U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database
Icon for New NVD Communications and Status Updates Page
New Communications Page
The NVD now supports CVSS version 4.0!
CVSS v4.0 Support
The letters N V D typed out in binary
2.0 APIs

The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries CVSS Severity

  • CVE-2025-46101 - SQL Injection vulnerability in Beakon Software Beakon Learning Management System Sharable Content Object Reference Model (SCORM) version before 5.4.3 allows a remote attacker to obtain sensitive information via the ks parameter in json_scorm.php file
    Published: June 23, 2025; 11:15:27 AM -0400

  • CVE-2025-46612 - The Panel Designer dashboard in Airleader Master and Easy before 6.36 allows remote attackers to execute arbitrary commands via a wizard/workspace.jsp unrestricted file upload. To exploit this, the attacker must login to the administrator console ... read CVE-2025-46612
    Published: June 10, 2025; 11:15:25 AM -0400

  • CVE-2025-59238 - Use after free in Microsoft Office PowerPoint allows an unauthorized attacker to execute code locally.
    Published: October 14, 2025; 1:16:05 PM -0400

    V3.1: 7.8 HIGH

  • CVE-2025-59243 - Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
    Published: October 14, 2025; 1:16:06 PM -0400

    V3.1: 7.8 HIGH

  • CVE-2025-59221 - Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
    Published: October 14, 2025; 1:16:02 PM -0400

    V3.1: 7.0 HIGH

  • CVE-2025-46398 - In xfig diagramming tool, a stack-overflow while running fig2dev allows memory corruption via local input manipulation via read_objects function.
    Published: April 23, 2025; 5:15:16 PM -0400

    V3.1: 5.5 MEDIUM

  • CVE-2025-59222 - Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
    Published: October 14, 2025; 1:16:02 PM -0400

    V3.1: 7.8 HIGH

  • CVE-2025-59232 - Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.
    Published: October 14, 2025; 1:16:04 PM -0400

    V3.1: 7.1 HIGH

  • CVE-2025-59235 - Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.
    Published: October 14, 2025; 1:16:05 PM -0400

    V3.1: 7.1 HIGH

  • CVE-2025-59218 - Azure Entra ID Elevation of Privilege Vulnerability
    Published: October 09, 2025; 5:15:38 PM -0400

    V3.1: 9.6 CRITICAL

  • CVE-2025-59246 - Azure Entra ID Elevation of Privilege Vulnerability
    Published: October 09, 2025; 5:15:38 PM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2025-46399 - A flaw was found in fig2dev. This vulnerability allows availability via local input manipulation via genge_itp_spline function.
    Published: April 23, 2025; 5:15:17 PM -0400

    V3.1: 5.5 MEDIUM

  • CVE-2025-46400 - In xfig diagramming tool, a segmentation fault while running fig2dev allows an attacker to availability via local input manipulation via read_arcobject function.
    Published: April 23, 2025; 5:15:17 PM -0400

    V3.1: 5.5 MEDIUM

  • CVE-2025-46546 - In Sherpa Orchestrator 141851, multiple time-based blind SQL injections can be performed by an authenticated user. This affects api/gui/asset/list, /api/gui/files/export/csv/, /api/gui/files/list, /api/gui/process/export/csv, /api/gui/process/expo... read CVE-2025-46546
    Published: April 24, 2025; 11:15:20 PM -0400

    V3.1: 8.8 HIGH

  • CVE-2025-46547 - In Sherpa Orchestrator 141851, the web application lacks protection against CSRF attacks, with resultant effects of an attacker conducting XSS attacks, adding a new user or role, or exploiting a SQL injection issue.
    Published: April 24, 2025; 11:15:20 PM -0400

    V3.1: 6.1 MEDIUM

  • CVE-2025-46653 - Formidable (aka node-formidable) 2.1.0 through 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not "cryptographically secure." (Also, there is a scenario in whic... read CVE-2025-46653
    Published: April 26, 2025; 5:15:14 PM -0400

    V3.1: 8.8 HIGH

  • CVE-2025-46656 - python-markdownify (aka markdownify) before 0.14.1 allows large headline prefixes such as <h9999999> in addition to <h1> through <h6>. This causes memory consumption.
    Published: April 26, 2025; 6:15:17 PM -0400

    V3.1: 3.3 LOW

  • CVE-2025-10035 - A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.
    Published: September 18, 2025; 6:15:41 PM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2025-50175 - Use after free in Windows Digital Media allows an authorized attacker to elevate privileges locally.
    Published: October 14, 2025; 1:15:43 PM -0400

    V3.1: 7.8 HIGH

  • CVE-2025-59223 - Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
    Published: October 14, 2025; 1:16:02 PM -0400

    V3.1: 7.8 HIGH

Created September 20, 2022 , Updated August 27, 2024