Total CVEs
16140
last 90 days
Avg Priority
36.4
of max 220
KEV
40
actively exploited
POC
3230
public exploits
Unpatched
4262
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
180
CVE-2025-40551
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil
170
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
164
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
160
CVE-2025-40536
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
129
CVE-2026-33825
Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to el
128
CVE-2026-24423
SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code executi
Priority Distribution
| Priority | CVE |
|---|---|
| 38 |
CVE-2026-34240
JOSE is a Javascript Object Signing and Encryption (JOSE) library. Prior to vers
|
| 38 |
CVE-2026-5050
The Payment Gateway for Redsys & WooCommerce Lite plugin for WordPress is vulner
|
| 38 |
CVE-2026-35242
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (comp
|
| 38 |
CVE-2026-25563
WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR)
|
| 38 |
CVE-2025-15576
If two sibling jails are restricted to separate filesystem trees, which is to sa
|
| 38 |
CVE-2026-32838
Edimax GS-5008PL firmware version 1.00.54 and prior use cleartext HTTP for the w
|
| 38 |
CVE-2026-30332
A Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability in Balena E
|
| 38 |
CVE-2026-22565
An Improper Input Validation vulnerability could allow a malicious actor with ac
|
| 38 |
CVE-2026-22566
An Improper Access Control vulnerability could allow a malicious actor with acce
|
| 38 |
CVE-2026-25564
WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR)
|
| 38 |
CVE-2026-25561
WeKan versions prior to 8.19 contain an authorization weakness in the attachment
|
| 38 |
CVE-2026-4247
When a challenge ACK is to be sent tcp_respond() constructs and sends the challe
|
| 38 |
CVE-2026-35467
The stored API keys in temporary browser client is not marked as protected allow
|
| 38 |
CVE-2025-40537
SolarWinds Web Help Desk was found to be susceptible to a hardcoded credentials
|
| 38 |
CVE-2026-33266
Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings.
The r
|
| 38 |
CVE-2026-22998
In the Linux kernel, the following vulnerability has been resolved:
nvme-tcp: f
|
| 38 |
CVE-2025-12774
A vulnerability in the migration script for Brocade SANnav before 3.0 could allo
|
| 38 |
CVE-2025-50671
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro
|
| 38 |
CVE-2025-50670
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro
|
| 38 |
CVE-2025-50664
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro
|
| 38 |
CVE-2025-50666
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro
|
| 38 |
CVE-2026-34486
Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the f
|
| 38 |
CVE-2026-4694
Incorrect boundary conditions, integer overflow in the Graphics component. This
|
| 38 |
CVE-2025-50661
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro
|
| 38 |
CVE-2025-14769
In some cases, the `tcp-setmss` handler may free the packet data and throw an er
|
| 38 |
CVE-2025-50665
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to impro
|
| 38 |
CVE-2026-32280
During chain building, the amount of work that is done is not correctly limited
|
| 38 |
CVE-2026-32283
If one side of the TLS connection sends multiple key update messages post-handsh
|
| 38 |
CVE-2026-32281
Validating certificate chains which use policies is unexpectedly inefficient whe
|
| 38 |
CVE-2026-29645
NEMU (OpenXiangShan/NEMU) before v2025.12.r2 contains an improper instruction-va
|
| 38 |
CVE-2026-4726
Denial-of-service in the XML component. This vulnerability affects Firefox < 149
|
| 38 |
CVE-2026-31317
Craftql v1.3.7 and before is vulnerable to Server-Side Request Forgery (SSRF) wh
|
| 38 |
CVE-2026-4727
Denial-of-service in the Libraries component in NSS. This vulnerability affects
|
| 38 |
CVE-2026-33697
Cocos AI is a confidential computing system for AI. The current implementation o
|
| 38 |
CVE-2026-34063
Nimiq's network-libp2p is a Nimiq network implementation based on libp2p. Prior
|
| 38 |
CVE-2026-30762
Summary:
The file lightrag/api/config.py (line 397) uses a default JWT secret "l
|
| 38 |
CVE-2026-35172
## summary:
distribution can restore read access in `repo a` after an explicit d
|
| 38 |
CVE-2026-41066
### Impact
Using either of the two parsers in the default configuration (with `r
|
| 38 |
CVE-2026-41231
Froxlor is open source server administration software. Prior to version 2.3.6, `
|
| 38 |
CVE-2026-3621
IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.4 IBM WebSphe
|
| 38 |
CVE-2026-6857
A flaw was found in camel-infinispan. This vulnerability involves unsafe deseria
|
| 38 |
CVE-2026-39111
SQL Injection vulnerability in Apartment Visitors Management System Apartment Vi
|
| 38 |
CVE-2026-3104
A specially crafted domain can be used to cause a memory leak in a BIND resolver
|
| 38 |
CVE-2026-34065
### Impact
An untrusted p2p peer can cause a node to panic by announcing an elec
|
| 38 |
CVE-2026-34986
### Impact
Decrypting a JSON Web Encryption (JWE) object will panic if the `alg
|
| 38 |
CVE-2026-6507
A flaw was found in dnsmasq. A remote attacker could exploit an out-of-bounds wr
|
| 38 |
CVE-2026-35209
### Impact
Applications that pass unsanitized user input (e.g. parsed JSON requ
|
| 38 |
CVE-2026-23869
A denial of service vulnerability exists in React Server Components, affecting t
|
| 38 |
CVE-2026-32066
OpenClaw before 2026.3.1 contains an unbounded memory growth vulnerability in th
|
| 38 |
CVE-2026-41640
## Summary
The `queryParentSQL()` function in the core database package constru
|
| 38 |
CVE-2026-33593
A client can trigger a divide by zero error leading to crash by sending a crafte
|
| 37 |
CVE-2026-0522
A local file inclusion vulnerability in the upload/download flow of the VertiGIS
|
| 37 |
CVE-2026-39866
Lawnchair is a free, open-source home app for Android. Prior to commit fcba413f5
|
| 37 |
CVE-2026-3690
OpenClaw Canvas Authentication Bypass Vulnerability. This vulnerability allows r
|
| 37 |
CVE-2026-3973
A vulnerability was determined in Tenda W3 1.0.0.3(2204). This affects the funct
|
| 37 |
CVE-2026-3976
A weakness has been identified in Tenda W3 1.0.0.3(2204). Impacted is the functi
|
| 37 |
CVE-2026-4008
A flaw has been found in Tenda W3 1.0.0.3(2204). This issue affects some unknown
|
| 37 |
CVE-2026-3971
A vulnerability has been found in Tenda i3 1.0.0.6(2204). Affected by this vulne
|
| 37 |
CVE-2026-27981
HomeBox is a home inventory and organization system. Prior to 0.24.0, the authen
|
| 37 |
CVE-2025-69419
Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously
craft
|
| 37 |
CVE-2026-22264
Suricata is a network IDS, IPS and NSM engine. Prior to version 8.0.3 and 7.0.14
|
| 37 |
CVE-2026-28791
Tina is a headless content management system. Prior to 2.1.7, a path traversal v
|
| 37 |
CVE-2026-25968
ImageMagick is free and open-source software used for editing and manipulating d
|
| 37 |
CVE-2026-32631
Git for Windows is the Windows port of Git. Versions prior to 2.53.0.windows.3 d
|
| 37 |
CVE-2026-25967
ImageMagick is free and open-source software used for editing and manipulating d
|
| 37 |
CVE-2025-12345
A security vulnerability has been detected in LLM-Claw 0.1.0/0.1.1/0.1.1a/0.1.1a
|
| 37 |
CVE-2026-3278
Improper neutralization of input during web page generation ('cross-site scripti
|
| 37 |
CVE-2026-32275
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. F
|
| 37 |
CVE-2026-3975
A security flaw has been discovered in Tenda W3 1.0.0.3(2204). This issue affect
|
| 37 |
CVE-2026-4974
A flaw has been found in Tenda AC7 15.03.06.44. Affected by this issue is the fu
|
| 37 |
CVE-2026-4975
A vulnerability has been found in Tenda AC15 15.03.05.19. This affects the funct
|
| 37 |
CVE-2026-5988
A vulnerability was detected in Tenda F451 1.0.0.7. This impacts the function fo
|
| 37 |
CVE-2026-6137
A vulnerability was detected in Tenda F451 1.0.0.7_cn_svn7958. The affected elem
|
| 37 |
CVE-2026-4007
A vulnerability was detected in Tenda W3 1.0.0.3(2204). This vulnerability affec
|
| 37 |
CVE-2026-5992
A vulnerability was determined in Tenda F451 1.0.0.7. This affects the function
|
| 37 |
CVE-2026-5991
A vulnerability was found in Tenda F451 1.0.0.7. Affected by this issue is the f
|
| 37 |
CVE-2026-4041
A security flaw has been discovered in Tenda i12 1.0.0.6(2204). Impacted is the
|
| 37 |
CVE-2026-5990
A vulnerability has been found in Tenda F451 1.0.0.7. Affected by this vulnerabi
|
| 37 |
CVE-2026-3970
A flaw has been found in Tenda i3 1.0.0.6(2204). Affected is the function formwr
|
| 37 |
CVE-2026-3974
A vulnerability was identified in Tenda W3 1.0.0.3(2204). This vulnerability aff
|
| 37 |
CVE-2026-4042
A weakness has been identified in Tenda i12 1.0.0.6(2204). The affected element
|
| 37 |
CVE-2026-4043
A security vulnerability has been detected in Tenda i12 1.0.0.6(2204). The impac
|
| 37 |
CVE-2026-5983
A vulnerability was determined in D-Link DIR-605L 2.13B01. This issue affects th
|
| 37 |
CVE-2026-5980
A flaw has been found in D-Link DIR-605L 2.13B01. Affected by this issue is the
|
| 37 |
CVE-2026-32156
Use after free in Windows Universal Plug and Play (UPnP) Device Host allows an u
|
| 37 |
CVE-2026-5629
A vulnerability was detected in Belkin F9K1015 1.00.10. The affected element is
|
| 37 |
CVE-2026-33804
@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass w
|
| 37 |
CVE-2026-33667
OpenProject is an open-source project management application. In versions prior
|
| 37 |
CVE-2026-33131
# H3 NodeRequestUrl bugs
Vulnerable pieces of code :
```js
import { H3, serve
|
| 37 |
CVE-2026-24052
Claude Code is an agentic coding tool. Prior to version 1.0.111, Claude Code con
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 741d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2309d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2122d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1735d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2238d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4986d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1207d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1008d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3763d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 910d |