Total CVEs
16310
last 90 days
Avg Priority
36.5
of max 220
KEV
40
actively exploited
POC
3211
public exploits
Unpatched
4325
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
180
CVE-2025-40551
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil
170
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
164
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
160
CVE-2025-40536
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
129
CVE-2026-33825
Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to el
124
CVE-2026-21643
An improper neutralization of special elements used in an sql command ('sql injection') vulnerabilit
Priority Distribution
| Priority | CVE |
|---|---|
| 36 |
CVE-2026-34607
Emlog is an open source website building system. In versions 2.6.2 and prior, a
|
| 36 |
CVE-2026-2269
The Uncanny Automator - Easy Automation, Integration, Webhooks & Workflow Builde
|
| 36 |
CVE-2026-22766
Dell Wyse Management Suite, versions prior to WMS 5.5, contain an Unrestricted U
|
| 36 |
CVE-2026-23815
A vulnerability in a custom binary used in AOS-CX Switches' CLI could allow an a
|
| 36 |
CVE-2026-29102
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (C
|
| 36 |
CVE-2025-11730
A post‑authentication command injection vulnerability in the Dynamic DNS (DDNS)
|
| 36 |
CVE-2026-21893
n8n is an open source workflow automation platform. From version 0.187.0 to befo
|
| 36 |
CVE-2025-12975
The CTX Feed - WooCommerce Product Feed Manager plugin for WordPress is vulnerab
|
| 36 |
CVE-2026-4808
The Gerador de Certificados - DevApps plugin for WordPress is vulnerable to arbi
|
| 36 |
CVE-2026-28673
xiaoheiFS is a self-hosted financial and operational system for cloud service bu
|
| 36 |
CVE-2026-39387
BoidCMS is an open-source, PHP-based flat-file CMS for building simple websites
|
| 36 |
CVE-2026-30940
baserCMS is a website development framework. Prior to version 5.2.3, a path trav
|
| 36 |
CVE-2026-4627
A vulnerability was found in D-Link DIR-825 and DIR-825R 1.0.5/4.5.1. Affected i
|
| 36 |
CVE-2026-2365
The Fluent Forms Pro plugin for WordPress is vulnerable to Stored Cross-Site Scr
|
| 36 |
CVE-2026-5464
The ExactMetrics - Google Analytics Dashboard for WordPress (Website Stats Plugi
|
| 36 |
CVE-2026-26046
A vulnerability was found in a Moodle TeX filter administrative setting where in
|
| 36 |
CVE-2026-2670
A vulnerability was identified in Advantech WISE-6610 1.2.1_20251110. Affected i
|
| 36 |
CVE-2026-31386
OpenLiteSpeed and LSWS Enterprise provided by LiteSpeed Technologies contain an
|
| 36 |
CVE-2026-28209
FreePBX is an open source IP PBX. From versions 16.0.17.2 to before 16.0.20 and
|
| 36 |
CVE-2025-59783
API endpoint for user synchronization in 2N Access Commander version 3.4.1 did n
|
| 36 |
CVE-2026-23759
Perle IOLAN STS/SCS terminal server models with firmware versions prior to 6.0 a
|
| 36 |
CVE-2026-0800
The User Submitted Posts - Enable Users to Submit Posts from the Front End plugi
|
| 36 |
CVE-2025-69986
A buffer overflow vulnerability exists in the ONVIF GetStreamUri function of LSC
|
| 36 |
CVE-2026-24748
Kargo manages and automates the promotion of software artifacts. Prior to versio
|
| 36 |
CVE-2026-0753
The Super Simple Contact Form plugin for WordPress is vulnerable to Reflected Cr
|
| 36 |
CVE-2026-23816
A vulnerability in the command line interface of AOS-CX Switches could allow an
|
| 36 |
CVE-2026-1866
The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scrip
|
| 36 |
CVE-2026-1931
The Rent Fetch plugin for WordPress is vulnerable to Stored Cross-Site Scripting
|
| 36 |
CVE-2026-23774
Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Featu
|
| 36 |
CVE-2026-4329
The Blackhole for Bad Bots plugin for WordPress is vulnerable to Stored Cross-Si
|
| 36 |
CVE-2026-3342
An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow an auth
|
| 36 |
CVE-2026-33613
Due to the improper neutralisation of special elements used in an OS command, a
|
| 36 |
CVE-2026-1216
The RSS Aggregator plugin for WordPress is vulnerable to Reflected Cross-Site Sc
|
| 36 |
CVE-2026-3368
The Injection Guard plugin for WordPress is vulnerable to Stored Cross-Site Scri
|
| 36 |
CVE-2026-23592
Insecure file operations in HPE Aruba Networking Fabric Composer’s backup func
|
| 36 |
CVE-2026-25836
An improper neutralization of special elements used in an os command ('os comman
|
| 36 |
CVE-2026-1400
The AI Engine - The Chatbot and AI Framework for WordPress plugin for WordPress
|
| 36 |
CVE-2025-66178
A improper neutralization of special elements used in an os command ('os command
|
| 36 |
CVE-2025-14452
The WP Customer Reviews plugin for WordPress is vulnerable to Reflected Cross-Si
|
| 36 |
CVE-2026-22229
A command injection vulnerability may be exploited after the admin's authenticat
|
| 36 |
CVE-2026-1316
The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Store
|
| 36 |
CVE-2026-1843
The Super Page Cache plugin for WordPress is vulnerable to Stored Cross-Site Scr
|
| 36 |
CVE-2026-2568
The WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Form
|
| 36 |
CVE-2026-26045
A flaw was identified in Moodle’s backup restore functionality where specially c
|
| 36 |
CVE-2026-31849
Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implem
|
| 36 |
CVE-2026-6832
Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/sessi
|
| 36 |
CVE-2026-28456
OpenClaw versions 2026.1.5 prior to 2026.2.14 contain a vulnerability in the Gat
|
| 36 |
CVE-2025-58382
A vulnerability in the secure configuration of authentication and
management se
|
| 36 |
CVE-2026-1945
The WPBookit plugin for WordPress is vulnerable to Stored Cross-Site Scripting v
|
| 36 |
CVE-2026-3643
The Accessibly plugin for WordPress is vulnerable to Stored Cross-Site Scripting
|
| 36 |
CVE-2026-5217
The Optimole - Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image O
|
| 36 |
CVE-2026-2231
The Fluent Booking plugin for WordPress is vulnerable to Stored Cross-Site Scrip
|
| 36 |
CVE-2026-5231
The WP Statistics plugin for WordPress is vulnerable to Stored Cross-Site Script
|
| 36 |
CVE-2026-2724
The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Store
|
| 36 |
CVE-2025-15440
The iONE360 configurator plugin for WordPress is vulnerable to Stored Cross-Sit
|
| 36 |
CVE-2026-2296
The Product Addons for Woocommerce - Product Options with Custom Fields plugin f
|
| 36 |
CVE-2026-1459
A post-authentication command injection vulnerability in the TR-369 certificate
|
| 36 |
CVE-2026-35035
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
|
| 36 |
CVE-2026-25917
Dag Authors, who normally should not be able to execute code in the webserver co
|
| 36 |
CVE-2026-3231
The Checkout Field Editor (Checkout Manager) for WooCommerce plugin for WordPres
|
| 36 |
CVE-2026-3178
The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scrip
|
| 36 |
CVE-2026-1261
The MetForm Pro plugin for WordPress is vulnerable to Stored Cross-Site Scriptin
|
| 36 |
CVE-2026-4388
The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site
|
| 36 |
CVE-2026-22572
An authentication bypass using an alternate path or channel vulnerability in For
|
| 36 |
CVE-2026-3478
The Content Syndication Toolkit plugin for WordPress is vulnerable to Server-Sid
|
| 36 |
CVE-2026-37748
Visitor Management System 1.0 by sanjay1313 is vulnerable to Unrestricted File U
|
| 36 |
CVE-2026-1454
The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPres
|
| 36 |
CVE-2026-4267
### Impact
The Query Monitor plugin for WordPress is vulnerable to Reflected Cr
|
| 36 |
CVE-2026-1238
The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site S
|
| 36 |
CVE-2026-23572
Improper access control in the TeamViewer Full and Host clients (Windows, macOS,
|
| 36 |
CVE-2026-5425
The Widgets for Social Photo Feed plugin for WordPress is vulnerable to Stored C
|
| 36 |
CVE-2026-2834
The Age Verification & Identity Verification by Token of Trust plugin for WordPr
|
| 36 |
CVE-2025-14554
The Sell BTC - Cryptocurrency Selling Calculator plugin for WordPress is vulnera
|
| 36 |
CVE-2026-35175
### Impact
An authenticated user (using the `auth_users` plugin authentication
|
| 36 |
CVE-2026-1074
The WP App Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting
|
| 36 |
CVE-2026-3003
The Vagaro Booking Widget plugin for WordPress is vulnerable to Stored Cross-Sit
|
| 36 |
CVE-2026-5694
The Quick Interest Slider plugin for WordPress is vulnerable to Stored Cross-Sit
|
| 36 |
CVE-2026-3090
The Post SMTP - Complete Email Deliverability and SMTP Solution with Email Logs,
|
| 36 |
CVE-2026-2019
The Cart All In One For WooCommerce plugin for WordPress is vulnerable to Code I
|
| 36 |
CVE-2026-35581
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the Execut
|
| 36 |
CVE-2026-28138
Deserialization of Untrusted Data vulnerability in Stylemix uListing ulisting al
|
| 36 |
CVE-2026-25316
Deserialization of Untrusted Data vulnerability in Brainstorm Force CartFlows ca
|
| 36 |
CVE-2026-22333
Deserialization of Untrusted Data vulnerability in YITHEMES YITH WooCommerce Com
|
| 36 |
CVE-2026-29182
Parse Server is an open source backend that can be deployed to any infrastructur
|
| 36 |
CVE-2026-33715
Chamilo LMS is an open-source learning management system. In version 2.0-RC.2, t
|
| 36 |
CVE-2026-2440
The SurveyJS plugin for WordPress is vulnerable to Stored Cross-Site Scripting i
|
| 36 |
CVE-2026-1937
The YayMail - WooCommerce Email Customizer plugin for WordPress is vulnerable to
|
| 36 |
CVE-2026-22317
A command injection vulnerability in the device’s Root CA certificate transfer w
|
| 36 |
CVE-2026-0617
The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for W
|
| 36 |
CVE-2026-2936
The Visitor Traffic Real Time Statistics plugin for WordPress is vulnerable to S
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 741d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2309d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2122d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1736d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2239d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4986d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1207d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1009d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3764d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 911d |