U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database
Icon for New NVD Communications and Status Updates Page
New Communications Page
The NVD now supports CVSS version 4.0!
CVSS v4.0 Support
The letters N V D typed out in binary
2.0 APIs

The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries CVSS Severity

  • CVE-2025-30289 - ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead in arbitrary code execution by an attacker. A low ... read CVE-2025-30289
    Published: April 08, 2025; 4:15:26 PM -0400

    V3.1: 8.2 HIGH

  • CVE-2024-40717 - A vulnerability in Veeam Backup & Replication allows a low-privileged user with certain roles to perform remote code execution (RCE) by updating existing jobs. These jobs can be configured to run pre- and post-scripts, which can be located on a ne... read CVE-2024-40717
    Published: December 03, 2024; 9:15:04 PM -0500

    V3.1: 8.8 HIGH

  • CVE-2024-42451 - A vulnerability in Veeam Backup & Replication allows low-privileged users to leak all saved credentials in plaintext. This is achieved by calling a series of methods over an external protocol, ultimately retrieving the credentials using a maliciou... read CVE-2024-42451
    Published: December 03, 2024; 9:15:04 PM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2024-42452 - A vulnerability in Veeam Backup & Replication allows a low-privileged user to start an agent remotely in server mode and obtain credentials, effectively escalating privileges to system-level access. This allows the attacker to upload files to the ... read CVE-2024-42452
    Published: December 03, 2024; 9:15:04 PM -0500

    V3.1: 8.8 HIGH

  • CVE-2024-42453 - A vulnerability Veeam Backup & Replication allows low-privileged users to control and modify configurations on connected virtual infrastructure hosts. This includes the ability to power off virtual machines, delete files in storage, and make confi... read CVE-2024-42453
    Published: December 03, 2024; 9:15:04 PM -0500

    V3.1: 8.1 HIGH

  • CVE-2024-42455 - A vulnerability in Veeam Backup & Replication allows a low-privileged user to connect to remoting services and exploit insecure deserialization by sending a serialized temporary file collection. This exploit allows the attacker to delete any file ... read CVE-2024-42455
    Published: December 03, 2024; 9:15:04 PM -0500

    V3.1: 8.1 HIGH

  • CVE-2024-42456 - A vulnerability in Veeam Backup & Replication platform allows a low-privileged user with a specific role to exploit a method that updates critical configuration settings, such as modifying the trusted client certificate used for authentication on ... read CVE-2024-42456
    Published: December 03, 2024; 9:15:05 PM -0500

    V3.1: 8.8 HIGH

  • CVE-2024-42457 - A vulnerability in Veeam Backup & Replication allows users with certain operator roles to expose saved credentials by leveraging a combination of methods in a remote management interface. This can be achieved using a session object that allows for... read CVE-2024-42457
    Published: December 03, 2024; 9:15:05 PM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2024-37547 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Livemesh Livemesh Addons for Elementor.This issue affects Livemesh Addons for Elementor: from n/a through 8.4.0.
    Published: July 06, 2024; 11:15:10 AM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2023-2603 - A vulnerability was found in libcap. This issue occurs in the _libcap_strdup() function and can lead to an integer overflow if the input string is close to 4GiB.
    Published: June 06, 2023; 4:15:13 PM -0400

    V3.1: 7.8 HIGH

  • CVE-2024-0864 - Enabling Simple Ajax Uploader plugin included in Laragon open-source software allows for a remote code execution (RCE) attack via an improper input validation in a file_upload.php file which serves as an example. By default, Laragon is not vulnera... read CVE-2024-0864
    Published: February 29, 2024; 8:15:07 AM -0500

  • CVE-2024-45204 - A vulnerability exists where a low-privileged user can exploit insufficient permissions in credential handling to leak NTLM hashes of saved credentials. The exploitation involves using retrieved credentials to expose sensitive NTLM hashes, impacti... read CVE-2024-45204
    Published: December 03, 2024; 9:15:05 PM -0500

    V3.1: 4.3 MEDIUM

  • CVE-2024-54927 - Kashipara E-learning Management System v1.0 is vulnerable to SQL Injection in /admin/delete_users.php.
    Published: December 09, 2024; 2:15:16 PM -0500

  • CVE-2024-54928 - kashipara E-learning Management System v1.0 is vulnerable to SQL Injection in /admin/delete_teacher.php,
    Published: December 09, 2024; 2:15:16 PM -0500

  • CVE-2024-41446 - A stored cross-site scripting (XSS) vulnerability in Alkacon OpenCMS v17.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the image parameter under the Create/Modify article function.
    Published: April 21, 2025; 10:15:35 AM -0400

  • CVE-2024-42699 - Cross Site Scripting vulnerability in Create/Modify article function in Alkacon OpenCMS 17.0 allows remote attacker to inject javascript payload via image title sub-field in the image field
    Published: April 21, 2025; 11:15:58 AM -0400

  • CVE-2025-28121 - code-projects Online Exam Mastering System 1.0 is vulnerable to Cross Site Scripting (XSS) in feedback.php via the "q" parameter allowing remote attackers to execute arbitrary code.
    Published: April 21, 2025; 11:15:59 AM -0400

  • CVE-2025-29287 - An arbitrary file upload vulnerability in the ueditor component of MCMS v5.4.3 allows attackers to execute arbitrary code via uploading a crafted file.
    Published: April 21, 2025; 11:15:59 AM -0400

  • CVE-2025-43919 - GNU Mailman 2.1.39, as bundled in cPanel (and WHM), allows unauthenticated attackers to read arbitrary files via ../ directory traversal at /mailman/private/mailman (aka the private archive authentication endpoint) via the username parameter.
    Published: April 19, 2025; 9:15:45 PM -0400

    V3.1: 7.5 HIGH

  • CVE-2025-43920 - GNU Mailman 2.1.39, as bundled in cPanel (and WHM), in certain external archiver configurations, allows unauthenticated attackers to execute arbitrary OS commands via shell metacharacters in an email Subject line.
    Published: April 19, 2025; 9:15:45 PM -0400

    V3.1: 8.1 HIGH

Created September 20, 2022 , Updated August 27, 2024