Total CVEs
16348
last 90 days
Avg Priority
36.7
of max 220
KEV
40
actively exploited
POC
3247
public exploits
Unpatched
4700
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
184
CVE-2026-23760
SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability
180
CVE-2025-40551
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil
170
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
164
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
160
CVE-2025-40536
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
128
CVE-2026-24423
SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code executi
Priority Distribution
| Priority | CVE |
|---|---|
| 27 |
CVE-2026-34230
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, a
|
| 27 |
CVE-2026-32867
OPEXUS eComplaint before version 10.1.0.0 allows an unauthenticated attacker to
|
| 27 |
CVE-2026-35468
nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake pro
|
| 27 |
CVE-2026-39886
OpenEXR provides the specification and reference implementation of the EXR file
|
| 27 |
CVE-2025-14831
A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS)
|
| 27 |
CVE-2026-24992
Insertion of Sensitive Information Into Sent Data vulnerability in WPFactory Adv
|
| 27 |
CVE-2026-26196
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, gogs ap
|
| 27 |
CVE-2026-39401
Cronicle is a multi-server task scheduler and runner, with a web based front-end
|
| 27 |
CVE-2026-34837
Zammad is a web based open source helpdesk/customer support system. Prior to 7.0
|
| 27 |
CVE-2026-35023
Wimi Teamwork On-Premises versions prior to 8.2.0 contain an insecure direct obj
|
| 27 |
CVE-2026-2263
The Hustle - Email Marketing, Lead Generation, Optins, Popups plugin for WordPre
|
| 27 |
CVE-2026-35578
ChurchCRM is an open-source church management system. Prior to 7.0.0, it was pos
|
| 27 |
CVE-2026-24096
Insufficient permission validation on multiple REST API Quick Setup endpoints in
|
| 27 |
CVE-2026-39406
## Summary
A path handling inconsistency in `serveStatic` allows protected stat
|
| 27 |
CVE-2026-32615
Discourse is an open-source discussion platform. From versions 2026.1.0-latest t
|
| 27 |
CVE-2026-2233
The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Members
|
| 27 |
CVE-2025-14079
The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is
|
| 27 |
CVE-2026-39346
OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to
|
| 27 |
CVE-2026-33185
Discourse is an open-source discussion platform. From versions 2026.1.0-latest t
|
| 27 |
CVE-2026-39348
OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to
|
| 27 |
CVE-2026-1801
A flaw was found in libsoup, an HTTP client/server library. This HTTP Request Sm
|
| 27 |
CVE-2026-39360
RustFS is a distributed object storage system built in Rust. Prior to alpha.90,
|
| 27 |
CVE-2026-39940
ChurchCRM is an open-source church management system. Prior to 7.0.0, it was pos
|
| 27 |
CVE-2026-4812
The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Missing A
|
| 27 |
CVE-2026-28358
NocoDB is software for building databases as spreadsheets. Prior to version 0.30
|
| 27 |
CVE-2026-39362
InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.
|
| 27 |
CVE-2025-66594
A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corpo
|
| 27 |
CVE-2026-35606
File Browser is a file managing interface for uploading, deleting, previewing, r
|
| 27 |
CVE-2026-3210
Incorrect Authorization vulnerability in Drupal Material Icons allows Forceful B
|
| 27 |
CVE-2026-34082
Dify is an open-source LLM app development platform. Prior to 1.13.1, the method
|
| 27 |
CVE-2026-35583
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the config
|
| 27 |
CVE-2026-27452
ASN.1 TypeScript ESM library, including codecs for Basic Encoding Rules (BER) an
|
| 27 |
CVE-2026-34782
Zammad is a web based open source helpdesk/customer support system. Prior to 7.0
|
| 27 |
CVE-2026-33537
Lychee is a free, open-source photo-management tool. The patch introduced for GH
|
| 27 |
CVE-2026-2752
Navtor NavBox allows information disclosure via the /api/ais-data endpoint. A re
|
| 27 |
CVE-2026-1996
Certain HP OfficeJet Pro printers may be vulnerable to potential denial of servi
|
| 27 |
CVE-2026-2356
The User Registration & Membership - Custom Registration Form, Login Form, and U
|
| 27 |
CVE-2026-32636
The NewXMLTree method contains a bug that could result in a crash due to an out
|
| 27 |
CVE-2026-25374
Missing Authorization vulnerability in raratheme Spa and Salon spa-and-salon all
|
| 27 |
CVE-2025-67970
Missing Authorization vulnerability in vertim Schedula schedula-smart-appointmen
|
| 27 |
CVE-2026-24375
Missing Authorization vulnerability in WP Swings Ultimate Gift Cards For WooComm
|
| 27 |
CVE-2026-25386
Missing Authorization vulnerability in Elementor Ally pojo-accessibility allows
|
| 27 |
CVE-2026-25321
Missing Authorization vulnerability in PSM Plugins SupportCandy supportcandy all
|
| 27 |
CVE-2026-23548
Missing Authorization vulnerability in designinvento DirectoryPress directorypre
|
| 27 |
CVE-2026-27368
Missing Authorization vulnerability in SeedProd Coming Soon Page, Under Construc
|
| 27 |
CVE-2026-25384
Missing Authorization vulnerability in WP Lab WP-Lister Lite for eBay wp-lister-
|
| 27 |
CVE-2023-38017
IBM Cloud Pak System is vulnerable to cross-site scripting. This vulnerability a
|
| 27 |
CVE-2026-23543
Missing Authorization vulnerability in WPDeveloper Essential Addons for Elemento
|
| 27 |
CVE-2026-25404
Missing Authorization vulnerability in Automattic WP Job Manager wp-job-manager
|
| 27 |
CVE-2023-38281
IBM Cloud Pak System does not set the secure attribute on authorization tokens o
|
| 27 |
CVE-2026-25364
Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoi
|
| 27 |
CVE-2025-13473
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4
|
| 27 |
CVE-2026-25408
Missing Authorization vulnerability in PluginRx Broken Link Notifier broken-link
|
| 27 |
CVE-2026-25324
Authorization Bypass Through User-Controlled Key vulnerability in ExpressTech Sy
|
| 27 |
CVE-2026-39857
ApostropheCMS is an open-source Node.js content management system. Versions 4.28
|
| 27 |
CVE-2026-25367
Missing Authorization vulnerability in NooTheme CitiLights noo-citilights allows
|
| 27 |
CVE-2026-25005
Authorization Bypass Through User-Controlled Key vulnerability in N-Media Fronte
|
| 27 |
CVE-2026-32990
Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fi
|
| 27 |
CVE-2026-25320
Missing Authorization vulnerability in Cool Plugins Elementor Contact Form DB sb
|
| 27 |
CVE-2026-25415
Missing Authorization vulnerability in iqonicdesign WPBookit Pro wpbookit-pro al
|
| 27 |
CVE-2026-25000
Missing Authorization vulnerability in Kraft Plugins Wheel of Life wheel-of-life
|
| 27 |
CVE-2026-26744
A user enumeration vulnerability exists in FormaLMS 4.1.18 and below in the pass
|
| 27 |
CVE-2026-26895
User enumeration vulnerability in /pwreset.php in osTicket v1.18.2 allows remote
|
| 27 |
CVE-2026-25338
Missing Authorization vulnerability in Ays Pro AI ChatBot with ChatGPT and Conte
|
| 27 |
CVE-2026-25315
Missing Authorization vulnerability in hcaptcha hCaptcha for WP hcaptcha-for-for
|
| 27 |
CVE-2026-25441
Missing Authorization vulnerability in LeadConnector LeadConnector leadconnector
|
| 27 |
CVE-2026-25332
Missing Authorization vulnerability in Fahad Mahmood Endless Posts Navigation en
|
| 27 |
CVE-2026-27042
Missing Authorization vulnerability in WPDeveloper NotificationX notificationx a
|
| 27 |
CVE-2026-25333
Missing Authorization vulnerability in peregrinethemes Shopwell shopwell allows
|
| 27 |
CVE-2026-27066
Missing Authorization vulnerability in PI Web Solution Live sales notification f
|
| 27 |
CVE-2026-27328
Missing Authorization vulnerability in DevsBlink EduBlink edublink allows Exploi
|
| 27 |
CVE-2026-27411
Guessable CAPTCHA vulnerability in jp-secure SiteGuard WP Plugin siteguard allow
|
| 27 |
CVE-2026-27344
Missing Authorization vulnerability in inseriswiss inseri core inseri-core allow
|
| 27 |
CVE-2025-9522
Blind Server-Side Request Forgery (SSRF) in Omada Controllers through webhook fu
|
| 27 |
CVE-2026-35413
## Summary
When `GRAPHQL_INTROSPECTION=false` is configured, Directus correctly
|
| 27 |
CVE-2026-24999
Missing Authorization vulnerability in Alma Alma alma-gateway-for-woocommerce al
|
| 27 |
CVE-2026-28413
Products.isurlinportal is a replacement for isURLInPortal method in Plone. Prior
|
| 27 |
CVE-2026-2589
The Greenshift - animation and page builder blocks plugin for WordPress is vulne
|
| 27 |
CVE-2026-22040
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In version
|
| 27 |
CVE-2026-25370
Missing Authorization vulnerability in AresIT WP Compress wp-compress-image-opti
|
| 27 |
CVE-2026-34372
### Impact
A user which has permission for the Sulu Admin via atleast one role
|
| 27 |
CVE-2026-25325
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulne
|
| 27 |
CVE-2026-39373
JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography.
|
| 27 |
CVE-2026-40087
LangChain's f-string prompt-template validation was incomplete in two respects.
|
| 27 |
CVE-2026-25389
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulne
|
| 27 |
CVE-2026-1650
The MDJM Event Management plugin for WordPress is vulnerable to unauthorized dat
|
| 27 |
CVE-2026-5808
A vulnerability was detected in openstatusHQ openstatus up to 1b678e71a85961ae31
|
| 27 |
CVE-2026-39381
Parse Server is an open source backend that can be deployed to any infrastructur
|
| 27 |
CVE-2026-1879
A vulnerability was detected in Harvard University IQSS Dataverse up to 6.8. Thi
|
| 27 |
CVE-2026-2605
Tanium addressed an insertion of sensitive information into log file vulnerabili
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 739d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2307d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2120d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1734d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2237d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4984d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1205d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1007d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3761d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 909d |