
The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries (CVSS severity listed where a V3.1 score has been assigned)
  • CVE-2024-28864 - SecureProps is a PHP library designed to simplify the encryption and decryption of property data in objects. A vulnerability in SecureProps version 1.2.0 and 1.2.1 involves a regex failing to detect tags during decryption of encrypted data. This o... read CVE-2024-28864
    Published: March 18, 2024; 6:15:09 PM -0400

  • CVE-2024-1432 - ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in DeepFaceLab pretrained DF.wf.288res.384.92.72.22 and classified as problematic. This issue affects the function apply_xseg of the file main.py. The manipulation leads to deserialization.... read CVE-2024-1432
    Published: February 10, 2024; 10:15:08 PM -0500

  • CVE-2025-61924 - PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. In versions prior to 4.4.1 and 5.0.5, the target PayPal merchant account can be hijacked from the back office due to incorrect usage of the PHP array_search() function. The vulnerab... read CVE-2025-61924
    Published: October 16, 2025; 2:15:39 PM -0400

  • CVE-2025-61922 - PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. Starting in version 1.3.0 and prior to versions 4.4.1 and 5.0.5, missing validation on the Express Checkout feature allows silent login, enabling account tak... read CVE-2025-61922
    Published: October 16, 2025; 2:15:38 PM -0400

  • CVE-2025-61923 - PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. In versions prior to 4.4.1 and 5.0.5, the backoffice is missing validation on input resulting in a directory traversal and arbitrary file disclosure. The vul... read CVE-2025-61923
    Published: October 16, 2025; 2:15:38 PM -0400

  • CVE-2025-49131 - FastGPT is an open-source project that provides a platform for building, deploying, and operating AI-driven workflows and conversational agents. The Sandbox container (fastgpt-sandbox) is a specialized, isolated environment used by FastGPT to safe... read CVE-2025-49131
    Published: June 09, 2025; 9:15:24 AM -0400

    V3.1: 9.9 CRITICAL

  • CVE-2025-27600 - FastGPT is a knowledge-based platform built on the LLMs. Since the web crawling plug-in does not perform intranet IP verification, an attacker can initiate an intranet IP request, causing the system to initiate a request through the intranet and p... read CVE-2025-27600
    Published: March 06, 2025; 2:15:28 PM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2025-62612 - FastGPT is an AI Agent building platform. Prior to version 4.11.1, in the workflow file reading node, the network link is not security-verified, posing a risk of SSRF attacks. This issue has been patched in version 4.11.1.
    Published: October 22, 2025; 5:15:46 PM -0400

    V3.1: 5.3 MEDIUM

  • CVE-2025-52552 - FastGPT is an AI Agent building platform. Prior to version 4.9.12, the LastRoute Parameter on login page is vulnerable to open redirect and DOM-based XSS. Improper validation and lack of sanitization of this parameter allows attackers execute mali... read CVE-2025-52552
    Published: June 20, 2025; 11:15:24 PM -0400

    V3.1: 6.1 MEDIUM

  • CVE-2025-62690 - Mattermost versions 10.11.x <= 10.11.4 fail to validate redirect URLs on the /error page, which allows an attacker to redirect a victim to a malicious site via a crafted link opened in a new tab.
    Published: December 17, 2025; 8:15:58 AM -0500

    V3.1: 6.1 MEDIUM

  • CVE-2025-62190 - Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 and Mattermost Calls versions <=1.10.0 fail to implement CSRF protection on the Calls widget page which allows an authenticated attacker to initiate calls and inject mess... read CVE-2025-62190
    Published: December 17, 2025; 8:15:58 AM -0500

  • CVE-2025-13352 - Mattermost versions 10.11.x <= 10.11.6 and Mattermost GitHub plugin versions <=2.4.0 fail to validate plugin bot identity in reaction forwarding which allows attackers to hijack the GitHub reaction feature to make users add reactions to arbitrary ... read CVE-2025-13352
    Published: December 17, 2025; 8:15:56 AM -0500

  • CVE-2025-14273 - Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 with the Jira plugin enabled and Mattermost Jira plugin versions <=4.4.0 fail to enforce authentication and issue-key path restrictions in the Jira plug... read CVE-2025-14273
    Published: December 22, 2025; 7:16:19 AM -0500

    V3.1: 8.3 HIGH

  • CVE-2025-13324 - Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy (version 1) protocol or when the confirming party does not provide a refreshed token, which allows a... read CVE-2025-13324
    Published: December 17, 2025; 2:16:01 PM -0500

  • CVE-2025-12689 - Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 fail to check WebSocket request field for proper UTF-8 format, which allows attacker to crash Calls plug-in via sending malformed request.
    Published: December 17, 2025; 2:16:00 PM -0500

  • CVE-2025-12771 - IBM Concert 1.0.0 through 2.1.0 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. A local user could overflow the buffer and execute arbitrary code on the system.
    Published: December 26, 2025; 8:15:45 AM -0500

    V3.1: 7.8 HIGH

  • CVE-2025-1721 - IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory.
    Published: December 26, 2025; 8:15:46 AM -0500

    V3.1: 7.5 HIGH

  • CVE-2025-36228 - IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 may have inconsistent permissions between the user interface and the backend API, allowing users to access features that appeared disabled, potentially leading to misuse.
    Published: December 26, 2025; 10:15:46 AM -0500

    V3.1: 3.8 LOW

  • CVE-2025-36229 - IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 could allow authenticated users to obtain sensitive information by enumerating package identifiers.
    Published: December 26, 2025; 10:15:46 AM -0500

    V3.1: 4.3 MEDIUM

  • CVE-2025-36230 - IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site.
    Published: December 26, 2025; 10:15:46 AM -0500

    V3.1: 5.4 MEDIUM
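Several entries in the list share two failure modes: a server-side fetcher that follows an attacker-supplied URL into the intranet (the FastGPT web-crawler and workflow file-reading SSRF entries, CVE-2025-27600 and CVE-2025-62612), and a return-to parameter that is redirected to without validation (the FastGPT LastRoute entry, CVE-2025-52552, and the Mattermost /error entry, CVE-2025-62690). The Python below is an added example of the allow-list checks a practitioner would put in front of both. It is not code from FastGPT, Mattermost or NIST; the blocked address ranges, the constructed DNS table, and every function name are this example's own assumptions.

```python
"""Added example: allow-list checks against SSRF fetch targets and open redirects.
Not code from any project listed above; names and ranges are this example's choices."""
import ipaddress
import socket
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

# Destinations a server-side fetcher must never be steered to: loopback, RFC 1918,
# link-local (which includes the cloud metadata address 169.254.169.254), CGNAT,
# multicast/reserved, and their IPv6 counterparts. Listed explicitly rather than via
# ipaddress.is_private, whose coverage differs between Python versions.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

Resolver = Callable[[str], Iterable[str]]

# Constructed DNS table so the example runs offline; a real deployment uses
# system_resolver below.
CONSTRUCTED_DNS = {
    "www.example.com": ["93.184.216.34"],
    "intranet.corp.example": ["10.0.0.5"],
    "localhost": ["127.0.0.1", "::1"],
}


def constructed_resolver(host: str) -> list[str]:
    """Offline stand-in for DNS; unknown names fail like a real NXDOMAIN."""
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror(f"constructed resolver: no record for {host}")
    return CONSTRUCTED_DNS[host]


def system_resolver(host: str) -> list[str]:
    """Resolve with the OS resolver and return every A/AAAA answer."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_blocked_address(ip_text: str) -> bool:
    """True if the address falls in any non-public range above."""
    ip = ipaddress.ip_address(ip_text)
    # ::ffff:10.0.0.1 is the same host as 10.0.0.1; compare the embedded IPv4.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS if net.version == ip.version)


def fetch_target_allowed(url: str, resolve: Resolver = system_resolver) -> bool:
    """Allow a server-side fetch only if the scheme is http(s) and *every*
    address the host resolves to is public. Unresolvable hosts fail closed."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname  # lower-cased, brackets stripped from IPv6 literals
    try:
        # Non-literal forms such as "2130706433" or "0x7f000001" go through the
        # resolver, which sees them the same way the HTTP client would.
        candidates = [host] if _is_ip_literal(host) else list(resolve(host))
    except (OSError, ValueError):
        return False
    if not candidates:
        return False
    return not any(is_blocked_address(addr) for addr in candidates)


def safe_redirect_path(candidate: Optional[str], fallback: str = "/") -> str:
    """Accept only a same-origin absolute path for a post-login redirect.
    Anything with a scheme or authority (https://evil, //evil, /\\evil,
    javascript:...) or with control characters falls back to a fixed path."""
    if not candidate:
        return fallback
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in candidate):
        return fallback  # CR/LF would let the value break out of a Location header
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return fallback
    # Browsers treat "//host" and "/\host" as scheme-relative URLs to another origin.
    if not candidate.startswith("/") or candidate[1:2] in ("/", "\\"):
        return fallback
    return candidate


if __name__ == "__main__":
    for u in ("https://www.example.com/", "http://intranet.corp.example/",
              "http://169.254.169.254/latest/meta-data/", "http://[::ffff:10.0.0.1]/"):
        print(f"{u:45} fetch allowed: {fetch_target_allowed(u, constructed_resolver)}")
    for r in ("/dashboard?tab=1", "//evil.example/", "javascript:alert(1)", None):
        print(f"{str(r):45} redirect -> {safe_redirect_path(r)}")
```

The fetch check rejects a host if any of its answers is internal, since the client may pick any of them. It is still a check-then-use pattern: a second lookup at connect time can return a different (internal) address, so a hardened fetcher connects to the address it validated and sends the original hostname in the Host header or TLS SNI instead of resolving again. The redirect check takes the opposite approach and never tries to validate an absolute URL; a fixed fallback path is the simplest way to rule out the redirect and javascript: cases together.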

Created September 20, 2022 , Updated August 27, 2024