Total CVEs
16204
last 90 days
Avg Priority
36.4
of max 220
KEV
40
actively exploited
POC
3234
public exploits
Unpatched
4280
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
180
CVE-2025-40551
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil
170
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
164
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
160
CVE-2025-40536
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
129
CVE-2026-33825
Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to el
128
CVE-2026-24423
SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code executi
Priority Distribution
| Priority | CVE |
|---|---|
| 38 |
CVE-2026-24308
Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5
|
| 38 |
CVE-2025-50672
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro
|
| 38 |
CVE-2025-50673
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro
|
| 38 |
CVE-2025-50657
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro
|
| 38 |
CVE-2025-50647
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1, specificall
|
| 38 |
CVE-2025-50652
An issue in D-Link DI-8003 16.07.26A1 related to improper handling of the id par
|
| 38 |
CVE-2025-50655
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro
|
| 38 |
CVE-2025-50659
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro
|
| 38 |
CVE-2025-50660
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro
|
| 38 |
CVE-2025-50662
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro
|
| 38 |
CVE-2025-50644
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro
|
| 38 |
CVE-2025-50646
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to insuf
|
| 38 |
CVE-2025-50648
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to inade
|
| 38 |
CVE-2025-50649
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro
|
| 38 |
CVE-2025-50650
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to inade
|
| 38 |
CVE-2025-50654
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro
|
| 38 |
CVE-2025-50663
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro
|
| 38 |
CVE-2026-33002
Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (b
|
| 38 |
CVE-2026-21863
Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.
|
| 38 |
CVE-2026-21720
Every uncached /avatar/:hash request spawns a goroutine that refreshes the Grava
|
| 38 |
CVE-2025-46597
Bitcoin Core 0.13.0 through 29.x has an integer overflow.
|
| 38 |
CVE-2026-28815
A remote attacker can supply a short X-Wing HPKE encapsulated key and trigger an
|
| 38 |
CVE-2026-24363
Missing Authorization vulnerability in loopus WP Cost Estimation & Payment Forms
|
| 38 |
CVE-2026-23482
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the fi
|
| 38 |
CVE-2026-25317
Missing Authorization vulnerability in tychesoftwares Print Invoice & Delivery N
|
| 38 |
CVE-2026-25949
Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.8, there is a p
|
| 38 |
CVE-2026-27520
Binardat 10G08-0800GSM network switch firmware versions prior to V300SP10260209
|
| 38 |
CVE-2026-30912
In case of SQL errors, exception/stack trace of errors was exposed in API even i
|
| 38 |
CVE-2026-25990
Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, n out-of-bound
|
| 38 |
CVE-2026-20639
An integer overflow was addressed with improved input validation. This issue is
|
| 38 |
CVE-2026-25026
Missing Authorization vulnerability in RadiusTheme Team tlp-team allows Exploiti
|
| 38 |
CVE-2025-45057
D-Link DI-8300 v16.07.26A1 was discovered to contain a buffer overflow via the i
|
| 38 |
CVE-2026-20701
An access issue was addressed with additional sandbox restrictions. This issue i
|
| 38 |
CVE-2026-32284
The msgpack decoder fails to properly validate the input buffer length when proc
|
| 38 |
CVE-2026-32285
The Delete function fails to properly validate offsets when processing malformed
|
| 38 |
CVE-2025-45058
D-Link DI-8300 v16.07.26A1 was discovered to contain a buffer overflow via the f
|
| 38 |
CVE-2026-32286
The DataRow.Decode function fails to properly validate field lengths. A maliciou
|
| 38 |
CVE-2025-45059
D-Link DI-8300 v16.07.26A1 was discovered to contain a buffer overflow via the f
|
| 38 |
CVE-2025-58107
In Microsoft Exchange through 2019, Exchange ActiveSync (EAS) configurations on
|
| 38 |
CVE-2026-3573
Incorrect Authorization vulnerability in Drupal AI (Artificial Intelligence) all
|
| 38 |
CVE-2026-26999
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.38 an
|
| 38 |
CVE-2026-30778
The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configurat
|
| 38 |
CVE-2026-25309
Missing Authorization vulnerability in PublishPress PublishPress Authors publish
|
| 38 |
CVE-2026-27073
Use of Hard-coded Credentials vulnerability in Addi Addi – Cuotas que se a
|
| 38 |
CVE-2025-50645
A vulnerability has been discovered in D-Link DI-8003 16.07.26A1, which can lead
|
| 38 |
CVE-2025-56421
SQL Injection vulnerability in LimeSurvey before v.6.15.4+250710 allows a remote
|
| 38 |
CVE-2026-40046
Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ
|
| 38 |
CVE-2026-34020
Use of GET Request Method With Sensitive Query Strings vulnerability in Apache O
|
| 38 |
CVE-2026-32515
Missing Authorization vulnerability in kamleshyadav Miraculous miraculous allows
|
| 38 |
CVE-2026-5439
A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc auto
|
| 38 |
CVE-2026-5438
A gzip decompression bomb vulnerability exists when Orthanc processes HTTP reque
|
| 38 |
CVE-2026-32498
Missing Authorization vulnerability in Metagauss RegistrationMagic custom-regist
|
| 38 |
CVE-2026-25396
Missing Authorization vulnerability in CoderPress Commerce Coinbase For WooComme
|
| 38 |
CVE-2026-5087
PAGI::Middleware::Session::Store::Cookie versions through 0.001003 for Perl gene
|
| 38 |
CVE-2026-32495
Missing Authorization vulnerability in Link Software LLC WP Terms Popup wp-terms
|
| 38 |
CVE-2026-25401
Missing Authorization vulnerability in Arni Cinco WPCargo Track & Trace wpcargo
|
| 38 |
CVE-2026-32485
Missing Authorization vulnerability in weDevs WP User Frontend wp-user-frontend
|
| 38 |
CVE-2026-25456
Missing Authorization vulnerability in Aarsiv Groups Automated FedEx live/manual
|
| 38 |
CVE-2026-25762
AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.
|
| 38 |
CVE-2025-70873
An information disclosure issue in the zipfileInflate function in the zipfile ex
|
| 38 |
CVE-2026-23806
Missing Authorization vulnerability in BlueGlass Interactive AG Jobs for WordPre
|
| 38 |
CVE-2026-34876
An issue was discovered in Mbed TLS 3.x before 3.6.6. An out-of-bounds read vuln
|
| 38 |
CVE-2026-3608
Sending a maliciously crafted message to the kea-ctrl-agent, kea-dhcp-ddns, kea-
|
| 38 |
CVE-2026-3932
Insufficient policy enforcement in PDF in Google Chrome on Android prior to 146.
|
| 38 |
CVE-2026-25819
HMS Networks Ewon Flexy with firmware before 15.0s4, Cosy+ with firmware 22.xx b
|
| 38 |
CVE-2026-28479
OpenClaw versions prior to 2026.2.15 use SHA-1 to hash sandbox identifier cache
|
| 38 |
CVE-2026-1092
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.10
|
| 38 |
CVE-2026-21626
Access control settings for forum post custom fields are not applied to the JSON
|
| 38 |
CVE-2026-33174
### Impact
When serving files through Active Storage's `Blobs::ProxyController`,
|
| 38 |
CVE-2026-22727
Unprotected internal endpoints in Cloud Foundry Capi Release 1.226.0 and below,
|
| 38 |
CVE-2026-33241
## Summary
Salvo's form data parsing implementations (`form_data()` method and `
|
| 38 |
CVE-2026-28400
Docker Model Runner (DMR) is software used to manage, run, and deploy AI models
|
| 38 |
CVE-2025-14513
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.11
|
| 38 |
CVE-2025-8590
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in AKCE
|
| 38 |
CVE-2026-25650
MCP Salesforce Connector is a Model Context Protocol (MCP) server implementation
|
| 38 |
CVE-2026-33176
### Impact
Active Support number helpers accept strings containing scientific no
|
| 38 |
CVE-2026-4708
Incorrect boundary conditions in the Graphics component. This vulnerability affe
|
| 38 |
CVE-2026-4695
Incorrect boundary conditions in the Audio/Video: Web Codecs component. This vul
|
| 38 |
CVE-2026-28855
A permissions issue was addressed with additional restrictions. This issue is fi
|
| 38 |
CVE-2026-4704
Denial-of-service in the WebRTC: Signaling component. This vulnerability affects
|
| 38 |
CVE-2026-30946
Parse Server is an open source backend that can be deployed to any infrastructur
|
| 38 |
CVE-2026-4697
Incorrect boundary conditions in the Audio/Video: Web Codecs component. This vul
|
| 38 |
CVE-2026-4719
Incorrect boundary conditions in the Graphics: Text component. This vulnerabilit
|
| 38 |
CVE-2026-4714
Incorrect boundary conditions in the Audio/Video component. This vulnerability a
|
| 38 |
CVE-2026-4713
Incorrect boundary conditions in the Graphics component. This vulnerability affe
|
| 38 |
CVE-2025-66598
A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corpo
|
| 38 |
CVE-2026-24783
soroban-fixed-point-math is a fixed-point math library for Soroban smart contact
|
| 38 |
CVE-2026-4525
If a Vault auth mount is configured to pass through the "Authorization" header,
|
| 38 |
CVE-2026-24684
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0
|
| 38 |
CVE-2026-32228
UI / API User with asset materialize permission could trigger dags they had no a
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 741d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2309d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2122d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1735d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2238d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4986d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1207d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1008d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3763d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 910d |