| Metric | Value | Note |
|---|---|---|
| Total CVEs | 16344 | last 90 days |
| Avg Priority | 36.7 | of max 220 |
| KEV | 41 | actively exploited |
| POC | 3306 | public exploits |
| Unpatched | 4713 | CRIT/HIGH without patch |
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:

| Signal | Weight | Meaning |
|---|---|---|
| KEV | +50 | CISA Known Exploited Vulnerability: confirmed active exploitation in the wild |
| EPSS | x100 | Exploit Prediction Scoring System: probability of exploitation in next 30 days (0-100) |
| CVSS | x5 | Common Vulnerability Scoring System: technical severity (0-50) |
| POC | +20 | Public exploit code exists: lowers barrier for attackers |

| Score | Band |
|---|---|
| 0-40 | Low |
| 40-80 | Medium |
| 80-120 | High |
| 120+ | Critical |
Patch Now — Known Exploited Vulnerabilities
| Priority | CVE | Description |
|---|---|---|
| 185 | CVE-2026-1731 | BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain |
| 184 | CVE-2026-23760 | SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability |
| 180 | CVE-2025-40551 | SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil |
| 170 | CVE-2026-1340 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem |
| 164 | CVE-2026-1281 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem |
| 160 | CVE-2025-40536 | SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that |
| 141 | CVE-2026-20131 | A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM |
| 137 | CVE-2026-1603 | An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen |
| 134 | CVE-2026-22769 | Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia |
| 128 | CVE-2026-24423 | SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code executi |
Priority Distribution
| Priority | CVE | Description |
|---|---|---|
| 27 | CVE-2025-45160 | A HTML injection vulnerability exists in the file upload functionality of Cacti |
| 27 | CVE-2026-24587 | Missing Authorization vulnerability in kutsy AJAX Hits Counter + Popular Posts W |
| 27 | CVE-2026-24601 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti |
| 27 | CVE-2026-25028 | Missing Authorization vulnerability in Element Invader ElementInvader Addons for |
| 27 | CVE-2026-25574 | Payload is a free and open source headless content management system. Prior to 3 |
| 27 | CVE-2026-24591 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti |
| 27 | CVE-2026-3591 | A use-after-return vulnerability exists in the `named` server when handling DNS |
| 27 | CVE-2026-24433 | Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) c |
| 27 | CVE-2026-22881 | Cross-site scripting vulnerability exists in Message function of Cybozu Garoon 5 |
| 27 | CVE-2026-25566 | WeKan versions prior to 8.19 contain an authorization vulnerability in card move |
| 27 | CVE-2026-1251 | The SupportCandy - Helpdesk & Customer Support Ticket System plugin for WordPres |
| 27 | CVE-2026-24576 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti |
| 27 | CVE-2026-24600 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti |
| 27 | CVE-2026-25935 | Vikunja is a todo-app to organize your life. Prior to 1.1.0, TaskGlanceTooltip.v |
| 27 | CVE-2025-70033 | An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page |
| 27 | CVE-2026-0632 | The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Server-Si |
| 27 | CVE-2026-27792 | Seerr is an open-source media request and discovery manager for Jellyfin, Plex, |
| 27 | CVE-2025-69693 | Out-of-bounds read in FFmpeg 8.0 and 8.0.1 RV60 video decoder (libavcodec/rv60de |
| 27 | CVE-2026-5363 | Inadequate Encryption Strength vulnerability in TP-Link Archer C7 v5 and v5.8 (u |
| 27 | CVE-2026-23568 | An out-of-bounds read vulnerability in the TeamViewer DEX Client (former 1E Clie |
| 27 | CVE-2025-14778 | A flaw was found in Keycloak. A significant Broken Access Control vulnerability |
| 27 | CVE-2026-34247 | WWBN AVideo is an open source video platform. In versions up to and including 26 |
| 27 | CVE-2026-40483 | ChurchCRM is an open-source church management system. In versions prior to 7.2.0 |
| 27 | CVE-2026-39634 | Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Portfolio gr |
| 27 | CVE-2026-39710 | Cross-Site Request Forgery (CSRF) vulnerability in stmcan RT-Theme 18 \| Extensio |
| 27 | CVE-2026-32328 | Cross-Site Request Forgery (CSRF) vulnerability in shufflehound Lemmony lemmony |
| 27 | CVE-2026-32420 | Cross-Site Request Forgery (CSRF) vulnerability in Ruben Garcia GamiPress gamipr |
| 27 | CVE-2026-39603 | Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Photography |
| 27 | CVE-2026-26270 | InvoicePlane is a self-hosted open source application for managing invoices, cli |
| 27 | CVE-2026-39635 | Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Magazine gra |
| 27 | CVE-2026-1447 | The Mail Mint plugin for WordPress is vulnerable to Cross-Site Request Forgery i |
| 27 | CVE-2026-33726 | Impact: Ingress [Network Policies](https://docs.cilium.io/en/stable/network/ |
| 27 | CVE-2026-22483 | Cross-Site Request Forgery (CSRF) vulnerability in winkm89 teachPress teachpress |
| 27 | CVE-2026-3063 | Inappropriate implementation in DevTools in Google Chrome prior to 145.0.7632.11 |
| 27 | CVE-2025-64166 | Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-sit |
| 27 | CVE-2026-1880 | An Incorrect Permission Assignment for Critical Resource vulnerability in the AS |
| 27 | CVE-2025-32092 | Insecure inherited permissions for some Intel(R) Graphics Software before versio |
| 27 | CVE-2026-23601 | A vulnerability has been identified in the wireless encryption handling of Wi-Fi |
| 27 | CVE-2025-32453 | Incorrect default permissions for some Intel(R) Graphics Driver software within |
| 27 | CVE-2026-3428 | A Download of Code Without Integrity Check vulnerability in the update modules i |
| 27 | CVE-2026-39112 | Cross Site Scripting vulnerability in Apartment Visitors Management System Apart |
| 27 | CVE-2026-40320 | Summary: The `ConformityCheck` class in `giskard-checks` rendered the `rule` |
| 27 | CVE-2026-0811 | The Advanced Contact form 7 DB plugin for WordPress is vulnerable to Cross-Site |
| 27 | CVE-2026-4465 | A flaw has been found in D-Link DIR-513 1.10. The impacted element is an unknown |
| 27 | CVE-2026-35052 | Impact: Users hosting D-Tale publicly while using a redis or shelf storage la |
| 27 | CVE-2026-21310 | Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, |
| 27 | CVE-2025-10753 | The OAuth Single Sign On - SSO (OAuth Client) plugin for WordPress is vulnerable |
| 27 | CVE-2025-14461 | The Xendit Payment plugin for WordPress is vulnerable to unauthorized order stat |
| 27 | CVE-2026-1305 | The Japanized for WooCommerce plugin for WordPress is vulnerable to Improper Aut |
| 27 | CVE-2026-3964 | A weakness has been identified in OpenAkita up to 1.24.3. This impacts the funct |
| 27 | CVE-2026-4281 | The FormLift for Infusionsoft Web Forms plugin for WordPress is vulnerable to Mi |
| 27 | CVE-2026-5528 | A security vulnerability has been detected in MoussaabBadla code-screenshot-mcp |
| 27 | CVE-2026-20995 | Exposure of sensitive functionality to an unauthorized actor in Smart Switch pri |
| 27 | CVE-2026-20997 | Improper verification of cryptographic signature in Smart Switch prior to versio |
| 27 | CVE-2026-3959 | A vulnerability was found in 0xKoda WireMCP up to 7f45f8b2b4adeb76be8c6227eefb38 |
| 27 | CVE-2026-4198 | A vulnerability was determined in hypermodel-labs mcp-server-auto-commit 1.0.0. |
| 27 | CVE-2026-21282 | Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, |
| 27 | CVE-2026-1391 | The Vzaar Media Management plugin for WordPress is vulnerable to Reflected Cross |
| 27 | CVE-2026-3646 | The LTL Freight Quotes - R+L Carriers Edition plugin for WordPress is vulnerable |
| 27 | CVE-2026-4664 | The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to authe |
| 27 | CVE-2026-32702 | Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in |
| 27 | CVE-2026-25798 | ImageMagick is free and open-source software used for editing and manipulating d |
| 27 | CVE-2026-20080 | A vulnerability in the SSH service of Cisco IEC6400 Wireless Backhaul Edge Compu |
| 27 | CVE-2026-2681 | A flaw was found in the blst cryptographic library. This out-of-bounds stack wri |
| 27 | CVE-2026-3594 | The Riaxe Product Customizer plugin for WordPress is vulnerable to Sensitive Inf |
| 27 | CVE-2026-33672 | Impact: picomatch is vulnerable to a **method injection vulnerability (CWE-13 |
| 27 | CVE-2025-59060 | Hostname verification bypass issue in Apache Ranger NiFiRegistryClient/NiFiClien |
| 27 | CVE-2026-20031 | A vulnerability in the HTML Cascading Style Sheets (CSS) module of ClamAV could |
| 27 | CVE-2026-23903 | Authentication Bypass by Alternate Name vulnerability in Apache Shiro. This iss |
| 27 | CVE-2026-31995 | OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a command injection vulne |
| 27 | CVE-2025-14629 | The Alchemist Ajax Upload plugin for WordPress is vulnerable to unauthorized med |
| 27 | CVE-2025-64074 | A path-traversal vulnerability in the logout functionality of Shenzhen Zhibotong |
| 27 | CVE-2026-0950 | The Spectra Gutenberg Blocks - Website Builder for the Block Editor plugin for W |
| 27 | CVE-2025-13864 | The Breeze - WordPress Cache Plugin plugin for WordPress is vulnerable to unauth |
| 27 | CVE-2025-14294 | The Razorpay for WooCommerce plugin for WordPress is vulnerable to unauthorized |
| 27 | CVE-2026-1036 | The Photo Gallery by 10Web - Mobile-Friendly Image Gallery plugin for WordPress |
| 27 | CVE-2026-1926 | The Subscriptions for WooCommerce plugin for WordPress is vulnerable to unauthor |
| 27 | CVE-2026-3335 | The Canto plugin for WordPress is vulnerable to Missing Authorization in all ver |
| 27 | CVE-2026-28428 | Talishar is a fan-made Flesh and Blood project. Prior to commit a9c218e, an auth |
| 27 | CVE-2025-15511 | The Rupantorpay plugin for WordPress is vulnerable to unauthorized modification |
| 27 | CVE-2026-25185 | Exposure of sensitive information to an unauthorized actor in Windows Shell Link |
| 27 | CVE-2026-25509 | CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo |
| 27 | CVE-2026-2100 | A flaw was found in p11-kit. A remote attacker could exploit this vulnerability |
| 27 | CVE-2025-10731 | The ReviewX - WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, |
| 27 | CVE-2025-59028 | When sending invalid base64 SASL data, login process is disconnected from the au |
| 27 | CVE-2026-1310 | The Simple calendar for Elementor plugin for WordPress is vulnerable to Missing |
| 27 | CVE-2026-24004 | Fleet is open source device management software. In versions prior to 4.80.1, a |
| 27 | CVE-2026-39415 | Frappe Learning Management System (LMS) is a learning system that helps users st |
| 27 | CVE-2026-33888 | ApostropheCMS is an open-source Node.js content management system. Versions 4.28 |
| 27 | CVE-2026-1054 | The RegistrationMagic plugin for WordPress is vulnerable to Missing Authorizatio |
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 739d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2307d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2120d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1733d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2236d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4984d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1205d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1006d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3761d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 908d |