Total CVEs
16318
last 90 days
Avg Priority
36.5
of max 220
KEV
40
actively exploited
POC
3205
public exploits
Unpatched
4332
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
180
CVE-2025-40551
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil
170
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
164
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
160
CVE-2025-40536
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
129
CVE-2026-33825
Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to el
124
CVE-2026-21643
An improper neutralization of special elements used in an sql command ('sql injection') vulnerabilit
Priority Distribution
| Priority | CVE |
|---|---|
| 36 |
CVE-2026-2936
The Visitor Traffic Real Time Statistics plugin for WordPress is vulnerable to S
|
| 36 |
CVE-2025-41767
A high-privileged remote attacker can fully compromise the device by abusing an
|
| 36 |
CVE-2026-0617
The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for W
|
| 36 |
CVE-2025-68648
A use of externally-controlled format string vulnerability in Fortinet FortiAnal
|
| 36 |
CVE-2025-59784
2N Access Commander version 3.4.1 and prior is vulnerable to log pollution. Cert
|
| 36 |
CVE-2026-32401
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
|
| 36 |
CVE-2026-28784
Craft is a content management system (CMS). Prior to 5.8.22 and 4.16.18, it is p
|
| 36 |
CVE-2026-20892
Code injection vulnerability exists in MR-GM5L-S1 and MR-GM5A-L1, which may allo
|
| 36 |
CVE-2026-23778
Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Featu
|
| 36 |
CVE-2026-2566
A security vulnerability has been detected in Wavlink WL-NU516U1 up to 130/260.
|
| 36 |
CVE-2026-4302
The WowOptin: Next-Gen Popup Maker plugin for WordPress is vulnerable to Server-
|
| 36 |
CVE-2026-24963
Incorrect Privilege Assignment vulnerability in ameliabooking Amelia ameliabooki
|
| 36 |
CVE-2026-20163
In Splunk Enterprise versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, and Splun
|
| 36 |
CVE-2025-69378
Incorrect Privilege Assignment vulnerability in XforWooCommerce Product Filter f
|
| 36 |
CVE-2026-3352
The Easy PHP Settings plugin for WordPress is vulnerable to PHP Code Injection i
|
| 36 |
CVE-2025-15041
The BackWPup - WordPress Backup & Restore Plugin plugin for WordPress is vulnera
|
| 36 |
CVE-2026-25932
GLPI is a Free Asset and IT Management Software package. From 0.60 to before 10.
|
| 36 |
CVE-2026-39467
Deserialization of Untrusted Data vulnerability in MetaSlider Responsive Slider
|
| 36 |
CVE-2026-25615
Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5668.
|
| 36 |
CVE-2026-29109
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (C
|
| 36 |
CVE-2026-1273
The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites - PostX plugin
|
| 36 |
CVE-2026-0677
Deserialization of Untrusted Data vulnerability in TotalSuite TotalContest Lite
|
| 36 |
CVE-2026-40880
# CVE-2026-40880: Cached Mempool Verification Bypasses Consensus Rules for Ahead
|
| 36 |
CVE-2025-27260
Ericsson
Indoor Connect 8855 versions prior to 2025.Q3 contains an Improper Filt
|
| 36 |
CVE-2026-40871
mailcow: dockerized is an open source groupware/email suite based on docker. Ver
|
| 36 |
CVE-2026-1841
The PixelYourSite - Your smart PIXEL (TAG) & API Manager plugin for WordPress is
|
| 36 |
CVE-2026-33133
WeGIA is a web manager for charitable institutions. In versions 3.6.5 and 3.6.6,
|
| 36 |
CVE-2026-0686
The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery
|
| 36 |
CVE-2026-25041
Budibase is a low code platform for creating internal tools, workflows, and admi
|
| 36 |
CVE-2026-27602
### Summary
`exec_cmd()` in `modoboa/lib/sysutils.py` always runs subprocess ca
|
| 36 |
CVE-2026-33681
WWBN AVideo is an open source video platform. In versions up to and including 26
|
| 36 |
CVE-2026-23882
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the MC
|
| 36 |
CVE-2026-1078
An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pe
|
| 36 |
CVE-2025-59785
Improper validation of API end-point in 2N Access Commander version 3.4.2 and pr
|
| 36 |
CVE-2026-1343
IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify
|
| 36 |
CVE-2026-28436
Frappe is a full-stack web application framework. Prior to versions 16.11.0 and
|
| 36 |
CVE-2026-27459
If a user provided callback to `set_cookie_generate_callback` returned a cookie
|
| 36 |
CVE-2026-27043
Unrestricted Upload of File with Dangerous Type vulnerability in ThemeGoods Phot
|
| 36 |
CVE-2026-1648
The Performance Monitor plugin for WordPress is vulnerable to Server-Side Reques
|
| 36 |
CVE-2024-51347
A buffer overflow vulnerability in the dgiot binary in LSC Smart Indoor IP Camer
|
| 36 |
CVE-2026-3017
The Smart Post Show - Post Grid, Post Carousel & Slider, and List Category Posts
|
| 36 |
CVE-2025-12886
The Oxygen Theme theme for WordPress is vulnerable to Server-Side Request Forger
|
| 36 |
CVE-2026-20205
In Splunk MCP Server app versions below 1.0.3 , a user who holds a role with acc
|
| 36 |
CVE-2026-34292
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware
|
| 36 |
CVE-2026-26930
SmarterTools SmarterMail before 9526 allows XSS via MAPI requests.
|
| 36 |
CVE-2026-29782
## Description
The `oauth2.php` file in OpenSTAManager is an **unauthenticated*
|
| 36 |
CVE-2026-35653
OpenClaw before 2026.3.24 contains an incorrect authorization vulnerability in t
|
| 36 |
CVE-2026-35660
OpenClaw before 2026.3.23 contains an insufficient access control vulnerability
|
| 36 |
CVE-2026-35536
In Tornado before 6.5.5, cookie attribute injection could occur because the doma
|
| 36 |
CVE-2026-31834
Umbraco is an ASP.NET CMS. From 15.3.1 to before 16.5.1 and 17.2.2, A privilege
|
| 36 |
CVE-2026-41170
Squidex is an open source headless content management system and content managem
|
| 36 |
CVE-2025-58383
A vulnerability in Brocade Fabric OS versions before 9.2.1c2 could allow an admi
|
| 36 |
CVE-2026-4113
An observable response discrepancy vulnerability in the SonicWall SMA1000 series
|
| 36 |
CVE-2025-40897
An access control vulnerability was discovered in the Threat Intelligence functi
|
| 36 |
CVE-2026-28674
xiaoheiFS is a self-hosted financial and operational system for cloud service bu
|
| 36 |
CVE-2025-36184
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.
|
| 36 |
CVE-2025-69299
Server-Side Request Forgery (SSRF) vulnerability in Laborator Oxygen oxygen allo
|
| 36 |
CVE-2025-59473
SQL Injection vulnerability in the Structure for Admin authenticated user
|
| 36 |
CVE-2026-34512
OpenClaw before 2026.3.25 contains an improper access control vulnerability in t
|
| 36 |
CVE-2026-35037
## Summary
The `GET /api/website/title` endpoint accepts an arbitrary URL via t
|
| 36 |
CVE-2026-25951
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior
|
| 36 |
CVE-2026-4116
Improper handling of Unicode encoding in SonicWall SMA1000 series appliances all
|
| 36 |
CVE-2026-26325
OpenClaw is a personal AI assistant. Prior to version 2026.2.14, a mismatch betw
|
| 36 |
CVE-2026-1844
The PixelYourSite PRO plugin for WordPress is vulnerable to Stored Cross-Site Sc
|
| 36 |
CVE-2026-1320
The Secure Copy Content Protection and Content Locking plugin for WordPress is v
|
| 36 |
CVE-2025-61848
An improper neutralization of special elements used in an sql command ('sql inje
|
| 36 |
CVE-2026-0807
The Frontis Blocks plugin for WordPress is vulnerable to Server-Side Request For
|
| 36 |
CVE-2026-2279
The myLinksDump plugin for WordPress is vulnerable to SQL Injection via the 'sor
|
| 36 |
CVE-2026-39971
### Summary
Serendipity inserts `$_SERVER['HTTP_HOST']` directly into the `Messa
|
| 36 |
CVE-2026-32414
Improper Control of Generation of Code ('Code Injection') vulnerability in ILLID
|
| 36 |
CVE-2026-29047
GLPI is a free asset and IT management software package. From 10.0.0 to before 1
|
| 36 |
CVE-2026-22623
Due to insufficient input parameter validation on the interface, authenticated u
|
| 36 |
CVE-2026-39343
ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL inje
|
| 36 |
CVE-2026-33504
## Description
Following Admin APIs in Ory Hydra are vulnerable to SQL injectio
|
| 36 |
CVE-2026-39325
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL inj
|
| 36 |
CVE-2026-33906
## Summary
The NetworkManager role was granted backup and restore permission. T
|
| 36 |
CVE-2026-35476
InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.
|
| 36 |
CVE-2026-34155
RAUC controls the update process on embedded Linux systems. Prior to version 1.1
|
| 36 |
CVE-2026-33910
OpenEMR is a free and open source electronic health records and medical practice
|
| 36 |
CVE-2026-40114
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the /api/v1/runs endp
|
| 36 |
CVE-2026-27885
Piwigo is an open source photo gallery application for the web. Prior to version
|
| 36 |
CVE-2026-33914
OpenEMR is a free and open source electronic health records and medical practice
|
| 36 |
CVE-2026-27834
Piwigo is an open source photo gallery application for the web. Prior to version
|
| 36 |
CVE-2026-0234
An improper verification of cryptographic signature vulnerability exists in Cort
|
| 36 |
CVE-2026-22480
Deserialization of Untrusted Data vulnerability in WebToffee Product Feed for Wo
|
| 36 |
CVE-2026-40315
PraisonAI is a multi-agent teams system. Prior to 4.5.133, there is an SQL ident
|
| 36 |
CVE-2025-55988
An issue in the component /Controllers/RestController.php of DreamFactory Core v
|
| 36 |
CVE-2026-1065
The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site
|
| 36 |
CVE-2026-30229
Parse Server is an open source backend that can be deployed to any infrastructur
|
| 36 |
CVE-2026-20416
In pcie, there is a possible out of bounds write due to a missing bounds check.
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 741d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2309d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2122d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1736d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2239d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4987d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1207d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1009d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3764d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 911d |