Total CVEs
15954
last 90 days
Avg Priority
36.4
of max 220
KEV
40
actively exploited
POC
3202
public exploits
Unpatched
4066
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
180
CVE-2025-40551
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil
170
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
164
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
160
CVE-2025-40536
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
129
CVE-2026-33825
Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to el
128
CVE-2026-24423
SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code executi
Priority Distribution
| Priority | CVE |
|---|---|
| 24 |
CVE-2026-1553
Incorrect Authorization vulnerability in Drupal Drupal Canvas allows Forceful Br
|
| 24 |
CVE-2026-28692
ImageMagick is free and open-source software used for editing and manipulating d
|
| 24 |
CVE-2026-26962
Rack is a modular Ruby web server interface. From version 3.2.0 to before versio
|
| 24 |
CVE-2026-33869
Mastodon is a free, open-source social network server based on ActivityPub. In v
|
| 24 |
CVE-2026-32031
OpenClaw versions prior to 2026.2.26 server-http contains an authentication bypa
|
| 24 |
CVE-2026-20091
A vulnerability in the web-based management interface of Cisco FXOS Software and
|
| 24 |
CVE-2026-20111
A vulnerability in the web-based management interface of Cisco Prime Infrastruct
|
| 24 |
CVE-2026-41297
OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability i
|
| 24 |
CVE-2026-41302
OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability i
|
| 24 |
CVE-2026-40606
mitmproxy is a interactive TLS-capable intercepting HTTP proxy for penetration t
|
| 24 |
CVE-2025-70973
ScadaBR 1.12.4 is vulnerable to Session Fixation. The application assigns a JSES
|
| 24 |
CVE-2025-53608
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scri
|
| 24 |
CVE-2026-20087
A vulnerability in the web-based management interface of Cisco IMC could allow a
|
| 24 |
CVE-2026-20089
A vulnerability in the web-based management interface of Cisco IMC could allow a
|
| 24 |
CVE-2026-0947
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripti
|
| 24 |
CVE-2026-20132
Multiple vulnerabilities in the web-based management interface of Cisco Identity
|
| 24 |
CVE-2026-20088
A vulnerability in the web-based management interface of Cisco IMC could allow a
|
| 24 |
CVE-2026-20090
A vulnerability in the web-based management interface of Cisco IMC could allow a
|
| 24 |
CVE-2026-31823
Sylius is an Open Source eCommerce Framework on Symfony. An authenticated stored
|
| 24 |
CVE-2026-24621
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 24 |
CVE-2026-34321
Vulnerability in the Oracle Financial Services Analytical Applications Infrastru
|
| 24 |
CVE-2026-26291
Stored cross-site scripting vulnerability exists in GROWI v7.4.6 and earlier. If
|
| 24 |
CVE-2026-27447
OpenPrinting CUPS is an open source printing system for Linux and other Unix-lik
|
| 24 |
CVE-2026-20112
A vulnerability in the web-based Cisco IOx application hosting environment manag
|
| 24 |
CVE-2025-66486
IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to HTML injection. A remote
|
| 24 |
CVE-2025-2274
Improper Neutralization of Input During Web Page Generation in Forcepoint Web Se
|
| 24 |
CVE-2026-5647
A vulnerability was detected in code-projects Online Shoe Store 1.0. This affect
|
| 24 |
CVE-2025-40895
A Stored HTML Injection vulnerability was discovered in the CMC's Sensor Map fun
|
| 24 |
CVE-2026-25004
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 24 |
CVE-2025-63354
Hitron HI3120 v7.2.4.5.2b1 allows stored XSS via the Parental Control option whe
|
| 24 |
CVE-2026-3218
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripti
|
| 24 |
CVE-2026-34441
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library
|
| 24 |
CVE-2026-34831
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, a
|
| 24 |
CVE-2026-32762
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before
|
| 24 |
CVE-2026-4169
A security flaw has been discovered in Tecnick TCExam up to 16.6.0. Affected is
|
| 24 |
CVE-2026-39812
A improper neutralization of input during web page generation ('cross-site scrip
|
| 24 |
CVE-2026-31351
An authenticated stored cross-site scripting (XSS) vulnerability in the creation
|
| 24 |
CVE-2026-35571
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, Mustache n
|
| 24 |
CVE-2024-51224
Multiple cross-site scripting (XSS) vulnerabilities in the component /admin/edit
|
| 24 |
CVE-2024-51225
A stored cross-site scripting (XSS) vulnerability in the component /admin/add-br
|
| 24 |
CVE-2026-33732
## Summary
A pathname parsing discrepancy in srvx's `FastURL` allows middleware
|
| 24 |
CVE-2026-31813
Supabase Auth is a JWT based API for managing users and issuing JWT tokens. Prio
|
| 24 |
CVE-2024-51222
A stored cross-site scripting (XSS) vulnerability in the component /admin/profil
|
| 24 |
CVE-2024-51223
A stored cross-site scripting (XSS) vulnerability in the component /admin/profil
|
| 24 |
CVE-2026-4165
A vulnerability has been found in Worksuite HR, CRM and Project Management up to
|
| 24 |
CVE-2026-22751
Vulnerability in Spring Spring Security. Applications that explicitly configure
|
| 24 |
CVE-2026-2485
IBM Infosphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to sto
|
| 24 |
CVE-2026-2721
The MailArchiver plugin for WordPress is vulnerable to Stored Cross-Site Scripti
|
| 24 |
CVE-2026-25101
Bludit allows user's session identifier to be set before authentication. The val
|
| 24 |
CVE-2026-2722
The Stock Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripti
|
| 24 |
CVE-2026-31890
Inspektor Gadget is a set of tools and framework for data collection and system
|
| 24 |
CVE-2026-26351
GetSimpleCMS Community Edition (CE) version 3.3.16 contains a stored cross-site
|
| 24 |
CVE-2026-28714
Unnecessary transmission of sensitive cryptographic material. The following prod
|
| 24 |
CVE-2026-4010
A vulnerability was found in ThakeeNathees pocketlang up to cc73ca61b113d48ee130
|
| 24 |
CVE-2026-33205
calibre is a cross-platform e-book manager for viewing, converting, editing, and
|
| 24 |
CVE-2026-3407
A vulnerability was determined in YosysHQ yosys up to 0.62. This affects the fun
|
| 24 |
CVE-2026-3994
A vulnerability was detected in rui314 mold up to 2.40.4. This issue affects the
|
| 24 |
CVE-2026-20993
Improper export of android application components in Samsung Assistant prior to
|
| 24 |
CVE-2026-35206
Helm is a package manager for Charts for Kubernetes. In Helm versions <=3.20.1 a
|
| 24 |
CVE-2026-40026
The Sleuth Kit through 4.14.0 contains an out-of-bounds read vulnerability in th
|
| 24 |
CVE-2026-40025
The Sleuth Kit through 4.14.0 contains an out-of-bounds read vulnerability in th
|
| 24 |
CVE-2026-6042
A security flaw has been discovered in musl libc up to 1.2.6. Affected is the fu
|
| 24 |
CVE-2026-24398
Hono is a Web application framework that provides support for any JavaScript run
|
| 24 |
CVE-2026-3979
A flaw has been found in quickjs-ng quickjs up to 0.12.1. This affects the funct
|
| 24 |
CVE-2026-4016
A security vulnerability has been detected in GPAC 26.03-DEV. Affected by this v
|
| 24 |
CVE-2026-4015
A weakness has been identified in GPAC 26.03-DEV. Affected is the function txtin
|
| 24 |
CVE-2026-4009
A vulnerability has been found in jarikomppa soloud up to 20200207. Impacted is
|
| 24 |
CVE-2026-3707
A vulnerability was identified in MrNanko webp4j up to 1.3.x. The affected eleme
|
| 24 |
CVE-2026-6830
nesquena hermes-webui contains an environment variable leakage vulnerability whe
|
| 24 |
CVE-2026-34450
The Claude SDK for Python provides access to the Claude API from Python applicat
|
| 24 |
CVE-2026-5185
A security flaw has been discovered in Nothings stb_image up to 2.30. This affec
|
| 24 |
CVE-2026-3667
A security flaw has been discovered in Freedom Factory dGEN1 up to 20260221. The
|
| 24 |
CVE-2026-40505
MuPDF mutool does not sanitize PDF metadata fields before writing them to termin
|
| 24 |
CVE-2026-5186
A weakness has been identified in Nothings stb up to 2.30. This impacts the func
|
| 24 |
CVE-2026-3675
A vulnerability was determined in Freedom Factory dGEN1 up to 20260221. Affected
|
| 24 |
CVE-2026-3674
A vulnerability was found in Freedom Factory dGEN1 up to 20260221. Affected by t
|
| 24 |
CVE-2026-3670
A vulnerability was detected in Freedom Factory dGEN1 up to 20260221. Affected i
|
| 24 |
CVE-2026-3669
A security vulnerability has been detected in Freedom Factory dGEN1 up to 202602
|
| 24 |
CVE-2026-25133
October is a Content Management System (CMS) and web platform. Versions prior to
|
| 24 |
CVE-2026-33472
Cryptomator is an open-source client-side encryption application for cloud stora
|
| 24 |
CVE-2026-24325
SAP BusinessObjects Enterprise does not sufficiently encode user-controlled inpu
|
| 24 |
CVE-2026-24594
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti
|
| 24 |
CVE-2026-27854
An attacker might be able to trigger a use-after-free by sending crafted DNS que
|
| 24 |
CVE-2025-52648
HCL AION is affected by a vulnerability where offering images are not digitally
|
| 24 |
CVE-2026-39391
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
|
| 24 |
CVE-2026-40593
ChurchCRM is an open-source church management system. In versions prior to 7.2.0
|
| 24 |
CVE-2026-27126
Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.1
|
| 24 |
CVE-2026-29176
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, A stored
|
| 24 |
CVE-2026-27128
Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.1
|
| 24 |
CVE-2026-24921
Address read vulnerability in the HDC module.
Impact: Successful exploitation of
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 740d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2308d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2121d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1735d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2238d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4985d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1206d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1008d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3763d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 910d |