| Metric | Value | Note |
|---|---|---|
| Total CVEs | 16362 | last 90 days |
| Avg Priority | 36.7 | of max 220 |
| KEV | 41 | actively exploited |
| POC | 3306 | public exploits |
| Unpatched | 4712 | CRIT/HIGH without patch |
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:

| Signal | Weight | Meaning |
|---|---|---|
| KEV | +50 | CISA Known Exploited Vulnerability: confirmed active exploitation in the wild |
| EPSS | x100 | Exploit Prediction Scoring System: probability of exploitation in the next 30 days (0-100) |
| CVSS | x5 | Common Vulnerability Scoring System: technical severity (0-50) |
| POC | +20 | Public exploit code exists, which lowers the barrier for attackers |

| Score | Tier |
|---|---|
| 0-40 | Low |
| 40-80 | Medium |
| 80-120 | High |
| 120+ | Critical |
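As an added example (not the dashboard's own code), the composite score and tier computed in Python and applied to constructed records. The dashboard does not say which side of a cut-off a boundary value falls on, so the tiers are assumed to be lower-inclusive (40 is Medium, 120 is Critical).

```python
from dataclasses import dataclass

# Weights and tier cut-offs as stated on the dashboard.
KEV_BONUS = 50     # listed in CISA KEV
EPSS_WEIGHT = 100  # EPSS probability 0.0-1.0 scaled to 0-100
CVSS_WEIGHT = 5    # CVSS 0.0-10.0 scaled to 0-50
POC_BONUS = 20     # public exploit code exists
TIERS = [(120, "Critical"), (80, "High"), (40, "Medium"), (0, "Low")]

@dataclass
class CveRecord:
    cve_id: str
    cvss: float
    epss: float
    kev: bool = False
    poc: bool = False
    patched: bool = True

def priority_score(rec: CveRecord) -> float:
    """KEV*50 + EPSS*100 + CVSS*5 + POC*20, maximum 220."""
    if not 0.0 <= rec.cvss <= 10.0 or not 0.0 <= rec.epss <= 1.0:
        raise ValueError(f"{rec.cve_id}: CVSS or EPSS out of range")
    score = rec.epss * EPSS_WEIGHT + rec.cvss * CVSS_WEIGHT
    score += KEV_BONUS if rec.kev else 0
    score += POC_BONUS if rec.poc else 0
    return round(score, 1)

def priority_tier(score: float) -> str:
    # Assumption: lower bounds are inclusive (40 -> Medium, 120 -> Critical).
    for floor, name in TIERS:
        if score >= floor:
            return name
    return "Low"

def triage(records):
    """(cve_id, score, tier) sorted highest first; KEV and unpatched entries win ties."""
    rows = []
    for r in records:
        s = priority_score(r)
        rows.append((r.cve_id, s, priority_tier(s), r.kev, not r.patched))
    rows.sort(key=lambda row: (row[1], row[3], row[4]), reverse=True)
    return [(cid, s, tier) for cid, s, tier, _, _ in rows]

# Constructed sample records; the ids and CVSS/EPSS values are illustrative, not dashboard data.
SAMPLE = [
    CveRecord("CVE-0000-0001", cvss=10.0, epss=1.0, kev=True, poc=True),  # every signal: 220
    CveRecord("CVE-0000-0002", cvss=9.8, epss=0.12, poc=True, patched=False),  # 12 + 49 + 20 = 81
    CveRecord("CVE-0000-0003", cvss=5.4, epss=0.0),  # CVSS alone: 27, the Low tier
]
```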
Patch Now — Known Exploited Vulnerabilities
| Priority | CVE | Description |
|---|---|---|
| 185 | CVE-2026-1731 | BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain |
| 184 | CVE-2026-23760 | SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability |
| 180 | CVE-2025-40551 | SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil |
| 170 | CVE-2026-1340 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem |
| 164 | CVE-2026-1281 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem |
| 160 | CVE-2025-40536 | SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that |
| 141 | CVE-2026-20131 | A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM |
| 137 | CVE-2026-1603 | An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen |
| 134 | CVE-2026-22769 | Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia |
| 128 | CVE-2026-24423 | SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code executi |
Priority Distribution
| Priority | CVE | Description |
|---|---|---|
| 27 | CVE-2025-59028 | When sending invalid base64 SASL data, login process is disconnected from the au |
| 27 | CVE-2026-1310 | The Simple calendar for Elementor plugin for WordPress is vulnerable to Missing |
| 27 | CVE-2026-24004 | Fleet is open source device management software. In versions prior to 4.80.1, a |
| 27 | CVE-2026-39415 | Frappe Learning Management System (LMS) is a learning system that helps users st |
| 27 | CVE-2026-33888 | ApostropheCMS is an open-source Node.js content management system. Versions 4.28 |
| 27 | CVE-2026-1054 | The RegistrationMagic plugin for WordPress is vulnerable to Missing Authorizatio |
| 27 | CVE-2026-29137 | SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to hide s |
| 27 | CVE-2026-29135 | SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to craft |
| 27 | CVE-2026-2403 | CWE-1284 Improper Validation of Specified Quantity in Input vulnerability exists |
| 27 | CVE-2025-10461 | Global file reads caused by improper URL checks in webserver in Softing Industri |
| 27 | CVE-2026-29133 | SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to upload |
| 27 | CVE-2026-35038 | Signal K Server is a server application that runs on a central hub in a boat. Pr |
| 27 | CVE-2026-3570 | The Smarter Analytics plugin for WordPress is vulnerable to unauthorized access |
| 27 | CVE-2026-25771 | Wazuh is a free and open source platform used for threat prevention, detection, |
| 27 | CVE-2026-25878 | FroshAdminer is the Adminer plugin for Shopware Platform. Prior to 2.2.1, the Ad |
| 27 | CVE-2026-3731 | A weakness has been identified in libssh up to 0.11.3. The impacted element is t |
| 27 | CVE-2026-2442 | The Page Builder: Pagelayer - Drag and Drop website builder plugin for WordPress |
| 27 | CVE-2026-22796 | Issue summary: A type confusion vulnerability exists in the signature verificati |
| 27 | CVE-2026-25597 | PrestaShop is an open source e-commerce web application. Prior to 8.2.4 and 9.0. |
| 27 | CVE-2026-1656 | The Business Directory Plugin for WordPress is vulnerable to authorization bypas |
| 27 | CVE-2026-30885 | WWBN AVideo is an open source video platform. Prior to 25.0, the /objects/playli |
| 27 | CVE-2026-3651 | The Build App Online plugin for WordPress is vulnerable to unauthorized access i |
| 27 | CVE-2026-3641 | The Appmax plugin for WordPress is vulnerable to Improper Input Validation in al |
| 27 | CVE-2026-29134 | SEPPmail Secure Email Gateway before version 15.0.3 allows an external user to m |
| 27 | CVE-2026-30833 | Rocket.Chat is an open-source, secure, fully customizable communications platfor |
| 27 | CVE-2026-25983 | ImageMagick is free and open-source software used for editing and manipulating d |
| 27 | CVE-2026-33721 | MapServer is a system for developing web-based GIS applications. Starting in ver |
| 27 | CVE-2026-20152 | A vulnerability in the authentication service feature of Cisco AsyncOS Software |
| 27 | CVE-2026-5234 | The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Refer |
| 27 | CVE-2025-12500 | The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPre |
| 27 | CVE-2026-1657 | The EventPrime plugin for WordPress is vulnerable to unauthorized image file upl |
| 27 | CVE-2026-39941 | ChurchCRM is an open-source church management system. Prior to 7.1.0, an XSS vul |
| 27 | CVE-2026-32881 | ewe is a Gleam web server. Versions 0.6.0 through 3.0 |
| 27 | CVE-2026-1944 | The CallbackKiller service widget plugin for WordPress is vulnerable to unauthor |
| 27 | CVE-2026-0825 | The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress i |
| 27 | CVE-2025-68663 | Outline is a service that allows for collaborative documentation. Prior to 1.1.0 |
| 27 | CVE-2026-40922 | SiYuan is an open-source personal knowledge management system. In versions 3.6.1 |
| 27 | CVE-2026-27199 | Werkzeug is a comprehensive WSGI web application library. Versions 3.1.5 and bel |
| 27 | CVE-2026-34523 | A path traversal vulnerability in the static file route handler all |
| 27 | CVE-2025-13079 | The Popup Builder - Create highly converting, mobile friendly marketing popups. |
| 27 | CVE-2026-3595 | The Riaxe Product Customizer plugin for WordPress is vulnerable to authorization |
| 27 | CVE-2026-1558 | The WP Recipe Maker plugin for WordPress is vulnerable to an Insecure Direct Obj |
| 27 | CVE-2026-33501 | The endpoint `plugin/Permissions/View/Users_groups_permissions/list. |
| 27 | CVE-2026-1722 | The WCFM Marketplace - Multivendor Marketplace for WooCommerce plugin for WordPr |
| 27 | CVE-2026-23990 | The Flux Operator is a Kubernetes CRD controller that manages the lifecycle of C |
| 27 | CVE-2025-14938 | The Listeo Core plugin for WordPress is vulnerable to unauthenticated arbitrary |
| 27 | CVE-2026-33638 | `GET /api/allusers` is mounted as a public endpoint and returns user |
| 27 | CVE-2026-29794 | Unauthenticated users are able to bypass the application's built-in |
| 27 | CVE-2026-2861 | A vulnerability was detected in Foswiki up to 2.1.10. The affected element is an |
| 27 | CVE-2025-6792 | The One to one user Chat by WPGuppy plugin for WordPress is vulnerable to unauth |
| 27 | CVE-2026-28559 | wpForo Forum 2.4.14 contains an information disclosure vulnerability that allows |
| 27 | CVE-2026-35208 | lichess.org is the forever free, adless and open source chess server. Any approv |
| 27 | CVE-2026-32984 | Wazuh authd contains a heap-buffer overflow vulnerability that allows attackers |
| 27 | CVE-2026-3691 | OpenClaw Client PKCE Verifier Information Disclosure Vulnerability. This vulnera |
| 27 | CVE-2026-39424 | MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below |
| 27 | CVE-2026-35040 | fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.1, usin |
| 27 | CVE-2024-34438 | Missing Authorization vulnerability in Anssi Laitila Shared Files shared-files.T |
| 27 | CVE-2026-5167 | The Masteriyo LMS - Online Course Builder for eLearning, LMS & Education plugin |
| 27 | CVE-2025-6208 | The `SimpleDirectoryReader` component in `llama_index.core` version 0.12.23 suff |
| 27 | CVE-2026-25907 | Dell PowerScale OneFS, version 9.13.0.0, contains an overly restrictive account |
| 27 | CVE-2026-2443 | A flaw was identified in libsoup, a widely used HTTP library in GNOME-based syst |
| 27 | CVE-2025-48840 | An authentication bypass by spoofing vulnerability in Fortinet FortiWeb 7.6.0 th |
| 27 | CVE-2025-15542 | Improper handling of exceptional conditions in VX800v v1.0 in SIP processing all |
| 27 | CVE-2026-1336 | The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is |
| 27 | CVE-2026-23961 | Mastodon is a free, open-source social network server based on ActivityPub. Mast |
| 27 | CVE-2026-23485 | Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the fi |
| 27 | CVE-2023-37525 | A sensitive information disclosure in HCL BigFix Compliance allows a remote atta |
| 27 | CVE-2026-33219 | NATS.io is a high performance open source pub-sub distributed co |
| 27 | CVE-2025-13930 | The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPre |
| 27 | CVE-2026-33685 | WWBN AVideo is an open source video platform. In versions up to and including 26 |
| 27 | CVE-2026-40252 | FastGPT is an AI Agent building platform. Prior to 4.14.10.4, Broken Access Cont |
| 27 | CVE-2026-31821 | Sylius is an Open Source eCommerce Framework on Symfony. The POST /api/v2/shop/o |
| 27 | CVE-2026-3719 | A vulnerability was identified in Tsinghua Unigroup Electronic Archives System 3 |
| 27 | CVE-2026-4531 | A weakness has been identified in Free5GC 4.1.0. Affected is the function Handle |
| 27 | CVE-2026-33995 | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to versio |
| 27 | CVE-2026-20106 | A vulnerability in the Remote Access SSL VPN, HTTP management and MUS functional |
| 27 | CVE-2026-4240 | A vulnerability was determined in Open5GS up to 2.7.6. The affected element is t |
| 27 | CVE-2025-14843 | The Wizit Gateway for WooCommerce plugin for WordPress is vulnerable to Unauthen |
| 27 | CVE-2026-25795 | ImageMagick is free and open-source software used for editing and manipulating d |
| 27 | CVE-2025-69001 | Improper Control of Generation of Code ('Code Injection') vulnerability in Shahj |
| 27 | CVE-2026-25986 | ImageMagick is free and open-source software used for editing and manipulating d |
| 27 | CVE-2026-25799 | ImageMagick is free and open-source software used for editing and manipulating d |
| 27 | CVE-2026-33132 | A vulnerability in Zitadel's OAuth2/OIDC interface, which allowed u |
| 27 | CVE-2025-15482 | The Chapa Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnera |
| 27 | CVE-2026-25796 | ImageMagick is free and open-source software used for editing and manipulating d |
| 27 | CVE-2026-3506 | The WP-Chatbot for Messenger plugin for WordPress is vulnerable to authorization |
| 27 | CVE-2026-25123 | Homarr is an open-source dashboard. Prior to 1.52.0, a public (unauthenticated) |
| 27 | CVE-2026-25638 | ImageMagick is free and open-source software used for editing and manipulating d |
| 27 | CVE-2026-26271 | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to versio |
| 27 | CVE-2025-13980 | Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal |
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 739d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2307d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2120d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1733d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2236d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4984d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1205d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1006d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3761d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 908d |