The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries CVSS Severity
  • CVE-2025-65844 - EverShop 2.0.1 allows an unauthenticated user to upload files and create directories within the /api/images endpoint.
    Published: December 02, 2025; 1:15:49 PM -0500

  • CVE-2025-13492 - A potential security vulnerability has been identified in HP Image Assistant for versions prior to 5.3.3. The vulnerability could potentially allow a local attacker to escalate privileges via a race condition when installing packages.
    Published: December 03, 2025; 12:15:49 PM -0500

    V3.1: 7.0 HIGH

  • CVE-2025-12819 - Untrusted search path in auth_query connection handler in PgBouncer before 1.25.1 allows an unauthenticated attacker to execute arbitrary SQL during authentication via a malicious search_path parameter in the StartupMessage.
    Published: December 03, 2025; 2:15:55 PM -0500

    V3.1: 8.1 HIGH

  • CVE-2025-41079 - A stored Cross-Site Scripting (XSS) vulnerability has been found in Seafile v12.0.10. This vulnerability allows an attacker to execute arbitrary code in the victim's browser by storing malicious payloads with PUT parámetro 'name' in '/api/v2.1/use... read CVE-2025-41079
    Published: December 04, 2025; 7:16:20 AM -0500

    V3.1: 6.1 MEDIUM

  • CVE-2025-41080 - A stored Cross-Site Scripting (XSS) vulnerability has been found in Seafile v12.0.10. This vulnerability allows an attacker to execute arbitrary code in the victim's browser by storing malicious payloads with POST parámetro 'p' in '/api/v2.1/repos... read CVE-2025-41080
    Published: December 04, 2025; 7:16:22 AM -0500

    V3.1: 6.1 MEDIUM

  • CVE-2025-65403 - A buffer overflow in the g_cfg.MaxUsers component of LightFTP v2.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.
    Published: December 01, 2025; 11:15:57 AM -0500

  • CVE-2023-32969 - A cross-site scripting (XSS) vulnerability has been reported to affect Network & Virtual Switch. If exploited, the vulnerability could allow authenticated administrators to inject malicious code via a network. We have already fixed the vulnerabil... read CVE-2023-32969
    Published: March 08, 2024; 12:15:21 PM -0500

    V3.1: 4.8 MEDIUM

  • CVE-2024-45538 - Cross-Site Request Forgery (CSRF) vulnerability in WebAPI Framework in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to execute arbitrary ... read CVE-2024-45538
    Published: December 04, 2025; 10:15:54 AM -0500

    V3.1: 9.6 CRITICAL

  • CVE-2024-45539 - Out-of-bounds write vulnerability in cgi components in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to conduct denial-of-service attacks ... read CVE-2024-45539
    Published: December 04, 2025; 10:15:54 AM -0500

    V3.1: 7.5 HIGH

  • CVE-2024-5401 - Improper control of dynamically-managed code resources vulnerability in WebAPI component in Synology DiskStation Manager (DSM) before 7.1.1-42962-8 and 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows... read CVE-2024-5401
    Published: December 04, 2025; 10:15:54 AM -0500

    V3.1: 8.8 HIGH

  • CVE-2025-29843 - A vulnerability in FileStation thumb cgi allows remote authenticated users to read/write image files.
    Published: December 04, 2025; 10:15:56 AM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2025-29844 - A vulnerability in FileStation file cgi allows remote authenticated users to read file metadata and path information.
    Published: December 04, 2025; 10:15:56 AM -0500

    V3.1: 4.3 MEDIUM

  • CVE-2025-29845 - A vulnerability in VideoPlayer2 subtitle cgi allows remote authenticated users to read .srt files.
    Published: December 04, 2025; 10:15:56 AM -0500

    V3.1: 4.3 MEDIUM

  • CVE-2025-29846 - A vulnerability in portenable cgi allows remote authenticated users to get the status of installed packages.
    Published: December 04, 2025; 10:15:56 AM -0500

    V3.1: 7.2 HIGH

  • CVE-2024-21905 - An integer overflow or wraparound vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to compromise the security of the system via a network. We have already fixed th... read CVE-2024-21905
    Published: April 26, 2024; 11:15:48 AM -0400

    V3.1: 8.2 HIGH

  • CVE-2024-27124 - An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the followin... read CVE-2024-27124
    Published: April 26, 2024; 11:15:48 AM -0400

  • CVE-2023-47222 - An exposure of sensitive information vulnerability has been reported to affect Media Streaming add-on. If exploited, the vulnerability could allow users to compromise the security of the system via a network. We have already fixed the vulnerabili... read CVE-2023-47222
    Published: April 26, 2024; 11:15:46 AM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2024-53684 - A cross-site request forgery (csrf) vulnerability exists in the WEBVIEW-M functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted HTTP request can lead to unauthorized access. An attacker can stage a malicious webpage to trigger th... read CVE-2024-53684
    Published: December 01, 2025; 11:15:50 AM -0500

    V3.1: 8.8 HIGH

  • CVE-2024-49572 - A denial of service vulnerability exists in the Modbus TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to denial of service and weaken credentials resulting in default documented credentials bein... read CVE-2024-49572
    Published: December 01, 2025; 11:15:50 AM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2024-50406 - A cross-site scripting (XSS) vulnerability has been reported to affect License Center. If exploited, the vulnerability could allow remote attackers who have gained user access to bypass security mechanisms or read application data. We have alread... read CVE-2024-50406
    Published: June 06, 2025; 12:15:23 PM -0400

    V3.1: 5.4 MEDIUM

Created September 20, 2022, Updated August 27, 2024