Total CVEs
16337
last 90 days
Avg Priority
36.5
of max 220
KEV
37
actively exploited
POC
3564
public exploits
Unpatched
5456
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
194
CVE-2026-24061
telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for t
185
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain
184
CVE-2026-23760
SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability
180
CVE-2025-40551
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerabil
170
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
164
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated rem
160
CVE-2025-40536
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that
141
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FM
137
CVE-2026-1603
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthen
134
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credentia
Priority Distribution
| Priority | CVE |
|---|---|
| 194 |
CVE-2026-24061
telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "
|
| 185 |
CVE-2026-1731
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote
|
| 184 |
CVE-2026-23760
SmarterTools SmarterMail versions prior to build 9511 contain an authentication
|
| 180 |
CVE-2025-40551
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deseri
|
| 170 |
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve
|
| 164 |
CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve
|
| 141 |
CVE-2026-20131
A vulnerability in the web-based management interface of Cisco Secure Firewall M
|
| 134 |
CVE-2026-22769
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a
|
| 131 |
CVE-2026-27180
MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated remote co
|
| 129 |
CVE-2026-27174
MajorDoMo (aka Major Domestic Module) allows unauthenticated remote code executi
|
| 129 |
CVE-2022-25369
An issue was discovered in Dynamicweb before 9.12.8. An attacker can add a new a
|
| 128 |
CVE-2026-24423
SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated
|
| 126 |
CVE-2026-20963
Deserialization of untrusted data in Microsoft Office SharePoint allows an autho
|
| 124 |
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through
|
| 123 |
CVE-2025-71243
The 'Saisies pour formulaire' (Saisies) plugin for SPIP versions 5.4.0 through 5
|
| 117 |
CVE-2026-33634
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised
|
| 117 |
CVE-2026-33017
## Summary
The `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint allows b
|
| 117 |
CVE-2026-3055
Insufficient input validation in NetScaler ADC and NetScaler Gateway when config
|
| 113 |
CVE-2026-20127
A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controlle
|
| 112 |
CVE-2026-24858
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-2
|
| 111 |
CVE-2026-27175
MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated OS comman
|
| 90 |
CVE-2026-20079
A vulnerability in the web interface of Cisco Secure Firewall Management Center
|
| 90 |
CVE-2026-2329
An unauthenticated stack-based buffer overflow vulnerability exists in the HTTP
|
| 87 |
CVE-2016-15057
** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Special Elements used
|
| 82 |
CVE-2026-27971
Qwik is a performance focused javascript framework. qwik <=1.19.0 is vulnerable
|
| 81 |
CVE-2020-37123
Pinger 1.0 contains a remote code execution vulnerability that allows attackers
|
| 74 |
CVE-2026-23515
Signal K Server is a server application that runs on a central hub in a boat. Pr
|
| 73 |
CVE-2026-3301
A security flaw has been discovered in Totolink N300RH 6.1c.1353_B20190305. Affe
|
| 72 |
CVE-2019-25441
thesystem 1.0 contains a command injection vulnerability that allows unauthentic
|
| 71 |
CVE-2025-70327
TOTOLINK X5000R v9.1.0cu_2415_B20250515 contains an argument injection vulnerabi
|
| 71 |
CVE-2026-24105
An issue was discovered in goform/formsetUsbUnload in Tenda AC15V1.0 V15.03.05.1
|
| 71 |
CVE-2025-29329
Buffer Overflow in the ippprint (Internet Printing Protocol) service in Sagemcom
|
| 71 |
CVE-2025-14009
A critical vulnerability exists in the NLTK downloader component of nltk/nltk, a
|
| 71 |
CVE-2026-27597
Enclave is a secure JavaScript sandbox designed for safe AI agent code execution
|
| 70 |
CVE-2020-37125
Edimax EW-7438RPn-v3 Mini 1.27 contains a remote code execution vulnerability th
|
| 70 |
CVE-2026-28409
WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, a cr
|
| 70 |
CVE-2026-24898
OpenEMR is a free and open source electronic health records and medical practice
|
| 70 |
CVE-2026-26478
A shell command injection vulnerability in Mobvoi Tichome Mini smart speaker 012
|
| 70 |
CVE-2026-22686
Enclave is a secure JavaScript sandbox designed for safe AI agent code execution
|
| 70 |
CVE-2026-23830
SandboxJS is a JavaScript sandboxing library. Versions prior to 0.8.26 have a sa
|
| 70 |
CVE-2026-24897
Erugo is a self-hosted file-sharing platform. In versions up to and including 0.
|
| 70 |
CVE-2026-25142
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.27, SanboxJS does not
|
| 70 |
CVE-2025-10878
A SQL injection vulnerability exists in the login functionality of Fikir Odalari
|
| 70 |
CVE-2026-24101
An issue was discovered in goform/formSetIptv in Tenda AC15V1.0 V15.03.05.18_mul
|
| 70 |
CVE-2026-24107
An issue was discovered in Tenda W20E V4.0br_V15.11.0.6. Failure to validate the
|
| 70 |
CVE-2026-26068
emp3r0r is a stealth-focused C2 designed by Linux users for Linux environments.
|
| 70 |
CVE-2025-70841
Dokans Multi-Tenancy Based eCommerce Platform SaaS 3.9.2 allows unauthenticated
|
| 70 |
CVE-2026-24054
Kata Containers is an open source project focusing on a standard implementation
|
| 70 |
CVE-2022-50919
Tdarr 2.00.15 contains an unauthenticated remote code execution vulnerability in
|
| 70 |
CVE-2022-50893
VIAVIWEB Wallpaper Admin 1.0 contains an unauthenticated remote code execution v
|
| 70 |
CVE-2026-25520
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, The return values
|
| 70 |
CVE-2026-28289
FreeScout is a free help desk and shared inbox built with PHP's Laravel framewor
|
| 70 |
CVE-2026-27944
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.
|
| 70 |
CVE-2026-1699
In the Eclipse Theia Website repository, the GitHub Actions workflow .github/wor
|
| 70 |
CVE-2026-29128
IDC SFX2100 Satellite Receiver firmware ships with multiple daemon configuration
|
| 70 |
CVE-2026-25586
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, a sandbox escape
|
| 70 |
CVE-2026-25587
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, as Map is in SAFE
|
| 70 |
CVE-2026-25641
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, there is a sandbo
|
| 70 |
CVE-2025-68121
During session resumption in crypto/tls, if the underlying Config has its Client
|
| 70 |
CVE-2026-1470
n8n contains a critical Remote Code Execution (RCE) vulnerability in its workflo
|
| 70 |
CVE-2026-24770
RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versio
|
| 70 |
CVE-2025-56005
An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 all
|
| 70 |
CVE-2020-37090
School ERP Pro 1.0 contains a file upload vulnerability that allows students to
|
| 70 |
CVE-2026-25510
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, mo
|
| 70 |
CVE-2025-65791
ZoneMinder v1.36.34 is vulnerable to Command Injection in web/views/image.php. T
|
| 70 |
CVE-2026-27728
OneUptime is a solution for monitoring and managing online services. Prior to ve
|
| 70 |
CVE-2025-67186
TOTOLINK A950RG V4.1.2cu.5204_B20210112 contains a buffer overflow vulnerability
|
| 70 |
CVE-2020-36911
Covenant 0.1.3 - 0.5 contains a remote code execution vulnerability that allows
|
| 70 |
CVE-2026-30957
OneUptime is a solution for monitoring and managing online services. Prior to 10
|
| 70 |
CVE-2026-28794
oRPC is an tool that helps build APIs that are end-to-end type-safe and adhere t
|
| 70 |
CVE-2026-24848
OpenEMR is a free and open source electronic health records and medical practice
|
| 70 |
CVE-2026-30861
WeKnora is an LLM-powered framework designed for deep document understanding and
|
| 70 |
CVE-2026-28411
WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, an u
|
| 70 |
CVE-2023-54339
Webgrind 1.1 contains a remote command execution vulnerability that allows unaut
|
| 70 |
CVE-2020-37027
Sickbeard alpha contains a remote command injection vulnerability that allows un
|
| 70 |
CVE-2026-29042
Nuclio is a "Serverless" framework for Real-Time Events and Data Processing. Pri
|
| 70 |
CVE-2021-47851
Mini Mouse 9.2.0 contains a remote code execution vulnerability that allows atta
|
| 70 |
CVE-2026-30860
WeKnora is an LLM-powered framework designed for deep document understanding and
|
| 70 |
CVE-2025-69985
FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to
|
| 70 |
CVE-2020-37002
Ajenti 2.1.36 contains an authentication bypass vulnerability that allows remote
|
| 70 |
CVE-2026-27626
OliveTin gives access to predefined shell commands from a web interface. In vers
|
| 70 |
CVE-2026-27606
Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.30.0, and
|
| 70 |
CVE-2026-28775
An unauthenticated Remote Code Execution (RCE) vulnerability exists in the SNMP
|
| 70 |
CVE-2026-24841
Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior
|
| 70 |
CVE-2025-67188
A buffer overflow vulnerability exists in TOTOLINK A950RG V4.1.2cu.5204_B2021011
|
| 70 |
CVE-2026-27702
Budibase is a low code platform for creating internal tools, workflows, and admi
|
| 70 |
CVE-2026-28517
openDCIM version 23.04, through commit 4467e9c4, contains an OS command injectio
|
| 70 |
CVE-2026-33309
### Summary
While reviewing the recent patch for **CVE-2025-68478** (External C
|
| 70 |
CVE-2025-67084
File upload vulnerability in InvoicePlane through 1.6.3 allows authenticated att
|
| 70 |
CVE-2025-55423
A command injection vulnerability exists in the upnp_relay() function in multipl
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 730d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2298d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2111d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1724d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2227d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4975d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1196d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 997d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3752d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 899d |
1 / 19
Next