Total CVEs
16292
last 90 days
Avg Priority
36.4
of max 220
KEV
40
actively exploited
POC
3219
public exploits
Unpatched
4399
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
180
CVE-2025-40551
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil
170
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
164
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
160
CVE-2025-40536
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
129
CVE-2026-33825
Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to el
128
CVE-2026-24423
SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code executi
Priority Distribution
| Priority | CVE |
|---|---|
| 25 |
CVE-2026-4853
The JetBackup - Backup, Restore & Migrate plugin for WordPress is vulnerable to
|
| 25 |
CVE-2026-28823
A path handling issue was addressed with improved validation. This issue is fixe
|
| 25 |
CVE-2026-39631
Missing Authorization vulnerability in Ronik@UnlimitedWP WPSchoolPress wpschoolp
|
| 25 |
CVE-2026-3221
Sensitive
user account information is not encrypted in the database in Devoluti
|
| 25 |
CVE-2026-22626
Due to insufficient input parameter validation on the interface, authenticated u
|
| 25 |
CVE-2026-39521
Server-Side Request Forgery (SSRF) vulnerability in Nelio Software Nelio Content
|
| 25 |
CVE-2026-34061
nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake pro
|
| 25 |
CVE-2026-32349
Server-Side Request Forgery (SSRF) vulnerability in Andy Fragen Embed PDF Viewer
|
| 25 |
CVE-2026-20693
This issue was addressed through improved state management. This issue is fixed
|
| 25 |
CVE-2026-31799
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. F
|
| 25 |
CVE-2026-1224
Tanium addressed an uncontrolled resource consumption vulnerability in Discover.
|
| 25 |
CVE-2026-33158
### Summary
A low-privileged authenticated user can read private asset content
|
| 25 |
CVE-2026-3330
The Form Maker by 10Web plugin for WordPress is vulnerable to SQL Injection via
|
| 25 |
CVE-2026-30228
Parse Server is an open source backend that can be deployed to any infrastructur
|
| 25 |
CVE-2026-0806
The WP-ClanWars plugin for WordPress is vulnerable to SQL Injection via the 'ord
|
| 25 |
CVE-2025-12772
Brocade SANnav before 2.4.0b logs the Brocade Fabric OS Switch admin password on
|
| 25 |
CVE-2026-22692
October is a Content Management System (CMS) and web platform. Versions prior to
|
| 25 |
CVE-2025-12680
Brocade SANnav before Brocade SANnav 2.4.0b logs database passwords in clear tex
|
| 25 |
CVE-2026-29516
Buffalo TeraStation NAS TS5400R firmware version 4.02-0.06 and prior contain an
|
| 25 |
CVE-2026-25125
October is a Content Management System (CMS) and web platform. Versions prior to
|
| 25 |
CVE-2026-30873
OpenWrt Project is a Linux operating system targeting embedded devices. In versi
|
| 25 |
CVE-2026-40962
FFmpeg before 8.1 has an integer overflow and resultant out-of-bounds write via
|
| 24 |
CVE-2026-25525
Magento Long Term Support (LTS) is an unofficial, community-driven project provi
|
| 24 |
CVE-2026-40175
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.
|
| 24 |
CVE-2026-33738
Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the
|
| 24 |
CVE-2026-28475
OpenClaw versions prior to 2026.2.13 use non-constant-time string comparison for
|
| 24 |
CVE-2025-0577
An insufficient entropy vulnerability was found in glibc. The getrandom and arc4
|
| 24 |
CVE-2026-25100
Bludit is vulnerable to Stored Cross-Site Scripting (XSS) in its image upload fu
|
| 24 |
CVE-2026-1001
Domoticz versions prior to 2026.1 contain a stored cross-site scripting vulnerab
|
| 24 |
CVE-2026-26717
An issue in OpenFUN Richie (LMS) in src/richie/apps/courses/api.py. The applicat
|
| 24 |
CVE-2026-21291
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15,
|
| 24 |
CVE-2026-1787
The LearnPress Export Import - WordPress extension for LearnPress plugin for Wor
|
| 24 |
CVE-2026-24147
NVIDIA Triton Inference Server contains a vulnerability in triton server where a
|
| 24 |
CVE-2026-1356
The Converter for Media - Optimize images | Convert WebP & AVIF plugin for WordP
|
| 24 |
CVE-2026-31993
OpenClaw versions prior to 2026.2.22 contain an allowlist parsing mismatch vulne
|
| 24 |
CVE-2025-41257
Suprema’s BioStar 2 in version 2.9.11.6 allows users to set new password without
|
| 24 |
CVE-2026-4816
A Reflected Cross Site Scripting (XSS) vulnerability has been found in Support B
|
| 24 |
CVE-2026-3024
Stored Cross-Site Scripting (XSS) vulnerability in the Wakyma web application, s
|
| 24 |
CVE-2026-27974
Audiobookshelf is a self-hosted audiobook and podcast server. A cross-site scrip
|
| 24 |
CVE-2025-70336
A Stored cross-site scripting (XSS) vulnerability in 'Create New Live Item' in P
|
| 24 |
CVE-2025-62184
Pega Platform versions 8.1.0 through 25.1.0 are affected by a Stored Cross-site
|
| 24 |
CVE-2026-3468
A stored Cross-Site Scripting (XSS) vulnerability has been identified in the Son
|
| 24 |
CVE-2026-1711
Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site
|
| 24 |
CVE-2026-4433
An SSH misconfigurations exists in Tenable OT that led to the potential exfiltra
|
| 24 |
CVE-2026-33621
### Summary
PinchTab `v0.7.7` through `v0.8.4` contain incomplete request-thrott
|
| 24 |
CVE-2026-31867
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.11.0 and 5.6.0
|
| 24 |
CVE-2026-34835
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before
|
| 24 |
CVE-2026-39410
## Summary
A discrepancy between browser cookie parsing and `parse()` handling
|
| 24 |
CVE-2026-1553
Incorrect Authorization vulnerability in Drupal Drupal Canvas allows Forceful Br
|
| 24 |
CVE-2026-26962
Rack is a modular Ruby web server interface. From version 3.2.0 to before versio
|
| 24 |
CVE-2026-28692
ImageMagick is free and open-source software used for editing and manipulating d
|
| 24 |
CVE-2026-33869
Mastodon is a free, open-source social network server based on ActivityPub. In v
|
| 24 |
CVE-2026-32031
OpenClaw versions prior to 2026.2.26 server-http contains an authentication bypa
|
| 24 |
CVE-2026-20111
A vulnerability in the web-based management interface of Cisco Prime Infrastruct
|
| 24 |
CVE-2026-41297
OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability i
|
| 24 |
CVE-2026-20091
A vulnerability in the web-based management interface of Cisco FXOS Software and
|
| 24 |
CVE-2026-41302
OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability i
|
| 24 |
CVE-2025-53608
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scri
|
| 24 |
CVE-2025-70973
ScadaBR 1.12.4 is vulnerable to Session Fixation. The application assigns a JSES
|
| 24 |
CVE-2026-20088
A vulnerability in the web-based management interface of Cisco IMC could allow a
|
| 24 |
CVE-2026-20087
A vulnerability in the web-based management interface of Cisco IMC could allow a
|
| 24 |
CVE-2026-20089
A vulnerability in the web-based management interface of Cisco IMC could allow a
|
| 24 |
CVE-2026-0947
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripti
|
| 24 |
CVE-2026-20090
A vulnerability in the web-based management interface of Cisco IMC could allow a
|
| 24 |
CVE-2026-20132
Multiple vulnerabilities in the web-based management interface of Cisco Identity
|
| 24 |
CVE-2026-31823
Sylius is an Open Source eCommerce Framework on Symfony. An authenticated stored
|
| 24 |
CVE-2026-27447
OpenPrinting CUPS is an open source printing system for Linux and other Unix-lik
|
| 24 |
CVE-2026-24621
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 24 |
CVE-2026-34321
Vulnerability in the Oracle Financial Services Analytical Applications Infrastru
|
| 24 |
CVE-2026-20112
A vulnerability in the web-based Cisco IOx application hosting environment manag
|
| 24 |
CVE-2026-26291
Stored cross-site scripting vulnerability exists in GROWI v7.4.6 and earlier. If
|
| 24 |
CVE-2026-5647
A vulnerability was detected in code-projects Online Shoe Store 1.0. This affect
|
| 24 |
CVE-2025-2274
Improper Neutralization of Input During Web Page Generation in Forcepoint Web Se
|
| 24 |
CVE-2025-66486
IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to HTML injection. A remote
|
| 24 |
CVE-2026-25004
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 24 |
CVE-2026-3218
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripti
|
| 24 |
CVE-2025-40895
A Stored HTML Injection vulnerability was discovered in the CMC's Sensor Map fun
|
| 24 |
CVE-2025-63354
Hitron HI3120 v7.2.4.5.2b1 allows stored XSS via the Parental Control option whe
|
| 24 |
CVE-2026-39812
A improper neutralization of input during web page generation ('cross-site scrip
|
| 24 |
CVE-2026-34831
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, a
|
| 24 |
CVE-2026-34441
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library
|
| 24 |
CVE-2026-32762
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before
|
| 24 |
CVE-2024-51223
A stored cross-site scripting (XSS) vulnerability in the component /admin/profil
|
| 24 |
CVE-2026-33732
## Summary
A pathname parsing discrepancy in srvx's `FastURL` allows middleware
|
| 24 |
CVE-2024-51224
Multiple cross-site scripting (XSS) vulnerabilities in the component /admin/edit
|
| 24 |
CVE-2024-51225
A stored cross-site scripting (XSS) vulnerability in the component /admin/add-br
|
| 24 |
CVE-2024-51222
A stored cross-site scripting (XSS) vulnerability in the component /admin/profil
|
| 24 |
CVE-2026-31813
Supabase Auth is a JWT based API for managing users and issuing JWT tokens. Prio
|
| 24 |
CVE-2026-31351
An authenticated stored cross-site scripting (XSS) vulnerability in the creation
|
| 24 |
CVE-2026-35571
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, Mustache n
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 740d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2308d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2121d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1735d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2238d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4985d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1206d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1008d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3762d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 910d |