Total CVEs
16255
last 90 days
Avg Priority
36.5
of max 220
KEV
40
actively exploited
POC
3214
public exploits
Unpatched
4316
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
180
CVE-2025-40551
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil
170
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
164
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
160
CVE-2025-40536
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
129
CVE-2026-33825
Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to el
124
CVE-2026-21643
An improper neutralization of special elements used in an sql command ('sql injection') vulnerabilit
Priority Distribution
| Priority | CVE |
|---|---|
| 37 |
CVE-2026-33430
### Impact
If a developer uses Briefcase to produce an Windows MSI installer fo
|
| 37 |
CVE-2026-3452
Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by store
|
| 37 |
CVE-2025-9062
Authorization Bypass Through User-Controlled Key vulnerability in MeCODE Informa
|
| 37 |
CVE-2026-3818
A flaw has been found in Tiandy Easy7 CMS Windows 7.17.0. Impacted is an unknown
|
| 37 |
CVE-2026-24925
Heap-based buffer overflow vulnerability in the image module.
Impact: Successful
|
| 37 |
CVE-2026-21408
beat-access for Windows version 3.0.3 and prior contains an issue with the DLL s
|
| 37 |
CVE-2025-48634
In relayoutWindow of WindowManagerService.java, there is a possible tapjack atta
|
| 37 |
CVE-2026-0924
BuhoCleaner contains an insecure XPC service that allows local, unprivileged use
|
| 37 |
CVE-2026-34856
UAF vulnerability in the communication module.
Impact: Successful exploitation o
|
| 37 |
CVE-2026-28542
Permission bypass vulnerability in the system service framework. Impact: Success
|
| 37 |
CVE-2026-41082
In OCaml opam before 2.5.1, a .install field containing a destination filepath c
|
| 37 |
CVE-2026-23772
Dell Storage Manager - Replay Manager for Microsoft Servers, version(s) 8.0, con
|
| 37 |
CVE-2026-39883
## Summary
The fix for GHSA-9h8m-3fm2-qjrq (CVE-2026-24051) changed the Darwin
|
| 36 |
CVE-2026-32910
OpenClaw before 2026.3.1 contains an approval bypass vulnerability in system.run
|
| 36 |
CVE-2026-41134
Kiota is an OpenAPI based HTTP Client code generator. Versions prior to 1.31.1 a
|
| 36 |
CVE-2026-27655
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable
|
| 36 |
CVE-2026-5935
IBM Total Storage Service Console (TSSC) / TS4500 IMC 9.2, 9.3, 9.4, 9.5, 9.6 TS
|
| 36 |
CVE-2026-35338
A vulnerability in the chmod utility of uutils coreutils allows users to bypass
|
| 36 |
CVE-2025-70994
Yadea T5 Electric Bicycles (models manufactured in/after 2024) have a weak authe
|
| 36 |
CVE-2026-41172
Squidex is an open source headless content management system and content managem
|
| 36 |
CVE-2026-41171
Squidex is an open source headless content management system and content managem
|
| 36 |
CVE-2025-55263
HCL Aftermarket DPC is affected by Hardcoded Sensitive Data which allows attacke
|
| 36 |
CVE-2026-28507
Idno is a social publishing platform. Prior to version 1.6.4, there is a remote
|
| 36 |
CVE-2026-40688
A out-of-bounds write vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.3, Fo
|
| 36 |
CVE-2026-3328
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to PHP Objec
|
| 36 |
CVE-2025-14905
A flaw was found in the 389-ds-base server. A heap buffer overflow vulnerability
|
| 36 |
CVE-2025-14541
The Lucky Wheel Giveaway plugin for WordPress is vulnerable to Remote Code Execu
|
| 36 |
CVE-2026-4132
The HTTP Headers plugin for WordPress is vulnerable to External Control of File
|
| 36 |
CVE-2026-6227
The BackWPup plugin for WordPress is vulnerable to Local File Inclusion via the
|
| 36 |
CVE-2026-5966
ThreatSonar Anti-Ransomware developed by TeamT5 has an Arbitrary File Deletion v
|
| 36 |
CVE-2026-33725
Metabase is an open source business intelligence and embedded analytics tool. In
|
| 36 |
CVE-2026-34607
Emlog is an open source website building system. In versions 2.6.2 and prior, a
|
| 36 |
CVE-2026-2269
The Uncanny Automator - Easy Automation, Integration, Webhooks & Workflow Builde
|
| 36 |
CVE-2026-22766
Dell Wyse Management Suite, versions prior to WMS 5.5, contain an Unrestricted U
|
| 36 |
CVE-2026-23815
A vulnerability in a custom binary used in AOS-CX Switches' CLI could allow an a
|
| 36 |
CVE-2026-29102
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (C
|
| 36 |
CVE-2025-11730
A post‑authentication command injection vulnerability in the Dynamic DNS (DDNS)
|
| 36 |
CVE-2026-21893
n8n is an open source workflow automation platform. From version 0.187.0 to befo
|
| 36 |
CVE-2025-12975
The CTX Feed - WooCommerce Product Feed Manager plugin for WordPress is vulnerab
|
| 36 |
CVE-2026-4808
The Gerador de Certificados - DevApps plugin for WordPress is vulnerable to arbi
|
| 36 |
CVE-2026-28673
xiaoheiFS is a self-hosted financial and operational system for cloud service bu
|
| 36 |
CVE-2026-39387
BoidCMS is an open-source, PHP-based flat-file CMS for building simple websites
|
| 36 |
CVE-2026-30940
baserCMS is a website development framework. Prior to version 5.2.3, a path trav
|
| 36 |
CVE-2026-4627
A vulnerability was found in D-Link DIR-825 and DIR-825R 1.0.5/4.5.1. Affected i
|
| 36 |
CVE-2026-2365
The Fluent Forms Pro plugin for WordPress is vulnerable to Stored Cross-Site Scr
|
| 36 |
CVE-2026-5464
The ExactMetrics - Google Analytics Dashboard for WordPress (Website Stats Plugi
|
| 36 |
CVE-2026-26046
A vulnerability was found in a Moodle TeX filter administrative setting where in
|
| 36 |
CVE-2026-2670
A vulnerability was identified in Advantech WISE-6610 1.2.1_20251110. Affected i
|
| 36 |
CVE-2026-31386
OpenLiteSpeed and LSWS Enterprise provided by LiteSpeed Technologies contain an
|
| 36 |
CVE-2026-28209
FreePBX is an open source IP PBX. From versions 16.0.17.2 to before 16.0.20 and
|
| 36 |
CVE-2025-59783
API endpoint for user synchronization in 2N Access Commander version 3.4.1 did n
|
| 36 |
CVE-2026-23759
Perle IOLAN STS/SCS terminal server models with firmware versions prior to 6.0 a
|
| 36 |
CVE-2026-0800
The User Submitted Posts - Enable Users to Submit Posts from the Front End plugi
|
| 36 |
CVE-2025-69986
A buffer overflow vulnerability exists in the ONVIF GetStreamUri function of LSC
|
| 36 |
CVE-2026-24748
Kargo manages and automates the promotion of software artifacts. Prior to versio
|
| 36 |
CVE-2026-1931
The Rent Fetch plugin for WordPress is vulnerable to Stored Cross-Site Scripting
|
| 36 |
CVE-2026-23816
A vulnerability in the command line interface of AOS-CX Switches could allow an
|
| 36 |
CVE-2026-1866
The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scrip
|
| 36 |
CVE-2026-0753
The Super Simple Contact Form plugin for WordPress is vulnerable to Reflected Cr
|
| 36 |
CVE-2026-23774
Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Featu
|
| 36 |
CVE-2026-4329
The Blackhole for Bad Bots plugin for WordPress is vulnerable to Stored Cross-Si
|
| 36 |
CVE-2026-3342
An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow an auth
|
| 36 |
CVE-2026-33613
Due to the improper neutralisation of special elements used in an OS command, a
|
| 36 |
CVE-2026-1216
The RSS Aggregator plugin for WordPress is vulnerable to Reflected Cross-Site Sc
|
| 36 |
CVE-2026-3368
The Injection Guard plugin for WordPress is vulnerable to Stored Cross-Site Scri
|
| 36 |
CVE-2026-25836
An improper neutralization of special elements used in an os command ('os comman
|
| 36 |
CVE-2026-23592
Insecure file operations in HPE Aruba Networking Fabric Composer’s backup func
|
| 36 |
CVE-2026-1400
The AI Engine - The Chatbot and AI Framework for WordPress plugin for WordPress
|
| 36 |
CVE-2025-66178
A improper neutralization of special elements used in an os command ('os command
|
| 36 |
CVE-2026-22229
A command injection vulnerability may be exploited after the admin's authenticat
|
| 36 |
CVE-2025-14452
The WP Customer Reviews plugin for WordPress is vulnerable to Reflected Cross-Si
|
| 36 |
CVE-2026-1316
The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Store
|
| 36 |
CVE-2026-1843
The Super Page Cache plugin for WordPress is vulnerable to Stored Cross-Site Scr
|
| 36 |
CVE-2026-2568
The WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Form
|
| 36 |
CVE-2026-26045
A flaw was identified in Moodle’s backup restore functionality where specially c
|
| 36 |
CVE-2026-6832
Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/sessi
|
| 36 |
CVE-2026-31849
Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implem
|
| 36 |
CVE-2026-28456
OpenClaw versions 2026.1.5 prior to 2026.2.14 contain a vulnerability in the Gat
|
| 36 |
CVE-2025-58382
A vulnerability in the secure configuration of authentication and
management se
|
| 36 |
CVE-2026-1945
The WPBookit plugin for WordPress is vulnerable to Stored Cross-Site Scripting v
|
| 36 |
CVE-2026-3643
The Accessibly plugin for WordPress is vulnerable to Stored Cross-Site Scripting
|
| 36 |
CVE-2026-2724
The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Store
|
| 36 |
CVE-2026-5217
The Optimole - Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image O
|
| 36 |
CVE-2026-5231
The WP Statistics plugin for WordPress is vulnerable to Stored Cross-Site Script
|
| 36 |
CVE-2026-2231
The Fluent Booking plugin for WordPress is vulnerable to Stored Cross-Site Scrip
|
| 36 |
CVE-2025-15440
The iONE360 configurator plugin for WordPress is vulnerable to Stored Cross-Sit
|
| 36 |
CVE-2026-2296
The Product Addons for Woocommerce - Product Options with Custom Fields plugin f
|
| 36 |
CVE-2026-35035
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
|
| 36 |
CVE-2026-1459
A post-authentication command injection vulnerability in the TR-369 certificate
|
| 36 |
CVE-2026-25917
Dag Authors, who normally should not be able to execute code in the webserver co
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 741d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2309d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2122d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1736d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2239d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4986d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1207d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1009d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3764d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 911d |