| Metric | Value | Note |
|---|---|---|
| Total CVEs | 16634 | last 90 days |
| Avg Priority | 36.4 | of max 220 |
| KEV | 39 | actively exploited |
| POC | 3229 | public exploits |
| Unpatched | 4613 | CRIT/HIGH without patch |
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
| Signal | Contribution | Description |
|---|---|---|
| KEV | +50 | CISA Known Exploited Vulnerability: confirmed active exploitation in the wild |
| EPSS | x100 | Exploit Prediction Scoring System: probability of exploitation in the next 30 days (0-100) |
| CVSS | x5 | Common Vulnerability Scoring System: technical severity (0-50) |
| POC | +20 | Public exploit code exists, which lowers the barrier for attackers |

Score bands:

| Range | Level |
|---|---|
| 0-40 | Low |
| 40-80 | Medium |
| 80-120 | High |
| 120+ | Critical |
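As an added example (not code from the dashboard itself), the scoring rule above implemented in Python: it validates input ranges, computes the composite score, assigns the band and ranks a set of records, showing how a KEV entry with a moderate CVSS outranks a CVSS 9.8 that has no threat signal. The CVE identifiers and signal values in SAMPLE are constructed placeholders, and sending a boundary value (40, 80, 120) to the upper band is an assumption, since the page does not say.

```python
from dataclasses import dataclass

KEV_BONUS = 50      # CISA KEV: confirmed exploitation in the wild
EPSS_WEIGHT = 100   # EPSS probability (0.0-1.0) scaled to 0-100
CVSS_WEIGHT = 5     # CVSS base score (0.0-10.0) scaled to 0-50
POC_BONUS = 20      # public exploit code exists
MAX_SCORE = KEV_BONUS + EPSS_WEIGHT + CVSS_WEIGHT * 10 + POC_BONUS  # 220, as on the dashboard

@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float          # 0.0-10.0
    epss: float          # probability 0.0-1.0, not a percentage
    kev: bool = False
    poc: bool = False

def priority_score(v: Vuln) -> float:
    """Composite 0-220 score; out-of-range inputs raise instead of silently inflating the score."""
    if not 0.0 <= v.cvss <= 10.0:
        raise ValueError(f"{v.cve}: CVSS out of range: {v.cvss}")
    if not 0.0 <= v.epss <= 1.0:
        raise ValueError(f"{v.cve}: EPSS must be a probability in [0, 1]: {v.epss}")
    score = v.epss * EPSS_WEIGHT + v.cvss * CVSS_WEIGHT
    score += KEV_BONUS if v.kev else 0
    score += POC_BONUS if v.poc else 0
    return round(score, 1)

def priority_band(score: float) -> str:
    """Bands from the dashboard; a boundary value goes to the upper band (assumption)."""
    if score >= 120:
        return "Critical"
    if score >= 80:
        return "High"
    if score >= 40:
        return "Medium"
    return "Low"

def rank(vulns: list[Vuln]) -> list[tuple[str, float, str]]:
    """Patch order: highest composite score first, as in the 'Patch Now' list."""
    scored = [(v.cve, priority_score(v)) for v in vulns]
    return sorted([(c, s, priority_band(s)) for c, s in scored], key=lambda r: r[1], reverse=True)

# Constructed sample records with placeholder IDs (not real CVE data)
SAMPLE = [
    Vuln("CVE-0000-0001", cvss=9.8, epss=0.02),            # severe on paper, no threat signal
    Vuln("CVE-0000-0002", cvss=7.5, epss=0.10, kev=True),  # moderate CVSS but actively exploited
    Vuln("CVE-0000-0003", cvss=8.8, epss=0.94, poc=True),  # public PoC and very likely exploited
    Vuln("CVE-0000-0004", cvss=4.3, epss=0.001),           # low on every axis
]
```

Note that EPSS is consumed as a probability; feeding it the percentage form (e.g. 42.0) is rejected rather than producing a score above the 220 ceiling.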
Patch Now — Known Exploited Vulnerabilities
| Priority | CVE | Description |
|---|---|---|
| 185 | CVE-2026-1731 | BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain |
| 180 | CVE-2025-40551 | SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil |
| 170 | CVE-2026-1340 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem |
| 164 | CVE-2026-1281 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem |
| 160 | CVE-2025-40536 | SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that |
| 141 | CVE-2026-20131 | A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM |
| 137 | CVE-2026-1603 | An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen |
| 134 | CVE-2026-22769 | Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia |
| 128 | CVE-2026-24423 | SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code executi |
| 124 | CVE-2026-21643 | An improper neutralization of special elements used in an sql command ('sql injection') vulnerabilit |
Priority Distribution
| Priority | CVE | Description |
|---|---|---|
| 27 | CVE-2026-21714 | A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE |
| 27 | CVE-2026-24473 | Hono is a Web application framework that provides support for any JavaScript run |
| 27 | CVE-2026-23865 | An integer overflow in the tt_var_load_item_variation_store function of the Free |
| 27 | CVE-2026-24472 | Hono is a Web application framework that provides support for any JavaScript run |
| 27 | CVE-2026-22201 | wpDiscuz before 7.6.47 contains an IP spoofing vulnerability in the getIP() func |
| 27 | CVE-2026-33690 | WWBN AVideo is an open source video platform. In versions up to and including 26 |
| 27 | CVE-2024-52334 | A vulnerability has been identified in syngo.plaza VB30E (All versions < VB30E_H |
| 27 | CVE-2025-31944 | Race condition for some TDX Module before version tdx1.5 within Ring 0: Hypervis |
| 27 | CVE-2026-28838 | A permissions issue was addressed with additional sandbox restrictions. This iss |
| 27 | CVE-2026-24117 | Rekor is a software supply chain transparency log. In versions 1.4.3 and below, |
| 27 | CVE-2026-20697 | A permissions issue was addressed with additional restrictions. This issue is fi |
| 27 | CVE-2026-6494 | A flaw was found in the AAP MCP server. An unauthenticated remote attacker can e |
| 27 | CVE-2026-25144 | Talishar is a fan-made Flesh and Blood project. A Stored XSS exists in the chat |
| 27 | CVE-2026-28828 | A permissions issue was addressed by removing the vulnerable code. This issue is |
| 27 | CVE-2026-26977 | Frappe Learning Management System (LMS) is a learning system that helps users st |
| 27 | CVE-2026-26967 | PJSIP is a free and open source multimedia communication library written in C. I |
| 27 | CVE-2026-1213 | All versions of askbot before and including 0.12.2 allow an attacker authenticat |
| 27 | CVE-2026-34776 | Impact: On macOS and Linux, apps that call `app.requestSingleInstanceLock()` |
| 27 | CVE-2026-40448 | Potential Integer overflow in tensor allocation size calculation could lead to i |
| 27 | CVE-2026-24604 | Missing Authorization vulnerability in themebeez Simple GDPR Cookie Compliance s |
| 27 | CVE-2026-24603 | Missing Authorization vulnerability in themebeez Universal Google Adsense and Ad |
| 27 | CVE-2026-24599 | Authorization Bypass Through User-Controlled Key vulnerability in XLPlugins Next |
| 27 | CVE-2026-24593 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulne |
| 27 | CVE-2026-24589 | Insertion of Sensitive Information Into Sent Data vulnerability in Cargus eComme |
| 27 | CVE-2026-24562 | Missing Authorization vulnerability in Ryviu Ryviu – Product Reviews for W |
| 27 | CVE-2026-24539 | Missing Authorization vulnerability in ABCdatos Protección de datos – RGPD |
| 27 | CVE-2026-24530 | Missing Authorization vulnerability in sheepfish WebP Conversion webp-conversion |
| 27 | CVE-2026-24529 | Missing Authorization vulnerability in Alejandro Quick Restaurant Reservations q |
| 27 | CVE-2026-24525 | Missing Authorization vulnerability in CloudPanel CLP Varnish Cache clp-varnish- |
| 27 | CVE-2026-30835 | Parse Server is an open source backend that can be deployed to any infrastructur |
| 27 | CVE-2026-3707 | A vulnerability was identified in MrNanko webp4j up to 1.3.x. The affected eleme |
| 27 | CVE-2026-22461 | Missing Authorization vulnerability in WebAppick CTX Feed webappick-product-feed |
| 27 | CVE-2026-22458 | Missing Authorization vulnerability in Mikado-Themes Wanderland wanderland allow |
| 27 | CVE-2026-22447 | Missing Authorization vulnerability in Select-Themes Prowess prowess allows Expl |
| 27 | CVE-2026-3979 | A flaw has been found in quickjs-ng quickjs up to 0.12.1. This affects the funct |
| 27 | CVE-2026-3994 | A vulnerability was detected in rui314 mold up to 2.40.4. This issue affects the |
| 27 | CVE-2026-4015 | A weakness has been identified in GPAC 26.03-DEV. Affected is the function txtin |
| 27 | CVE-2026-4016 | A security vulnerability has been detected in GPAC 26.03-DEV. Affected by this v |
| 27 | CVE-2026-3581 | The Basic Google Maps Placemarks plugin for WordPress is vulnerable to authoriza |
| 27 | CVE-2026-0718 | The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites - PostX plugin |
| 27 | CVE-2026-31924 | Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. |
| 27 | CVE-2026-22180 | OpenClaw versions prior to 2026.3.2 contain a path-confinement bypass vulnerabil |
| 27 | CVE-2026-5713 | The "profiling.sampling" module (Python 3.15+) and "asyncio introspection capabi |
| 27 | CVE-2026-0593 | The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to u |
| 27 | CVE-2026-3674 | A vulnerability was found in Freedom Factory dGEN1 up to 20260221. Affected by t |
| 27 | CVE-2026-5427 | The Kubio plugin for WordPress is vulnerable to Arbitrary File Upload in version |
| 27 | CVE-2026-24028 | An attacker might be able to trigger an out-of-bounds read by sending a crafted |
| 27 | CVE-2026-3669 | A security vulnerability has been detected in Freedom Factory dGEN1 up to 202602 |
| 27 | CVE-2026-3667 | A security flaw has been discovered in Freedom Factory dGEN1 up to 20260221. The |
| 27 | CVE-2026-33258 | By publishing and querying a crafted zone an attacker can cause allocation of la |
| 27 | CVE-2026-3675 | A vulnerability was determined in Freedom Factory dGEN1 up to 20260221. Affected |
| 27 | CVE-2026-25872 | JUNG Smart Panel KNX firmware version L1.12.22 and prior contain an unauthentica |
| 27 | CVE-2026-33257 | An attacker can send a web request that causes unlimited memory allocation in th |
| 27 | CVE-2026-26185 | Directus is a real-time API and App dashboard for managing SQL database content. |
| 27 | CVE-2026-21722 | Public dashboards with annotations enabled did not limit their annotation timera |
| 27 | CVE-2026-3670 | A vulnerability was detected in Freedom Factory dGEN1 up to 20260221. Affected i |
| 27 | CVE-2026-24030 | An attacker might be able to trick DNSdist into allocating too much memory while |
| 27 | CVE-2026-2371 | The Greenshift - animation and page builder blocks plugin for WordPress is vulne |
| 27 | CVE-2026-32249 | Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.013 |
| 27 | CVE-2026-22628 | An improper access control vulnerability in Fortinet FortiSwitchAXFixed 1.0.0 th |
| 27 | CVE-2026-33260 | An attacker can send a web request that causes unlimited memory allocation in th |
| 27 | CVE-2026-1938 | The YayMail - WooCommerce Email Customizer plugin for WordPress is vulnerable to |
| 27 | CVE-2026-33256 | An attacker can send a web request that causes unlimited memory allocation in th |
| 27 | CVE-2026-3796 | A weakness has been identified in Qi-ANXIN QAX Virus Removal up to 2025-10-22. T |
| 27 | CVE-2026-23907 | This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0. |
| 27 | CVE-2026-27670 | OpenClaw versions prior to 2026.3.2 contain a race condition vulnerability in ZI |
| 27 | CVE-2025-14444 | The RegistrationMagic - Custom Registration Forms, User Registration, Payment, a |
| 27 | CVE-2026-4117 | The CalJ plugin for WordPress is vulnerable to Missing Authorization in all vers |
| 27 | CVE-2025-57783 | Improper header parsing may lead to request smuggling has been identified in Hia |
| 27 | CVE-2026-6586 | A vulnerability was identified in TransformerOptimus SuperAGI up to 0.0.14. Impa |
| 27 | CVE-2026-5705 | A vulnerability was identified in code-projects Online Hotel Booking 1.0. Affect |
| 27 | CVE-2026-5502 | The Tutor LMS - eLearning and online course solution plugin for WordPress is vul |
| 27 | CVE-2025-31981 | HCL BigFix Service Management (SM) Discovery is vulnerable to unenforced encrypt |
| 27 | CVE-2025-22234 | The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigati |
| 27 | CVE-2026-5606 | A security flaw has been discovered in PHPGurukul Online Shopping Portal Project |
| 27 | CVE-2026-40485 | ChurchCRM is an open-source church management system. In versions prior to 7.2.0 |
| 27 | CVE-2026-31381 | An attacker can extract user email addresses (PII) exposed in base64 encoding vi |
| 27 | CVE-2026-2878 | In Progress® Telerik® UI for AJAX, versions prior to 2026.1.225, an insufficient |
| 27 | CVE-2026-28421 | Vim is an open source, command line text editor. Versions prior to 9.2.0077 have |
| 27 | CVE-2026-21726 | The CVE-2021-36156 fix validates the namespace parameter for path traversal sequ |
| 27 | CVE-2026-5052 | Vault’s PKI engine’s ACME validation did not reject local targets when issuing h |
| 27 | CVE-2026-5579 | A vulnerability was determined in CodeAstro Online Classroom 1.0. This issue aff |
| 27 | CVE-2026-5586 | A vulnerability was determined in zhongyu09 openchatbi up to 0.2.1. The impacted |
| 27 | CVE-2026-28755 | NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_modu |
| 27 | CVE-2026-24027 | Crafted zones can lead to increased incoming network traffic. |
| 27 | CVE-2026-34364 | WWBN AVideo is an open source video platform. In versions up to and including 26 |
| 27 | CVE-2026-31960 | Quill provides simple mac binary signing and notarization from any platform. Qui |
| 27 | CVE-2026-33578 | OpenClaw before 2026.3.28 contains a sender policy bypass vulnerability in the G |
| 27 | CVE-2026-31959 | Quill provides simple mac binary signing and notarization from any platform. Qui |
| 27 | CVE-2025-11065 | A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing |
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 740d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2308d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2121d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1734d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2237d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4985d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1206d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1007d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3762d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 909d |