Total CVEs
16359
last 90 days
Avg Priority
36.3
of max 220
KEV
40
actively exploited
POC
3231
public exploits
Unpatched
4337
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
180
CVE-2025-40551
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil
170
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
164
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
160
CVE-2025-40536
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
129
CVE-2026-33825
Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to el
128
CVE-2026-24423
SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code executi
Priority Distribution
| Priority | CVE |
|---|---|
| 38 |
CVE-2026-3396
WCAPF - WooCommerce Ajax Product Filter plugin is vulnerable to time-based SQL I
|
| 38 |
CVE-2026-3657
The My Sticky Bar plugin for WordPress is vulnerable to SQL injection via the `s
|
| 38 |
CVE-2026-30637
Server-Side Request Forgery (SSRF) vulnerability exists in the AnnounContent of
|
| 38 |
CVE-2026-5426
Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver de
|
| 38 |
CVE-2026-28461
OpenClaw versions prior to 2026.3.1 contain an unbounded memory growth vulnerabi
|
| 38 |
CVE-2026-33756
Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.5
|
| 38 |
CVE-2026-35464
## Summary
The fix for CVE-2026-33509 (GHSA-r7mc-x6x7-cqxx) added an `ADMIN_ONL
|
| 38 |
CVE-2026-1584
A flaw was found in gnutls. A remote, unauthenticated attacker can exploit this
|
| 38 |
CVE-2026-3509
An unauthenticated remote attacker may be able to control the format string of m
|
| 38 |
CVE-2026-6319
Use after free in Payments in Google Chrome on Android prior to 147.0.7727.101 a
|
| 38 |
CVE-2026-26029
sf-mcp-server is an implementation of Salesforce MCP server for Claude for Deskt
|
| 38 |
CVE-2026-6308
Out of bounds read in Media in Google Chrome prior to 147.0.7727.101 allowed a r
|
| 38 |
CVE-2026-4662
The JetEngine plugin for WordPress is vulnerable to SQL Injection via the `listi
|
| 38 |
CVE-2026-22182
wpDiscuz before 7.6.47 contains an unauthenticated denial of service vulnerabili
|
| 38 |
CVE-2026-26321
OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Fe
|
| 38 |
CVE-2026-40613
Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.
|
| 38 |
CVE-2026-0692
The BlueSnap Payment Gateway for WooCommerce plugin for WordPress is vulnerable
|
| 38 |
CVE-2026-0846
A vulnerability in the `filestring()` function of the `nltk.util` module in nltk
|
| 38 |
CVE-2025-62166
FreshRSS is a free, self-hostable RSS aggregator. Prior 1.28.0, a bug in the aut
|
| 38 |
CVE-2026-1285
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4
|
| 38 |
CVE-2026-2413
The Ally - Web Accessibility & Usability plugin for WordPress is vulnerable to S
|
| 38 |
CVE-2026-1280
The Frontend File Manager Plugin for WordPress is vulnerable to unauthorized fil
|
| 38 |
CVE-2025-59895
Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contai
|
| 38 |
CVE-2026-25121
apko allows users to build and publish OCI container images built from apk packa
|
| 38 |
CVE-2026-1800
The Fonts Manager | Custom Fonts plugin for WordPress is vulnerable to time-base
|
| 38 |
CVE-2026-27572
Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04,
|
| 38 |
CVE-2026-2268
The Ninja Forms plugin for WordPress is vulnerable to Sensitive Information Expo
|
| 38 |
CVE-2026-2511
The JS Help Desk - AI-Powered Support & Ticketing System plugin for WordPress is
|
| 38 |
CVE-2026-3658
The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin p
|
| 38 |
CVE-2026-33096
Out-of-bounds read in Windows HTTP.sys allows an unauthorized attacker to deny s
|
| 38 |
CVE-2026-30405
An issue in GoBGP gobgpd v.4.2.0 allows a remote attacker to cause a denial of s
|
| 38 |
CVE-2026-29785
### Background
NATS.io is a high performance open source pub-sub distributed co
|
| 38 |
CVE-2026-4987
The SureForms - Contact Form, Payment Form & Other Custom Form Builder plugin fo
|
| 38 |
CVE-2025-5804
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 38 |
CVE-2026-1773
IEC 60870-5-104: Potential Denial of Service impact on reception of invalid U-fo
|
| 38 |
CVE-2026-26316
OpenClaw is a personal AI assistant. Prior to 2026.2.13, the optional BlueBubble
|
| 38 |
CVE-2026-25679
url.Parse insufficiently validated the host/authority component and accepted som
|
| 38 |
CVE-2025-7714
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injecti
|
| 38 |
CVE-2026-1507
The affected products are vulnerable to an uncaught exception that could allow a
|
| 38 |
CVE-2026-4156
ChargePoint Home Flex OCPP getpreq Stack-based Buffer Overflow Remote Code Execu
|
| 38 |
CVE-2026-27889
### Background
NATS.io is a high performance open source pub-sub distributed co
|
| 38 |
CVE-2025-14353
The ZIP Code Based Content Protection plugin for WordPress is vulnerable to SQL
|
| 38 |
CVE-2026-2579
The WowStore - Store Builder & Product Blocks for WooCommerce plugin for WordPre
|
| 38 |
CVE-2025-66687
Doom Launcher 3.8.1.0 is vulnerable to Directory Traversal due to missing file p
|
| 38 |
CVE-2026-2580
The WP Maps - Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory &
|
| 38 |
CVE-2026-4306
The WP Job Portal plugin for WordPress is vulnerable to SQL Injection via the 'r
|
| 38 |
CVE-2026-40938
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style
|
| 38 |
CVE-2025-70363
Incorrect access control in the REST API of Ibexa & Ciril GROUP eZ Platform / Ci
|
| 38 |
CVE-2026-24445
The WebSocket Application Programming Interface lacks restrictions on
the numbe
|
| 38 |
CVE-2026-25945
The WebSocket Application Programming Interface lacks restrictions on
the numbe
|
| 38 |
CVE-2026-25114
The WebSocket Application Programming Interface lacks restrictions on
the numbe
|
| 38 |
CVE-2026-25113
The WebSocket Application Programming Interface lacks restrictions on
the numbe
|
| 38 |
CVE-2026-20792
The WebSocket Application Programming Interface lacks restrictions on
the numbe
|
| 38 |
CVE-2026-25577
Emmett is a framework designed to simplify your development process. Prior to 1.
|
| 38 |
CVE-2026-23664
Improper restriction of communication channel to intended endpoints in Azure IoT
|
| 38 |
CVE-2026-20882
The WebSocket Application Programming Interface lacks restrictions on the number
|
| 38 |
CVE-2026-2468
The Quentn WP plugin for WordPress is vulnerable to SQL Injection via the 'qntn_
|
| 38 |
CVE-2026-27778
The WebSocket Application Programming Interface lacks restrictions on the number
|
| 38 |
CVE-2026-32596
### Summary
Glances web server runs without authentication by default when start
|
| 38 |
CVE-2026-22259
Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.1
|
| 38 |
CVE-2026-23536
A security issue was discovered in the Feast Feature Server's `/read-document` e
|
| 38 |
CVE-2026-4634
A flaw was found in Keycloak. An unauthenticated attacker can exploit this vulne
|
| 38 |
CVE-2025-14031
IBM Sterling B2B Integrator and and IBM Sterling File Gateway 6.1.0.0 through 6.
|
| 38 |
CVE-2026-2229
ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack du
|
| 38 |
CVE-2025-69421
Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer
de
|
| 38 |
CVE-2026-4427
A flaw was found in pgproto3. A malicious or compromised PostgreSQL server can e
|
| 38 |
CVE-2026-3489
The DirectoryPress - Business Directory And Classified Ad Listing plugin for Wor
|
| 38 |
CVE-2026-24696
The WebSocket Application Programming Interface lacks restrictions on the number
|
| 38 |
CVE-2026-26055
Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0
|
| 38 |
CVE-2026-3496
The JetBooking plugin for WordPress is vulnerable to SQL Injection via the 'chec
|
| 38 |
CVE-2025-70758
chetans9 core-php-admin-panel through commit a94a780d6 contains an authenticatio
|
| 38 |
CVE-2026-27141
Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running s
|
| 38 |
CVE-2026-2236
C&Cm@il developed by HGiga has a SQL Injection vulnerability, allowing unauthen
|
| 38 |
CVE-2026-34731
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AV
|
| 38 |
CVE-2026-4352
The JetEngine plugin for WordPress is vulnerable to SQL Injection via the Custom
|
| 38 |
CVE-2026-33509
## Summary
The `set_config_value()` API endpoint allows users with the non-admi
|
| 38 |
CVE-2026-32319
## Summary
Ella Core panics when processing a malformed integrity protected NGA
|
| 38 |
CVE-2026-20434
In Modem, there is a possible out of bounds write due to a missing bounds check.
|
| 38 |
CVE-2026-30952
liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScri
|
| 38 |
CVE-2026-31870
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library
|
| 38 |
CVE-2025-15285
The SEO Flow by LupsOnline plugin for WordPress is vulnerable to unauthorized mo
|
| 38 |
CVE-2026-20650
A denial-of-service issue was addressed with improved validation. This issue is
|
| 38 |
CVE-2026-27449
Umbraco Engage is a business intelligence platform. A vulnerability has been ide
|
| 38 |
CVE-2026-26314
go-ethereum (geth) is a golang execution layer implementation of the Ethereum pr
|
| 38 |
CVE-2026-26336
Hyland Alfresco allows unauthenticated attackers to read arbitrary files from pr
|
| 38 |
CVE-2026-34381
Admidio is an open-source user management solution. From version 5.0.0 to before
|
| 38 |
CVE-2026-23897
Apollo Server is an open-source, spec-compliant GraphQL server that's compatible
|
| 38 |
CVE-2026-28462
OpenClaw versions prior to 2026.2.13 contain a vulnerability in the browser cont
|
| 38 |
CVE-2026-23708
A improper authentication vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through
|
| 38 |
CVE-2026-27704
The Dart and Flutter SDKs provide software development kits for the Dart program
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 740d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2308d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2121d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1735d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2238d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4986d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1206d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1008d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3763d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 910d |