Total CVEs
16149
last 90 days
Avg Priority
36.4
of max 220
KEV
40
actively exploited
POC
3221
public exploits
Unpatched
4246
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
180
CVE-2025-40551
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil
170
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
164
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
160
CVE-2025-40536
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
129
CVE-2026-33825
Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to el
128
CVE-2026-24423
SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code executi
Priority Distribution
| Priority | CVE |
|---|---|
| 24 |
CVE-2025-6594
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site
|
| 24 |
CVE-2025-6595
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site
|
| 24 |
CVE-2025-22885
Improper buffer restrictions in the firmware for the TDX Module may allow an esc
|
| 24 |
CVE-2026-32290
The GL-iNet Comet (GL-RM1) KVM does not sufficiently verify the authenticity of
|
| 24 |
CVE-2026-34857
UAF vulnerability in the communication module.
Impact: Successful exploitation o
|
| 24 |
CVE-2026-28551
Race condition vulnerability in the device security management module. Impact: S
|
| 23 |
CVE-2026-26175
Use of uninitialized resource in Windows Boot Manager allows an unauthorized att
|
| 23 |
CVE-2026-20928
Improper removal of sensitive information before storage or transfer in Windows
|
| 23 |
CVE-2026-39417
MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below co
|
| 23 |
CVE-2025-52628
HCL AION is affected by a Cookie with Insecure, Improper, or Missing SameSite vu
|
| 23 |
CVE-2026-33699
### Impact
An attacker who uses this vulnerability can craft a PDF which leads
|
| 23 |
CVE-2026-39345
OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to
|
| 23 |
CVE-2026-28856
The issue was addressed with improved authentication. This issue is fixed in iOS
|
| 23 |
CVE-2026-30613
An information disclosure vulnerability exists in AZIOT 1 Node Smart Switch (16a
|
| 23 |
CVE-2026-22154
An improper neutralization of input during web page generation ('cross-site scri
|
| 23 |
CVE-2025-66488
Discourse is an open source discussion platform. A vulnerability present in vers
|
| 23 |
CVE-2026-30974
Copyparty is a portable file server. Prior to v1.20.11., the nohtml config optio
|
| 23 |
CVE-2026-26272
HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, a sto
|
| 23 |
CVE-2026-33653
Ulloady is a file uploader script with multi-file upload support. A Stored Cross
|
| 23 |
CVE-2026-33193
Docmost is open-source collaborative wiki and documentation software. Versions p
|
| 23 |
CVE-2026-1527
ImpactWhen an application passes user-controlled input to the upgrade option of
|
| 23 |
CVE-2026-1628
Mattermost Desktop App versions <=5.13.3 fail to attach listeners restricting na
|
| 23 |
CVE-2026-30913
Flarum is open-source forum software. When the flarum/nicknames extension is ena
|
| 23 |
CVE-2026-39946
OpenBao is an open source identity-based secrets management system. Prior to ver
|
| 23 |
CVE-2025-15543
Improper link resolution in USB HTTP access path in VX800v v1.0 allows a crafted
|
| 23 |
CVE-2026-1763
Vulnerability in GE Vernova Enervista UR Setup on Windows.This issue affects Ene
|
| 23 |
CVE-2025-69893
A side-channel vulnerability exists in the implementation of BIP-39 mnemonic pro
|
| 23 |
CVE-2025-11563
URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into
saving
|
| 23 |
CVE-2026-28895
The issue was addressed with improved checks. This issue is fixed in iOS 26.4 an
|
| 23 |
CVE-2026-27659
Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.
|
| 23 |
CVE-2025-9226
Zohocorp ManageEngine OpManager, NetFlow Analyzer, and OpUtils versions prior to
|
| 23 |
CVE-2026-20674
A privacy issue was addressed by removing sensitive data. This issue is fixed in
|
| 23 |
CVE-2026-20640
An inconsistent user interface issue was addressed with improved state managemen
|
| 23 |
CVE-2026-20645
An inconsistent user interface issue was addressed with improved state managemen
|
| 23 |
CVE-2026-1094
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.8
|
| 23 |
CVE-2026-20662
An authorization issue was addressed with improved state management. This issue
|
| 23 |
CVE-2026-20661
An authorization issue was addressed with improved state management. This issue
|
| 23 |
CVE-2026-32040
OpenClaw versions prior to 2026.2.23 contain an html injection vulnerability in
|
| 23 |
CVE-2026-26070
EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a dat
|
| 23 |
CVE-2026-34382
Admidio is an open-source user management solution. From version 5.0.0 to before
|
| 23 |
CVE-2025-67723
Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.1
|
| 23 |
CVE-2026-20435
In preloader, there is a possible read of device unique identifiers due to a log
|
| 23 |
CVE-2026-29084
Gokapi is a self-hosted file sharing server with automatic expiration and encryp
|
| 23 |
CVE-2026-22625
Improper handling of filenames in certain HIKSEMI NAS products may lead to the e
|
| 23 |
CVE-2025-12757
An AXIS Camera Station Pro feature can be exploited in a way that allows a non-a
|
| 23 |
CVE-2026-20605
The issue was addressed with improved memory handling. This issue is fixed in ma
|
| 23 |
CVE-2026-24007
Tuleap is an Open Source Suite for management of software development and collab
|
| 23 |
CVE-2026-3219
pip handles concatenated tar and ZIP files as ZIP files regardless of filename o
|
| 23 |
CVE-2026-32904
OpenClaw before 2026.2.26 contains an authorization bypass vulnerability in grou
|
| 23 |
CVE-2026-25135
OpenEMR is a free and open source electronic health records and medical practice
|
| 23 |
CVE-2025-52626
A Potential Command Injection vulnerability in HCL AION.
An This can allow un
|
| 23 |
CVE-2026-22220
A lack of proper input validation in the HTTP processing path in TP-Link Archer
|
| 23 |
CVE-2026-25590
The GLPI Inventory Plugin handles network discovery, inventory, software deploym
|
| 23 |
CVE-2026-6060
A vulnerability in the SQL Box in the admin interface of OTRS leads to an uncont
|
| 23 |
CVE-2025-52637
HCL AION is affected by a vulnerability where certain offering configurations ma
|
| 23 |
CVE-2026-6058
**UNSUPPORTED WHEN ASSIGNED** An improper encoding or escaping vulnerability in
|
| 23 |
CVE-2026-31066
UTT Aggressive HiPER 810G v3v1.7.7-171114 was discovered to contain a buffer ove
|
| 23 |
CVE-2026-31065
UTT Aggressive 520W v3v1.7.7-180627 was discovered to contain a buffer overflow
|
| 23 |
CVE-2026-31058
UTT Aggressive HiPER 1200GW v2.5.3-170306 was discovered to contain a buffer ove
|
| 23 |
CVE-2026-31060
UTT Aggressive HiPER 810G v3v1.7.7-171114 was discovered to contain a buffer ove
|
| 23 |
CVE-2026-31063
UTT Aggressive HiPER 1200GW v2.5.3-170306 was discovered to contain a buffer ove
|
| 23 |
CVE-2026-31061
UTT Aggressive HiPER 810G v3v1.7.7-171114 was discovered to contain a buffer ove
|
| 23 |
CVE-2026-31062
UTT Aggressive 520W v3v1.7.7-180627 was discovered to contain a buffer overflow
|
| 23 |
CVE-2026-34384
Admidio is an open-source user management solution. Prior to version 5.0.8, the
|
| 23 |
CVE-2026-33306
### Impact
An integer overflow in the Java BCrypt implementation for JRuby can
|
| 23 |
CVE-2025-13064
A server-side injection was possible for a malicious admin to manipulate the app
|
| 22 |
CVE-2026-33326
# Summary
`{field}.isFilterable` access control can be bypassed in `findMany`
|
| 22 |
CVE-2026-1735
A weakness has been identified in Yealink MeetingBar A30 133.321.0.3. This issue
|
| 22 |
CVE-2026-39864
Kamailio is an open source implementation of a SIP Signaling Server. Prior to 6.
|
| 22 |
CVE-2026-23685
Due to a Deserialization vulnerability in SAP NetWeaver (JMS service), an attack
|
| 22 |
CVE-2026-27906
Improper input validation in Windows Hello allows an authorized attacker to bypa
|
| 22 |
CVE-2026-1304
The Membership Plugin - Restrict Content for WordPress is vulnerable to Stored C
|
| 22 |
CVE-2026-1266
The Postalicious plugin for WordPress is vulnerable to Stored Cross-Site Scripti
|
| 22 |
CVE-2026-32220
Improper access control in Windows Virtualization-Based Security (VBS) Enclave a
|
| 22 |
CVE-2026-1300
The Responsive Header plugin for WordPress is vulnerable to Stored Cross-Site Sc
|
| 22 |
CVE-2026-1649
The Community Events plugin for WordPress is vulnerable to Stored Cross-Site Scr
|
| 22 |
CVE-2026-1047
The salavat counter Plugin plugin for WordPress is vulnerable to Stored Cross-Si
|
| 22 |
CVE-2026-1043
The PostmarkApp Email Integrator plugin for WordPress is vulnerable to Stored Cr
|
| 22 |
CVE-2026-1191
The JavaScript Notifier plugin for WordPress is vulnerable to Stored Cross-Site
|
| 22 |
CVE-2026-4161
The Review Map by RevuKangaroo plugin for WordPress is vulnerable to Stored Cros
|
| 22 |
CVE-2026-2027
The AMP Enhancer - Compatibility Layer for Official AMP Plugin for WordPress is
|
| 22 |
CVE-2025-13333
IBM WebSphere Application Server 9.0, and 8.5 could provide weaker than expected
|
| 22 |
CVE-2026-2281
The Private Comment plugin for WordPress is vulnerable to Stored Cross-Site Scri
|
| 22 |
CVE-2026-0693
The Allow HTML in Category Descriptions plugin for WordPress is vulnerable to St
|
| 22 |
CVE-2025-15483
The Link Hopper plugin for WordPress is vulnerable to Stored Cross-Site Scriptin
|
| 22 |
CVE-2026-0815
The Category Image plugin for WordPress is vulnerable to Stored Cross-Site Scrip
|
| 22 |
CVE-2025-13981
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripti
|
| 22 |
CVE-2026-2489
The TP2WP Importer plugin for WordPress is vulnerable to Stored Cross-Site Scrip
|
| 22 |
CVE-2026-0735
The User Language Switch plugin for WordPress is vulnerable to Stored Cross-Site
|
| 22 |
CVE-2026-2716
The Client Testimonial Slider plugin for WordPress is vulnerable to Stored Cross
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 740d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2308d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2121d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1735d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2238d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4986d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1206d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1008d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3763d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 910d |