The US Cybersecurity and Infrastructure Security Agency (CISA) maintains a very interesting resource. It is the Known Exploited Vulnerabilities Catalog. Today, there are 644 unique CVEs in the catalog which impact a variety of COTs products. Use the catalog to prioritize remediation and build (in their words) "collective resilience" to threats.
@AppDefectsBut however, are actually exploited by Government departments, or kept private for a host of security reasons? How much are they prepared to pay for these exploits?