Total CVEs
16353
last 90 days
Avg Priority
36.6
of max 220
KEV
40
actively exploited
POC
3256
public exploits
Unpatched
4690
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
184
CVE-2026-23760
SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability
180
CVE-2025-40551
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil
170
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
164
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
160
CVE-2025-40536
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
128
CVE-2026-24423
SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code executi
Priority Distribution
| Priority | CVE |
|---|---|
| 27 |
CVE-2026-5762
Allocation of resources without limits or throttling vulnerability in Wikimedia
|
| 27 |
CVE-2026-6231
The bson_validate function may return early on specific inputs and incorrectly r
|
| 27 |
CVE-2026-24347
Improper input validation in Admin UI of EZCast Pro II version 1.17478.146 allow
|
| 27 |
CVE-2026-2405
CWE-400 Uncontrolled Resource Consumption vulnerability exists that could cause
|
| 27 |
CVE-2026-30876
Chamilo LMS is a learning management system. Prior to version 1.11.36, Chamilo i
|
| 27 |
CVE-2026-31805
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-late
|
| 27 |
CVE-2026-1782
The MetForm Pro plugin for WordPress is vulnerable to Improper Input Validation
|
| 27 |
CVE-2026-33455
Livestatus injection in the monitoring quicksearch in Checkmk <2.5.0b4 allows an
|
| 27 |
CVE-2026-33759
## Summary
The `objects/playlistsVideos.json.php` endpoint returns the full vid
|
| 27 |
CVE-2026-33457
Livestatus injection in the prediction graph page in Checkmk <2.5.0b4, <2.4.0p26
|
| 27 |
CVE-2026-1978
A vulnerability was detected in kalyan02 NanoCMS up to 0.4. Affected by this iss
|
| 27 |
CVE-2026-35620
OpenClaw before 2026.3.24 contains missing authorization vulnerabilities in the
|
| 27 |
CVE-2026-33300
Discourse is an open-source discussion platform. From versions 2026.1.0-latest t
|
| 27 |
CVE-2026-32620
Discourse is an open-source discussion platform. From versions 2026.1.0-latest t
|
| 27 |
CVE-2026-26945
Dell Integrated Dell Remote Access Controller 9, 14G versions prior to 7.00.00.1
|
| 27 |
CVE-2026-32143
Discourse is an open-source discussion platform. From versions 2026.1.0-latest t
|
| 27 |
CVE-2026-33705
Chamilo LMS is a learning management system. Prior to 1.11.38, Twig template fil
|
| 27 |
CVE-2025-55704
Hidden functionality issue exists in multiple MFPs provided by Brother Industrie
|
| 27 |
CVE-2026-28675
OpenSift is an AI study tool that sifts through large datasets using semantic se
|
| 27 |
CVE-2026-1371
The Tutor LMS - eLearning and online course solution plugin for WordPress is vul
|
| 27 |
CVE-2026-0944
Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Gro
|
| 27 |
CVE-2026-33766
## Summary
`isSSRFSafeURL()` validates URLs against private/reserved IP ranges
|
| 27 |
CVE-2026-23488
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the /a
|
| 27 |
CVE-2025-66605
A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corpo
|
| 27 |
CVE-2026-25019
Missing Authorization vulnerability in Vito Peleg Atarim atarim-visual-collabora
|
| 27 |
CVE-2025-13113
The Web Accessibility by accessiBe plugin for WordPress is vulnerable to Sensiti
|
| 27 |
CVE-2025-7630
Improper Restriction of Excessive Authentication Attempts, Improper Authenticati
|
| 27 |
CVE-2026-25010
Missing Authorization vulnerability in ILLID Share This Image share-this-image a
|
| 27 |
CVE-2026-24548
Server-Side Request Forgery (SSRF) vulnerability in Prince Radio Player radio-pl
|
| 27 |
CVE-2026-4985
A vulnerability was identified in dloebl CGIF up to 0.5.2. This vulnerability af
|
| 27 |
CVE-2026-20673
A logic issue was addressed with improved checks. This issue is fixed in macOS S
|
| 27 |
CVE-2026-32586
Missing Authorization vulnerability in Pluggabl Booster for WooCommerce allows E
|
| 27 |
CVE-2026-24625
Missing Authorization vulnerability in Imaginate Solutions File Uploads Addon fo
|
| 27 |
CVE-2026-31901
Parse Server is an open source backend that can be deployed to any infrastructur
|
| 27 |
CVE-2026-24619
Missing Authorization vulnerability in PopCash PopCash.Net Code Integration Tool
|
| 27 |
CVE-2026-22445
Missing Authorization vulnerability in Proptech Plugin Apimo Connector apimo all
|
| 27 |
CVE-2026-24615
Missing Authorization vulnerability in themebeez Cream Magazine cream-magazine a
|
| 27 |
CVE-2026-24613
Missing Authorization vulnerability in Ecwid by Lightspeed Ecommerce Shopping Ca
|
| 27 |
CVE-2026-24612
Missing Authorization vulnerability in themebeez Orchid Store orchid-store allow
|
| 27 |
CVE-2026-24607
Missing Authorization vulnerability in wptravelengine Travel Monster travel-mons
|
| 27 |
CVE-2026-24606
Missing Authorization vulnerability in Web Impian Bayarcash WooCommerce bayarcas
|
| 27 |
CVE-2026-27448
If a user provided callback to `set_tlsext_servername_callback` raised an unhand
|
| 27 |
CVE-2026-24541
Missing Authorization vulnerability in mkscripts Download After Email download-a
|
| 27 |
CVE-2026-22348
Missing Authorization vulnerability in Tasos Fel Civic Cookie Control civic-cook
|
| 27 |
CVE-2026-0909
The WP ULike plugin for WordPress is vulnerable to Insecure Direct Object Refere
|
| 27 |
CVE-2026-33192
**Impact**
This is an Improper Error Handling vulnerability with Information E
|
| 27 |
CVE-2026-3550
The RockPress plugin for WordPress is vulnerable to Missing Authorization in all
|
| 27 |
CVE-2026-24583
Missing Authorization vulnerability in sumup SumUp Payment Gateway For WooCommer
|
| 27 |
CVE-2026-24577
Missing Authorization vulnerability in Genetech Products Pie Register pie-regist
|
| 27 |
CVE-2026-24568
Missing Authorization vulnerability in WP Travel WP Travel wp-travel allows Expl
|
| 27 |
CVE-2026-30859
WeKnora is an LLM-powered framework designed for deep document understanding and
|
| 27 |
CVE-2026-24556
Missing Authorization vulnerability in wpdive ElementCamp element-camp allows Ex
|
| 27 |
CVE-2026-24991
Authorization Bypass Through User-Controlled Key vulnerability in HT Plugins Ext
|
| 27 |
CVE-2026-24997
Missing Authorization vulnerability in Wired Impact Wired Impact Volunteer Manag
|
| 27 |
CVE-2026-24967
Missing Authorization vulnerability in ameliabooking Amelia ameliabooking allows
|
| 27 |
CVE-2026-24945
Missing Authorization vulnerability in Themefic Ultimate Addons for Contact Form
|
| 27 |
CVE-2026-24982
Missing Authorization vulnerability in Brainstorm Force Spectra ultimate-addons-
|
| 27 |
CVE-2023-38010
IBM Cloud Pak System displays sensitive information in user messages that could
|
| 27 |
CVE-2026-24366
Missing Authorization vulnerability in YITHEMES YITH WooCommerce Request A Quote
|
| 27 |
CVE-2026-25012
Missing Authorization vulnerability in gfazioli WP Bannerize Pro wp-bannerize-pr
|
| 27 |
CVE-2026-24994
Missing Authorization vulnerability in sunshinephotocart Sunshine Photo Cart sun
|
| 27 |
CVE-2026-23486
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, a publ
|
| 27 |
CVE-2026-25987
ImageMagick is free and open-source software used for editing and manipulating d
|
| 27 |
CVE-2026-23623
Collabora Online is a collaborative online office suite based on LibreOffice tec
|
| 27 |
CVE-2025-14608
The WP Last Modified Info plugin for WordPress is vulnerable to Insecure Direct
|
| 27 |
CVE-2026-24634
Authorization Bypass Through User-Controlled Key vulnerability in Rustaurius Ult
|
| 27 |
CVE-2026-1833
The WaMate Confirm - Order Confirmation plugin for WordPress is vulnerable to un
|
| 27 |
CVE-2026-24633
Missing Authorization vulnerability in Passionate Brains Add Expires Headers & O
|
| 27 |
CVE-2026-24992
Insertion of Sensitive Information Into Sent Data vulnerability in WPFactory Adv
|
| 27 |
CVE-2026-24998
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulne
|
| 27 |
CVE-2026-25023
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulne
|
| 27 |
CVE-2026-4751
NULL Pointer Dereference vulnerability in tmate-io tmate.This issue affects tmat
|
| 27 |
CVE-2026-4733
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in ixra
|
| 27 |
CVE-2026-28360
NocoDB is software for building databases as spreadsheets. Prior to version 0.30
|
| 27 |
CVE-2026-34069
### Impact
An unauthenticated p2p peer can cause the `RequestMacroChain` messag
|
| 27 |
CVE-2026-3460
The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direc
|
| 27 |
CVE-2026-33899
When `Magick` parses an XML file it is possible that a single zero byte is writt
|
| 27 |
CVE-2026-27859
A mail message containing excessive amount of RFC 2231 MIME parameters causes LM
|
| 27 |
CVE-2026-33481
### Impact
Syft versions before v1.42.3 would not properly cleanup temporary sto
|
| 27 |
CVE-2026-26196
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, gogs ap
|
| 27 |
CVE-2026-28471
OpenClaw version 2026.1.14-1 prior to 2026.2.2, with the Matrix plugin installed
|
| 27 |
CVE-2026-32867
OPEXUS eComplaint before version 10.1.0.0 allows an unauthenticated attacker to
|
| 27 |
CVE-2026-28687
ImageMagick is free and open-source software used for editing and manipulating d
|
| 27 |
CVE-2026-24557
Insertion of Sensitive Information Into Sent Data vulnerability in WEN Solutions
|
| 27 |
CVE-2025-13212
IBM Aspera Console 3.3.0 through 3.4.8 could allow an authenticated user to caus
|
| 27 |
CVE-2025-14067
The Easy Form Builder plugin for WordPress is vulnerable to unauthorized access
|
| 27 |
CVE-2026-29775
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0
|
| 27 |
CVE-2026-29774
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0
|
| 27 |
CVE-2025-14831
A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS)
|
| 27 |
CVE-2026-34230
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, a
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 739d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2307d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2120d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1734d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2237d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4984d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1205d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1007d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3761d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 909d |