QRadar SIEM 7.5.0 through 7.5.0 Update Package 14 is vulnerable to cross-sit |
| 27 | CVE-2023-40693 | IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.1.0.0 through 6.1.2. |
| 27 | CVE-2025-14504 | IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.1.0.0 through 6.1.2. |
| 27 | CVE-2025-15051 | IBM QRadar SIEM 7.5.0 through 7.5.0 Update Package 14 is vulnerable to cross-sit |
| 27 | CVE-2026-2483 | IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to cro |
| 27 | CVE-2026-0835 | IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.1.0.0 through 6.1.2. |
| 27 | CVE-2025-36226 | IBM Aspera Faspex 5 5.0.0 through 5.0.14.3 is vulnerable to cross-site scripting |
| 27 | CVE-2026-34590 | Postiz is an AI social media scheduling tool. Prior to version 2.21.4, the POST |
| 27 | CVE-2026-34584 | listmonk is a standalone, self-hosted, newsletter and mailing list manager. From |
| 27 | CVE-2026-34362 | WWBN AVideo is an open source video platform. In versions up to and including 26 |
| 27 | CVE-2026-4274 | Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11. |
| 27 | CVE-2026-39350 | Istio is an open platform to connect, manage, and secure microservices. In versi |
| 27 | CVE-2026-33410 | Discourse is an open-source discussion platform. Versions prior to 2026.3.0-late |
| 27 | CVE-2026-1243 | IBM Content Navigator 3.0.15, 3.1.0, and 3.2.0 is vulnerable to cross-site scrip |
| 27 | CVE-2026-1217 | The Yoast Duplicate Post plugin for WordPress is vulnerable to unauthorized modi |
| 27 | CVE-2026-34051 | OpenEMR is a free and open source electronic health records and medical practice |
| 27 | CVE-2026-33251 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-late |
| 27 | CVE-2026-32506 | Deserialization of Untrusted Data vulnerability in Edge-Themes Archicon archicon |
| 27 | CVE-2026-32712 | Open Source Point of Sale is a web based point-of-sale application written in PH |
| 27 | CVE-2026-32508 | Deserialization of Untrusted Data vulnerability in Mikado-Themes Halstein halste |
| 27 | CVE-2026-32509 | Deserialization of Untrusted Data vulnerability in Edge-Themes Gracey gracey all |
| 27 | CVE-2026-32510 | Deserialization of Untrusted Data vulnerability in Edge-Themes Kamperen kamperen |
| 27 | CVE-2025-66485 | IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to HTTP header injection, c |
| 27 | CVE-2025-36227 | IBM Aspera Faspex 5 5.0.0 through 5.0.14.3 is vulnerable to HTTP header injectio |
| 27 | CVE-2026-28218 | Discourse is an open source discussion platform. Prior to versions 2025.12.2, 20 |
| 27 | CVE-2026-27578 | n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2. |
| 27 | CVE-2025-13213 | IBM Aspera Orchestrator 3.0.0 through 4.1.2 is vulnerable to HTTP header injecti |
| 27 | CVE-2025-14912 | IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to ser |
| 27 | CVE-2026-1015 | IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to ser |
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 739d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2306d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2119d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1733d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2236d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4984d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1205d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1006d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3761d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 908d |