The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
- CVE-2026-11277 - Insufficient policy enforcement in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Low)
  Published: June 04, 2026; 8:17:04 PM -0400
- CVE-2026-46273 - In the Linux kernel, the following vulnerability has been resolved: ibmveth: Disable GSO for packets with small MSS. Some physical adapters on Power systems do not support segmentation offload when the MSS is less than 224 bytes. Attempting to se...
  Published: June 03, 2026; 2:16:29 PM -0400
- CVE-2026-46264 - In the Linux kernel, the following vulnerability has been resolved: drm/xe/pf: Fix sysfs initialization. In case of devm_add_action_or_reset() failure the provided cleanup action will be run immediately on the not yet initialized kobject. This ma...
  Published: June 03, 2026; 2:16:27 PM -0400
- CVE-2026-11693 - Inappropriate implementation in Plugins in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
  Published: June 08, 2026; 8:16:52 PM -0400
- CVE-2026-11701 - Inappropriate implementation in Guest View in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
  Published: June 08, 2026; 8:16:53 PM -0400
- CVE-2026-9698 - DBI versions before 1.648 for Perl saved errors in a limited-sized buffer. Error messages that were returned when RaiseError, PrintError or HandleError were set were written to a 200-byte buffer without a length limit. Attackers that can influen...
  Published: June 09, 2026; 4:16:29 AM -0400
  V3.1: 9.8 CRITICAL
- CVE-2026-11632 - Use after free in TabStrip in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
  Published: June 08, 2026; 8:16:45 PM -0400
- CVE-2026-11633 - Use after free in Bluetooth in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code via a malicious peripheral. (Chromium security severity: Critical)
  Published: June 08, 2026; 8:16:45 PM -0400
- CVE-2026-11634 - Use after free in Gamepad in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
  Published: June 08, 2026; 8:16:45 PM -0400
- CVE-2026-11635 - Use after free in Bluetooth in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
  Published: June 08, 2026; 8:16:46 PM -0400
- CVE-2026-11636 - Use after free in Autofill in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security seve...
  Published: June 08, 2026; 8:16:46 PM -0400
- CVE-2026-11637 - Use after free in Views in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
  Published: June 08, 2026; 8:16:46 PM -0400
- CVE-2026-46490 - samlify is a Node.js library for SAML single sign-on. Prior to version 2.13.0, samlify’s template substitution only escapes attribute contexts. Values inserted into element text (e.g., <saml:AttributeValue>) are not escaped. A normal user can inje...
  Published: June 08, 2026; 3:16:45 PM -0400
  V3.1: 8.8 HIGH
- CVE-2026-48507 - Snipe-IT is an IT asset/license management system. A vulnerability in versions prior to 8.6.0 allows a non-admin user holding only the granular `users.edit` permission to lock every admin out of the instance by editing the `activated` flag (which...
  Published: June 08, 2026; 1:16:52 PM -0400
- CVE-2026-47328 - Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user ...
  Published: May 28, 2026; 3:16:40 PM -0400
- CVE-2026-29167 - Use After Free vulnerability in Apache HTTP Server with mod_ldap in per-directory configuration. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.
  Published: June 08, 2026; 12:16:37 PM -0400
- CVE-2026-29170 - A cross-site scripting vulnerability exists in mod_proxy_ftp's HTML directory list generation in Apache HTTP Server 2.4.67 and earlier when listing FTP directory contents either via forward or reverse proxy configuration. Users are recommended to...
  Published: June 08, 2026; 12:16:38 PM -0400
- CVE-2026-34355 - A buffer overflow in mod_proxy_html in Apache HTTP Server 2.4.67 and earlier allows an attack by an untrusted backend. Users are recommended to upgrade to version 2.4.68, which fixes this issue.
  Published: June 08, 2026; 12:16:38 PM -0400
- CVE-2026-11339 - A vulnerability was detected in D-Link DWR-M920 up to 1.1.50. The affected element is the function sub_41CF20 of the file /boafrm/formUSSDSetup. The manipulation of the argument ussdValue results in command injection. It is possible to launch the ...
  Published: June 05, 2026; 1:16:46 PM -0400
  V3.1: 8.8 HIGH
- CVE-2026-34356 - Heap-based Buffer Overflow vulnerability in Apache HTTP Server with malicious backend servers and ProxyPassReverseCookie*. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which...
  Published: June 08, 2026; 12:16:38 PM -0400