| Metric | Value | Note |
|---|---|---|
| Total CVEs | 16317 | last 90 days |
| Avg Priority | 36.6 | of max 220 |
| KEV | 40 | actively exploited |
| POC | 3255 | public exploits |
| Unpatched | 4680 | CRIT/HIGH without patch |
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:

| Signal | Contribution | Meaning |
|---|---|---|
| KEV | +50 | CISA Known Exploited Vulnerability: confirmed active exploitation in the wild |
| EPSS | x100 | Exploit Prediction Scoring System: probability of exploitation in the next 30 days (0-100) |
| CVSS | x5 | Common Vulnerability Scoring System: technical severity (0-50) |
| POC | +20 | Public exploit code exists, which lowers the barrier for attackers |

| Score | Level |
|---|---|
| 0-40 | Low |
| 40-80 | Medium |
| 80-120 | High |
| 120+ | Critical |
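The scoring rule above, carried through in code as an added example (this is not the dashboard's own implementation). The weights (KEV +50, EPSS x100, CVSS x5, POC +20) and the Low/Medium/High/Critical thresholds are the page's; the function names, the `VulnSignals` record, the treatment of each threshold's upper bound as exclusive, and the sample CVE records are assumptions constructed for the illustration. With every signal at its maximum the formula yields 50 + 100 + 50 + 20 = 220, the ceiling the summary cites.

```python
"""Worked example of the Priority Score formula described above.

Added illustration, not the dashboard's own code. Weights and thresholds come
from the page; helper names, the dataclass, the exclusive upper bound on each
bucket and the sample records are assumptions made for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnSignals:
    """Threat signals for one CVE (constructed values, not real assessments)."""
    cve_id: str
    cvss: float      # CVSS base score, 0.0-10.0
    epss: float      # EPSS probability, 0.0-1.0
    in_kev: bool     # listed in CISA KEV
    has_poc: bool    # public exploit code exists


MAX_PRIORITY = 50 + 100 + 50 + 20  # 220: KEV + EPSS + CVSS + POC at their maxima


def priority_score(v: VulnSignals) -> float:
    """Composite 0-220 score using the page's weights; rejects out-of-range inputs."""
    if not 0.0 <= v.cvss <= 10.0:
        raise ValueError(f"{v.cve_id}: CVSS out of range: {v.cvss}")
    if not 0.0 <= v.epss <= 1.0:
        raise ValueError(f"{v.cve_id}: EPSS out of range: {v.epss}")
    score = 0.0
    score += 50 if v.in_kev else 0    # KEV  +50
    score += v.epss * 100             # EPSS x100 -> 0-100
    score += v.cvss * 5               # CVSS x5   -> 0-50
    score += 20 if v.has_poc else 0   # POC  +20
    return round(score, 1)


def priority_level(score: float) -> str:
    """Bucket a score with the page's thresholds (upper bound exclusive, an assumption)."""
    if score < 40:
        return "Low"
    if score < 80:
        return "Medium"
    if score < 120:
        return "High"
    return "Critical"


def rank(vulns):
    """Return (score, cve_id) pairs, highest priority first, as a patch queue would order them."""
    scored = [(priority_score(v), v.cve_id) for v in vulns]
    return sorted(scored, key=lambda s: (-s[0], s[1]))


# Constructed sample records; the identifiers are placeholders, not real CVEs.
SAMPLE = [
    VulnSignals("CVE-EXAMPLE-0001", cvss=9.8, epss=0.94, in_kev=True, has_poc=True),
    VulnSignals("CVE-EXAMPLE-0002", cvss=7.5, epss=0.02, in_kev=False, has_poc=True),
    VulnSignals("CVE-EXAMPLE-0003", cvss=5.4, epss=0.0, in_kev=False, has_poc=False),
]

if __name__ == "__main__":
    for score, cve in rank(SAMPLE):
        print(f"{cve}: {score:6.1f}  {priority_level(score)}")
```

The ranking makes the point of the composite visible: a CVSS 7.5 issue with a public PoC but negligible EPSS lands in Medium, while the KEV-listed entry with high EPSS reaches Critical even before its CVSS contribution is counted.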
Patch Now — Known Exploited Vulnerabilities
| Priority | CVE | Description |
|---|---|---|
| 185 | CVE-2026-1731 | BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain |
| 184 | CVE-2026-23760 | SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability |
| 180 | CVE-2025-40551 | SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil |
| 170 | CVE-2026-1340 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem |
| 164 | CVE-2026-1281 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem |
| 160 | CVE-2025-40536 | SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that |
| 141 | CVE-2026-20131 | A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM |
| 137 | CVE-2026-1603 | An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen |
| 134 | CVE-2026-22769 | Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia |
| 128 | CVE-2026-24423 | SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code executi |
Priority Distribution
| Priority | CVE | Description |
|---|---|---|
| 27 | CVE-2026-28132 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vu |
| 27 | CVE-2025-12074 | The Context Blog theme for WordPress is vulnerable to Information Exposure in al |
| 27 | CVE-2026-25006 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vu |
| 27 | CVE-2025-13980 | Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal |
| 27 | CVE-2026-21286 | Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, |
| 27 | CVE-2025-13973 | The StickEasy Protected Contact Form plugin for WordPress is vulnerable to Sensi |
| 27 | CVE-2026-22422 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vu |
| 27 | CVE-2026-2207 | A weakness has been identified in WeKan up to 8.20. This issue affects some unkn |
| 27 | CVE-2026-25969 | ImageMagick is free and open-source software used for editing and manipulating d |
| 27 | CVE-2026-25970 | ImageMagick is free and open-source software used for editing and manipulating d |
| 27 | CVE-2026-28351 | pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.4, |
| 27 | CVE-2026-27610 | Parse Dashboard is a standalone dashboard for managing Parse Server apps. In ver |
| 27 | CVE-2026-25988 | ImageMagick is free and open-source software used for editing and manipulating d |
| 27 | CVE-2025-14609 | The Wise Analytics plugin for WordPress is vulnerable to Missing Authorization i |
| 27 | CVE-2026-25348 | Missing Authorization vulnerability in alttextai Download Alt Text AI alttext-ai |
| 27 | CVE-2026-25336 | Missing Authorization vulnerability in wpcoachify Coachify coachify allows Explo |
| 27 | CVE-2025-69325 | Path Traversal: '.../...//' vulnerability in primersoftware Primer MyData for Wo |
| 27 | CVE-2025-15563 | Any unauthenticated user can reset the WorkTime on-prem database configuration b |
| 27 | CVE-2024-39724 | IBM Db2 Big SQL on Cloud Pak for Data versions 7.6 (on CP4D 4.8), 7.7 (on CP4D 5 |
| 27 | CVE-2026-1060 | The WP Adminify plugin for WordPress is vulnerable to Sensitive Information Expo |
| 27 | CVE-2026-25637 | ImageMagick is free and open-source software used for editing and manipulating d |
| 27 | CVE-2026-24484 | ImageMagick is free and open-source software used for editing and manipulating d |
| 27 | CVE-2026-2888 | The Formidable Forms plugin for WordPress is vulnerable to an authorization bypa |
| 27 | CVE-2025-52023 | A vulnerability in the PHP backend of gemscms.aptsys.com.sg thru 2025-05-28 allo |
| 27 | CVE-2026-33425 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-late |
| 27 | CVE-2026-39851 | Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21. |
| 27 | CVE-2026-1980 | The WPBookit plugin for WordPress is vulnerable to unauthorized data disclosure |
| 27 | CVE-2026-34736 | Open edX Platform enables the authoring and delivery of online learning at any s |
| 27 | CVE-2025-41728 | A low privileged remote attacker may be able to disclose confidential informatio |
| 27 | CVE-2026-35483 | text-generation-webui is an open-source web interface for running Large Language |
| 27 | CVE-2026-35484 | text-generation-webui is an open-source web interface for running Large Language |
| 27 | CVE-2026-35487 | text-generation-webui is an open-source web interface for running Large Language |
| 27 | CVE-2026-40086 | Rembg is a tool to remove images background. Prior to 2.0.75, a path traversal v |
| 27 | CVE-2026-29069 | Craft is a content management system (CMS). Prior to 5.9.0-beta.2 and 4.17.0-bet |
| 27 | CVE-2026-30854 | Parse Server is an open source backend that can be deployed to any infrastructur |
| 27 | CVE-2026-29790 | dbt-common is the shared common utilities for dbt-core and adapter implementatio |
| 27 | CVE-2026-24321 | SAP Commerce Cloud exposes multiple API endpoints to unauthenticated users, allo |
| 27 | CVE-2026-23831 | Rekor is a software supply chain transparency log. In versions 1.4.3 and below, |
| 27 | CVE-2026-40152 | PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the list_files() |
| 27 | CVE-2026-32921 | OpenClaw before 2026.3.8 contains an approval bypass vulnerability in system.run |
| 27 | CVE-2026-34425 | OpenClaw versions prior to commit 8aceaf5 contain a preflight validation bypass |
| 27 | CVE-2026-6675 | The Responsive Blocks - Page Builder for Blocks & Patterns plugin for WordPress |
| 27 | CVE-2026-1537 | The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for W |
| 27 | CVE-2026-30878 | baserCMS is a website development framework. Prior to version 5.2.3, a public ma |
| 27 | CVE-2026-34718 | Zammad is a web based open source helpdesk/customer support system. Prior to 7.0 |
| 27 | CVE-2026-39400 | Cronicle is a multi-server task scheduler and runner, with a web based front-end |
| 27 | CVE-2026-35608 | QuickDrop is an easy-to-use file sharing application. Prior to 1.5.3, a stored X |
| 27 | CVE-2025-12518 | beefree.io SDK is vulnerable to Stored XSS in Social Media icon URL parameter in |
| 27 | CVE-2026-33936 | Summary: An issue in the low-level DER parsing functions can cause unexpected |
| 27 | CVE-2025-69241 | Raytha CMS is vulnerable to Stored XSS via FirstName and LastName parameters in |
| 27 | CVE-2025-13842 | The Breadcrumb NavXT plugin for WordPress is vulnerable to authorization bypass |
| 27 | CVE-2026-35390 | Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior |
| 27 | CVE-2026-32243 | Discourse is an open-source discussion platform. From versions 2026.1.0-latest t |
| 27 | CVE-2026-27021 | Discourse is an open source discussion platform. Prior to versions 2025.12.2, 20 |
| 27 | CVE-2026-35166 | Impact: Links and image links in the default markdown to HTML renderer are no |
| 27 | CVE-2026-2400 | CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerabilit |
| 27 | CVE-2026-4649 | Apache Artemis before version 2.52.0 is affected by an authentication bypass fla |
| 27 | CVE-2026-32305 | Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, |
| 27 | CVE-2026-26983 | ImageMagick is free and open-source software used for editing and manipulating d |
| 27 | CVE-2026-40100 | FastGPT is an AI Agent building platform. Prior to 4.14.10.3, the /api/core/app/ |
| 27 | CVE-2026-30938 | Parse Server is an open source backend that can be deployed to any infrastructur |
| 27 | CVE-2026-3475 | The Instant Popup Builder plugin for WordPress is vulnerable to Unauthenticated |
| 27 | CVE-2026-3419 | Fastify incorrectly accepts malformed `Content-Type` headers containing trailing |
| 27 | CVE-2026-28804 | pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.5, |
| 27 | CVE-2026-34574 | Parse Server is an open source backend that can be deployed to any infrastructur |
| 27 | CVE-2026-34732 | WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AV |
| 27 | CVE-2026-34595 | Parse Server is an open source backend that can be deployed to any infrastructur |
| 27 | CVE-2026-33763 | Summary: The `get_api_video_password_is_correct` API endpoint allows any unau |
| 27 | CVE-2026-31808 | file-type detects the file type of a file, stream, or data. Prior to 21.3.1, a d |
| 27 | CVE-2026-33761 | Summary: Three `list.json.php` endpoints in the Scheduler plugin lack any aut |
| 27 | CVE-2026-40347 | Summary: A denial of service vulnerability exists when parsing crafted `mult |
| 27 | CVE-2026-24299 | Improper neutralization of special elements used in a command ('command injectio |
| 27 | CVE-2026-1725 | GitLab has remediated an issue in GitLab CE/EE affecting versions from 18.9 befo |
| 27 | CVE-2025-52022 | A vulnerability in the PHP backend of gemsloyalty.aptsys.com.sg thru 2025-05-28 |
| 27 | CVE-2023-38265 | IBM Cloud Pak System 2.3.3.6, 2.3.3.7, 2.3.4.0, 2.3.4.1, and 2.3.5.0 could discl |
| 27 | CVE-2026-0394 | When dovecot has been configured to use per-domain passwd files, and they are pl |
| 27 | CVE-2025-13985 | Incorrect Authorization vulnerability in Drupal Entity Share allows Forceful Bro |
| 27 | CVE-2025-13822 | MCPHub in versions below 0.11.0 is vulnerable to authentication bypass. Some end |
| 27 | CVE-2026-3645 | The Punnel - Landing Page Builder plugin for WordPress is vulnerable to Missing |
| 27 | CVE-2026-24347 | Improper input validation in Admin UI of EZCast Pro II version 1.17478.146 allow |
| 27 | CVE-2026-33300 | Discourse is an open-source discussion platform. From versions 2026.1.0-latest t |
| 27 | CVE-2026-1978 | A vulnerability was detected in kalyan02 NanoCMS up to 0.4. Affected by this iss |
| 27 | CVE-2026-32143 | Discourse is an open-source discussion platform. From versions 2026.1.0-latest t |
| 27 | CVE-2026-1782 | The MetForm Pro plugin for WordPress is vulnerable to Improper Input Validation |
| 27 | CVE-2026-33457 | Livestatus injection in the prediction graph page in Checkmk <2.5.0b4, <2.4.0p26 |
| 27 | CVE-2026-32620 | Discourse is an open-source discussion platform. From versions 2026.1.0-latest t |
| 27 | CVE-2026-33705 | Chamilo LMS is a learning management system. Prior to 1.11.38, Twig template fil |
| 27 | CVE-2026-2405 | CWE-400 Uncontrolled Resource Consumption vulnerability exists that could cause |
| 27 | CVE-2026-6231 | The bson_validate function may return early on specific inputs and incorrectly r |
| 27 | CVE-2026-31805 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-late |
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 739d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2307d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2120d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1734d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2237d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4984d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1205d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1007d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3761d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 909d |