The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries, with CVSS Severity
  • CVE-2026-26887 - Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_supplier.php.
    Published: March 03, 2026; 3:16:48 PM -0500

  • CVE-2026-26888 - Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_stock.php.
    Published: March 03, 2026; 3:16:48 PM -0500

  • CVE-2026-26889 - Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_category.php.
    Published: March 03, 2026; 3:16:48 PM -0500

  • CVE-2026-26891 - Sourcecodester Logistic Hub Parcel's Management System v1.0 is vulnerable to SQL Injection in /manage_parcel_type.php.
    Published: March 03, 2026; 3:16:49 PM -0500

  • CVE-2025-13686 - IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 could allow an authenticated user to execute arbitrary commands with normal user privileges on the system due to improper validation of user supplied input through the job subroutine component.
    Published: March 03, 2026; 4:15:55 PM -0500

    V3.1: 8.8 HIGH

  • CVE-2025-13687 - IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 could allow an authenticated user to execute arbitrary commands with normal user privileges on the system due to improper validation of user supplied input through the user-defined function c...
    Published: March 03, 2026; 4:15:56 PM -0500

    V3.1: 8.8 HIGH

  • CVE-2025-13688 - IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 could allow an authenticated user to execute arbitrary commands with normal user privileges on the system due to improper validation of user supplied input through the wrapped command component.
    Published: March 03, 2026; 4:15:56 PM -0500

    V3.1: 8.8 HIGH

  • CVE-2026-27495 - n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could exploit a vulnerability in the JavaScript Task Runner sandbox to execute a...
    Published: February 25, 2026; 6:16:20 PM -0500

    V3.1: 9.9 CRITICAL

  • CVE-2026-27497 - n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could leverage the Merge node's SQL query mode to execute arbitrary code and wri...
    Published: February 25, 2026; 6:16:21 PM -0500

    V3.1: 8.8 HIGH

  • CVE-2026-27498 - n8n is an open source workflow automation platform. Prior to versions 2.2.0 and 1.123.8, an authenticated user with permission to create or modify workflows could chain the Read/Write Files from Disk node with git operations to achieve remote code...
    Published: February 25, 2026; 6:16:21 PM -0500

    V3.1: 8.8 HIGH

  • CVE-2026-27577 - n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, additional exploits in the expression evaluation of n8n have been identified and patched following CVE-2025-68613. An authenticated user with permis...
    Published: February 25, 2026; 6:16:21 PM -0500

    V3.1: 8.8 HIGH

  • CVE-2026-27578 - n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could inject arbitrary scripts into pages rendered by the n8n application using ...
    Published: February 25, 2026; 6:16:21 PM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2026-27613 - TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. A vulnerability in versions prior to 2.01 allows unauthenticated remote attackers to bypass the web server's CGI parameter security controls. Depending on the server configuration ...
    Published: February 25, 2026; 6:16:21 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2026-27800 - Zed, a code editor, has a Zip Slip (Path Traversal) vulnerability in its extension archive extraction functionality prior to version 0.224.4. The `extract_zip()` function in `crates/util/src/archive.rs` fails to validate ZIP entry filenames...
    Published: February 25, 2026; 7:16:25 PM -0500

    V3.1: 7.4 HIGH

  • CVE-2026-27804 - Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.3 and 9.1.1-alpha.4, an unauthenticated attacker can forge a Google authentication token with `alg: "none"` to log in as ...
    Published: February 25, 2026; 7:16:25 PM -0500

    V3.1: 9.1 CRITICAL

  • CVE-2026-28555 - wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to close or reopen any forum topic via the wpforo_close_ajax handler. Attackers submit a valid nonce with an arbitrary topic ID to bypass the ...
    Published: February 28, 2026; 5:16:02 PM -0500

    V3.1: 4.3 MEDIUM

  • CVE-2026-28556 - wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to move, merge, or split any forum topic via the topic_move, topic_merge, and topic_split form action handlers. Attackers with a valid form no...
    Published: February 28, 2026; 5:16:02 PM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2026-28557 - wpForo Forum 2.4.14 contains a missing capability check vulnerability that allows authenticated users to trigger bulk wpForo usergroup reassignment via the wpforo_synch_roles AJAX handler. Attackers access the usergroups admin page, accessible to ...
    Published: February 28, 2026; 5:16:02 PM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2026-28558 - wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows authenticated subscribers to upload SVG files as profile avatars through the avatar upload functionality. Attackers upload a crafted SVG containing CSS injection ...
    Published: February 28, 2026; 5:16:02 PM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2026-28559 - wpForo Forum 2.4.14 contains an information disclosure vulnerability that allows unauthenticated users to retrieve private and unapproved forum topics via the global RSS feed endpoint. Attackers request the RSS feed without a forum ID parameter, b...
    Published: February 28, 2026; 5:16:02 PM -0500

    V3.1: 5.3 MEDIUM

Created September 20, 2022, Updated August 27, 2024