Total CVEs
16460
last 90 days
Avg Priority
36.7
of max 220
KEV
40
actively exploited
POC
3246
public exploits
Unpatched
4734
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
184
CVE-2026-23760
SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability
180
CVE-2025-40551
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil
170
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
164
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
160
CVE-2025-40536
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
128
CVE-2026-24423
SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code executi
Priority Distribution
| Priority | CVE |
|---|---|
| 27 |
CVE-2026-22040
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In version
|
| 27 |
CVE-2026-35413
## Summary
When `GRAPHQL_INTROSPECTION=false` is configured, Directus correctly
|
| 27 |
CVE-2026-23543
Missing Authorization vulnerability in WPDeveloper Essential Addons for Elemento
|
| 27 |
CVE-2026-23548
Missing Authorization vulnerability in designinvento DirectoryPress directorypre
|
| 27 |
CVE-2026-24375
Missing Authorization vulnerability in WP Swings Ultimate Gift Cards For WooComm
|
| 27 |
CVE-2026-24999
Missing Authorization vulnerability in Alma Alma alma-gateway-for-woocommerce al
|
| 27 |
CVE-2026-25000
Missing Authorization vulnerability in Kraft Plugins Wheel of Life wheel-of-life
|
| 27 |
CVE-2026-25005
Authorization Bypass Through User-Controlled Key vulnerability in N-Media Fronte
|
| 27 |
CVE-2025-67970
Missing Authorization vulnerability in vertim Schedula schedula-smart-appointmen
|
| 27 |
CVE-2026-25315
Missing Authorization vulnerability in hcaptcha hCaptcha for WP hcaptcha-for-for
|
| 27 |
CVE-2023-38281
IBM Cloud Pak System does not set the secure attribute on authorization tokens o
|
| 27 |
CVE-2023-38017
IBM Cloud Pak System is vulnerable to cross-site scripting. This vulnerability a
|
| 27 |
CVE-2026-25320
Missing Authorization vulnerability in Cool Plugins Elementor Contact Form DB sb
|
| 27 |
CVE-2026-25321
Missing Authorization vulnerability in PSM Plugins SupportCandy supportcandy all
|
| 27 |
CVE-2026-25324
Authorization Bypass Through User-Controlled Key vulnerability in ExpressTech Sy
|
| 27 |
CVE-2026-25332
Missing Authorization vulnerability in Fahad Mahmood Endless Posts Navigation en
|
| 27 |
CVE-2026-25333
Missing Authorization vulnerability in peregrinethemes Shopwell shopwell allows
|
| 27 |
CVE-2026-25338
Missing Authorization vulnerability in Ays Pro AI ChatBot with ChatGPT and Conte
|
| 27 |
CVE-2026-25364
Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoi
|
| 27 |
CVE-2026-25367
Missing Authorization vulnerability in NooTheme CitiLights noo-citilights allows
|
| 27 |
CVE-2026-25370
Missing Authorization vulnerability in AresIT WP Compress wp-compress-image-opti
|
| 27 |
CVE-2026-25374
Missing Authorization vulnerability in raratheme Spa and Salon spa-and-salon all
|
| 27 |
CVE-2026-25384
Missing Authorization vulnerability in WP Lab WP-Lister Lite for eBay wp-lister-
|
| 27 |
CVE-2026-25386
Missing Authorization vulnerability in Elementor Ally pojo-accessibility allows
|
| 27 |
CVE-2026-25404
Missing Authorization vulnerability in Automattic WP Job Manager wp-job-manager
|
| 27 |
CVE-2026-39857
ApostropheCMS is an open-source Node.js content management system. Versions 4.28
|
| 27 |
CVE-2026-25408
Missing Authorization vulnerability in PluginRx Broken Link Notifier broken-link
|
| 27 |
CVE-2026-25415
Missing Authorization vulnerability in iqonicdesign WPBookit Pro wpbookit-pro al
|
| 27 |
CVE-2026-25441
Missing Authorization vulnerability in LeadConnector LeadConnector leadconnector
|
| 27 |
CVE-2026-27042
Missing Authorization vulnerability in WPDeveloper NotificationX notificationx a
|
| 27 |
CVE-2026-27066
Missing Authorization vulnerability in PI Web Solution Live sales notification f
|
| 27 |
CVE-2026-26744
A user enumeration vulnerability exists in FormaLMS 4.1.18 and below in the pass
|
| 27 |
CVE-2026-22321
A stack-based buffer overflow in the device's Telnet/SSH CLI login routine occur
|
| 27 |
CVE-2026-25043
Budibase is an open-source low-code platform. Prior to version 3.23.25, a busine
|
| 27 |
CVE-2026-2605
Tanium addressed an insertion of sensitive information into log file vulnerabili
|
| 27 |
CVE-2026-34372
### Impact
A user which has permission for the Sulu Admin via atleast one role
|
| 27 |
CVE-2026-40087
LangChain's f-string prompt-template validation was incomplete in two respects.
|
| 27 |
CVE-2026-39373
JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography.
|
| 27 |
CVE-2026-39381
Parse Server is an open source backend that can be deployed to any infrastructur
|
| 27 |
CVE-2026-40304
Summary
The unaccess handler (controller/unaccess.go) contains a logical error i
|
| 27 |
CVE-2026-25389
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulne
|
| 27 |
CVE-2026-25325
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulne
|
| 27 |
CVE-2026-5808
A vulnerability was detected in openstatusHQ openstatus up to 1b678e71a85961ae31
|
| 27 |
CVE-2026-3075
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulne
|
| 27 |
CVE-2026-1650
The MDJM Event Management plugin for WordPress is vulnerable to unauthorized dat
|
| 27 |
CVE-2026-1879
A vulnerability was detected in Harvard University IQSS Dataverse up to 6.8. Thi
|
| 27 |
CVE-2026-39922
GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side req
|
| 27 |
CVE-2026-1314
The 3D FlipBook - PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plug
|
| 27 |
CVE-2026-1919
The Booking Calendar for Appointments and Service Businesses - Booktics plugin f
|
| 27 |
CVE-2026-1920
The Booking Calendar for Appointments and Service Businesses - Booktics plugin f
|
| 27 |
CVE-2026-20009
A vulnerability in the implementation of the proprietary SSH stack with SSH key-
|
| 27 |
CVE-2025-14944
The Backup Migration plugin for WordPress is vulnerable to Missing Authorization
|
| 27 |
CVE-2026-1303
The MailChimp Campaigns plugin for WordPress is vulnerable to Missing Authorizat
|
| 27 |
CVE-2025-14357
The Mega Store Woocommerce theme for WordPress is vulnerable to unauthorized mod
|
| 27 |
CVE-2026-4654
The Awesome Support - WordPress HelpDesk & Support Plugin plugin for WordPress i
|
| 27 |
CVE-2026-4299
The MainWP Child Reports plugin for WordPress is vulnerable to Missing Authoriza
|
| 27 |
CVE-2026-35450
## Summary
The `plugin/API/check.ffmpeg.json.php` endpoint probes the FFmpeg re
|
| 27 |
CVE-2026-35452
## Summary
The `plugin/CloneSite/client.log.php` endpoint serves the clone oper
|
| 27 |
CVE-2026-4325
A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value st
|
| 27 |
CVE-2026-6729
HKUDS OpenHarness prior to PR #159 remediation contains a session key derivation
|
| 27 |
CVE-2026-2456
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 Matt
|
| 27 |
CVE-2025-27899
IBM DB2 Recovery Expert for LUW 5.5 Interim Fix 002 discloses sensitive informat
|
| 27 |
CVE-2025-13726
IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 thro
|
| 27 |
CVE-2025-66607
A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corpo
|
| 27 |
CVE-2026-1658
User Interface (UI) Misrepresentation of Critical Information vulnerability in O
|
| 27 |
CVE-2026-5538
A vulnerability was detected in QingdaoU OnlineJudge up to 1.6.1. Affected by th
|
| 27 |
CVE-2026-35629
OpenClaw before 2026.3.25 contains a server-side request forgery vulnerability i
|
| 27 |
CVE-2026-35542
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remot
|
| 27 |
CVE-2026-1491
IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify
|
| 27 |
CVE-2026-2862
IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify
|
| 27 |
CVE-2026-5797
The Quiz And Survey Master plugin for WordPress is vulnerable to Arbitrary Short
|
| 27 |
CVE-2026-35544
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insuffici
|
| 27 |
CVE-2026-35545
An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remot
|
| 27 |
CVE-2026-35543
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remot
|
| 27 |
CVE-2026-27884
NetExec is a network execution tool. Prior to version 1.5.1, the module spider_p
|
| 27 |
CVE-2026-40151
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the AgentOS deploymen
|
| 27 |
CVE-2026-20676
This issue was addressed through improved state management. This issue is fixed
|
| 27 |
CVE-2026-1772
RTU500 web interface: An unprivileged user can read user management information.
|
| 27 |
CVE-2025-15507
The Magic Import Document Extractor plugin for WordPress is vulnerable to unauth
|
| 27 |
CVE-2026-5240
A security vulnerability has been detected in code-projects BloodBank Managing S
|
| 27 |
CVE-2026-26031
Frappe Learning Management System (LMS) is a learning system that helps users st
|
| 27 |
CVE-2025-8055
Server-Side Request Forgery (SSRF) vulnerability in OpenText™ XM Fax allows Serv
|
| 27 |
CVE-2026-3567
The RepairBuddy - Repair Shop CRM & Booking Plugin for WordPress is vulnerable t
|
| 27 |
CVE-2026-27631
Exiv2 is a C++ library and a command-line utility to read, write, delete and mod
|
| 27 |
CVE-2026-6559
A weakness has been identified in Wavlink WL-WN579A3 220323. This affects the fu
|
| 27 |
CVE-2026-5315
A vulnerability was determined in Nothings stb up to 1.26. The affected element
|
| 27 |
CVE-2026-1332
MeetingHub developed by HAMASTAR Technology has a Missing Authentication vulnera
|
| 27 |
CVE-2026-27486
OpenClaw is a personal AI assistant. In versions 2026.2.13 and below of the Open
|
| 27 |
CVE-2026-20682
A logic issue was addressed with improved state management. This issue is fixed
|
| 27 |
CVE-2026-2519
The Online Scheduling and Appointment Booking System - Bookly plugin for WordPre
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 739d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2307d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2120d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1734d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2237d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4984d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1205d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1007d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3762d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 909d |