Total CVEs
16487
last 90 days
Avg Priority
36.7
of max 220
KEV
40
actively exploited
POC
3242
public exploits
Unpatched
4747
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
184
CVE-2026-23760
SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability
180
CVE-2025-40551
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil
170
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
164
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
160
CVE-2025-40536
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
128
CVE-2026-24423
SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code executi
Priority Distribution
| Priority | CVE |
|---|---|
| 27 |
CVE-2026-27631
Exiv2 is a C++ library and a command-line utility to read, write, delete and mod
|
| 27 |
CVE-2026-27486
OpenClaw is a personal AI assistant. In versions 2026.2.13 and below of the Open
|
| 27 |
CVE-2026-5240
A security vulnerability has been detected in code-projects BloodBank Managing S
|
| 27 |
CVE-2026-5315
A vulnerability was determined in Nothings stb up to 1.26. The affected element
|
| 27 |
CVE-2026-1332
MeetingHub developed by HAMASTAR Technology has a Missing Authentication vulnera
|
| 27 |
CVE-2026-1772
RTU500 web interface: An unprivileged user can read user management information.
|
| 27 |
CVE-2026-20676
This issue was addressed through improved state management. This issue is fixed
|
| 27 |
CVE-2026-3567
The RepairBuddy - Repair Shop CRM & Booking Plugin for WordPress is vulnerable t
|
| 27 |
CVE-2026-2519
The Online Scheduling and Appointment Booking System - Bookly plugin for WordPre
|
| 27 |
CVE-2026-5886
Out of bounds read in WebAudio in Google Chrome on Mac prior to 147.0.7727.55 al
|
| 27 |
CVE-2026-27193
Feathersjs is a framework for creating web APIs and real-time applications with
|
| 27 |
CVE-2026-1675
The Advanced Country Blocker plugin for WordPress is vulnerable to Authorization
|
| 27 |
CVE-2026-28407
malcontent is software for discovering supply-chain compromises through context,
|
| 27 |
CVE-2026-3546
The e-shot form builder plugin for WordPress is vulnerable to Sensitive Informat
|
| 27 |
CVE-2026-3649
The Katalogportal PDF Sync plugin for WordPress is vulnerable to Missing Authori
|
| 27 |
CVE-2026-5623
A vulnerability was identified in hcengineering Huly Platform 0.7.382. This affe
|
| 27 |
CVE-2026-5530
A flaw has been found in Ollama up to 18.1. This issue affects some unknown proc
|
| 27 |
CVE-2026-6215
A weakness has been identified in DbGate up to 7.1.4. The impacted element is th
|
| 27 |
CVE-2026-5380
An issue that could allow an authorized user to view the clear-text secrets for
|
| 27 |
CVE-2026-5205
A vulnerability was identified in chatwoot up to 4.11.2. Affected by this vulner
|
| 27 |
CVE-2026-2385
The The Plus Addons for Elementor - Addons for Elementor, Page Templates, Widget
|
| 27 |
CVE-2026-5313
A vulnerability has been found in Nothings stb up to 2.30. This issue affects th
|
| 27 |
CVE-2026-0927
The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is
|
| 27 |
CVE-2026-33866
MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used
|
| 27 |
CVE-2026-32230
Uptime Kuma is an open source, self-hosted monitoring tool. From 2.0.0 to 2.1.3
|
| 27 |
CVE-2026-0540
DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 729097f,
|
| 27 |
CVE-2026-34369
WWBN AVideo is an open source video platform. In versions up to and including 26
|
| 27 |
CVE-2026-35592
pyLoad is a free and open-source download manager written in Python. Prior to 0.
|
| 27 |
CVE-2026-0748
In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allo
|
| 27 |
CVE-2026-3642
The e-shot™ form builder plugin for WordPress is vulnerable to Missing Authoriza
|
| 27 |
CVE-2026-3023
Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web applicatio
|
| 27 |
CVE-2026-1769
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site
|
| 27 |
CVE-2026-39921
GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side req
|
| 27 |
CVE-2026-33041
### Summary
`/objects/encryptPass.json.php` exposes the application's password
|
| 27 |
CVE-2026-25742
Zulip is an open-source team collaboration tool. Prior to version 11.6, Zulip is
|
| 27 |
CVE-2025-36425
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 through
|
| 27 |
CVE-2026-27454
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-late
|
| 27 |
CVE-2026-31815
Unicorn adds modern reactive component functionality to your Django templates. P
|
| 27 |
CVE-2025-10734
The ReviewX - WooCommerce Product Reviews with Multi-Criteria, Reminder Emails,
|
| 27 |
CVE-2026-32322
soroban-sdk is a Rust SDK for Soroban contracts. Prior to 22.0.11, 23.5.3, and 2
|
| 27 |
CVE-2025-13997
The King Addons for Elementor - 4,000+ ready Elementor sections, 650+ templates,
|
| 27 |
CVE-2026-24749
The Silverstripe Assets Module is a required component of Silverstripe Framework
|
| 27 |
CVE-2026-39628
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vu
|
| 27 |
CVE-2026-33617
An unauthenticated remote attacker can access a configuration file containing da
|
| 27 |
CVE-2026-2373
The Royal Addons for Elementor - Addons and Templates Kit for Elementor plugin f
|
| 27 |
CVE-2026-5890
Race in WebCodecs in Google Chrome prior to 147.0.7727.55 allowed a remote attac
|
| 27 |
CVE-2026-39412
### Summary
The `sort_natural` filter bypasses the `ownPropertyOnly` security o
|
| 27 |
CVE-2026-39712
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vu
|
| 27 |
CVE-2026-39629
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vu
|
| 27 |
CVE-2026-0679
The Fortis for WooCommerce plugin for WordPress is vulnerable to authorization b
|
| 27 |
CVE-2026-33688
WWBN AVideo is an open source video platform. In versions up to and including 26
|
| 27 |
CVE-2026-34715
### Summary
The `encode_headers` function in `src/ewe/internal/encoder.gleam` d
|
| 27 |
CVE-2026-1102
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.3
|
| 27 |
CVE-2026-1797
The Appointment Booking and Scheduler Plugin - Truebooker plugin for WordPress i
|
| 27 |
CVE-2026-34786
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, a
|
| 27 |
CVE-2026-32002
OpenClaw versions prior to 2026.2.23 contain a sandbox bypass vulnerability in t
|
| 27 |
CVE-2025-14971
The Link Invoice Payment for WooCommerce plugin for WordPress is vulnerable to u
|
| 27 |
CVE-2026-31825
Sylius is an Open Source eCommerce Framework on Symfony. Sylius API filters Prod
|
| 27 |
CVE-2026-39625
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vu
|
| 27 |
CVE-2026-39626
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vu
|
| 27 |
CVE-2026-31888
Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store
|
| 27 |
CVE-2026-32691
A race condition in the secrets management subsystem of Juju versions 3.0.0 thro
|
| 27 |
CVE-2026-29055
Tandoor Recipes is an application for managing recipes, planning meals, and buil
|
| 27 |
CVE-2026-33060
## Summary
The `@aborruso/ckan-mcp-server` MCP server provides tools including
|
| 27 |
CVE-2026-34899
Missing Authorization vulnerability in Eniture technology LTL Freight Quotes - W
|
| 27 |
CVE-2026-28070
Missing Authorization vulnerability in Tips and Tricks HQ WP eMember allows Expl
|
| 27 |
CVE-2026-25523
Magento-lts is a long-term support alternative to Magento Community Edition (CE)
|
| 27 |
CVE-2026-31950
LibreChat is a ChatGPT clone with additional features. In versions 0.8.2-rc2 thr
|
| 27 |
CVE-2025-69727
An Incorrect Access Control vulnerability exists in INDEX-EDUCATION PRONOTE prio
|
| 27 |
CVE-2026-1219
The MP3 Audio Player - Music Player, Podcast Player & Radio by Sonaar plugin for
|
| 27 |
CVE-2026-5823
A weakness has been identified in itsourcecode Construction Management System 1.
|
| 27 |
CVE-2026-34763
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, a
|
| 27 |
CVE-2026-35449
## Summary
The `install/test.php` diagnostic script has its CLI-only access gua
|
| 27 |
CVE-2026-32100
Shopware is an open commerce platform. /api/_info/config route exposes informati
|
| 27 |
CVE-2025-70129
If the anti spam-captcha functionality in PluXml versions 5.8.22 and earlier is
|
| 27 |
CVE-2026-32583
Missing Authorization vulnerability in Webnus Inc. Modern Events Calendar allows
|
| 27 |
CVE-2026-32142
Shopware is an open commerce platform. /api/_info/config route exposes informati
|
| 27 |
CVE-2026-32565
Missing Authorization vulnerability in WebberZone Contextual Related Posts allow
|
| 27 |
CVE-2026-33737
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, mu
|
| 27 |
CVE-2026-33809
A maliciously crafted TIFF file can cause image decoding to attempt to allocate
|
| 27 |
CVE-2026-29136
SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to inject
|
| 27 |
CVE-2025-70040
An issue pertaining to CWE-532: Insertion of Sensitive Information into Log File
|
| 27 |
CVE-2026-35651
OpenClaw versions 2026.2.13 through 2026.3.24 contain an ANSI escape sequence in
|
| 27 |
CVE-2026-22199
wpDiscuz before 7.6.47 contains a vote manipulation vulnerability that allows at
|
| 27 |
CVE-2026-34368
WWBN AVideo is an open source video platform. In versions up to and including 26
|
| 27 |
CVE-2025-10256
A NULL pointer dereference vulnerability exists in FFmpeg’s Firequalizer filter
|
| 27 |
CVE-2026-25050
Vendure is an open-source headless commerce platform. Prior to version 3.5.3, th
|
| 27 |
CVE-2026-1870
The Thim Kit for Elementor - Pre-built Templates & Widgets for Elementor plugin
|
| 27 |
CVE-2026-5467
A vulnerability was identified in Casdoor 2.356.0. Affected by this issue is som
|
| 27 |
CVE-2026-35662
OpenClaw before 2026.3.22 fails to enforce controlScope restrictions on the send
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 739d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2307d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2120d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1734d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2237d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4984d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1205d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1007d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3762d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 909d |