Total CVEs
16313
last 90 days
Avg Priority
36.5
of max 220
KEV
40
actively exploited
POC
3212
public exploits
Unpatched
4325
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
180
CVE-2025-40551
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil
170
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
164
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
160
CVE-2025-40536
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
129
CVE-2026-33825
Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to el
124
CVE-2026-21643
An improper neutralization of special elements used in an sql command ('sql injection') vulnerabilit
Priority Distribution
| Priority | CVE |
|---|---|
| 36 |
CVE-2026-22229
A command injection vulnerability may be exploited after the admin's authenticat
|
| 36 |
CVE-2026-1316
The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Store
|
| 36 |
CVE-2026-1843
The Super Page Cache plugin for WordPress is vulnerable to Stored Cross-Site Scr
|
| 36 |
CVE-2026-2568
The WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Form
|
| 36 |
CVE-2026-26045
A flaw was identified in Moodle’s backup restore functionality where specially c
|
| 36 |
CVE-2026-6832
Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/sessi
|
| 36 |
CVE-2026-31849
Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implem
|
| 36 |
CVE-2026-28456
OpenClaw versions 2026.1.5 prior to 2026.2.14 contain a vulnerability in the Gat
|
| 36 |
CVE-2025-58382
A vulnerability in the secure configuration of authentication and
management se
|
| 36 |
CVE-2026-1945
The WPBookit plugin for WordPress is vulnerable to Stored Cross-Site Scripting v
|
| 36 |
CVE-2026-3643
The Accessibly plugin for WordPress is vulnerable to Stored Cross-Site Scripting
|
| 36 |
CVE-2026-5231
The WP Statistics plugin for WordPress is vulnerable to Stored Cross-Site Script
|
| 36 |
CVE-2026-5217
The Optimole - Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image O
|
| 36 |
CVE-2026-2724
The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Store
|
| 36 |
CVE-2026-2231
The Fluent Booking plugin for WordPress is vulnerable to Stored Cross-Site Scrip
|
| 36 |
CVE-2025-15440
The iONE360 configurator plugin for WordPress is vulnerable to Stored Cross-Sit
|
| 36 |
CVE-2026-2296
The Product Addons for Woocommerce - Product Options with Custom Fields plugin f
|
| 36 |
CVE-2026-1459
A post-authentication command injection vulnerability in the TR-369 certificate
|
| 36 |
CVE-2026-35035
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
|
| 36 |
CVE-2026-25917
Dag Authors, who normally should not be able to execute code in the webserver co
|
| 36 |
CVE-2026-4388
The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site
|
| 36 |
CVE-2026-1261
The MetForm Pro plugin for WordPress is vulnerable to Stored Cross-Site Scriptin
|
| 36 |
CVE-2026-3231
The Checkout Field Editor (Checkout Manager) for WooCommerce plugin for WordPres
|
| 36 |
CVE-2026-3178
The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scrip
|
| 36 |
CVE-2026-3478
The Content Syndication Toolkit plugin for WordPress is vulnerable to Server-Sid
|
| 36 |
CVE-2026-22572
An authentication bypass using an alternate path or channel vulnerability in For
|
| 36 |
CVE-2026-37748
Visitor Management System 1.0 by sanjay1313 is vulnerable to Unrestricted File U
|
| 36 |
CVE-2026-4267
### Impact
The Query Monitor plugin for WordPress is vulnerable to Reflected Cr
|
| 36 |
CVE-2026-1238
The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site S
|
| 36 |
CVE-2026-1454
The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPres
|
| 36 |
CVE-2026-23572
Improper access control in the TeamViewer Full and Host clients (Windows, macOS,
|
| 36 |
CVE-2025-14554
The Sell BTC - Cryptocurrency Selling Calculator plugin for WordPress is vulnera
|
| 36 |
CVE-2026-2834
The Age Verification & Identity Verification by Token of Trust plugin for WordPr
|
| 36 |
CVE-2026-5425
The Widgets for Social Photo Feed plugin for WordPress is vulnerable to Stored C
|
| 36 |
CVE-2026-1074
The WP App Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting
|
| 36 |
CVE-2026-3003
The Vagaro Booking Widget plugin for WordPress is vulnerable to Stored Cross-Sit
|
| 36 |
CVE-2026-3090
The Post SMTP - Complete Email Deliverability and SMTP Solution with Email Logs,
|
| 36 |
CVE-2026-5694
The Quick Interest Slider plugin for WordPress is vulnerable to Stored Cross-Sit
|
| 36 |
CVE-2026-35175
### Impact
An authenticated user (using the `auth_users` plugin authentication
|
| 36 |
CVE-2026-2019
The Cart All In One For WooCommerce plugin for WordPress is vulnerable to Code I
|
| 36 |
CVE-2026-35581
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the Execut
|
| 36 |
CVE-2026-22333
Deserialization of Untrusted Data vulnerability in YITHEMES YITH WooCommerce Com
|
| 36 |
CVE-2026-28138
Deserialization of Untrusted Data vulnerability in Stylemix uListing ulisting al
|
| 36 |
CVE-2026-29182
Parse Server is an open source backend that can be deployed to any infrastructur
|
| 36 |
CVE-2026-25316
Deserialization of Untrusted Data vulnerability in Brainstorm Force CartFlows ca
|
| 36 |
CVE-2026-33715
Chamilo LMS is an open-source learning management system. In version 2.0-RC.2, t
|
| 36 |
CVE-2026-2440
The SurveyJS plugin for WordPress is vulnerable to Stored Cross-Site Scripting i
|
| 36 |
CVE-2026-22317
A command injection vulnerability in the device’s Root CA certificate transfer w
|
| 36 |
CVE-2026-1937
The YayMail - WooCommerce Email Customizer plugin for WordPress is vulnerable to
|
| 36 |
CVE-2026-0617
The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for W
|
| 36 |
CVE-2026-2936
The Visitor Traffic Real Time Statistics plugin for WordPress is vulnerable to S
|
| 36 |
CVE-2025-41767
A high-privileged remote attacker can fully compromise the device by abusing an
|
| 36 |
CVE-2025-68648
A use of externally-controlled format string vulnerability in Fortinet FortiAnal
|
| 36 |
CVE-2025-59784
2N Access Commander version 3.4.1 and prior is vulnerable to log pollution. Cert
|
| 36 |
CVE-2026-32401
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 36 |
CVE-2026-28784
Craft is a content management system (CMS). Prior to 5.8.22 and 4.16.18, it is p
|
| 36 |
CVE-2026-20892
Code injection vulnerability exists in MR-GM5L-S1 and MR-GM5A-L1, which may allo
|
| 36 |
CVE-2026-23778
Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Featu
|
| 36 |
CVE-2026-2566
A security vulnerability has been detected in Wavlink WL-NU516U1 up to 130/260.
|
| 36 |
CVE-2026-4302
The WowOptin: Next-Gen Popup Maker plugin for WordPress is vulnerable to Server-
|
| 36 |
CVE-2026-20163
In Splunk Enterprise versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, and Splun
|
| 36 |
CVE-2026-24963
Incorrect Privilege Assignment vulnerability in ameliabooking Amelia ameliabooki
|
| 36 |
CVE-2025-69378
Incorrect Privilege Assignment vulnerability in XforWooCommerce Product Filter f
|
| 36 |
CVE-2026-3352
The Easy PHP Settings plugin for WordPress is vulnerable to PHP Code Injection i
|
| 36 |
CVE-2025-15041
The BackWPup - WordPress Backup & Restore Plugin plugin for WordPress is vulnera
|
| 36 |
CVE-2026-39467
Deserialization of Untrusted Data vulnerability in MetaSlider Responsive Slider
|
| 36 |
CVE-2026-1273
The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites - PostX plugin
|
| 36 |
CVE-2026-0677
Deserialization of Untrusted Data vulnerability in TotalSuite TotalContest Lite
|
| 36 |
CVE-2026-29109
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (C
|
| 36 |
CVE-2026-25932
GLPI is a Free Asset and IT Management Software package. From 0.60 to before 10.
|
| 36 |
CVE-2026-25615
Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5668.
|
| 36 |
CVE-2026-40871
mailcow: dockerized is an open source groupware/email suite based on docker. Ver
|
| 36 |
CVE-2026-40880
# CVE-2026-40880: Cached Mempool Verification Bypasses Consensus Rules for Ahead
|
| 36 |
CVE-2025-27260
Ericsson
Indoor Connect 8855 versions prior to 2025.Q3 contains an Improper Filt
|
| 36 |
CVE-2026-1841
The PixelYourSite - Your smart PIXEL (TAG) & API Manager plugin for WordPress is
|
| 36 |
CVE-2026-33681
WWBN AVideo is an open source video platform. In versions up to and including 26
|
| 36 |
CVE-2026-23882
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the MC
|
| 36 |
CVE-2026-27602
### Summary
`exec_cmd()` in `modoboa/lib/sysutils.py` always runs subprocess ca
|
| 36 |
CVE-2026-33133
WeGIA is a web manager for charitable institutions. In versions 3.6.5 and 3.6.6,
|
| 36 |
CVE-2026-1078
An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pe
|
| 36 |
CVE-2026-0686
The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery
|
| 36 |
CVE-2026-25041
Budibase is a low code platform for creating internal tools, workflows, and admi
|
| 36 |
CVE-2025-59785
Improper validation of API end-point in 2N Access Commander version 3.4.2 and pr
|
| 36 |
CVE-2026-27459
If a user provided callback to `set_cookie_generate_callback` returned a cookie
|
| 36 |
CVE-2026-1343
IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify
|
| 36 |
CVE-2026-28436
Frappe is a full-stack web application framework. Prior to versions 16.11.0 and
|
| 36 |
CVE-2026-1648
The Performance Monitor plugin for WordPress is vulnerable to Server-Side Reques
|
| 36 |
CVE-2025-12886
The Oxygen Theme theme for WordPress is vulnerable to Server-Side Request Forger
|
| 36 |
CVE-2024-51347
A buffer overflow vulnerability in the dgiot binary in LSC Smart Indoor IP Camer
|
| 36 |
CVE-2026-27043
Unrestricted Upload of File with Dangerous Type vulnerability in ThemeGoods Phot
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 741d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2309d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2122d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1736d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2239d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4986d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1207d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1009d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3764d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 911d |