Total CVEs
16268
last 90 days
Avg Priority
36.4
of max 220
KEV
40
actively exploited
POC
3221
public exploits
Unpatched
4364
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
180
CVE-2025-40551
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil
170
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
164
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
160
CVE-2025-40536
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
129
CVE-2026-33825
Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to el
128
CVE-2026-24423
SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code executi
Priority Distribution
| Priority | CVE |
|---|---|
| 22 |
CVE-2026-2289
The Taskbuilder plugin for WordPress is vulnerable to Stored Cross-Site Scriptin
|
| 22 |
CVE-2026-3577
The Keep Backup Daily plugin for WordPress is vulnerable to Stored Cross-Site Sc
|
| 22 |
CVE-2026-5383
An issue that could allow access to Explorer groups from outside of the authoriz
|
| 22 |
CVE-2026-2121
The Weaver Show Posts plugin for WordPress is vulnerable to Stored Cross-Site Sc
|
| 22 |
CVE-2026-1044
The Tennis Court Bookings plugin for WordPress is vulnerable to Stored Cross-Sit
|
| 22 |
CVE-2026-5169
The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to Stored
|
| 22 |
CVE-2026-3574
The Experto Dashboard for WooCommerce plugin for WordPress is vulnerable to Stor
|
| 22 |
CVE-2025-62856
A path traversal vulnerability has been reported to affect File Station 5. If a
|
| 22 |
CVE-2026-1302
The Meta-box GalleryMeta plugin for WordPress is vulnerable to Stored Cross-Site
|
| 22 |
CVE-2025-12451
The Easy SVG Support plugin for WordPress is vulnerable to Stored Cross-Site Scr
|
| 22 |
CVE-2026-1399
The WP Google Ad Manager Plugin plugin for WordPress is vulnerable to Stored Cro
|
| 22 |
CVE-2026-2424
The Reward Video Ad for WordPress plugin for WordPress is vulnerable to Stored C
|
| 22 |
CVE-2026-33395
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-late
|
| 22 |
CVE-2026-6439
The VideoZen plugin for WordPress is vulnerable to Stored Cross-Site Scripting i
|
| 22 |
CVE-2026-2498
The WP Social Meta plugin for WordPress is vulnerable to Stored Cross-Site Scrip
|
| 22 |
CVE-2026-1055
The TalkJS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via
|
| 22 |
CVE-2026-25428
Server-Side Request Forgery (SSRF) vulnerability in totalsoft TS Poll poll-wp al
|
| 22 |
CVE-2026-2002
The Forminator Forms - Contact Form, Payment Form & Custom Form Builder plugin f
|
| 22 |
CVE-2026-32119
OpenEMR is a free and open source electronic health records and medical practice
|
| 22 |
CVE-2025-12037
The WP 404 Auto Redirect to Similar Post plugin for WordPress is vulnerable to S
|
| 22 |
CVE-2026-22210
wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability that allows
|
| 22 |
CVE-2026-2292
The Morkva UA Shipping plugin for WordPress is vulnerable to Stored Cross-Site S
|
| 22 |
CVE-2026-32237
Backstage is an open framework for building developer portals. Prior to 3.1.5, a
|
| 22 |
CVE-2026-2499
The Custom Logo plugin for WordPress is vulnerable to Stored Cross-Site Scriptin
|
| 22 |
CVE-2026-2282
The Slidorion plugin for WordPress is vulnerable to Stored Cross-Site Scripting
|
| 22 |
CVE-2026-2396
The List View Google Calendar plugin for WordPress is vulnerable to Stored Cross
|
| 22 |
CVE-2026-26998
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.38 an
|
| 22 |
CVE-2026-2838
The Whole Enquiry Cart for WooCommerce plugin for WordPress is vulnerable to Sto
|
| 22 |
CVE-2026-3353
The Comment SPAM Wiper plugin for WordPress is vulnerable to Stored Cross-Site S
|
| 22 |
CVE-2026-2420
The LotekMedia Popup Form plugin for WordPress is vulnerable to Stored Cross-Sit
|
| 22 |
CVE-2026-3354
The Wikilookup plugin for WordPress is vulnerable to Stored Cross-Site Scripting
|
| 22 |
CVE-2026-1247
The Survey plugin for WordPress is vulnerable to Stored Cross-Site Scripting via
|
| 22 |
CVE-2026-1278
The Mandatory Field plugin for WordPress is vulnerable to Stored Cross-Site Scri
|
| 22 |
CVE-2026-1071
The Carta Online plugin for WordPress is vulnerable to Stored Cross-Site Scripti
|
| 22 |
CVE-2026-2837
The Ricerca - advanced search plugin for WordPress is vulnerable to Stored Cross
|
| 22 |
CVE-2026-21007
Improper check for exceptional conditions in Device Care prior to SMR Apr-2026 R
|
| 22 |
CVE-2026-4479
The WholeSale Products Dynamic Pricing Management WooCommerce plugin for WordPre
|
| 22 |
CVE-2026-6712
The Website LLMs.txt plugin for WordPress is vulnerable to Stored Cross-Site Scr
|
| 22 |
CVE-2026-2432
The CM Custom Reports - Flexible reporting to track what matters most plugin for
|
| 22 |
CVE-2026-4142
The Sentence To SEO (keywords, description and tags) plugin for WordPress is vul
|
| 22 |
CVE-2026-33601
If you use the zoneToCache function with a malicious authoritative server, an at
|
| 22 |
CVE-2026-33600
An RPZ sent by a malicious authoritative server can result in a null pointer der
|
| 22 |
CVE-2026-20445
In MDDP, there is a possible system crash due to a race condition. This could le
|
| 22 |
CVE-2026-3362
The Short Comment Filter plugin for WordPress is vulnerable to Stored Cross-Site
|
| 22 |
CVE-2026-3995
The OPEN-BRAIN plugin for WordPress is vulnerable to Stored Cross-Site Scripting
|
| 22 |
CVE-2026-3551
The Custom New User Notification plugin for WordPress is vulnerable to Stored Cr
|
| 22 |
CVE-2026-20603
This issue was addressed with improved redaction of sensitive information. This
|
| 22 |
CVE-2026-22285
Dell Device Management Agent (DDMA), versions prior to 26.02, contain a Plaintex
|
| 22 |
CVE-2025-62855
A path traversal vulnerability has been reported to affect File Station 5. If a
|
| 22 |
CVE-2025-11790
Credentials are not deleted from Acronis Agent after plan revocation. The follow
|
| 22 |
CVE-2025-32007
Out-of-bounds read for some TDX before version tdx module 1.5.24 within Ring 0:
|
| 22 |
CVE-2025-30413
Credentials are not deleted from Acronis Agent after plan revocation. The follow
|
| 22 |
CVE-2026-20037
A vulnerability in the NX-OS CLI privilege levels of Cisco UCS Manager Software
|
| 22 |
CVE-2026-34726
### Summary
Copier's `_subdirectory` setting is documented as the subdirectory
|
| 22 |
CVE-2026-2817
Use of insecure directory in Spring Data Geode snapshot import extracts archives
|
| 22 |
CVE-2026-28716
Information disclosure and manipulation due to improper authorization checks. Th
|
| 22 |
CVE-2026-20609
The issue was addressed with improved memory handling. This issue is fixed in wa
|
| 22 |
CVE-2026-28417
Vim is an open source, command line text editor. Prior to version 9.2.0073, an O
|
| 22 |
CVE-2026-30935
ImageMagick is free and open-source software used for editing and manipulating d
|
| 22 |
CVE-2026-1084
The Cookie consent for developers plugin for WordPress is vulnerable to Stored C
|
| 22 |
CVE-2026-20991
Improper privilege management in ThemeManager prior to SMR Mar-2026 Release 1 al
|
| 22 |
CVE-2026-0724
The WPlyr Media Block plugin for WordPress is vulnerable to Stored Cross-Site Sc
|
| 22 |
CVE-2026-28265
PowerStore, contains a Path Traversal vulnerability in the Service user. A low p
|
| 22 |
CVE-2026-1083
The Appointment Hour Booking - Booking Calendar plugin for WordPress is vulnerab
|
| 22 |
CVE-2026-0681
The Extended Random Number Generator plugin for WordPress is vulnerable to Store
|
| 22 |
CVE-2026-32061
OpenClaw versions prior to 2026.2.17 contain a path traversal vulnerability in t
|
| 22 |
CVE-2026-1053
The Ivory Search - WordPress Search Plugin plugin for WordPress is vulnerable to
|
| 22 |
CVE-2026-0743
The WP Content Permission plugin for WordPress is vulnerable to Stored Cross-Sit
|
| 22 |
CVE-2025-36105
IBM Planning Analytics Advanced Certified Containers 3.1.0 through 3.1.4 could a
|
| 22 |
CVE-2025-36187
IBM Knowledge Catalog Standard Cartridge 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.1, 5.1.1,
|
| 22 |
CVE-2026-1381
The Order Minimum/Maximum Amount Limits for WooCommerce plugin for WordPress is
|
| 22 |
CVE-2025-13727
The Video Share VOD - Turnkey Video Site Builder Script plugin for WordPress is
|
| 22 |
CVE-2026-1943
The YayMail - WooCommerce Email Customizer plugin for WordPress is vulnerable to
|
| 22 |
CVE-2026-2719
The Private WP suite plugin for WordPress is vulnerable to Stored Cross-Site Scr
|
| 22 |
CVE-2026-6041
The Buzz Comments plugin for WordPress is vulnerable to Stored Cross-Site Script
|
| 22 |
CVE-2026-2714
The Institute Management plugin for WordPress is vulnerable to Stored Cross-Site
|
| 22 |
CVE-2025-13919
Symantec Endpoint Protection, prior to 14.3 RU10 Patch 1, RU9 Patch 2, and RU8 P
|
| 22 |
CVE-2026-1379
The HTTP Headers plugin for WordPress is vulnerable to Stored Cross-Site Scripti
|
| 22 |
CVE-2026-20424
In display, there is a possible out of bounds read due to a missing bounds check
|
| 22 |
CVE-2026-22275
Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior
|
| 22 |
CVE-2026-20429
In display, there is a possible out of bounds read due to a missing bounds check
|
| 22 |
CVE-2025-43935
Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an improper resource
|
| 22 |
CVE-2026-22780
Rizin is a UNIX-like reverse engineering framework and command-line toolset. Pri
|
| 22 |
CVE-2026-20442
In display, there is a possible system crash due to use after free. This could l
|
| 22 |
CVE-2026-27485
OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, skills/ski
|
| 22 |
CVE-2026-20439
In imgsys, there is a possible system crash due to use after free. This could le
|
| 22 |
CVE-2026-28543
Race condition vulnerability in the maintenance and diagnostics module. Impact:
|
| 22 |
CVE-2026-20437
In MAE, there is a possible system crash due to use after free. This could lead
|
| 22 |
CVE-2026-24511
Dell PowerScale OneFS, versions 9.5.0.0 through 9.10.1.6 and versions 9.11.0.0 t
|
| 22 |
CVE-2026-28420
Vim is an open source, command line text editor. Prior to version 9.2.0076, a he
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 740d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2308d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2121d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1735d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2238d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4986d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1206d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1008d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3763d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 910d |