Security Dashboard

7d 14d 30d 90d
Total CVEs
16308
last 90 days
Avg Priority
36.5
of max 220
KEV
40
actively exploited
POC
3198
public exploits
Unpatched
4325
CRIT/HIGH without patch
How is Priority Score calculated?

Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:

KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low 40-80 Medium 80-120 High 120+ Critical

Patch Now — Known Exploited Vulnerabilities

185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
CRITICAL
180
CVE-2025-40551
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil
CRITICAL
170
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
CRITICAL
164
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
CRITICAL
160
CVE-2025-40536
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that
HIGH
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
CRITICAL
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
HIGH
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
CRITICAL
129
CVE-2026-33825
Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to el
HIGH
124
CVE-2026-21643
An improper neutralization of special elements used in an sql command ('sql injection') vulnerabilit
CRITICAL

Priority Distribution

CRITICAL HIGH MEDIUM LOW KEV Only POC Only Unpatched CRIT/HIGH
Priority CVE
36 CVE-2026-3548
Two buffer overflow vulnerabilities existed in the wolfSSL CRL parser when parsi
36 CVE-2026-33505
## Description The **GetRelationships API** in Ory Keto is vulnerable to SQL in
36 CVE-2026-6361
Heap buffer overflow in PDFium in Google Chrome on Windows prior to 147.0.7727.1
36 CVE-2026-37342
SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL
36 CVE-2026-37344
SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL
36 CVE-2026-37343
SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL
36 CVE-2026-1777
The Amazon SageMaker Python SDK before v3.2.0 and v2.256.0 includes the ModelBui
36 CVE-2026-37341
SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL
36 CVE-2025-14610
The TableMaster for Elementor plugin for WordPress is vulnerable to Server-Side
36 CVE-2023-31313
An unintended proxy or intermediary in the AMD power management firmware (PMFW)
36 CVE-2026-5845
An improper authorization vulnerability in scoped user-to-server (ghu_) token au
36 CVE-2026-32264
The fix for https://github.com/advisories/GHSA-7jx7-3846-m7w7 (commit https://gi
36 CVE-2026-32263
The fix for GHSA-7jx7-3846-m7w7 (commit 395c64f0b80b507be1c862a2ec942eaacb353748
36 CVE-2026-3873
Use of Hard-coded Credentials vulnerability in Avnatra Avantra allows Accessing
36 CVE-2026-20062
A vulnerability in the CLI of Cisco Secure Firewall Adaptive Security Appliance
36 CVE-2026-33392
In JetBrains YouTrack before 2025.3.131383 high privileged user can achieve RCE
36 CVE-2026-24506
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release ver
36 CVE-2026-41641
## Summary The `checkSQL()` validation function that blocks dangerous SQL keywo
36 CVE-2026-24504
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release ver
36 CVE-2026-24505
Dell PowerProtect Data Domain, versions 8.5 through 8.6 contain an improper inpu
36 CVE-2026-26943
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release ver
36 CVE-2026-40623
A vulnerability in SenseLive X3050's web management interface allows critical sy
36 CVE-2026-34790
Endian Firewall version 3.3.25 and prior allow authenticated users to delete arb
36 CVE-2026-4620
OS Command Injection vulnerability in NEC Platforms, Ltd. Aterm Series allows a
36 CVE-2026-4622
OS Command Injection vulnerability in NEC Platforms, Ltd. Aterm Series allows a
36 CVE-2026-20998
Improper authentication in Smart Switch prior to version 3.7.69.15 allows remote
36 CVE-2026-20999
Authentication bypass by replay in Smart Switch prior to version 3.7.69.15 allow
36 CVE-2026-33704
Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated
36 CVE-2026-20996
Use of a broken or risky cryptographic algorithm in Smart Switch prior to versio
36 CVE-2025-36247
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 through
36 CVE-2026-31971
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is
36 CVE-2026-32063
OpenClaw version 2026.2.19-2 prior to 2026.2.21 contains a command injection vul
36 CVE-2026-27953
### Summary A Pydantic validation bypass in `ormar`'s model constructor allows
36 CVE-2026-20204
In Splunk Enterprise versions below 10.2.1, 10.0.5, 9.4.10, and 9.3.11, and Splu
36 CVE-2026-31994
OpenClaw versions prior to 2026.2.19 contain a local command injection vulnerabi
36 CVE-2026-33668
Vikunja is an open-source self-hosted task management platform. Starting in vers
36 CVE-2026-33028
### Summary The `nginx-ui` application is vulnerable to a **Race Condition**. Du
36 CVE-2026-34591
### Summary A crafted wheel can contain ../ paths that Poetry writes to disk wit
36 CVE-2026-29607
OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerabili
36 CVE-2026-33627
Parse Server is an open source backend that can be deployed to any infrastructur
36 CVE-2025-11142
The VAPIX API mediaclip.cgi that did not have a sufficient input validation allo
36 CVE-2026-39972
### Impact A cache key collision vulnerability in `TopicSelectorStore` allows a
36 CVE-2026-40162
Bugsink is a self-hosted error tracking tool. In 2.1.0, an authenticated file wr
36 CVE-2026-22322
A stored cross‑site scripting (XSS) vulnerability in the Link Aggregation config
36 CVE-2026-26151
Insufficient ui warning of dangerous operations in Windows Remote Desktop allows
36 CVE-2026-33872
### Impact This vulnerability results in Cross-User Data Leakage or Information
36 CVE-2026-31969
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is
36 CVE-2025-13096
IBM Business Automation Workflow containers V25.0.0 through V25.0.0-IF007, V24.0
36 CVE-2026-6409
A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library durin
36 CVE-2026-3401
A weakness has been identified in SourceCodester Web-based Pharmacy Product Mana
36 CVE-2026-40043
Pachno 1.0.6 contains an authentication bypass vulnerability in the runSwitchUse
36 CVE-2026-39976
Laravel Passport provides OAuth2 server support to Laravel. From 13.0.0 to befor
36 CVE-2026-34598
### Summary A stored and blind XSS vulnerability exists in the form title field.
36 CVE-2026-34603
## Summary `@tinacms/cli` recently added lexical path-traversal checks to the d
36 CVE-2026-34604
## Summary `@tinacms/graphql` uses string-based path containment checks in `Fil
36 CVE-2026-26133
AI command injection in M365 Copilot allows an unauthorized attacker to disclose
36 CVE-2026-39308
### Summary PraisonAI's recipe registry publish endpoint writes uploaded recipe
36 CVE-2025-15616
Wazuh wazuh-agent and wazuh-manager versions 2.1.0 before 4.8.0 contain multiple
36 CVE-2026-32590
A flaw was found in Red Hat Quay's handling of resumable container image layer u
36 CVE-2026-27566
OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability i
36 CVE-2026-33645
Fireshare facilitates self-hosted media and link sharing. In version 1.5.1, an a
36 CVE-2026-35167
### Impact The `_get_versioned_path()` method in kedro/io/core.py constructs fil
36 CVE-2026-35668
OpenClaw before 2026.3.24 contains a path traversal vulnerability in sandbox enf
36 CVE-2026-22175
OpenClaw versions prior to 2026.2.23 contain an exec approval bypass vulnerabili
36 CVE-2026-29077
Frappe is a full-stack web application framework. Prior to versions 15.98.0 and
36 CVE-2026-27170
OpenSift is an AI study tool that sifts through large datasets using semantic se
36 CVE-2026-31992
OpenClaw versions prior to 2026.2.23 contain an allowlist bypass vulnerability i
36 CVE-2026-40503
OpenHarness prior to commit dd1d235 contains a path traversal vulnerability that
36 CVE-2026-33493
## Summary The `objects/import.json.php` endpoint accepts a user-controlled `fi
36 CVE-2026-40090
### Impact This vulnerability impacts users of `zarf package inspect sbom` or `z
36 CVE-2026-5720
miniupnpd contains an integer underflow vulnerability in SOAPAction header parsi
36 CVE-2026-35000
ChangeDetection.io versions prior to 0.54.7 contain a protection bypass vulnerab
36 CVE-2026-34124
A denial-of-service vulnerability was identified in TP-Link Tapo C520WS v2.6 wit
36 CVE-2026-41299
OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in the
36 CVE-2026-33822
Out-of-bounds read in Microsoft Office Word allows an unauthorized attacker to d
36 CVE-2026-33770
### Summary The `fixCleanTitle()` static method in `objects/category.php` const
36 CVE-2026-33783
A Function Call With Incorrect Argument Type vulnerability in the sensor interfa
36 CVE-2026-39977
flatpak-builder is a tool to build flatpaks from source. From 1.4.5 to before 1.
36 CVE-2026-27757
SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain an authentica
36 CVE-2026-32617
AnythingLLM is an application that turns pieces of content into context that any
36 CVE-2026-33767
### Summary In `objects/like.php`, the `getLike()` method constructs a SQL quer
36 CVE-2026-28713
Default credentials set for local privileged user in Virtual Appliance. The foll
36 CVE-2026-28459
OpenClaw versions prior to 2026.2.12 fail to validate the sessionFile path param
36 CVE-2026-31970
HTSlib is a library for reading and writing bioinformatics file formats. GZI fil
36 CVE-2026-27541
Incorrect Privilege Assignment vulnerability in Josh Kohlbach Wholesale Suite wo
36 CVE-2026-32027
OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerabili
36 CVE-2026-23940
Uncontrolled Resource Consumption vulnerability in hexpm hexpm/hexpm allows Exce
36 CVE-2026-32937
### Impact This is an out-of-bounds slice access vulnerability in the CHF `nchf-
36 CVE-2026-1058
The Form Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting
36 CVE-2026-35559
Out-of-bounds write in the query processing components in Amazon Athena ODBC dri

Oldest Unpatched Critical/High CVEs

CVE Severity CVSS Priority Days Open
CVE-2024-3400 CRITICAL 10.0 224 741d
CVE-2019-19781 CRITICAL 9.8 223 2309d
CVE-2020-5902 CRITICAL 9.8 223 2122d
CVE-2021-35464 CRITICAL 9.8 223 1736d
CVE-2020-10189 CRITICAL 9.8 223 2239d
CVE-2012-4681 CRITICAL 9.8 223 4987d
CVE-2022-42475 CRITICAL 9.8 223 1207d
CVE-2023-3519 CRITICAL 9.8 223 1009d
CVE-2015-7450 CRITICAL 9.8 222 3764d
CVE-2023-34048 CRITICAL 9.8 222 911d
Prev 96 / 182 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy