U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database
Icon for New NVD Communications and Status Updates Page
New Communications Page
The NVD now supports CVSS version 4.0!
CVSS v4.0 Support
The letters N V D typed out in binary
2.0 APIs

The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries CVSS Severity

  • CVE-2024-12900 - A vulnerability classified as critical has been found in FoxCMS up to 1.2. Affected is an unknown function of the file /install/installdb.php of the component Configuration File Handler. The manipulation of the argument database password leads to ... read CVE-2024-12900
    Published: December 22, 2024; 9:15:05 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2025-3792 - A vulnerability, which was classified as critical, has been found in SeaCMS up to 13.3. This issue affects some unknown processing of the file /admin_link.php?action=delall. The manipulation of the argument e_id leads to sql injection. The attack ... read CVE-2025-3792
    Published: April 18, 2025; 11:15:59 AM -0400

    V3.1: 7.2 HIGH

  • CVE-2025-3797 - A vulnerability classified as critical was found in SeaCMS up to 13.3. This vulnerability affects unknown code of the file /admin_topic.php?action=delall. The manipulation of the argument e_id leads to sql injection. The attack can be initiated re... read CVE-2025-3797
    Published: April 19, 2025; 3:15:13 AM -0400

    V3.1: 7.2 HIGH

  • CVE-2024-10116 - The Twitter Follow Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'username' parameter in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping. This makes it possible f... read CVE-2024-10116
    Published: November 22, 2024; 11:15:07 PM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2025-3798 - A vulnerability, which was classified as critical, has been found in WCMS 11. This issue affects the function sub of the file app/admin/AdvadminController.php of the component Advertisement Image Handler. The manipulation leads to unrestricted upl... read CVE-2025-3798
    Published: April 19, 2025; 6:15:15 AM -0400

    V3.1: 7.2 HIGH

  • CVE-2025-3799 - A vulnerability, which was classified as critical, was found in WCMS 11. Affected is an unknown function of the file app/controllers/AnonymousController.php. The manipulation of the argument email/username leads to sql injection. It is possible to... read CVE-2025-3799
    Published: April 19, 2025; 7:15:48 AM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2025-3800 - A vulnerability has been found in WCMS 11 and classified as critical. Affected by this vulnerability is an unknown functionality of the file app/controllers/AnonymousController.php. The manipulation of the argument mobile_phone leads to sql inject... read CVE-2025-3800
    Published: April 19, 2025; 8:15:13 AM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2024-56325 - Authentication Bypass Issue If the path does not contain / and contain., authentication is not required. Expected Normal Request and Response Example curl -X POST -H "Content-Type: application/json" -d {\"username\":\"hack2\",\"password\":\"hac... read CVE-2024-56325
    Published: April 01, 2025; 5:15:15 AM -0400

  • CVE-2023-40714 - A relative path traversal in Fortinet FortiSIEM versions 7.0.0, 6.7.0 through 6.7.2, 6.6.0 through 6.6.3, 6.5.1, 6.5.0 allows attacker to escalate privilege via uploading certain GUI elements
    Published: April 02, 2025; 4:15:13 AM -0400

    V3.1: 8.8 HIGH

  • CVE-2024-56475 - IBM TXSeries for Multiplatforms 9.1 and 11.1 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to cr... read CVE-2024-56475
    Published: April 02, 2025; 12:17:39 PM -0400

    V3.1: 5.4 MEDIUM

  • CVE-2025-0154 - IBM TXSeries for Multiplatforms 9.1 and 11.1 could disclose sensitive information to a remote attacker due to improper neutralization of HTTP headers.
    Published: April 02, 2025; 12:17:40 PM -0400

    V3.1: 7.5 HIGH

  • CVE-2024-56476 - IBM TXSeries for Multiplatforms 9.1 and 11.1 could allow an attacker to enumerate usernames due to an observable login attempt response discrepancy.
    Published: April 02, 2025; 12:17:40 PM -0400

    V3.1: 5.3 MEDIUM

  • CVE-2025-30677 - Apache Pulsar contains multiple connectors for integrating with Apache Kafka. The Pulsar IO Apache Kafka Source Connector, Sink Connector, and Kafka Connect Adaptor Sink Connector log sensitive configuration properties in plain text in application... read CVE-2025-30677
    Published: April 09, 2025; 8:15:15 AM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2025-31672 - Improper Input Validation vulnerability in Apache POI. The issue affects the parsing of OOXML format files like xlsx, docx and pptx. These file formats are basically zip files and it is possible for malicious users to add zip entries with duplicat... read CVE-2025-31672
    Published: April 09, 2025; 8:15:15 AM -0400

  • CVE-2019-16149 - An Improper Neutralization of Input During Web Page Generation in FortiClientEMS version 6.2.0 may allow a remote attacker to execute unauthorized code by injecting malicious payload in the user profile of a FortiClient instance being managed by t... read CVE-2019-16149
    Published: March 28, 2025; 6:15:13 AM -0400

    V3.1: 6.1 MEDIUM

  • CVE-2024-58130 - In app/Controller/Component/RestResponseComponent.php in MISP before 2.4.193, REST endpoints have a lack of sanitization for non-JSON responses.
    Published: March 28, 2025; 6:15:17 PM -0400

    V3.1: 6.1 MEDIUM

  • CVE-2025-2549 - A vulnerability has been found in D-Link DIR-618 and DIR-605L 2.02/3.02 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /goform/formSetPassword. The manipulation leads to improper access contro... read CVE-2025-2549
    Published: March 20, 2025; 1:15:38 PM -0400

    V3.1: 8.8 HIGH

  • CVE-2025-2711 - A vulnerability was found in Yonyou UFIDA ERP-NC 5.0. It has been classified as problematic. Affected is an unknown function of the file /help/systop.jsp. The manipulation of the argument langcode leads to cross site scripting. It is possible to l... read CVE-2025-2711
    Published: March 24, 2025; 5:15:18 PM -0400

    V3.1: 6.1 MEDIUM

  • CVE-2025-2547 - A vulnerability, which was classified as problematic, has been found in D-Link DIR-618 and DIR-605L 2.02/3.02. This issue affects some unknown processing of the file /goform/formAdvNetwork. The manipulation leads to improper access controls. The a... read CVE-2025-2547
    Published: March 20, 2025; 12:15:16 PM -0400

    V3.1: 4.3 MEDIUM

  • CVE-2025-46953 - Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript ... read CVE-2025-46953
    Published: June 10, 2025; 7:15:39 PM -0400

    V3.1: 5.4 MEDIUM

Created September 20, 2022 , Updated August 27, 2024