Total CVEs
16125
last 90 days
Avg Priority
36.3
of max 220
KEV
39
actively exploited
POC
3213
public exploits
Unpatched
4240
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
180
CVE-2025-40551
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil
170
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
164
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
160
CVE-2025-40536
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
124
CVE-2026-21643
An improper neutralization of special elements used in an sql command ('sql injection') vulnerabilit
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
Priority Distribution
| Priority | CVE |
|---|---|
| 38 |
CVE-2026-39111
SQL Injection vulnerability in Apartment Visitors Management System Apartment Vi
|
| 38 |
CVE-2026-3621
IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.4 IBM WebSphe
|
| 38 |
CVE-2026-35209
### Impact
Applications that pass unsanitized user input (e.g. parsed JSON requ
|
| 38 |
CVE-2026-34063
Nimiq's network-libp2p is a Nimiq network implementation based on libp2p. Prior
|
| 38 |
CVE-2026-6857
A flaw was found in camel-infinispan. This vulnerability involves unsafe deseria
|
| 38 |
CVE-2026-41231
Froxlor is open source server administration software. Prior to version 2.3.6, `
|
| 38 |
CVE-2026-32066
OpenClaw before 2026.3.1 contains an unbounded memory growth vulnerability in th
|
| 37 |
CVE-2026-0522
A local file inclusion vulnerability in the upload/download flow of the VertiGIS
|
| 37 |
CVE-2026-39866
Lawnchair is a free, open-source home app for Android. Prior to commit fcba413f5
|
| 37 |
CVE-2026-3690
OpenClaw Canvas Authentication Bypass Vulnerability. This vulnerability allows r
|
| 37 |
CVE-2026-4008
A flaw has been found in Tenda W3 1.0.0.3(2204). This issue affects some unknown
|
| 37 |
CVE-2026-3976
A weakness has been identified in Tenda W3 1.0.0.3(2204). Impacted is the functi
|
| 37 |
CVE-2026-3973
A vulnerability was determined in Tenda W3 1.0.0.3(2204). This affects the funct
|
| 37 |
CVE-2026-3971
A vulnerability has been found in Tenda i3 1.0.0.6(2204). Affected by this vulne
|
| 37 |
CVE-2026-27981
HomeBox is a home inventory and organization system. Prior to 0.24.0, the authen
|
| 37 |
CVE-2025-69419
Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously
craft
|
| 37 |
CVE-2026-22264
Suricata is a network IDS, IPS and NSM engine. Prior to version 8.0.3 and 7.0.14
|
| 37 |
CVE-2026-28791
Tina is a headless content management system. Prior to 2.1.7, a path traversal v
|
| 37 |
CVE-2026-25968
ImageMagick is free and open-source software used for editing and manipulating d
|
| 37 |
CVE-2026-32631
Git for Windows is the Windows port of Git. Versions prior to 2.53.0.windows.3 d
|
| 37 |
CVE-2026-25967
ImageMagick is free and open-source software used for editing and manipulating d
|
| 37 |
CVE-2025-12345
A security vulnerability has been detected in LLM-Claw 0.1.0/0.1.1/0.1.1a/0.1.1a
|
| 37 |
CVE-2026-32275
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. F
|
| 37 |
CVE-2026-3278
Improper neutralization of input during web page generation ('cross-site scripti
|
| 37 |
CVE-2026-4043
A security vulnerability has been detected in Tenda i12 1.0.0.6(2204). The impac
|
| 37 |
CVE-2026-4042
A weakness has been identified in Tenda i12 1.0.0.6(2204). The affected element
|
| 37 |
CVE-2026-4041
A security flaw has been discovered in Tenda i12 1.0.0.6(2204). Impacted is the
|
| 37 |
CVE-2026-4007
A vulnerability was detected in Tenda W3 1.0.0.3(2204). This vulnerability affec
|
| 37 |
CVE-2026-3975
A security flaw has been discovered in Tenda W3 1.0.0.3(2204). This issue affect
|
| 37 |
CVE-2026-3974
A vulnerability was identified in Tenda W3 1.0.0.3(2204). This vulnerability aff
|
| 37 |
CVE-2026-3970
A flaw has been found in Tenda i3 1.0.0.6(2204). Affected is the function formwr
|
| 37 |
CVE-2026-5992
A vulnerability was determined in Tenda F451 1.0.0.7. This affects the function
|
| 37 |
CVE-2026-4975
A vulnerability has been found in Tenda AC15 15.03.05.19. This affects the funct
|
| 37 |
CVE-2026-4974
A flaw has been found in Tenda AC7 15.03.06.44. Affected by this issue is the fu
|
| 37 |
CVE-2026-6137
A vulnerability was detected in Tenda F451 1.0.0.7_cn_svn7958. The affected elem
|
| 37 |
CVE-2026-5991
A vulnerability was found in Tenda F451 1.0.0.7. Affected by this issue is the f
|
| 37 |
CVE-2026-5988
A vulnerability was detected in Tenda F451 1.0.0.7. This impacts the function fo
|
| 37 |
CVE-2026-5990
A vulnerability has been found in Tenda F451 1.0.0.7. Affected by this vulnerabi
|
| 37 |
CVE-2026-5980
A flaw has been found in D-Link DIR-605L 2.13B01. Affected by this issue is the
|
| 37 |
CVE-2026-5983
A vulnerability was determined in D-Link DIR-605L 2.13B01. This issue affects th
|
| 37 |
CVE-2026-33804
@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass w
|
| 37 |
CVE-2026-5629
A vulnerability was detected in Belkin F9K1015 1.00.10. The affected element is
|
| 37 |
CVE-2026-32156
Use after free in Windows Universal Plug and Play (UPnP) Device Host allows an u
|
| 37 |
CVE-2026-33131
# H3 NodeRequestUrl bugs
Vulnerable pieces of code :
```js
import { H3, serve
|
| 37 |
CVE-2026-33667
OpenProject is an open-source project management application. In versions prior
|
| 37 |
CVE-2026-24052
Claude Code is an agentic coding tool. Prior to version 1.0.111, Claude Code con
|
| 37 |
CVE-2026-34076
## Summary
The `clerkFrontendApiProxy` function in `@clerk/backend` is vulnerab
|
| 37 |
CVE-2026-34727
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0,
|
| 37 |
CVE-2026-33735
MyTube is a self-hosted downloader and player for several video websites Prior t
|
| 37 |
CVE-2026-31989
OpenClaw versions prior to 2026.3.1 contain a server-side request forgery vulner
|
| 37 |
CVE-2026-4282
A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value st
|
| 37 |
CVE-2026-25167
Use after free in Microsoft Brokering File System allows an unauthorized attacke
|
| 37 |
CVE-2025-66413
Git for Windows is the Windows port of Git. Prior to 2.53.0(2), it is possible t
|
| 37 |
CVE-2026-40153
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the execute_com
|
| 37 |
CVE-2026-33745
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library
|
| 37 |
CVE-2026-33247
### Background
NATS.io is a high performance open source pub-sub distributed co
|
| 37 |
CVE-2026-2332
In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when ch
|
| 37 |
CVE-2026-27856
Doveadm credentials are verified using direct comparison which is susceptible to
|
| 37 |
CVE-2026-40585
blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, when a p
|
| 37 |
CVE-2026-2459
A vulnerability exists in REB500 for an authenticated user with Installer role t
|
| 37 |
CVE-2026-33488
## Summary
The `createKeys()` function in the LoginControl plugin's PGP 2FA sys
|
| 37 |
CVE-2026-32132
ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.
|
| 37 |
CVE-2026-2378
ArcSearch for Android versions prior to 1.12.7 could display a different domain
|
| 37 |
CVE-2026-26214
Galaxy FDS Android SDK (XiaoMi/galaxy-fds-sdk-android) version 3.0.8 and prior d
|
| 37 |
CVE-2026-29953
SQL Injection vulnerability in SchemaHero 0.23.0 via the column parameter to the
|
| 37 |
CVE-2026-33643
SQL Injection vulnerability in SchemaHero 0.23.0 via the column parameter to the
|
| 37 |
CVE-2026-23364
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: Comp
|
| 37 |
CVE-2026-20004
A vulnerability in the TLS library of Cisco IOS XE Software could allow an unaut
|
| 37 |
CVE-2026-20051
A vulnerability with the Ethernet VPN (EVPN) Layer 2 ingress packet processing o
|
| 37 |
CVE-2025-70058
An issue pertaining to CWE-295: Improper Certificate Validation was discovered i
|
| 37 |
CVE-2025-70045
An issue pertaining to CWE-295: Improper Certificate Validation was discovered i
|
| 37 |
CVE-2026-1707
pgAdmin versions 9.11 are affected by a Restore restriction bypass via key discl
|
| 37 |
CVE-2026-24281
Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse D
|
| 37 |
CVE-2026-5984
A vulnerability was identified in D-Link DIR-605L 2.13B01. Impacted is the funct
|
| 37 |
CVE-2026-20074
A vulnerability in the Intermediate System-to-Intermediate System (IS-IS) multi-
|
| 37 |
CVE-2026-20033
A vulnerability in Cisco Nexus 9000 Series Fabric Switches in ACI mode could all
|
| 37 |
CVE-2026-2450
.NET misconfiguration: use of impersonation vulnerability in upKeeper Solutions
|
| 37 |
CVE-2026-4371
A malicious mail server could send malformed strings with negative lengths, caus
|
| 37 |
CVE-2025-33088
IBM Concert 1.0.0 through 2.1.0 could allow a local user with specific knowledge
|
| 37 |
CVE-2026-33896
## Summary
`pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstr
|
| 37 |
CVE-2026-5795
In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication chec
|
| 37 |
CVE-2026-4428
A logic error in CRL distribution point validation in AWS-LC before 1.71.0 cause
|
| 37 |
CVE-2026-20010
A vulnerability in the Link Layer Discovery Protocol (LLDP) feature of Cisco NX-
|
| 37 |
CVE-2026-27579
CollabPlatform is a full-stack, real-time doc collaboration platform. In all ver
|
| 37 |
CVE-2026-34359
## Summary
`ManagedWebAccessUtils.getServer()` uses `String.startsWith()` to ma
|
| 37 |
CVE-2026-2713
IBM Trusteer Rapport installer 3.5.2309.290 IBM Trusteer Rapport could allow a l
|
| 37 |
CVE-2026-41035
In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value
|
| 37 |
CVE-2026-25205
Heap-based buffer overflow vulnerability in Samsung Open Source Escargot allows
|
| 37 |
CVE-2026-25207
Out-of-bounds write vulnerability in Samsung Open Source Escargot allows Overflo
|
| 37 |
CVE-2026-32775
libexif through 0.6.25 has a flaw in decoding MakerNotes. If the exif_mnote_data
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 741d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2309d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2122d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1736d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2239d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4986d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1207d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1009d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3763d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 911d |