U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database
Icon for New NVD Communications and Status Updates Page
New Communications Page
The NVD now supports CVSS version 4.0!
CVSS v4.0 Support
The letters N V D typed out in binary
2.0 APIs

The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries CVSS Severity

  • CVE-2024-43609 - Microsoft Office Spoofing Vulnerability
    Published: October 08, 2024; 2:15:29 PM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2024-43497 - DeepSpeed Remote Code Execution Vulnerability
    Published: October 08, 2024; 2:15:11 PM -0400

    V3.1: 7.8 HIGH

  • CVE-2024-43480 - Azure Service Fabric for Linux Remote Code Execution Vulnerability
    Published: October 08, 2024; 2:15:09 PM -0400

    V3.1: 6.6 MEDIUM

  • CVE-2024-48911 - OpenCanary, a multi-protocol network honeypot, directly executed commands taken from its config file. Prior to version 0.9.4, where the config file is stored in an unprivileged user directory but the daemon is executed by root, it’s possible for t... read CVE-2024-48911
    Published: October 14, 2024; 5:15:12 PM -0400

    V3.1: 7.8 HIGH

  • CVE-2024-9687 - The WP 2FA with Telegram plugin for WordPress is vulnerable to Authentication Bypass in versions up to, and including, 3.0. This is due to insufficient validation of the user-controlled key on the 'validate_tg' action. This makes it possible for a... read CVE-2024-9687
    Published: October 14, 2024; 10:15:02 PM -0400

    V3.1: 8.8 HIGH

  • CVE-2024-6757 - The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Basic Information Exposure in all versions up to, and including, 3.23.5 via the get_image_alt function. This makes it possible for authenticated at... read CVE-2024-6757
    Published: October 14, 2024; 10:15:02 PM -0400

    V3.1: 4.3 MEDIUM

  • CVE-2024-43501 - Windows Common Log File System Driver Elevation of Privilege Vulnerability
    Published: October 08, 2024; 2:15:11 PM -0400

    V3.1: 7.8 HIGH

  • CVE-2024-30117 - A dynamic search for a prerequisite library could allow the possibility for an attacker to replace the correct file under some circumstances.
    Published: October 14, 2024; 7:15:11 PM -0400

    V3.1: 5.3 MEDIUM

  • CVE-2024-43500 - Windows Resilient File System (ReFS) Information Disclosure Vulnerability
    Published: October 08, 2024; 2:15:11 PM -0400

    V3.1: 5.5 MEDIUM

  • CVE-2024-9953 - A potential denial-of-service (DoS) vulnerability exists in CERT VINCE software versions prior to 3.0.8. An authenticated administrative user can inject an arbitrary pickle object into a user’s profile, which may lead to a DoS condition when the p... read CVE-2024-9953
    Published: October 14, 2024; 6:15:03 PM -0400

    V3.1: 4.9 MEDIUM

  • CVE-2024-43502 - Windows Kernel Elevation of Privilege Vulnerability
    Published: October 08, 2024; 2:15:11 PM -0400

    V3.1: 7.1 HIGH

  • CVE-2024-45461 - The CloudStack Quota feature allows cloud administrators to implement a quota or usage limit system for cloud resources, and is disabled by default. In environments where the feature is enabled, due to missing access check enforcements, non-admini... read CVE-2024-45461
    Published: October 16, 2024; 4:15:05 AM -0400

    V3.1: 6.3 MEDIUM

  • CVE-2024-9895 - The Smart Online Order for Clover plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's moo_receipt_link shortcode in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping ... read CVE-2024-9895
    Published: October 15, 2024; 5:15:03 AM -0400

    V3.1: 5.4 MEDIUM

  • CVE-2024-9944 - The WooCommerce plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 9.0.2. This is due to the plugin not properly neutralizing HTML elements from submitted order forms. This makes it possible for unauthentica... read CVE-2024-9944
    Published: October 15, 2024; 2:15:02 AM -0400

    V3.1: 6.1 MEDIUM

  • CVE-2024-21535 - Versions of the package markdown-to-jsx before 7.4.0 are vulnerable to Cross-site Scripting (XSS) via the src property due to improper input sanitization. An attacker can execute arbitrary code by injecting a malicious iframe element in the markdown.
    Published: October 15, 2024; 1:15:11 AM -0400

    V3.1: 6.1 MEDIUM

  • CVE-2024-9971 - The specific query functionality in the FlowMaster BPM Plus from NewType does not properly restrict user input, allowing remote attackers with regular privileges to inject SQL commands to read, modify, or delete database contents.
    Published: October 15, 2024; 12:15:05 AM -0400

    V3.1: 8.8 HIGH

  • CVE-2024-9970 - The FlowMaster BPM Plus system from NewType has a privilege escalation vulnerability. Remote attackers with regular privileges can elevate their privileges to administrator by tampering with a specific cookie.
    Published: October 15, 2024; 12:15:04 AM -0400

    V3.1: 8.8 HIGH

  • CVE-2024-9964 - Inappropriate implementation in Payments in Google Chrome prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low)
    Published: October 15, 2024; 5:15:12 PM -0400

    V3.1: 4.3 MEDIUM

  • CVE-2024-45462 - The logout operation in the CloudStack web interface does not expire the user session completely which is valid until expiry by time or restart of the backend service. An attacker that has access to a user's browser can use an unexpired session to... read CVE-2024-45462
    Published: October 16, 2024; 4:15:05 AM -0400

    V3.1: 7.1 HIGH

  • CVE-2024-45693 - Users logged into the Apache CloudStack's web interface can be tricked to submit malicious CSRF requests due to missing validation of the origin of the requests. This can allow an attacker to gain privileges and access to resources of the authenti... read CVE-2024-45693
    Published: October 16, 2024; 4:15:06 AM -0400

    V3.1: 8.8 HIGH

Created September 20, 2022 , Updated August 27, 2024