U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database
Icon for New NVD Communications and Status Updates Page
New Communications Page
The NVD now supports CVSS version 4.0!
CVSS v4.0 Support
The letters N V D typed out in binary
2.0 APIs

The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries CVSS Severity

  • CVE-2025-3398 - A vulnerability classified as critical was found in lenve VBlog up to 1.0.0. Affected by this vulnerability is the function configure of the file blogserver/src/main/java/org/sang/config/WebSecurityConfig.java. The manipulation leads to improper a... read CVE-2025-3398
    Published: April 07, 2025; 10:15:21 PM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2024-24911 - In rare scenarios, the cpca process on the Security Management Server / Domain Management Server may exit unexpectedly, creating a core dump file. When the cpca process is down, VPN and SIC connectivity issues may occur if the CRL is not present i... read CVE-2024-24911
    Published: February 06, 2025; 9:15:29 AM -0500

    V3.1: 7.5 HIGH

  • CVE-2025-21691 - In the Linux kernel, the following vulnerability has been resolved: cachestat: fix page cache statistics permission checking When the 'cachestat()' system call was added in commit cf264e1329fb ("cachestat: implement cachestat syscall"), it was m... read CVE-2025-21691
    Published: February 10, 2025; 11:15:38 AM -0500

    V3.1: 5.5 MEDIUM

  • CVE-2025-1082 - A vulnerability classified as problematic has been found in Mindskip xzs-mysql 学之思开源考试系统 3.9.0. Affected is an unknown function of the file /api/admin/question/edit of the component Exam Edit Handler. The manipulation of the argument title/content... read CVE-2025-1082
    Published: February 06, 2025; 6:15:08 PM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2023-45195 - Adminer and AdminerEvo are vulnerable to SSRF via database connection fields. This could allow an unauthenticated remote attacker to enumerate or access systems the attacker would not otherwise have access to. Adminer is no longer supported, but t... read CVE-2023-45195
    Published: June 24, 2024; 6:15:10 PM -0400

    V3.1: 5.3 MEDIUM

  • CVE-2023-45196 - Adminer and AdminerEvo allow an unauthenticated remote attacker to cause a denial of service by connecting to an attacker-controlled service that responds with HTTP redirects. The denial of service is subject to PHP configuration limits. Adminer i... read CVE-2023-45196
    Published: June 24, 2024; 5:15:25 PM -0400

    V3.1: 7.5 HIGH

  • CVE-2024-28219 - In _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy.
    Published: April 02, 2024; 11:15:09 PM -0400

    V3.1: 5.9 MEDIUM

  • CVE-2024-31450 - Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. The Owncast application exposes an administrator API at the URL /api/admin. The emoji/delete endpoint of said API allows administrators to del... read CVE-2024-31450
    Published: April 19, 2024; 3:15:06 PM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2023-48184 - QuickJS before 7414e5f has a quickjs.h JS_FreeValueRT use-after-free because of incorrect garbage collection of async functions with closures.
    Published: April 23, 2024; 3:15:42 AM -0400

  • CVE-2023-48183 - QuickJS before c4cdd61 has a build_for_in_iterator NULL pointer dereference because of an erroneous lexical scope of "this" with eval.
    Published: April 23, 2024; 3:15:42 AM -0400

  • CVE-2024-3665 - The Rank Math SEO with AI SEO Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's HowTo and FAQ widgets in all versions up to, and including, 1.0.216 due to insufficient input sanitization and output escaping o... read CVE-2024-3665
    Published: April 23, 2024; 6:15:06 AM -0400

    V3.1: 5.4 MEDIUM

  • CVE-2024-4172 - A vulnerability classified as problematic was found in idcCMS 1.35. Affected by this vulnerability is an unknown functionality of the file /admin/admin_cl.php?mudi=revPwd. The manipulation leads to cross-site request forgery. The attack can be lau... read CVE-2024-4172
    Published: April 25, 2024; 10:15:10 AM -0400

  • CVE-2024-4056 - Denial of service condition in M-Files Server in versions before 24.4.13592.4 and after 23.11 (excluding 24.2 LTS) allows unauthenticated user to consume computing resources.
    Published: April 26, 2024; 2:15:06 AM -0400

  • CVE-2024-4257 - A vulnerability was found in BlueNet Technology Clinical Browsing System 1.2.1. It has been classified as critical. This affects an unknown part of the file /xds/deleteStudy.php. The manipulation of the argument documentUniqueId leads to sql injec... read CVE-2024-4257
    Published: April 27, 2024; 12:15:07 PM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2025-7743 - Cleartext Transmission of Sensitive Information vulnerability in Dolusoft Omaspot allows Interception, Privilege Escalation.This issue affects Omaspot: before 12.09.2025.
    Published: September 16, 2025; 8:15:34 AM -0400

    V3.1: 9.6 CRITICAL

  • CVE-2025-7744 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Dolusoft Omaspot allows SQL Injection.This issue affects Omaspot: before 12.09.2025.
    Published: September 16, 2025; 8:15:34 AM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2025-6575 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Dolusoft Omaspot allows Reflected XSS.This issue affects Omaspot: before 12.09.2025.
    Published: September 16, 2025; 8:15:33 AM -0400

    V3.1: 6.1 MEDIUM

  • CVE-2025-3230 - Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to maintain full system access by exploiting access ... read CVE-2025-3230
    Published: May 30, 2025; 11:15:41 AM -0400

    V3.1: 5.4 MEDIUM

  • CVE-2024-4336 - Adive Framework 2.0.8, does not sufficiently encode user-controlled inputs, resulting in a persistent Cross-Site Scripting (XSS) vulnerability via the /adive/admin/tables/add, in multiple parameters. An attacker could retrieve the session details ... read CVE-2024-4336
    Published: April 30, 2024; 6:15:07 AM -0400

    V3.1: 7.4 HIGH

  • CVE-2025-2571 - Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to clear Google OAuth credentials when converting user accounts to bot accounts, allowing attackers to gain unauthorized access to bot accounts via th... read CVE-2025-2571
    Published: May 30, 2025; 11:15:40 AM -0400

Created September 20, 2022 , Updated August 27, 2024