Total CVEs: 16325 (last 90 days)
Avg Priority: 36.5 (of max 220)
KEV: 37 (actively exploited)
POC: 3563 (public exploits)
Unpatched: 5452 (CRIT/HIGH without patch)
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
| Signal | Contribution | Meaning |
|---|---|---|
| KEV | +50 | CISA Known Exploited Vulnerability: confirmed active exploitation in the wild |
| EPSS | x100 | Exploit Prediction Scoring System: probability of exploitation in next 30 days (0-100) |
| CVSS | x5 | Common Vulnerability Scoring System: technical severity (0-50) |
| POC | +20 | Public exploit code exists: lowers barrier for attackers |

| Score | Level |
|---|---|
| 0-40 | Low |
| 40-80 | Medium |
| 80-120 | High |
| 120+ | Critical |
Patch Now — Known Exploited Vulnerabilities
| Priority | CVE | Description |
|---|---|---|
| 194 | CVE-2026-24061 | telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for t |
| 185 | CVE-2026-1731 | BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain |
| 184 | CVE-2026-23760 | SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability |
| 180 | CVE-2025-40551 | SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil |
| 170 | CVE-2026-1340 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem |
| 164 | CVE-2026-1281 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem |
| 160 | CVE-2025-40536 | SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that |
| 141 | CVE-2026-20131 | A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM |
| 137 | CVE-2026-1603 | An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen |
| 134 | CVE-2026-22769 | Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia |
Priority Distribution
| Priority | CVE | Description |
|---|---|---|
| 51 | CVE-2026-30237 | Group-Office is an enterprise customer relationship management and groupware too |
| 51 | CVE-2019-25426 | Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerabili |
| 51 | CVE-2019-25418 | Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerabili |
| 51 | CVE-2019-25424 | Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerabili |
| 51 | CVE-2026-27645 | changedetection.io is a free open source web page change detection tool. In vers |
| 51 | CVE-2026-27120 | Leafkit is a templating language with Swift-inspired syntax. Prior to 1.4.1, htm |
| 51 | CVE-2026-27612 | Repostat is a React component to fetch and display GitHub repository info. Prior |
| 51 | CVE-2019-25412 | Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerabili |
| 51 | CVE-2026-26023 | Dify is an open-source LLM app development platform. Prior to 1.13.0, a cross si |
| 51 | CVE-2026-28348 | lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml |
| 51 | CVE-2026-28350 | lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml |
| 51 | CVE-2019-25323 | Heatmiser Netmonitor v3.03 contains an HTML injection vulnerability in the outpu |
| 51 | CVE-2019-25324 | RICOH Web Image Monitor 1.09 contains an HTML injection vulnerability in the add |
| 51 | CVE-2026-30563 | A Stored Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales |
| 51 | CVE-2026-32986 | A Second-Order Cross-Site Scripting (XSS) vulnerability exists in Textpattern CM |
| 51 | CVE-2015-20116 | Next Click Ventures RealtyScript 4.0.2 fails to properly sanitize CSV file uploa |
| 51 | CVE-2016-20036 | Wowza Streaming Engine 4.5.0 contains multiple reflected cross-site scripting vu |
| 51 | CVE-2019-25370 | OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allow |
| 51 | CVE-2019-25409 | Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerabili |
| 51 | CVE-2019-25408 | Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerabili |
| 51 | CVE-2026-31807 | SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG |
| 51 | CVE-2026-31809 | SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG |
| 51 | CVE-2019-25406 | Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerabili |
| 51 | CVE-2019-25410 | Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerabili |
| 51 | CVE-2019-25294 | html5_snmp 1.11 contains a persistent cross-site scripting vulnerability that al |
| 51 | CVE-2026-30841 | Wallos is an open-source, self-hostable personal subscription tracker. Prior to |
| 51 | CVE-2020-37111 | 60CycleCMS 2.5.2 contains a cross-site scripting (XSS) vulnerability in news.php |
| 51 | CVE-2026-27176 | MajorDoMo (aka Major Domestic Module) contains a reflected cross-site scripting |
| 51 | CVE-2019-25380 | Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple reflected cros |
| 51 | CVE-2019-25449 | OrientDB 3.0.17 contains a reflected cross-site scripting vulnerability that all |
| 51 | CVE-2019-25384 | Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple reflected cros |
| 51 | CVE-2019-25381 | Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple reflected cros |
| 51 | CVE-2019-25385 | Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains a reflected cross-site |
| 51 | CVE-2019-25386 | Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple reflected cros |
| 51 | CVE-2019-25378 | Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple cross-site scr |
| 51 | CVE-2019-25383 | Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple reflected cros |
| 51 | CVE-2026-1411 | A flaw has been found in Beetel 777VR1 up to 01.00.09/01.00.09_55. The affected |
| 51 | CVE-2021-47768 | ImportExportTools NG 10.0.4 contains a persistent HTML injection vulnerability i |
| 51 | CVE-2021-47841 | SnipCommand 0.1.0 contains a cross-site scripting vulnerability that allows atta |
| 51 | CVE-2019-25375 | OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allow |
| 51 | CVE-2025-64736 | An out-of-bounds read vulnerability exists in the ABF parsing functionality of T |
| 51 | CVE-2019-25376 | OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allow |
| 51 | CVE-2026-0521 | A reflected cross-site scripting (XSS) vulnerability in the PDF export functiona |
| 51 | CVE-2021-47844 | Xmind 2020 contains a cross-site scripting vulnerability that allows attackers t |
| 51 | CVE-2026-24768 | NocoDB is software for building databases as spreadsheets. Prior to version 0.30 |
| 51 | CVE-2025-70890 | A stored cross-site scripting (XSS) vulnerability exists in Cyber Cafe Managemen |
| 51 | CVE-2025-70891 | A stored cross-site scripting (XSS) vulnerability exists in Phpgurukul Cyber Caf |
| 51 | CVE-2026-25651 | client-certificate-auth is middleware for Node.js implementing client SSL certif |
| 51 | CVE-2025-65368 | SparkyFitness v0.15.8.2 is vulnerable to Cross Site Scripting (XSS) via user inp |
| 51 | CVE-2025-70849 | Arbitrary File Upload in podinfo thru 6.9.0 allows unauthenticated attackers to |
| 51 | CVE-2026-23645 | SiYuan is self-hosted, open source personal knowledge management software. Prior |
| 51 | CVE-2026-23768 | lucy-xss-filter before commit 7c1de6d allows an attacker to induce server-side H |
| 51 | CVE-2026-25516 | NiceGUI is a Python-based UI framework. The ui.markdown() component uses the mar |
| 51 | CVE-2026-23730 | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redi |
| 51 | CVE-2026-23729 | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redi |
| 51 | CVE-2026-23728 | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redi |
| 51 | CVE-2026-23726 | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redi |
| 51 | CVE-2021-47836 | Markdown Explorer 0.1.1 contains a cross-site scripting vulnerability that allow |
| 51 | CVE-2025-15265 | An SSR XSS exists in async hydration when attacker‑controlled keys are passed to |
| 51 | CVE-2026-30830 | Defuddle cleans up HTML pages. Prior to version 0.9.0, the _findContentBySchemaT |
| 51 | CVE-2026-25154 | LocalSend is a free, open-source app that allows users to share files and messag |
| 51 | CVE-2026-0749 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti |
| 51 | CVE-2025-70958 | Multiple reflected cross-site scripting (XSS) vulnerabilities in the installatio |
| 51 | CVE-2026-27116 | Vikunja is an open-source self-hosted task management platform. Prior to version |
| 51 | CVE-2025-69429 | The ORICO NAS CD3510 (version V1.9.12 and below) contains an Incorrect Symlink F |
| 51 | CVE-2026-25578 | Navidrome is an open source web-based music collection server and streamer. Prio |
| 51 | CVE-2019-25374 | OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allow |
| 51 | CVE-2020-36932 | SeaCMS 11.1 contains a stored cross-site scripting vulnerability in the checkuse |
| 51 | CVE-2026-23745 | node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize |
| 51 | CVE-2026-26987 | LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Ve |
| 50 | CVE-2025-69820 | Directory Traversal vulnerability in Beam beta9 v.0.1.521 allows a remote attack |
| 50 | CVE-2026-32057 | OpenClaw versions prior to 2026.2.25 contain an authentication bypass vulnerabil |
| 50 | CVE-2026-28208 | Junrar is an open source java RAR archive library. Prior to version 7.5.8, a bac |
| 50 | CVE-2026-27729 | Astro is a web framework. In versions 9.0.0 through 9.5.3, Astro server actions |
| 50 | CVE-2026-22851 | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1 |
| 50 | CVE-2026-32045 | OpenClaw versions prior to 2026.2.21 incorrectly apply tokenless Tailscale heade |
| 50 | CVE-2026-29076 | cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library |
| 50 | CVE-2026-22819 | Outray openSource ngrok alternative. Prior to 0.1.5, this vulnerability allows a |
| 50 | CVE-2026-27482 | Ray is an AI compute engine. In versions 2.53.0 and below, the dashboard HTTP ser |
| 50 | CVE-2026-30247 | WeKnora is an LLM-powered framework designed for deep document understanding and |
| 50 | CVE-2026-27801 | Vaultwarden is an unofficial Bitwarden compatible server written in Rust, former |
| 50 | CVE-2025-15363 | The Get Use APIs WordPress plugin before 2.0.10 executes imported JSON, which c |
| 50 | CVE-2026-26311 | Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, |
| 50 | CVE-2026-4603 | Versions of the package jsrsasign before 11.1.1 are vulnerable to Division by ze |
| 50 | CVE-2026-26310 | Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, |
| 49 | CVE-2026-5103 | A weakness has been identified in Totolink A3300R 17.0.0cu.557_b20221024. This i |
| 49 | CVE-2026-5104 | A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_b2022 |
| 49 | CVE-2026-5102 | A security flaw has been discovered in Totolink A3300R 17.0.0cu.557_b20221024. T |
| 49 | CVE-2026-5101 | A vulnerability was identified in Totolink A3300R 17.0.0cu.557_b20221024. This a |
| 49 | CVE-2026-5020 | A vulnerability was detected in Totolink A3600R 4.1.2cu.5182_B20201102. Affected |
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 730d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2298d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2111d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1725d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2228d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4976d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1196d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 998d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3753d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 900d |