Total CVEs
16325
last 90 days
Avg Priority
36.5
of max 220
KEV
37
actively exploited
POC
3563
public exploits
Unpatched
5452
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
194
CVE-2026-24061
telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for t
185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
184
CVE-2026-23760
SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability
180
CVE-2025-40551
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil
170
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
164
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
160
CVE-2025-40536
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
Priority Distribution
| Priority | CVE |
|---|---|
| 50 |
CVE-2026-32482
Unrestricted Upload of File with Dangerous Type vulnerability in deothemes Ona o
|
| 50 |
CVE-2026-25413
Unrestricted Upload of File with Dangerous Type vulnerability in iqonicdesign WP
|
| 50 |
CVE-2026-0488
An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could ex
|
| 50 |
CVE-2025-70983
Incorrect access control in the authRoutes function of SpringBlade v4.5.0 allows
|
| 50 |
CVE-2026-0755
gemini-mcp-tool execAsync Command Injection Remote Code Execution Vulnerability.
|
| 50 |
CVE-2026-22172
OpenClaw versions prior to 2026.3.12 contain an authorization bypass vulnerabili
|
| 50 |
CVE-2026-21410
InSAT MasterSCADA BUK-TS is susceptible to SQL Injection through its main web in
|
| 50 |
CVE-2026-39888
## Summary
`execute_code()` in `praisonaiagents.tools.python_tools` defaults to
|
| 50 |
CVE-2026-33396
OneUptime is an open-source monitoring and observability platform. Prior to vers
|
| 50 |
CVE-2026-33502
### Summary
An unauthenticated server-side request forgery vulnerability in `plu
|
| 50 |
CVE-2026-5412
In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in th
|
| 50 |
CVE-2026-40089
Sonicverse is a Self-hosted Docker Compose stack for live radio streaming. The S
|
| 49 |
CVE-2026-3060
SGLang' encoder parallel disaggregation system is vulnerable to unauthenticated
|
| 49 |
CVE-2025-13942
A command injection vulnerability in the UPnP function of the Zyxel EX3510-B0 fi
|
| 49 |
CVE-2026-3843
Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 on Linux conta
|
| 49 |
CVE-2026-1357
The Migration, Backup, Staging - WPvivid Backup & Migration plugin for WordPress
|
| 49 |
CVE-2026-4003
The Users manager - PN plugin for WordPress is vulnerable to Privilege Escalatio
|
| 49 |
CVE-2025-10484
The Registration & Login with Mobile Phone Number for WooCommerce plugin for Wor
|
| 49 |
CVE-2025-59059
Remote Code Execution Vulnerability in NashornScriptEngineCreator is reported in
|
| 49 |
CVE-2026-31975
Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Curso
|
| 49 |
CVE-2026-27476
RustFly 2.0.0 contains a command injection vulnerability in its remote UI contro
|
| 49 |
CVE-2026-21536
Microsoft Devices Pricing Program Remote Code Execution Vulnerability
|
| 49 |
CVE-2026-27194
D-Tale is a visualizer for pandas data structures. Versions prior to 3.20.0 are
|
| 49 |
CVE-2026-27744
The SPIP tickets plugin versions prior to 4.3.3 contain an unauthenticated remot
|
| 49 |
CVE-2026-32985
Xerte Online Toolkits versions 3.14 and earlier contain an unauthenticated arbit
|
| 49 |
CVE-2026-30303
The command auto-approval module in Axon Code contains an OS Command Injection v
|
| 49 |
CVE-2025-69983
FUXA v1.2.7 allows Remote Code Execution (RCE) via the project import functional
|
| 49 |
CVE-2026-23837
MyTube is a self-hosted downloader and player for several video websites. A vuln
|
| 49 |
CVE-2026-21531
Deserialization of untrusted data in Azure SDK allows an unauthorized attacker t
|
| 49 |
CVE-2026-23647
Glory RBG-100 recycler systems using the ISPK-08 software component contain hard
|
| 49 |
CVE-2024-55020
A command injection vulnerability in the DHCP activation feature of Weintek cMT-
|
| 49 |
CVE-2026-2628
The All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin for WordPres
|
| 49 |
CVE-2025-70831
A Remote Code Execution (RCE) vulnerability was found in Smanga 3.2.7 in the /ph
|
| 49 |
CVE-2026-1729
The AdForest theme for WordPress is vulnerable to authentication bypass in all v
|
| 49 |
CVE-2026-26093
Improper Neutralization of Special Elements used in a Command ('Command Injectio
|
| 49 |
CVE-2026-2333
Improper Neutralization of Special Elements used in a Command ('Command Injectio
|
| 49 |
CVE-2026-30402
An issue in wgcloud v.2.3.7 and before allows a remote attacker to execute arbit
|
| 49 |
CVE-2026-39890
## Summary
The `AgentService.loadAgentFromFile` method uses the `js-yaml` librar
|
| 49 |
CVE-2025-62193
Sites running NOAA PMEL Live Access Server (LAS) are vulnerable to remote code e
|
| 49 |
CVE-2026-3535
The DSGVO Google Web Fonts GDPR plugin for WordPress is vulnerable to arbitrary
|
| 49 |
CVE-2026-21659
Unauthenticated Remote Code Execution and Information Disclosure due to Local Fi
|
| 49 |
CVE-2026-33057
#### Summary
An explicit web endpoint inside the `ai/` testing module infrastruc
|
| 49 |
CVE-2026-21628
A improperly secured file management feature allows uploads of dangerous data ty
|
| 49 |
CVE-2026-2096
Agentflow developed by Flowring has a Missing Authentication vulnerability, allo
|
| 49 |
CVE-2017-20224
Telesquare SKT LTE Router SDT-CS3B1 version 1.2.0 contains an arbitrary file upl
|
| 49 |
CVE-2026-2249
METIS DFS devices (versions <= oscore 2.1.234-r18) expose a web-based shell at t
|
| 49 |
CVE-2026-2248
METIS WIC devices (versions <= oscore 2.1.234-r18) expose a web-based shell at t
|
| 49 |
CVE-2026-26830
pdf-image (npm package) through version 2.0.0 allows OS command injection via th
|
| 49 |
CVE-2025-66480
Wildfire IM is an instant messaging and real-time audio/video solution. Prior to
|
| 49 |
CVE-2026-33937
## Summary
`Handlebars.compile()` accepts a pre-parsed AST object in addition t
|
| 49 |
CVE-2026-21969
Vulnerability in the Oracle Agile Product Lifecycle Management for Process produ
|
| 49 |
CVE-2026-21658
Unauthenticated Remote Code Execution i.e Improper Control of Generation of Code
|
| 49 |
CVE-2026-34243
#### Summary
A GitHub Actions workflow uses untrusted user input from `issue_co
|
| 49 |
CVE-2026-25072
XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain
|
| 49 |
CVE-2025-37184
A vulnerability exists in an Orchestrator service that could allow an unauthenti
|
| 49 |
CVE-2026-1056
The Snow Monkey Forms plugin for WordPress is vulnerable to arbitrary file delet
|
| 49 |
CVE-2025-14532
DobryCMS's upload file functionality allows an unauthenticated remote attacker t
|
| 49 |
CVE-2025-59388
A use of hard-coded password vulnerability has been reported to affect Hyper Dat
|
| 49 |
CVE-2026-0926
The Prodigy Commerce plugin for WordPress is vulnerable to Local File Inclusion
|
| 49 |
CVE-2026-28778
International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Recei
|
| 49 |
CVE-2025-69874
nanotar through 0.2.0 has a path traversal vulnerability in parseTar() and parse
|
| 49 |
CVE-2026-26793
GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulner
|
| 49 |
CVE-2026-3300
The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Executio
|
| 49 |
CVE-2026-3584
The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in al
|
| 49 |
CVE-2026-4257
The Contact Form by Supsystic plugin for WordPress is vulnerable to Server-Side
|
| 49 |
CVE-2026-26339
Hyland Alfresco Transformation Service allows unauthenticated attackers to achie
|
| 49 |
CVE-2026-3826
IFTOP developed by WellChoose has a Local File Inclusion vulnerability, allowing
|
| 49 |
CVE-2026-27446
Missing Authentication for Critical Function (CWE-306) vulnerability in Apache A
|
| 49 |
CVE-2026-2331
An attacker may perform unauthenticated read and write operations on sensitive f
|
| 49 |
CVE-2026-1405
The Slider Future plugin for WordPress is vulnerable to arbitrary file uploads d
|
| 49 |
CVE-2026-26832
node-tesseract-ocr is an npm package that provides a Node.js wrapper for Tessera
|
| 49 |
CVE-2026-22886
OpenMQ exposes a TCP-based management service (imqbrokerd) that by default requi
|
| 49 |
CVE-2026-3136
An improper authorization vulnerability in GitHub Trigger Comment Control in Goo
|
| 49 |
CVE-2026-22236
The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVO
|
| 49 |
CVE-2026-22238
The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVO
|
| 49 |
CVE-2026-1830
The Quick Playground plugin for WordPress is vulnerable to Remote Code Execution
|
| 49 |
CVE-2026-2631
The Datalogics Ecommerce Delivery WordPress plugin before 2.6.60 exposes an una
|
| 49 |
CVE-2026-20160
A vulnerability in Cisco Smart Software Manager On-Prem (SSM On-Prem) could allo
|
| 49 |
CVE-2026-26795
GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulner
|
| 49 |
CVE-2026-26791
GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulner
|
| 49 |
CVE-2026-26792
GL-iNet GL-AR300M16 v4.3.11 was discovered to contain multiple command injection
|
| 49 |
CVE-2026-26333
Calero VeraSMART versions prior to 2022 R1 expose an unauthenticated .NET Remoti
|
| 49 |
CVE-2026-32136
AdGuard Home is a network-wide software for blocking ads and tracking. Prior to
|
| 49 |
CVE-2026-1358
Airleader Master versions 6.381 and prior allow for file uploads without
restri
|
| 49 |
CVE-2026-23944
Arcane is an interface for managing Docker containers, images, networks, and vol
|
| 49 |
CVE-2026-24531
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 49 |
CVE-2025-54003
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 49 |
CVE-2025-50003
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 49 |
CVE-2025-49994
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 49 |
CVE-2025-47474
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 730d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2298d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2111d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1725d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2228d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4976d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1196d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 998d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3753d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 900d |