| Metric | Value | Note |
|---|---|---|
| Total CVEs | 16225 | last 90 days |
| Avg Priority | 36.4 | of max 220 |
| KEV | 40 | actively exploited |
| POC | 3221 | public exploits |
| Unpatched | 4330 | CRIT/HIGH without patch |
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) that adds four real-world threat signals. The maximum of 220 is the sum of the four contributions below:

| Signal | Contribution | Meaning |
|---|---|---|
| KEV | +50 | CISA Known Exploited Vulnerability: confirmed active exploitation in the wild |
| EPSS | x100 | Exploit Prediction Scoring System: probability (0-1) of exploitation in the next 30 days, scaled to 0-100 |
| CVSS | x5 | Common Vulnerability Scoring System base score (0-10): technical severity, scaled to 0-50 |
| POC | +20 | Public exploit code exists, which lowers the barrier for attackers |

Priority bands (lower bound inclusive, matching the "120+" Critical band):

| Band | Score |
|---|---|
| Low | 0 to below 40 |
| Medium | 40 to below 80 |
| High | 80 to below 120 |
| Critical | 120 and above |
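The scorer below is an added example that implements the formula exactly as this page states it; it is not the dashboard's own code. The CVE ids, CVSS values, EPSS probabilities and KEV/PoC flags are constructed sample data, and the two JSON snippets copy only the field layout of the CISA KEV catalog feed and the FIRST EPSS API response, with made-up contents. Note that the "Oldest Unpatched" table further down lists priorities of 222 to 224, above the 220 maximum these four terms can produce, so the live scorer evidently applies something beyond what is described here.

```python
"""Priority Score triage as described on this page.

Added example, not the dashboard's own code. All CVE data below is
constructed; the JSON snippets follow the field layout of the CISA KEV
feed ("vulnerabilities": [{"cveID": ...}]) and the FIRST EPSS API response
("data": [{"cve": ..., "epss": "..."}]) but their contents are made up.
"""
import json

KEV_BONUS = 50     # CISA KEV listed: +50
EPSS_WEIGHT = 100  # EPSS probability (0-1) x100 -> 0-100
CVSS_WEIGHT = 5    # CVSS base score (0-10) x5 -> 0-50
POC_BONUS = 20     # public exploit code: +20
MAX_SCORE = KEV_BONUS + EPSS_WEIGHT + 10 * CVSS_WEIGHT + POC_BONUS  # 220

# Constructed feed snippets (real field names, sample content).
KEV_FEED = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2000-0001", "vendorProject": "ExampleCo", "product": "Widget"},
  {"cveID": "CVE-2000-0003", "vendorProject": "ExampleCo", "product": "Gadget"}
]}""")
EPSS_FEED = json.loads("""
{"data": [
  {"cve": "CVE-2000-0001", "epss": "0.970", "percentile": "0.999"},
  {"cve": "CVE-2000-0002", "epss": "0.004", "percentile": "0.700"},
  {"cve": "CVE-2000-0003", "epss": "0.120", "percentile": "0.950"}
]}""")
# CVSS base scores and PoC availability would normally come from NVD and an
# exploit index; here they are hand-assigned. CVE-2000-0004 deliberately has
# no EPSS entry so the missing-signal path is exercised.
CVSS_BASE = {"CVE-2000-0001": 9.8, "CVE-2000-0002": 7.5,
             "CVE-2000-0003": 5.3, "CVE-2000-0004": 8.1}
HAS_POC = {"CVE-2000-0001", "CVE-2000-0004"}


def priority_score(cvss, epss, kev, poc):
    """Sum the four signals exactly as the page's formula states."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS out of range: {cvss}")
    if not 0.0 <= epss <= 1.0:
        raise ValueError(f"EPSS must be a probability 0-1, got {epss}")
    score = CVSS_WEIGHT * cvss + EPSS_WEIGHT * epss
    if kev:
        score += KEV_BONUS
    if poc:
        score += POC_BONUS
    return round(score, 1)


def band(score):
    """Map a score to the page's bands; lower bound inclusive, as in '120+'."""
    if score < 40:
        return "Low"
    if score < 80:
        return "Medium"
    if score < 120:
        return "High"
    return "Critical"


def kev_ids(feed):
    return {entry["cveID"] for entry in feed["vulnerabilities"]}


def epss_by_cve(feed):
    # EPSS publishes the probability as a string; convert once here.
    return {entry["cve"]: float(entry["epss"]) for entry in feed["data"]}


def triage(cvss_base, has_poc, kev_feed, epss_feed):
    """Return (cve, score, band) tuples, highest priority first."""
    kev = kev_ids(kev_feed)
    epss = epss_by_cve(epss_feed)
    rows = []
    for cve, base in cvss_base.items():
        # A CVE absent from the EPSS feed contributes 0 on that signal
        # rather than being dropped from the queue.
        score = priority_score(base, epss.get(cve, 0.0), cve in kev, cve in has_poc)
        rows.append((cve, score, band(score)))
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows


if __name__ == "__main__":
    for cve, score, label in triage(CVSS_BASE, HAS_POC, KEV_FEED, EPSS_FEED):
        print(f"{cve}  {score:6.1f}/{MAX_SCORE}  {label}")
```

Running it shows what the weighting buys you: the CVSS 5.3 entry that sits in the KEV catalog scores 88.5 (High) and outranks the CVSS 8.1 entry with a public PoC at 60.5 (Medium), because confirmed exploitation counts for more than severity or exploit availability alone. That ordering is the behaviour the "Patch Now" list on this page reflects.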
Patch Now — Known Exploited Vulnerabilities
| Priority | CVE | Description |
|---|---|---|
| 185 | CVE-2026-1731 | BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain |
| 180 | CVE-2025-40551 | SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil |
| 170 | CVE-2026-1340 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem |
| 164 | CVE-2026-1281 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem |
| 160 | CVE-2025-40536 | SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that |
| 141 | CVE-2026-20131 | A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM |
| 137 | CVE-2026-1603 | An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen |
| 134 | CVE-2026-22769 | Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia |
| 129 | CVE-2026-33825 | Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to el |
| 128 | CVE-2026-24423 | SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code executi |
Priority Distribution
| Priority | CVE | Description |
|---|---|---|
| 38 | CVE-2026-32358 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injecti |
| 38 | CVE-2026-40745 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injecti |
| 38 | CVE-2026-5301 | Stored XSS in log viewer in CoolerControl/coolercontrol-ui <4.0.0 allows unauthe |
| 38 | CVE-2026-35568 | Summary: The java-sdk contains a DNS rebinding vulnerability. This vulnerabi |
| 38 | CVE-2025-7760 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site |
| 38 | CVE-2026-32303 | Cryptomator encrypts data being stored on cloud infrastructure. Prior to version |
| 38 | CVE-2026-2469 | Versions of the package directorytree/imapengine before 1.22.3 are vulnerable to |
| 38 | CVE-2025-40587 | A vulnerability has been identified in Polarion V2404 (All versions < V2404.5), |
| 38 | CVE-2026-32606 | The default configuration of systemd-cryptenroll as used by IncusOS through mkos |
| 38 | CVE-2026-26322 | OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Ga |
| 38 | CVE-2025-8589 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site |
| 38 | CVE-2025-14914 | IBM WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.1 could allow a |
| 38 | CVE-2026-23775 | Dell PowerProtect Data Domain appliances with Data Domain Operating System (DD O |
| 38 | CVE-2026-24837 | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS |
| 38 | CVE-2026-24836 | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS |
| 38 | CVE-2026-5466 | wolfSSL's ECCSI signature verifier `wc_VerifyEccsiHash` decodes the `r` and `s` |
| 38 | CVE-2026-32317 | Cryptomator for Android offers multi-platform transparent client-side encryption |
| 38 | CVE-2026-32318 | Cryptomator for IOS offers multi-platform transparent client-side encryption for |
| 38 | CVE-2025-64487 | Outline is a service that allows for collaborative documentation. Prior to 1.1.0 |
| 38 | CVE-2026-5479 | In wolfSSL's EVP layer, the ChaCha20-Poly1305 AEAD decryption path in wolfSSL_EV |
| 38 | CVE-2026-40882 | Summary: The Velbus asset import path parses attacker-controlled XML without |
| 38 | CVE-2026-32144 | Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_o |
| 38 | CVE-2026-5750 | An insecure direct object reference (IDOR) vulnerability in the Fullstep V5 regi |
| 38 | CVE-2026-28429 | Talishar is a fan-made Flesh and Blood project. Prior to commit 6be3871, a Path |
| 38 | CVE-2026-40901 | DataEase is an open-source data visualization and analytics platform. Versions 2 |
| 38 | CVE-2026-35485 | text-generation-webui is an open-source web interface for running Large Language |
| 38 | CVE-2026-34188 | Improper Neutralization of Special Elements used in an OS Command vulnerability |
| 38 | CVE-2024-4027 | A flaw was found in Undertow. Servlets using a method that calls HttpServletRequ |
| 38 | CVE-2026-30996 | An issue in the file handling logic of the component download.php of SAC-NFe v2. |
| 38 | CVE-2026-22205 | SPIP versions prior to 4.4.10 contain an authentication bypass vulnerability cau |
| 38 | CVE-2025-61611 | In modem, there is a possible improper input validation. This could lead to remo |
| 38 | CVE-2026-4155 | ChargePoint Home Flex Inclusion of Sensitive Information in Source Code Informat |
| 38 | CVE-2026-2339 | Missing Authentication for Critical Function vulnerability in TUBITAK BILGEM Sof |
| 38 | CVE-2026-33013 | Micronaut Framework is a JVM-based full stack Java framework designed for buildi |
| 38 | CVE-2026-33250 | Freeciv21 is a free open source, turn-based, empire-building strategy game. Vers |
| 38 | CVE-2026-27282 | ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Inpu |
| 38 | CVE-2026-25071 | XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain |
| 38 | CVE-2026-33064 | Impact: This is a NULL Pointer Dereference vulnerability leading to Denial |
| 38 | CVE-2025-69420 | Issue summary: A type confusion vulnerability exists in the TimeStamp Response v |
| 38 | CVE-2026-33485 | Summary: The RTMP `on_publish` callback at `plugin/Live/on_publish.php` is ac |
| 38 | CVE-2026-4157 | ChargePoint Home Flex revssh Service Command Injection Remote Code Execution Vul |
| 38 | CVE-2026-34070 | Summary: Multiple functions in `langchain_core.prompts.loading` read files fr |
| 38 | CVE-2026-31882 | SSE Authentication Bypass in Basic Auth Mode. Summary: When Dagu is configu |
| 38 | CVE-2026-30653 | An issue in Free5GC v.4.2.0 and before allows a remote attacker to cause a denia |
| 38 | CVE-2026-1693 | The OAuth grant type Resource Owner Password Credentials (ROPC) flow is still us |
| 38 | CVE-2026-1376 | IBM i 7.6 could allow a remote attacker to cause a denial of service using faile |
| 38 | CVE-2025-46290 | A logic issue was addressed with improved checks. This issue is fixed in macOS S |
| 38 | CVE-2026-1315 | By sending crafted files to the firmware update endpoint of Tapo C220 v1 and C52 |
| 38 | CVE-2026-29609 | OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability i |
| 38 | CVE-2026-32931 | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an |
| 38 | CVE-2026-25673 | An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4 |
| 38 | CVE-2026-3222 | The WP Maps plugin for WordPress is vulnerable to time-based blind SQL Injection |
| 38 | CVE-2026-21511 | Deserialization of untrusted data in Microsoft Office Outlook allows an unauthor |
| 38 | CVE-2025-61616 | In nr modem, there is a possible system crash due to improper input validation. |
| 38 | CVE-2025-69278 | In nr modem, there is a possible system crash due to improper input validation. |
| 38 | CVE-2025-69279 | In nr modem, there is a possible system crash due to improper input validation. |
| 38 | CVE-2025-61614 | In nr modem, there is a possible system crash due to improper input validation. |
| 38 | CVE-2025-61615 | In nr modem, there is a possible system crash due to improper input validation. |
| 38 | CVE-2025-61612 | In nr modem, there is a possible system crash due to improper input validation. |
| 38 | CVE-2025-61613 | In nr modem, there is a possible system crash due to improper input validation. |
| 38 | CVE-2026-26154 | Improper input validation in Windows Server Update Service allows an unauthorize |
| 38 | CVE-2026-20652 | The issue was addressed with improved memory handling. This issue is fixed in ma |
| 38 | CVE-2026-33483 | Summary: The `aVideoEncoderChunk.json.php` endpoint is a completely standalon |
| 38 | CVE-2026-1557 | The WP Responsive Images plugin for WordPress is vulnerable to Path Traversal in |
| 38 | CVE-2026-30846 | Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 throug |
| 38 | CVE-2026-24609 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP |
| 38 | CVE-2026-24608 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP |
| 38 | CVE-2026-25027 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP |
| 38 | CVE-2025-10990 | A flaw was found in REXML. A remote attacker could exploit inefficient regular e |
| 38 | CVE-2024-54263 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP |
| 38 | CVE-2026-20401 | In Modem, there is a possible system crash due to an uncaught exception. This co |
| 38 | CVE-2026-24635 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP |
| 38 | CVE-2026-4424 | A flaw was found in libarchive. This heap out-of-bounds read vulnerability exist |
| 38 | CVE-2026-0560 | A Server-Side Request Forgery (SSRF) vulnerability exists in parisneo/lollms ver |
| 38 | CVE-2026-22179 | OpenClaw versions prior to 2026.2.22 in macOS node-host system.run contain an al |
| 38 | CVE-2026-1988 | The Flexi Product Slider and Grid for WooCommerce plugin for WordPress is vulner |
| 38 | CVE-2026-27623 | Valkey is a distributed key-value database. Starting in version 9.0.0 and prior |
| 38 | CVE-2026-0109 | In dhd_tcpdata_info_get of dhd_ip.c, there is a possible Denial of Service due t |
| 38 | CVE-2026-28276 | Initiative is a self-hosted project management platform. An access control vulne |
| 38 | CVE-2026-0599 | A vulnerability in huggingface/text-generation-inference version 3.3.6 allows un |
| 38 | CVE-2026-32241 | Flannel is a network fabric for containers, designed for Kubernetes. The Flannel |
| 38 | CVE-2026-32130 | ZITADEL is an open source identity management platform. From 2.68.0 to before 3. |
| 38 | CVE-2026-28039 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP |
| 38 | CVE-2026-27343 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP |
| 38 | CVE-2026-27052 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP |
| 38 | CVE-2026-25326 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP |
| 38 | CVE-2026-27633 | TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prio |
| 38 | CVE-2026-27630 | TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prio |
| 38 | CVE-2025-70084 | Directory traversal vulnerability in OpenSatKit 2.2.1 allows attackers to gain a |
| 38 | CVE-2026-1708 | The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin p |
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 740d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2308d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2121d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1735d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2238d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4986d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1206d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1008d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3763d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 910d |