The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
- CVE-2026-34563 - CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when handling...
  Published: April 01, 2026; 6:16:19 PM -0400
  V3.1: 9.0 CRITICAL
- CVE-2026-34564 - CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when adding P...
  Published: April 01, 2026; 6:16:19 PM -0400
  V3.1: 9.0 CRITICAL
- CVE-2026-34590 - Postiz is an AI social media scheduling tool. Prior to version 2.21.4, the POST /webhooks/ endpoint for creating webhooks uses WebhooksDto which validates the url field with only @IsUrl() (format check), missing the @IsSafeWebhookUrl validator tha...
  Published: April 02, 2026; 2:16:30 PM -0400
- CVE-2026-34577 - Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and proxies the full HTTP response back to the caller. The only validation is ur...
  Published: April 02, 2026; 2:16:30 PM -0400
- CVE-2026-34576 - Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url endpoint accepts a user-supplied URL and fetches it server-side using axios.get() with no SSRF protections. The only validation is a file ex...
  Published: April 02, 2026; 2:16:30 PM -0400
  V3.1: 7.7 HIGH
- CVE-2026-34172 - Giskard is an open-source Python library for testing and evaluating agentic systems. Prior to versions 0.3.4 and 1.0.2b1, ChatWorkflow.chat(message) passes its string argument directly as a Jinja2 template source to a non-sandboxed Environment. A ...
  Published: March 31, 2026; 11:16:17 AM -0400
  V3.1: 8.8 HIGH
- CVE-2026-31935 - Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, flooding of crafted HTTP2 continuation frames can lead to memory exhaustion, usually resulting in the Suricata process being shut down by the operating system. This i...
  Published: April 02, 2026; 11:16:37 AM -0400
- CVE-2026-31934 - Suricata is a network IDS, IPS and NSM engine. From version 8.0.0 to before version 8.0.4, there is a quadratic complexity issue when searching for URLs in mime encoded messages over SMTP leading to a performance impact. This issue has been patche...
  Published: April 02, 2026; 11:16:37 AM -0400
- CVE-2026-31937 - Suricata is a network IDS, IPS and NSM engine. Prior to version 7.0.15, inefficiency in DCERPC buffering can lead to a performance degradation. This issue has been patched in version 7.0.15.
  Published: April 02, 2026; 11:16:37 AM -0400
- CVE-2026-29782 - OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the oauth2.php file in OpenSTAManager is an unauthenticated endpoint ($skip_permissions = true). It loads a record from the zz_oa...
  Published: April 02, 2026; 10:16:27 AM -0400
  V3.1: 7.2 HIGH
- CVE-2026-28805 - OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, multiple AJAX select handlers in OpenSTAManager are vulnerable to Time-Based Blind SQL Injection through the options[stato] GET p...
  Published: April 02, 2026; 10:16:26 AM -0400
- CVE-2026-34387 - Fleet is open source device management software. Prior to 4.81.1, a command injection vulnerability in Fleet's software installer pipeline allows an attacker to achieve arbitrary code execution as root (macOS/Linux) or SYSTEM (Windows) on managed ...
  Published: March 27, 2026; 3:16:43 PM -0400
  V3.1: 9.8 CRITICAL
- CVE-2026-34385 - Fleet is open source device management software. Prior to 4.81.0, a second-order SQL injection vulnerability in Fleet's Apple MDM profile delivery pipeline could allow an attacker with a valid MDM enrollment certificate to exfiltrate or modify the...
  Published: March 27, 2026; 3:16:43 PM -0400
  V3.1: 8.1 HIGH
- CVE-2026-33504 - Ory Hydra is an OAuth 2.0 Server and OpenID Connect Provider. Prior to version 26.2.0, the listOAuth2Clients, listOAuth2ConsentSessions, and listTrustedOAuth2JwtGrantIssuers Admin APIs in Ory Hydra are vulnerable to SQL injection due to flaws in i...
  Published: March 26, 2026; 2:16:31 PM -0400
- CVE-2026-33496 - ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to authentication bypass due to cache key confusion. The `oaut...
  Published: March 26, 2026; 2:16:30 PM -0400
- CVE-2026-33494 - ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to an authorization bypass via HTTP path traversal. An attacker...
  Published: March 26, 2026; 2:16:30 PM -0400
- CVE-2026-31350 - An authenticated stored cross-site scripting (XSS) vulnerability in Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Page Sign parameter.
  Published: April 06, 2026; 12:16:32 PM -0400
  V3.1: 5.4 MEDIUM
- CVE-2026-31351 - An authenticated stored cross-site scripting (XSS) vulnerability in the creation/editing module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Title parameter.
  Published: April 06, 2026; 12:16:32 PM -0400
- CVE-2026-31352 - An authenticated stored cross-site scripting (XSS) vulnerability in the Role Management module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Role Name parameter.
  Published: April 06, 2026; 12:16:33 PM -0400
  V3.1: 5.4 MEDIUM
- CVE-2026-31353 - An authenticated stored cross-site scripting (XSS) vulnerability in the Category module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name parameter.
  Published: April 06, 2026; 12:16:33 PM -0400
  V3.1: 5.4 MEDIUM