| Metric | Value | Note |
|---|---|---|
| Total CVEs | 16349 | last 90 days |
| Avg Priority | 36.7 | of max 220 |
| KEV | 41 | actively exploited |
| POC | 3306 | public exploits |
| Unpatched | 4713 | CRIT/HIGH without patch |
How is Priority Score calculated?

Priority Score is a composite risk metric (0-220): the sum of four real-world threat signals.

| Signal | Contribution | Meaning |
|---|---|---|
| KEV | +50 | CISA Known Exploited Vulnerability: confirmed active exploitation in the wild |
| EPSS | x100 | Exploit Prediction Scoring System: probability (0-1) of exploitation in the next 30 days, scaled to 0-100 |
| CVSS | x5 | Common Vulnerability Scoring System: technical severity score (0-10), scaled to 0-50 |
| POC | +20 | Public exploit code exists, which lowers the barrier for attackers |

Bands: 0-40 Low, 40-80 Medium, 80-120 High, 120+ Critical.
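The scoring rule above, as an added Python example (not the dashboard's own code). It implements exactly the four documented terms, treats each band's lower bound as inclusive (an assumption; the page does not say), and expects the EPSS probability rather than the EPSS percentile, since multiplying the percentile by 100 would silently inflate every score. The sample records are constructed to show the point the table implies: CVSS alone tops out at 50, so a 9.8 with no exploitation signal lands in Medium, while a KEV listing plus a public PoC moves the same severity into Critical. Note that the "Oldest Unpatched" table further down lists priorities of 222 to 224, above the 220 ceiling these four terms can produce, so the live scoring does not match the documented terms exactly; the example implements only what is documented.

```python
"""Priority Score as documented on this page: KEV +50, EPSS x100, CVSS x5, POC +20."""
from dataclasses import dataclass

KEV_BONUS = 50       # CISA KEV listing: confirmed exploitation in the wild
POC_BONUS = 20       # public exploit code exists
EPSS_WEIGHT = 100    # EPSS is a probability in [0, 1]; x100 maps it to [0, 100]
CVSS_WEIGHT = 5      # CVSS score in [0, 10]; x5 maps it to [0, 50]
MAX_SCORE = KEV_BONUS + POC_BONUS + EPSS_WEIGHT * 1.0 + CVSS_WEIGHT * 10.0  # 220.0

# Band floors from the page; lower bound treated as inclusive (assumption).
BANDS = ((120, "Critical"), (80, "High"), (40, "Medium"), (0, "Low"))


@dataclass(frozen=True)
class CveSignals:
    cve_id: str
    cvss: float   # CVSS score, 0.0-10.0
    epss: float   # EPSS probability (NOT the percentile), 0.0-1.0
    kev: bool     # listed in CISA KEV
    poc: bool     # public exploit available


def priority_score(s: CveSignals) -> float:
    """Sum of the four documented signals; rejects out-of-range input."""
    if not 0.0 <= s.cvss <= 10.0:
        raise ValueError(f"{s.cve_id}: CVSS {s.cvss} outside 0-10")
    if not 0.0 <= s.epss <= 1.0:
        # A value like 94.0 usually means the percentile was passed by mistake.
        raise ValueError(f"{s.cve_id}: EPSS {s.epss} outside 0-1 (percentile passed?)")
    score = CVSS_WEIGHT * s.cvss + EPSS_WEIGHT * s.epss
    if s.kev:
        score += KEV_BONUS
    if s.poc:
        score += POC_BONUS
    return round(score, 1)


def priority_band(score: float) -> str:
    """Map a score to the page's Low/Medium/High/Critical bands."""
    for floor, name in BANDS:
        if score >= floor:
            return name
    return "Low"


def rank(signals):
    """Highest priority first; ties broken by CVSS, then CVE id, for stable output."""
    return sorted(signals, key=lambda s: (-priority_score(s), -s.cvss, s.cve_id))


# Constructed sample records (hypothetical values, not taken from the page's feed).
SAMPLE = [
    CveSignals("CVE-0000-0001", cvss=9.8, epss=0.66, kev=True, poc=True),    # KEV + PoC
    CveSignals("CVE-0000-0002", cvss=9.8, epss=0.02, kev=False, poc=False),  # severity only
    CveSignals("CVE-0000-0003", cvss=10.0, epss=0.10, kev=False, poc=True),  # PoC + EPSS, no KEV
    CveSignals("CVE-0000-0004", cvss=5.4, epss=0.004, kev=False, poc=False), # typical low
]

if __name__ == "__main__":
    for s in rank(SAMPLE):
        sc = priority_score(s)
        print(f"{s.cve_id}  cvss={s.cvss:<4} epss={s.epss:<5} kev={s.kev!s:<5} "
              f"poc={s.poc!s:<5} -> {sc:6.1f} {priority_band(sc)}")
```

Two consequences of the weights are worth keeping in mind when reading the lists below: without a KEV listing, the High band (80) is reachable only with a near-maximal CVSS plus a public PoC and an EPSS of at least 0.10, and the Critical band (120) is effectively reserved for KEV entries, since CVSS plus PoC alone cannot exceed 70.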
Patch Now — Known Exploited Vulnerabilities

| Priority | CVE | Description |
|---|---|---|
| 185 | CVE-2026-1731 | BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain… |
| 184 | CVE-2026-23760 | SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability… |
| 180 | CVE-2025-40551 | SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil… |
| 170 | CVE-2026-1340 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem… |
| 164 | CVE-2026-1281 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem… |
| 160 | CVE-2025-40536 | SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that… |
| 141 | CVE-2026-20131 | A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM… |
| 137 | CVE-2026-1603 | An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen… |
| 134 | CVE-2026-22769 | Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia… |
| 128 | CVE-2026-24423 | SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code executi… |
Priority Distribution

| Priority | CVE | Description |
|---|---|---|
| 27 | CVE-2026-3781 | The Attendance Manager plugin for WordPress is vulnerable to SQL Injection via t… |
| 27 | CVE-2026-1015 | IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to ser… |
| 27 | CVE-2026-28556 | wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows a… |
| 27 | CVE-2025-13734 | IBM Engineering Requirements Management DOORS Next 7.1, and 7.2 could allow an a… |
| 27 | CVE-2026-21011 | Incorrect privilege assignment in Bluetooth in Maintenance mode prior to SMR Apr… |
| 27 | CVE-2026-33887 | Impact: Authenticated Control Panel users could view entry revisions for any… |
| 27 | CVE-2026-33305 | OpenEMR is a free and open source electronic health records and medical practice… |
| 27 | CVE-2026-4401 | The Download Monitor plugin for WordPress is vulnerable to Cross-Site Request Fo… |
| 27 | CVE-2025-67855 | A flaw was found in Moodle. A remote attacker could exploit a reflected Cross-S… |
| 27 | CVE-2026-33915 | OpenEMR is a free and open source electronic health records and medical practice… |
| 27 | CVE-2026-2322 | Inappropriate implementation in File input in Google Chrome prior to 145.0.7632.… |
| 27 | CVE-2026-4056 | The User Registration & Membership plugin for WordPress is vulnerable to unautho… |
| 27 | CVE-2026-34749 | Payload is a free and open source headless content management system. Prior to v… |
| 27 | CVE-2025-70936 | Vtiger CRM 8.4.0 contains a reflected cross-site scripting (XSS) vulnerability i… |
| 27 | CVE-2026-31352 | An authenticated stored cross-site scripting (XSS) vulnerability in the Role Man… |
| 27 | CVE-2026-31313 | An authenticated stored cross-site scripting (XSS) vulnerability in the creation… |
| 27 | CVE-2026-31350 | An authenticated stored cross-site scripting (XSS) vulnerability in Feehi CMS v2… |
| 27 | CVE-2026-20643 | A cross-origin issue in the Navigation API was addressed with improved input val… |
| 27 | CVE-2026-31353 | An authenticated stored cross-site scripting (XSS) vulnerability in the Category… |
| 27 | CVE-2026-27977 | Summary: In `next dev`, cross-site protection for internal websocket endpoints… |
| 27 | CVE-2025-63260 | SyncFusion 30.1.37 is vulnerable to Cross Site Scripting (XSS) via the Document-… |
| 27 | CVE-2026-22382 | Cross-Site Request Forgery (CSRF) vulnerability in Mikado-Themes PawFriends - Pe… |
| 27 | CVE-2026-24986 | Cross-Site Request Forgery (CSRF) vulnerability in wp.insider Simple Membership… |
| 27 | CVE-2026-25024 | Cross-Site Request Forgery (CSRF) vulnerability in Blair Williams ThirstyAffilia… |
| 27 | CVE-2025-70365 | A stored cross-site scripting (XSS) vulnerability exists in Kiamo before 8.4 due… |
| 27 | CVE-2026-32373 | Missing Authorization vulnerability in Cozy Vision SMS Alert Order Notifications… |
| 27 | CVE-2026-39526 | Authorization Bypass Through User-Controlled Key vulnerability in wpstream WpStr… |
| 27 | CVE-2026-30964 | web-auth/webauthn-lib is an open source set of PHP libraries and a Symfony bundl… |
| 27 | CVE-2026-39607 | Missing Authorization vulnerability in Wpbens Filter Plus filter-plus allows Exp… |
| 27 | CVE-2026-39614 | Missing Authorization vulnerability in ilGhera JW Player for WordPress jw-player… |
| 27 | CVE-2026-39504 | Missing Authorization vulnerability in InstaWP InstaWP Connect instawp-connect a… |
| 27 | CVE-2026-32385 | Missing Authorization vulnerability in Metagauss RegistrationMagic custom-regist… |
| 27 | CVE-2026-32386 | Missing Authorization vulnerability in EnvoThemes Envo Extra envo-extra allows E… |
| 27 | CVE-2026-32388 | Missing Authorization vulnerability in linethemes GLB glb allows Exploiting Inco… |
| 27 | CVE-2026-32390 | Missing Authorization vulnerability in linethemes Nanosoft nanosoft allows Explo… |
| 27 | CVE-2026-32391 | Missing Authorization vulnerability in linethemes SmartFix smartfix allows Explo… |
| 27 | CVE-2026-39695 | Server-Side Request Forgery (SSRF) vulnerability in podigee Podigee podigee allo… |
| 27 | CVE-2026-39647 | Server-Side Request Forgery (SSRF) vulnerability in sonaar MP3 Audio Player for… |
| 27 | CVE-2024-46878 | A Cross-Site Scripting (XSS) vulnerability exists in the page parameter of tiki-… |
| 27 | CVE-2024-46879 | A Reflected Cross-Site Scripting (XSS) vulnerability exists in the POST request… |
| 27 | CVE-2026-33372 | An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A cross-sit… |
| 27 | CVE-2026-39645 | Server-Side Request Forgery (SSRF) vulnerability in Global Payments GlobalPaymen… |
| 27 | CVE-2026-32412 | Server-Side Request Forgery (SSRF) vulnerability in Gift Up! Gift Up Gift Cards… |
| 27 | CVE-2026-40740 | Missing Authorization vulnerability in Themeum Tutor LMS tutor allows Exploiting… |
| 27 | CVE-2026-32416 | Missing Authorization vulnerability in bPlugins PDF Poster pdf-poster allows Exp… |
| 27 | CVE-2026-24069 | Kiuwan SAST improperly authorizes SSO logins for locally disabled mapped user ac… |
| 27 | CVE-2026-32417 | Missing Authorization vulnerability in wppochipp Pochipp pochipp allows Exploiti… |
| 27 | CVE-2026-4332 | GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 bef… |
| 27 | CVE-2026-32423 | Missing Authorization vulnerability in Bowo Admin and Site Enhancements (ASE) ad… |
| 27 | CVE-2026-25337 | Cross-Site Request Forgery (CSRF) vulnerability in wpcoachify Coachify coachify… |
| 27 | CVE-2026-25322 | Cross-Site Request Forgery (CSRF) vulnerability in PublishPress PublishPress Rev… |
| 27 | CVE-2025-66595 | A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corpo… |
| 27 | CVE-2026-32709 | PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, An u… |
| 27 | CVE-2026-33295 | Summary: WWBN/AVideo contains a stored cross-site scripting vulnerability in… |
| 27 | CVE-2026-24365 | Cross-Site Request Forgery (CSRF) vulnerability in storeapps Stock Manager for W… |
| 27 | CVE-2026-24374 | Cross-Site Request Forgery (CSRF) vulnerability in Metagauss RegistrationMagic c… |
| 27 | CVE-2026-24384 | Cross-Site Request Forgery (CSRF) vulnerability in launchinteractive Merge + Min… |
| 27 | CVE-2026-27050 | Cross-Site Request Forgery (CSRF) vulnerability in ThimPress RealPress realpress… |
| 27 | CVE-2025-67856 | A flaw was found in Moodle. An authorization logic flaw, specifically due to inc… |
| 27 | CVE-2026-25422 | Cross-Site Request Forgery (CSRF) vulnerability in Themes4WP Popularis Extra pop… |
| 27 | CVE-2026-26075 | FastGPT is an AI Agent building platform. Due to the fact that FastGPT's web pag… |
| 27 | CVE-2026-35207 | dde-control-center is the control panel of DDE, the Deepin Desktop Environment.… |
| 27 | CVE-2026-1429 | Single Sign-On Portal System developed by WellChoose has a Reflected Cross-site… |
| 27 | CVE-2026-29061 | Gokapi is a self-hosted file sharing server with automatic expiration and encryp… |
| 27 | CVE-2026-30948 | Parse Server is an open source backend that can be deployed to any infrastructur… |
| 27 | CVE-2026-31354 | Multiple authenticated stored cross-site scripting (XSS) vulnerabilities in the… |
| 27 | CVE-2026-4364 | IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify… |
| 27 | CVE-2026-23809 | A technique has been identified that adapts a known port-stealing method to Wi-F… |
| 27 | CVE-2021-47920 | WebMO Job Manager 20.0 contains a cross-site scripting vulnerability in search p… |
| 27 | CVE-2026-34777 | Impact: When an iframe requests `fullscreen`, `pointerLock`, `keyboardLock`,… |
| 27 | CVE-2026-25604 | In AWS Auth manager, the origin of the SAML authentication has been used as prov… |
| 27 | CVE-2026-1636 | A potential DLL hijacking vulnerability was reported in Lenovo Service Bridge th… |
| 27 | CVE-2025-56605 | A reflected Cross-Site Scripting (XSS) vulnerability exists in the register.php… |
| 27 | CVE-2026-24050 | Zulip is an open-source team collaboration tool. From 5.0 to before 11.5, some a… |
| 27 | CVE-2025-63743 | Cross-Site Scripting vulnerability in the Snipe-IT web-based asset management sy… |
| 27 | CVE-2025-69848 | NetBox is an open-source infrastructure resource modeling and IP address managem… |
| 27 | CVE-2026-40948 | The Keycloak authentication manager in `apache-airflow-providers-keycloak` did n… |
| 27 | CVE-2025-14282 | A flaw was found in Dropbear. When running in multi-user mode and authenticating… |
| 27 | CVE-2025-12575 | GitLab has remediated an issue in GitLab EE affecting all versions from 18.0 bef… |
| 27 | CVE-2026-1312 | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4… |
| 27 | CVE-2026-1287 | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4… |
| 27 | CVE-2026-21393 | Movable Type contains a stored cross-site scripting vulnerability in Edit Commen… |
| 27 | CVE-2026-22875 | Movable Type contains a stored cross-site scripting vulnerability in Export Site… |
| 27 | CVE-2026-30927 | Admidio is an open-source user management solution. Prior to 5.0.6, in modules/e… |
| 27 | CVE-2026-25051 | n8n is an open source workflow automation platform. Prior to version 1.123.2, a… |
| 27 | CVE-2026-25054 | n8n is an open source workflow automation platform. Prior to versions 1.123.9 an… |
| 27 | CVE-2025-45160 | A HTML injection vulnerability exists in the file upload functionality of Cacti… |
| 27 | CVE-2026-3191 | The Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery… |
| 27 | CVE-2026-35603 | Claude Code is an agentic coding tool. In versions prior to 2.1.75 on Windows, C… |
| 27 | CVE-2025-14895 | The PopupKit plugin for WordPress is vulnerable to authorization bypass in all v… |
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 739d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2306d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2119d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1733d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2236d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4984d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1205d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1006d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3761d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 908d |