| Metric | Value | Note |
|---|---|---|
| Total CVEs | 16038 | last 90 days |
| Avg Priority | 36.4 | of max 220 |
| KEV | 40 | actively exploited |
| POC | 3214 | public exploits |
| Unpatched | 4155 | CRIT/HIGH without patch |
How is Priority Score calculated?

Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:

| Signal | Weight | Meaning |
|---|---|---|
| KEV | +50 | CISA Known Exploited Vulnerability: confirmed active exploitation in the wild |
| EPSS | x100 | Exploit Prediction Scoring System: probability of exploitation in the next 30 days (0-100) |
| CVSS | x5 | Common Vulnerability Scoring System: technical severity (0-50) |
| POC | +20 | Public exploit code exists, which lowers the barrier for attackers |

| Score | Band |
|---|---|
| 0-40 | Low |
| 40-80 | Medium |
| 80-120 | High |
| 120+ | Critical |
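The scoring rule above, implemented over a small constructed set of records as an added example (not the dashboard's own code). It assumes the four weighted signals are summed, which matches the stated maximum of 220, that EPSS is supplied as a probability in 0-1, and that CVSS is the 0-10 base score; the sample CVE ids and values are hypothetical.

```python
from dataclasses import dataclass

# Weights as described on the dashboard: KEV +50, EPSS x100, CVSS x5, POC +20.
KEV_BONUS = 50
EPSS_WEIGHT = 100
CVSS_WEIGHT = 5
POC_BONUS = 20
MAX_SCORE = KEV_BONUS + EPSS_WEIGHT + 10 * CVSS_WEIGHT + POC_BONUS  # 220

# Band floors; a score exactly on a boundary (e.g. 40) falls into the higher band.
BANDS = [(120, "Critical"), (80, "High"), (40, "Medium"), (0, "Low")]

@dataclass
class CveRecord:
    cve_id: str
    cvss: float   # CVSS base score, 0.0 to 10.0
    epss: float   # EPSS probability of exploitation in the next 30 days, 0.0 to 1.0
    kev: bool     # listed in CISA KEV
    poc: bool     # public exploit code exists

def priority_score(rec: CveRecord) -> float:
    """Sum of the four weighted signals (assumed additive), rounded to 0.1."""
    if not (0.0 <= rec.cvss <= 10.0) or not (0.0 <= rec.epss <= 1.0):
        raise ValueError(f"{rec.cve_id}: CVSS must be 0-10 and EPSS 0-1")
    score = rec.cvss * CVSS_WEIGHT + rec.epss * EPSS_WEIGHT
    if rec.kev:
        score += KEV_BONUS
    if rec.poc:
        score += POC_BONUS
    return round(score, 1)

def priority_band(score: float) -> str:
    for floor, name in BANDS:
        if score >= floor:
            return name
    return "Low"

def patch_now(records, limit=3):
    """Rank records the way the 'Patch Now' panel does: highest score first."""
    ranked = sorted(records, key=priority_score, reverse=True)
    return [(r.cve_id, priority_score(r), priority_band(priority_score(r))) for r in ranked[:limit]]

# Constructed sample records (hypothetical ids and values, not the dashboard's data).
SAMPLE = [
    CveRecord("CVE-0000-0001", cvss=9.8, epss=0.97, kev=True, poc=True),     # 49 + 97 + 50 + 20 = 216
    CveRecord("CVE-0000-0002", cvss=9.8, epss=0.02, kev=False, poc=False),   # 49 + 2 = 51, only Medium
    CveRecord("CVE-0000-0003", cvss=6.1, epss=0.001, kev=False, poc=False),  # 30.5 + 0.1 = 30.6, Low
    CveRecord("CVE-0000-0004", cvss=7.5, epss=0.30, kev=False, poc=True),    # 37.5 + 30 + 20 = 87.5, High
]

if __name__ == "__main__":
    for cve_id, score, band in patch_now(SAMPLE):
        print(f"{cve_id}: {score} ({band})")
```

Note how a CVSS 9.8 issue with no exploitation signals lands in Medium while a CVSS 7.5 issue with a public PoC and moderate EPSS ranks above it; that is the ordering effect the weights are designed to produce.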
Patch Now — Known Exploited Vulnerabilities
| Priority | CVE | Description |
|---|---|---|
| 185 | CVE-2026-1731 | BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain |
| 180 | CVE-2025-40551 | SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil |
| 170 | CVE-2026-1340 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem |
| 164 | CVE-2026-1281 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem |
| 160 | CVE-2025-40536 | SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that |
| 141 | CVE-2026-20131 | A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM |
| 137 | CVE-2026-1603 | An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen |
| 134 | CVE-2026-22769 | Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia |
| 129 | CVE-2026-33825 | Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to el |
| 128 | CVE-2026-24423 | SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code executi |
Priority Distribution
| Priority | CVE | Description |
|---|---|---|
| 24 | CVE-2026-23752 | GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability |
| 24 | CVE-2026-32012 | OpenClaw before 2026.2.25 lacks durable replay state for Nextcloud Talk webhook |
| 24 | CVE-2026-33598 | A cached crafted response can cause an out-of-bounds read if custom Lua code cal |
| 24 | CVE-2026-23753 | GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability |
| 24 | CVE-2026-27101 | Dell Secure Connect Gateway (SCG) 5.0 Appliance and Application version(s) 5.28. |
| 24 | CVE-2026-26079 | Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style She |
| 24 | CVE-2026-21359 | Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, |
| 24 | CVE-2026-4406 | The Gravity Forms plugin for WordPress is vulnerable to Reflected Cross-Site Scr |
| 24 | CVE-2025-2204 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site |
| 24 | CVE-2026-1445 | A vulnerability was found in iJason-Liu Books_Manager up to 298ba736387ca3781046 |
| 24 | CVE-2026-3714 | A vulnerability has been found in OpenCart 4.0.2.3. Affected by this issue is th |
| 24 | CVE-2026-24771 | Hono is a Web application framework that provides support for any JavaScript run |
| 24 | CVE-2026-22269 | Dell PowerProtect Data Manager, version(s) prior to 19.22, contain(s) an Imprope |
| 24 | CVE-2025-36597 | Dell Avamar, versions prior to 19.12 with patch 338905, contains an Improper Lim |
| 24 | CVE-2026-4564 | A security vulnerability has been detected in yangzongzhuan RuoYi up to 4.8.2. T |
| 24 | CVE-2026-1517 | A vulnerability was identified in iomad up to 5.0. Affected is an unknown functi |
| 24 | CVE-2025-69725 | An Open Redirect vulnerability in the go-chi/chi >=5.2.2 RedirectSlashes functio |
| 24 | CVE-2026-34561 | CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo |
| 24 | CVE-2026-34562 | CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo |
| 24 | CVE-2026-23110 | In the Linux kernel, the following vulnerability has been resolved: scsi: core: |
| 24 | CVE-2026-23071 | In the Linux kernel, the following vulnerability has been resolved: regmap: Fix |
| 24 | CVE-2026-34298 | Vulnerability in the Oracle Applications Framework product of Oracle E-Business |
| 24 | CVE-2026-23167 | In the Linux kernel, the following vulnerability has been resolved: nfc: nci: F |
| 24 | CVE-2026-32106 | StudioCMS is a server-side-rendered, Astro native, headless content management s |
| 24 | CVE-2026-25392 | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in KaizenCoder |
| 24 | CVE-2026-28106 | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Kings Plugi |
| 24 | CVE-2025-62320 | HTML Injection can be carried out in Product when a web application does not pro |
| 24 | CVE-2026-40301 | DOMSanitizer is a DOM/SVG/MathML Sanitizer for PHP 7.3+. Prior to version 1.0.10 |
| 24 | CVE-2026-3213 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripti |
| 24 | CVE-2026-33916 | Summary: `resolvePartial()` in the Handlebars runtime resolves partial names |
| 24 | CVE-2025-0976 | Information Exposure Vulnerability in Hitachi Ops Center API Configuration Manag |
| 24 | CVE-2026-35404 | Open edX Platform enables the authoring and delivery of online learning at any s |
| 24 | CVE-2026-32932 | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an |
| 24 | CVE-2025-67807 | The login mechanism of Sage DPW 2025_06_004 displays distinct responses for vali |
| 24 | CVE-2026-34773 | Impact: On Windows, `app.setAsDefaultProtocolClient(protocol)` did not valida |
| 24 | CVE-2026-34847 | hoppscotch is an open source API development ecosystem. Prior to version 2026.3. |
| 24 | CVE-2026-4471 | A weakness has been identified in itsourcecode Online Frozen Foods Ordering Syst |
| 24 | CVE-2026-4473 | A vulnerability was detected in itsourcecode Online Doctor Appointment System 1. |
| 24 | CVE-2026-4469 | A vulnerability was identified in itsourcecode Online Frozen Foods Ordering Syst |
| 24 | CVE-2026-4470 | A security flaw has been discovered in itsourcecode Online Frozen Foods Ordering |
| 24 | CVE-2026-1277 | The URL Shortify plugin for WordPress is vulnerable to Open Redirect in all vers |
| 24 | CVE-2026-23004 | In the Linux kernel, the following vulnerability has been resolved: dst: fix ra |
| 24 | CVE-2025-14923 | IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.2 IBM WebSphe |
| 24 | CVE-2026-32234 | Parse Server is an open source backend that can be deployed to any infrastructur |
| 24 | CVE-2026-23212 | In the Linux kernel, the following vulnerability has been resolved: bonding: an |
| 24 | CVE-2026-23115 | In the Linux kernel, the following vulnerability has been resolved: serial: Fix |
| 24 | CVE-2026-23126 | In the Linux kernel, the following vulnerability has been resolved: netdevsim: |
| 24 | CVE-2026-23207 | In the Linux kernel, the following vulnerability has been resolved: spi: tegra2 |
| 24 | CVE-2026-37346 | SourceCodester Payroll Management and Information System v1.0 is vulnerable to S |
| 24 | CVE-2026-23210 | In the Linux kernel, the following vulnerability has been resolved: ice: Fix PT |
| 24 | CVE-2026-23153 | In the Linux kernel, the following vulnerability has been resolved: firewire: c |
| 24 | CVE-2026-3202 | NTS-KE protocol dissector crash in Wireshark 4.6.0 to 4.6.3 allows denial of ser |
| 24 | CVE-2026-21517 | Improper link resolution before file access ('link following') in Windows App fo |
| 24 | CVE-2026-23118 | In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix |
| 24 | CVE-2026-21006 | Improper access control in Samsung DeX prior to SMR Apr-2026 Release 1 allows ph |
| 24 | CVE-2026-20060 | A vulnerability in the web-based management interface of Cisco Unity Connection |
| 24 | CVE-2026-39484 | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in John Darrel |
| 24 | CVE-2025-68160 | Issue summary: Writing large, newline-free data into a BIO chain using the line- |
| 24 | CVE-2026-22266 | Dell PowerProtect Data Manager, version(s) prior to 19.22, contain(s) an Imprope |
| 24 | CVE-2026-32953 | Impact: Some specific (1 out of 256) User Supplied Secrets (USS) were not use |
| 24 | CVE-2026-22986 | In the Linux kernel, the following vulnerability has been resolved: gpiolib: fi |
| 24 | CVE-2025-52643 | HCL AION is affected by a vulnerability where untrusted file parsing operations |
| 24 | CVE-2026-22561 | Uncontrolled search path elements in Anthropic Claude for Windows installer (Cla |
| 24 | CVE-2025-35992 | Improper conditions check in some firmware for some Intel(R) NPU Drivers within |
| 24 | CVE-2026-2408 | Tanium addressed a use-after-free vulnerability in the Cloud Workloads Enforce c |
| 24 | CVE-2026-3580 | In wolfSSL 5.8.4, constant-time masking logic in sp_256_get_entry_256_9 is optim |
| 24 | CVE-2026-1742 | A vulnerability was identified in EFM ipTIME A8004T 14.18.2. Affected by this vu |
| 24 | CVE-2026-33711 | Incus is a system container and virtual machine manager. Incus provides an API t |
| 24 | CVE-2026-27492 | Lettermint Node.js SDK is the official Node.js SDK for Lettermint. In versions 1 |
| 24 | CVE-2026-40223 | In systemd 258 before 260, a local unprivileged user can trigger an assert when |
| 24 | CVE-2026-5721 | The wpDataTables - WordPress Data Table, Dynamic Tables & Table Charts Plugin pl |
| 24 | CVE-2026-34446 | Open Neural Network Exchange (ONNX) is an open standard for machine learning int |
| 24 | CVE-2026-27599 | Summary: Vulnerability: Stored DOM XSS via System Settings - Mail Settin |
| 24 | CVE-2026-25616 | Blesta 3.x through 5.x before 5.13.3 mishandles input validation, aka CORE-5665. |
| 24 | CVE-2026-33682 | Streamlit Open Source Security Advisory. 1. Impacted Products: Streamlit Op |
| 24 | CVE-2026-25198 | web2py versions 2.27.1-stable+timestamp.2023.11.16.08.03.57 and prior contain an |
| 24 | CVE-2026-27456 | util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a |
| 24 | CVE-2026-3774 | The application allows PDF JavaScript and document/print actions (such as WillPr |
| 24 | CVE-2026-24596 | Cross-Site Request Forgery (CSRF) vulnerability in marynixie Related Posts Thumb |
| 24 | CVE-2025-6595 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site |
| 24 | CVE-2025-6594 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site |
| 24 | CVE-2026-32290 | The GL-iNet Comet (GL-RM1) KVM does not sufficiently verify the authenticity of |
| 24 | CVE-2025-22885 | Improper buffer restrictions in the firmware for the TDX Module may allow an esc |
| 24 | CVE-2026-28551 | Race condition vulnerability in the device security management module. Impact: S |
| 24 | CVE-2026-34857 | UAF vulnerability in the communication module. Impact: Successful exploitation o |
| 23 | CVE-2026-26175 | Use of uninitialized resource in Windows Boot Manager allows an unauthorized att |
| 23 | CVE-2026-20928 | Improper removal of sensitive information before storage or transfer in Windows |
| 23 | CVE-2026-39417 | MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below co |
| 23 | CVE-2025-52628 | HCL AION is affected by a Cookie with Insecure, Improper, or Missing SameSite vu |
| 23 | CVE-2026-33699 | Impact: An attacker who uses this vulnerability can craft a PDF which leads |
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 740d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2308d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2121d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1735d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2238d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4985d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1206d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1008d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3763d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 910d |