Total CVEs
16526
last 90 days
Avg Priority
36.6
of max 220
KEV
40
actively exploited
POC
3235
public exploits
Unpatched
4611
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
184
CVE-2026-23760
SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability
180
CVE-2025-40551
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil
170
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
164
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
160
CVE-2025-40536
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
128
CVE-2026-24423
SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code executi
Priority Distribution
| Priority | CVE |
|---|---|
| 27 |
CVE-2026-39701
Missing Authorization vulnerability in Andrew ShopWP wpshopify allows Exploiting
|
| 27 |
CVE-2026-39700
Missing Authorization vulnerability in WPXPO WowOptin optin allows Exploiting In
|
| 27 |
CVE-2026-39699
Missing Authorization vulnerability in massiveshift AI Workflow Automation ai-wo
|
| 27 |
CVE-2026-39698
Missing Authorization vulnerability in PublisherDesk The Publisher Desk ads.txt
|
| 27 |
CVE-2026-39697
Missing Authorization vulnerability in HBSS Technologies MAIO – The new AI
|
| 27 |
CVE-2026-32348
Missing Authorization vulnerability in MadrasThemes MAS Videos masvideos allows
|
| 27 |
CVE-2026-39694
Missing Authorization vulnerability in NSquared Simply Schedule Appointments sim
|
| 27 |
CVE-2026-39691
Missing Authorization vulnerability in AdAstraCrypto Cryptocurrency Donation Box
|
| 27 |
CVE-2026-39690
Missing Authorization vulnerability in Paul Bearne Author Avatars List/Block aut
|
| 27 |
CVE-2026-39689
Missing Authorization vulnerability in eshipper eShipper Commerce eshipper-comme
|
| 27 |
CVE-2026-39688
Missing Authorization vulnerability in Glowlogix WP Frontend Profile wp-front-en
|
| 27 |
CVE-2026-39687
Missing Authorization vulnerability in Rapid Car Check Rapid Car Check Vehicle D
|
| 27 |
CVE-2026-39685
Missing Authorization vulnerability in lvaudore The Moneytizer the-moneytizer al
|
| 27 |
CVE-2026-39682
Missing Authorization vulnerability in Arjan Pronk linkPizza-Manager linkpizza-m
|
| 27 |
CVE-2026-32396
Missing Authorization vulnerability in RadiusTheme Team tlp-team allows Exploiti
|
| 27 |
CVE-2026-39680
Missing Authorization vulnerability in MWP Development Diet Calorie Calculator d
|
| 27 |
CVE-2026-39678
Missing Authorization vulnerability in DOTonPAPER Pinpoint Booking System bookin
|
| 27 |
CVE-2026-39676
Missing Authorization vulnerability in Shahjada Download Manager download-manage
|
| 27 |
CVE-2026-32397
Missing Authorization vulnerability in YMC Filter & Grids ymc-smart-filter allow
|
| 27 |
CVE-2026-39675
Missing Authorization vulnerability in webmuehle Court Reservation court-reserva
|
| 27 |
CVE-2026-39673
Missing Authorization vulnerability in shrikantkale iZooto izooto-web-push allow
|
| 27 |
CVE-2026-39672
Missing Authorization vulnerability in shiptime ShipTime: Discounted Shipping Ra
|
| 27 |
CVE-2026-39669
Missing Authorization vulnerability in NitroPack NitroPack nitropack allows Expl
|
| 27 |
CVE-2026-32347
Missing Authorization vulnerability in raratheme Restaurant and Cafe restaurant-
|
| 27 |
CVE-2026-39668
Missing Authorization vulnerability in g5theme Book Previewer for Woocommerce bo
|
| 27 |
CVE-2026-39664
Missing Authorization vulnerability in leadrebel Leadrebel leadrebel allows Expl
|
| 27 |
CVE-2026-39663
Missing Authorization vulnerability in themetechmount TrueBooker truebooker-appo
|
| 27 |
CVE-2026-32402
Missing Authorization vulnerability in Ays Pro Image Slider by Ays ays-slider al
|
| 27 |
CVE-2026-39662
Missing Authorization vulnerability in ProWCPlugins Product Price by Formula for
|
| 27 |
CVE-2026-32346
Missing Authorization vulnerability in raratheme Travel Agency travel-agency all
|
| 27 |
CVE-2026-39660
Missing Authorization vulnerability in Automattic WP Job Manager wp-job-manager
|
| 27 |
CVE-2026-39659
Missing Authorization vulnerability in Ultimate Member Ultimate Member ultimate-
|
| 27 |
CVE-2026-39658
Missing Authorization vulnerability in Coding Panda Panda Pods Repeater Field pa
|
| 27 |
CVE-2026-39657
Missing Authorization vulnerability in leadlovers leadlovers forms leadlovers-fo
|
| 27 |
CVE-2026-32345
Missing Authorization vulnerability in raratheme Perfect Portfolio perfect-portf
|
| 27 |
CVE-2026-39656
Missing Authorization vulnerability in Razorpay Razorpay for WooCommerce woo-raz
|
| 27 |
CVE-2026-39652
Missing Authorization vulnerability in igms iGMS Direct Booking igms-direct-book
|
| 27 |
CVE-2026-39650
Missing Authorization vulnerability in Unitech Web UnitechPay unitechpay-paiemen
|
| 27 |
CVE-2026-39649
Missing Authorization vulnerability in themebeez Royale News royale-news allows
|
| 27 |
CVE-2026-39648
Missing Authorization vulnerability in themebeez Cream Blog cream-blog allows Ex
|
| 27 |
CVE-2026-32421
Missing Authorization vulnerability in Agile Logix Post Timeline post-timeline a
|
| 27 |
CVE-2026-5082
Amon2::Plugin::Web::CSRFDefender versions from 7.00 through 7.03 for Perl genera
|
| 27 |
CVE-2026-5083
Ado::Sessions versions through 0.935 for Perl generates insecure session ids.
T
|
| 27 |
CVE-2026-32404
Missing Authorization vulnerability in Studio99 Studio99 WP Monitor studio99-wp-
|
| 27 |
CVE-2026-39644
Missing Authorization vulnerability in Roxnor Wp Ultimate Review wp-ultimate-rev
|
| 27 |
CVE-2026-39643
Missing Authorization vulnerability in Payment Plugins Payment Plugins for PayPa
|
| 27 |
CVE-2026-39637
Missing Authorization vulnerability in SpabRice Mogi mogi allows Exploiting Inco
|
| 27 |
CVE-2026-32147
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') v
|
| 27 |
CVE-2026-39624
Missing Authorization vulnerability in kutethemes Biolife biolife allows Exploit
|
| 27 |
CVE-2026-39622
Missing Authorization vulnerability in acmethemes Education Base education-base
|
| 27 |
CVE-2026-39616
Authorization Bypass Through User-Controlled Key vulnerability in dFactory Downl
|
| 27 |
CVE-2026-31916
Missing Authorization vulnerability in Iulia Cazan Latest Post Shortcode latest-
|
| 27 |
CVE-2026-39501
Missing Authorization vulnerability in RealMag777 FOX woocommerce-currency-switc
|
| 27 |
CVE-2026-32341
Missing Authorization vulnerability in raratheme Benevolent benevolent allows Ex
|
| 27 |
CVE-2026-39505
Missing Authorization vulnerability in Craig Hewitt Seriously Simple Podcasting
|
| 27 |
CVE-2026-39612
Missing Authorization vulnerability in kutethemes KuteShop kuteshop allows Explo
|
| 27 |
CVE-2026-39509
Missing Authorization vulnerability in wpWax Directorist directorist allows Expl
|
| 27 |
CVE-2026-39610
Missing Authorization vulnerability in Pankaj Kumar WpXmas-Snow wpxmas-snow allo
|
| 27 |
CVE-2026-39520
Missing Authorization vulnerability in weDevs weDocs wedocs allows Exploiting In
|
| 27 |
CVE-2026-39609
Missing Authorization vulnerability in Wava.co Wava Payment wava-payment allows
|
| 27 |
CVE-2026-39528
Missing Authorization vulnerability in WP Delicious WP Delicious delicious-recip
|
| 27 |
CVE-2026-33169
### Impact
`NumberToDelimitedConverter` used a regular expression with `gsub!` t
|
| 27 |
CVE-2026-3089
Actual Sync Server allows authenticated users to upload files through POST /sync
|
| 27 |
CVE-2026-27017
uTLS is a fork of crypto/tls, created to customize ClientHello for fingerprintin
|
| 27 |
CVE-2026-3940
Insufficient policy enforcement in DevTools in Google Chrome prior to 146.0.7680
|
| 27 |
CVE-2025-27535
Exposed ioctl with insufficient access control in the firmware for some Intel(R)
|
| 27 |
CVE-2025-3716
User enumeration in ESET Protect (on-prem) via Response Timing.
|
| 27 |
CVE-2026-39882
overview:
this report shows that the otlp HTTP exporters (traces/metrics/logs) r
|
| 27 |
CVE-2026-33173
### Impact
Active Storage's `DirectUploadsController` accepts arbitrary metadata
|
| 27 |
CVE-2026-3939
Insufficient policy enforcement in PDF in Google Chrome prior to 146.0.7680.71 a
|
| 27 |
CVE-2026-5344
A security vulnerability has been detected in Textpattern up to 4.9.1. Affected
|
| 27 |
CVE-2026-3930
Unsafe navigation in Navigation in Google Chrome on iOS prior to 146.0.7680.71 a
|
| 27 |
CVE-2025-47911
The html.Parse function in golang.org/x/net/html has quadratic parsing complexit
|
| 27 |
CVE-2026-2295
The WPZOOM Addons for Elementor - Starter Templates & Widgets plugin for WordPre
|
| 27 |
CVE-2026-32724
PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc1, a he
|
| 27 |
CVE-2025-66604
A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corpo
|
| 27 |
CVE-2026-1271
The ProfileGrid - User Profiles, Groups and Communities plugin for WordPress is
|
| 27 |
CVE-2026-5474
A vulnerability was found in NASA cFS up to 7.0.0. This affects the function CFE
|
| 27 |
CVE-2026-24850
The ML-DSA crate is a Rust implementation of the Module-Lattice-Based Digital Si
|
| 27 |
CVE-2026-40179
### Impact
Stored cross-site scripting (XSS) via crafted metric names in the Pr
|
| 27 |
CVE-2026-23865
An integer overflow in the tt_var_load_item_variation_store function of the Free
|
| 27 |
CVE-2026-40041
Pachno 1.0.6 contains a cross-site request forgery vulnerability that allows att
|
| 27 |
CVE-2026-6494
A flaw was found in the AAP MCP server. An unauthenticated remote attacker can e
|
| 27 |
CVE-2025-31944
Race condition for some TDX Module before version tdx1.5 within Ring 0: Hypervis
|
| 27 |
CVE-2026-28838
A permissions issue was addressed with additional sandbox restrictions. This iss
|
| 27 |
CVE-2024-52334
A vulnerability has been identified in syngo.plaza VB30E (All versions < VB30E_H
|
| 27 |
CVE-2026-20697
A permissions issue was addressed with additional restrictions. This issue is fi
|
| 27 |
CVE-2026-25144
Talishar is a fan-made Flesh and Blood project. A Stored XSS exists in the chat
|
| 27 |
CVE-2026-28828
A permissions issue was addressed by removing the vulnerable code. This issue is
|
| 27 |
CVE-2026-21714
A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 740d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2308d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2120d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1734d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2237d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4985d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1206d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1007d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3762d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 909d |