| Metric | Value | Note |
|---|---|---|
| Total CVEs | 16294 | last 90 days |
| Avg Priority | 36.4 | of max 220 |
| KEV | 40 | actively exploited |
| POC | 3219 | public exploits |
| Unpatched | 4400 | CRIT/HIGH without patch |
How is Priority Score calculated?

Priority Score is a composite risk metric (0-220) that adds up four real-world threat signals:

| Signal | Weight | Meaning |
|---|---|---|
| KEV | +50 | Listed in CISA's Known Exploited Vulnerabilities catalog: confirmed active exploitation in the wild |
| EPSS | x100 | Exploit Prediction Scoring System probability of exploitation in the next 30 days, scaled from 0-1 to 0-100 |
| CVSS | x5 | Common Vulnerability Scoring System base score (technical severity), scaled from 0-10 to 0-50 |
| POC | +20 | Public exploit code exists, which lowers the barrier for attackers |

Bands: 0-40 Low, 40-80 Medium, 80-120 High, 120+ Critical.

Because KEV and POC together contribute 70 points, a CVSS 7.5 vulnerability that is actively exploited and has public exploit code (37.5 + 70 = 107.5 before EPSS) outranks an unexploited CVSS 10.0 with no PoC (50 before EPSS). Note that the four weights cap the score at 220, yet the Oldest Unpatched Critical/High table below shows scores of 222-224; the component that produces the extra points is not documented here.
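The scoring rule above, as an added example that is not code from this dashboard or its operator: a Python re-implementation that computes the score, maps it to a band, ranks records, and flags scores the documented weights cannot reach. The weights are the page's; the half-open band boundaries, EPSS taken as a 0-1 probability, the `CveRecord` type and function names, and the `EXAMPLE-*` sample records are assumptions made for this example.

```python
"""Priority Score as documented on this page, re-implemented for checking.

Weights are taken from the page: KEV +50, EPSS x100, CVSS x5, POC +20,
so the documented maximum is 220. Everything else here is an assumption
made for this example: EPSS is the 0-1 probability published by FIRST,
CVSS is the 0-10 base score, bands are closed at the bottom and open at
the top ([0, 40) Low, [40, 80) Medium, [80, 120) High, 120+ Critical),
and the records in SAMPLE are constructed data with hypothetical ids.
"""
from dataclasses import dataclass

KEV_BONUS = 50          # CISA Known Exploited Vulnerabilities catalog
EPSS_WEIGHT = 100       # scales the 0-1 probability to 0-100
CVSS_WEIGHT = 5         # scales the 0-10 base score to 0-50
POC_BONUS = 20          # public exploit code exists
MAX_SCORE = KEV_BONUS + EPSS_WEIGHT * 1.0 + CVSS_WEIGHT * 10.0 + POC_BONUS  # 220.0

# Band floors, highest first; a label applies from its floor upwards.
BANDS = ((120, "Critical"), (80, "High"), (40, "Medium"), (0, "Low"))


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    cvss: float   # CVSS base score, 0.0-10.0
    epss: float   # EPSS probability, 0.0-1.0 (not a percentage)
    kev: bool     # listed in CISA KEV
    poc: bool     # public exploit code available


def priority_score(rec: CveRecord) -> float:
    """Additive composite: 5*CVSS + 100*EPSS, +50 if KEV, +20 if PoC."""
    if not 0.0 <= rec.cvss <= 10.0:
        raise ValueError(f"{rec.cve_id}: CVSS base score out of range: {rec.cvss}")
    if not 0.0 <= rec.epss <= 1.0:
        # A common feed mistake is passing EPSS as a percentage (e.g. 94.0);
        # scaled by 100 that alone would exceed the whole scale, so reject it.
        raise ValueError(f"{rec.cve_id}: EPSS must be a 0-1 probability: {rec.epss}")
    score = CVSS_WEIGHT * rec.cvss + EPSS_WEIGHT * rec.epss
    if rec.kev:
        score += KEV_BONUS
    if rec.poc:
        score += POC_BONUS
    return round(score, 1)


def band(score: float) -> str:
    """Map a score to its band; 40.0 is Medium and 39.9 is Low (assumed half-open bands)."""
    if score < 0:
        raise ValueError(f"negative score: {score}")
    for floor, label in BANDS:
        if score >= floor:
            return label
    raise AssertionError("unreachable: BANDS ends at floor 0")


def exceeds_documented_max(score: float) -> bool:
    """True when a score cannot be produced by the four documented weights alone."""
    return score > MAX_SCORE


def rank(records: list[CveRecord]) -> list[tuple[str, float, str]]:
    """Return (cve_id, score, band) sorted highest priority first, ties broken by id."""
    scored = []
    for rec in records:
        score = priority_score(rec)
        scored.append((rec.cve_id, score, band(score)))
    return sorted(scored, key=lambda row: (-row[1], row[0]))


# Constructed sample records (hypothetical identifiers, not real CVEs).
SAMPLE = [
    CveRecord("EXAMPLE-1", cvss=9.8, epss=0.02, kev=False, poc=False),    # critical on paper only
    CveRecord("EXAMPLE-2", cvss=7.5, epss=0.60, kev=True, poc=True),      # exploited, PoC public
    CveRecord("EXAMPLE-3", cvss=5.0, epss=0.0004, kev=False, poc=False),  # scores 25.0, like every Priority Distribution row
    CveRecord("EXAMPLE-4", cvss=10.0, epss=0.94, kev=True, poc=True),     # close to the 220 ceiling
]

if __name__ == "__main__":
    for cve_id, score, label in rank(SAMPLE):
        print(f"{cve_id:10} {score:6.1f} {label}")
    # 224 appears in the Oldest Unpatched table but is above the documented cap.
    print("224 reachable with documented weights:", not exceeds_documented_max(224))
```

Run as a script it prints the ranked sample: EXAMPLE-2 (CVSS 7.5, KEV, PoC) lands at 167.5 and outranks EXAMPLE-1 (CVSS 9.8, no exploitation evidence) at 51.0, which is exactly the reordering the weights are designed to produce. The EPSS range check matters in practice because EPSS feeds publish a 0-1 probability and a percentage slipped in by mistake would dominate every other signal.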
Patch Now — Known Exploited Vulnerabilities
| Priority | CVE | Description |
|---|---|---|
| 185 | CVE-2026-1731 | BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain |
| 180 | CVE-2025-40551 | SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil |
| 170 | CVE-2026-1340 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem |
| 164 | CVE-2026-1281 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem |
| 160 | CVE-2025-40536 | SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that |
| 141 | CVE-2026-20131 | A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM |
| 137 | CVE-2026-1603 | An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen |
| 134 | CVE-2026-22769 | Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia |
| 128 | CVE-2026-24423 | SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code executi |
| 124 | CVE-2026-21643 | An improper neutralization of special elements used in an sql command ('sql injection') vulnerabilit |
Priority Distribution
| Priority | CVE | Description |
|---|---|---|
| 25 | CVE-2025-47205 | A NULL pointer dereference vulnerability has been reported to affect several QNA |
| 25 | CVE-2025-54163 | A NULL pointer dereference vulnerability has been reported to affect File Statio |
| 25 | CVE-2025-66274 | A NULL pointer dereference vulnerability has been reported to affect several QNA |
| 25 | CVE-2026-3439 | A post-authentication Stack-based Buffer Overflow vulnerability in SonicOS certi |
| 25 | CVE-2025-11845 | A null pointer dereference vulnerability in the certificate downloader CGI progr |
| 25 | CVE-2025-11848 | A null pointer dereference vulnerability in the Wake-on-LAN CGI program of the Z |
| 25 | CVE-2025-11846 | A null pointer dereference vulnerability in the account settings CGI program of |
| 25 | CVE-2025-11847 | A null pointer dereference vulnerability in the IP settings CGI program of the Z |
| 25 | CVE-2026-23795 | Improper Restriction of XML External Entity Reference vulnerability in Apache Sy |
| 25 | CVE-2026-39811 | An integer overflow or wraparound vulnerability in Fortinet FortiWeb 8.0.0 throug |
| 25 | CVE-2026-25790 | Wazuh is a free and open source platform used for threat prevention, detection, |
| 25 | CVE-2026-22228 | An authenticated user with high privileges may trigger a denial-of-service condi |
| 25 | CVE-2026-32947 | Summary: A vulnerability exists in the Community Tier of Harden-Runner that a |
| 25 | CVE-2026-0399 | Multiple post-authentication stack-based buffer overflow vulnerabilities in the |
| 25 | CVE-2025-54162 | A path traversal vulnerability has been reported to affect File Station 5. If a |
| 25 | CVE-2026-22549 | A vulnerability exists in F5 BIG-IP Container Ingress Services that may allow ex |
| 25 | CVE-2025-13681 | The BFG Tools - Extension Zipper plugin for WordPress is vulnerable to Path Trav |
| 25 | CVE-2026-3523 | The Apocalypse Meow plugin for WordPress is vulnerable to SQL Injection via the |
| 25 | CVE-2025-15487 | The Code Explorer plugin for WordPress is vulnerable to Path Traversal in all ve |
| 25 | CVE-2026-28078 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') v |
| 25 | CVE-2026-3474 | The EmailKit - Email Customizer for WooCommerce & WP plugin for WordPress is vul |
| 25 | CVE-2026-26936 | Inefficient Regular Expression Complexity (CWE-1333) in the AI Inference Anonymi |
| 25 | CVE-2026-22728 | Bitnami Sealed Secrets is vulnerable to a scope-widening attack during the secre |
| 25 | CVE-2026-20148 | A vulnerability in Cisco ISE and Cisco ISE-PIC could allow an authenticated, rem |
| 25 | CVE-2026-27807 | MarkUs is a web application for the submission and grading of student assignment |
| 25 | CVE-2026-29131 | SEPPmail Secure Email Gateway before version 15.0.3 allows attackers with a spec |
| 25 | CVE-2026-33531 | InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, |
| 25 | CVE-2026-26228 | VideoLAN VLC for Android prior to version 3.7.0 contains a path traversal vulner |
| 25 | CVE-2026-29791 | Agentgateway is an open source data plane for agentic AI connectivity within or |
| 25 | CVE-2026-29101 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (C |
| 25 | CVE-2026-20003 | A vulnerability in the REST API of Cisco Secure FMC Software could allow an auth |
| 25 | CVE-2025-15332 | Tanium addressed an information disclosure vulnerability in Threat Response. |
| 25 | CVE-2025-15329 | Tanium addressed an information disclosure vulnerability in Threat Response. |
| 25 | CVE-2025-36348 | IBM Sterling B2B Integrator versions 6.1.0.0 through 6.1.2.7_2, 6.2.0.0 through |
| 25 | CVE-2025-58471 | An allocation of resources without limits or throttling vulnerability has been r |
| 25 | CVE-2025-58472 | A NULL pointer dereference vulnerability has been reported to affect Qsync Centr |
| 25 | CVE-2026-29098 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (C |
| 25 | CVE-2025-57711 | An allocation of resources without limits or throttling vulnerability has been r |
| 25 | CVE-2025-57710 | An allocation of resources without limits or throttling vulnerability has been r |
| 25 | CVE-2025-54155 | An allocation of resources without limits or throttling vulnerability has been r |
| 25 | CVE-2026-28270 | Kiteworks is a private data network (PDN). Prior to version 9.2.0, a vulnerabili |
| 25 | CVE-2026-26948 | Dell Integrated Dell Remote Access Controller 9, 14G versions prior to 7.00.00.1 |
| 25 | CVE-2026-20174 | A vulnerability in the Metadata update feature of Cisco Nexus Dashboard Insights |
| 25 | CVE-2026-34389 | Fleet is open source device management software. Prior to 4.81.0, Fleet containe |
| 25 | CVE-2026-30889 | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-late |
| 25 | CVE-2026-29180 | Fleet is open source device management software. Prior to 4.81.1, a broken acces |
| 25 | CVE-2026-35234 | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Pa |
| 25 | CVE-2026-3116 | Mattermost Plugins versions <=11.4 11.0.4 11.1.3 11.3.2 10.11.11.0 fail to valid |
| 25 | CVE-2026-21998 | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Op |
| 25 | CVE-2026-22002 | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Op |
| 25 | CVE-2026-22004 | Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). |
| 25 | CVE-2026-22005 | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Op |
| 25 | CVE-2026-35240 | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Op |
| 25 | CVE-2026-35239 | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DM |
| 25 | CVE-2026-35238 | Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). |
| 25 | CVE-2026-34267 | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Op |
| 25 | CVE-2026-35237 | Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). |
| 25 | CVE-2026-35236 | Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). |
| 25 | CVE-2026-35235 | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: GI |
| 25 | CVE-2026-23797 | In Quick.Cart user passwords are stored in plaintext form. An attacker with high |
| 25 | CVE-2026-34278 | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Op |
| 25 | CVE-2026-22319 | A stack-based buffer overflow in the device's file installation workflow allows |
| 25 | CVE-2026-34293 | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DM |
| 25 | CVE-2026-22318 | A stack-based buffer overflow vulnerability in the device's file transfer parame |
| 25 | CVE-2026-34304 | Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). |
| 25 | CVE-2026-33162 | Summary: An authenticated control panel user with only accessCp can move ent |
| 25 | CVE-2026-3344 | A vulnerability in WatchGuard Fireware OS may allow an attacker to bypass the Fi |
| 25 | CVE-2026-25772 | Wazuh is a free and open source platform used for threat prevention, detection, |
| 25 | CVE-2026-1370 | The SIBS woocommerce payment gateway plugin for WordPress is vulnerable to time- |
| 25 | CVE-2026-22821 | mreporting is the more reporting GLPI plugin. Prior to 1.9.4, there is a possibl |
| 25 | CVE-2026-34608 | NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to v |
| 25 | CVE-2026-1258 | The Mail Mint plugin for WordPress is vulnerable to blind SQL Injection via the |
| 25 | CVE-2026-0871 | A flaw was found in Keycloak. An administrator with `manage-users` permission ca |
| 25 | CVE-2026-0816 | The All push notification for WP plugin for WordPress is vulnerable to time-base |
| 25 | CVE-2026-27673 | Due to a missing authorization check, SAP S/4HANA (Private Cloud and On-Premise) |
| 25 | CVE-2025-41759 | An administrator may attempt to block all networks by specifying "\*" or "all" a |
| 25 | CVE-2026-2831 | The MailArchiver plugin for WordPress is vulnerable to SQL Injection via the ‘lo |
| 25 | CVE-2026-2389 | The Complianz - GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to S |
| 25 | CVE-2025-41760 | An administrator may attempt to block all traffic by configuring a pass filter w |
| 25 | CVE-2025-8781 | The Bookster - WordPress Appointment Booking Plugin plugin for WordPress is vuln |
| 25 | CVE-2026-29092 | Kiteworks is a private data network (PDN). Prior to version 9.2.1, a vulnerabili |
| 25 | CVE-2026-34164 | Summary: The `InboxHandlingService` logs the full content of every incoming |
| 25 | CVE-2026-25310 | Server-Side Request Forgery (SSRF) vulnerability in Alobaidi Extend Link extend- |
| 25 | CVE-2026-27162 | Discourse is an open source discussion platform. Prior to versions 2025.12.2, 20 |
| 25 | CVE-2026-22203 | wpDiscuz before 7.6.47 contains an information disclosure vulnerability that all |
| 25 | CVE-2026-4819 | In Search Guard FLX versions from 1.0.0 up to 4.0.1, the audit logging feature m |
| 25 | CVE-2026-32879 | New API is a large language model (LLM) gateway and artificial intelligence (AI) |
| 25 | CVE-2026-2376 | A flaw was found in mirror-registry where an authenticated user can trick the sy |
| 25 | CVE-2026-2429 | The Community Events plugin for WordPress is vulnerable to SQL Injection via the |
| 25 | CVE-2026-33222 | Background: NATS.io is a high performance open source pub-sub distributed co |
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 740d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2308d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2121d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1735d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2238d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4985d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1206d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1008d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3762d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 910d |