The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
-
CVE-2026-47280 - Improper authentication in Azure Resource Manager (ARM) allows an unauthorized attacker to elevate privileges over a network.
Published: May 22, 2026; 7:16:56 PM -0400
V3.1: 9.8 CRITICAL
-
CVE-2026-42348 - OpenTelemetry.OpAmp.Client is the OpAMP client for OpenTelemetry .NET. Prior to 0.2.0-alpha.1, when receiving responses from the OpAMP server over HTTP, the OpAMP client allocates an unbounded buffer to read all bytes from the server, with no uppe...
Published: May 12, 2026; 2:17:24 PM -0400
V3.1: 7.5 HIGH
-
CVE-2018-25357 - Dolibarr ERP CRM 7.0.3 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP code through the db_name parameter. Attackers can send a POST request to install/step1.php with ...
Published: May 23, 2026; 3:16:56 PM -0400
-
CVE-2026-48694 - FastNetMon Community Edition through 1.2.9 contains a configuration injection vulnerability in the Juniper router integration plugin. In src/juniper_plugin/fastnetmon_juniper.php, the $IP_ATTACK variable (received from argv[1]) is directly interpo...
Published: May 26, 2026; 2:16:52 PM -0400
V3.1: 8.1 HIGH
-
CVE-2026-48695 - FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the MikroTik router integration plugin. The _log() function in src/mikrotik_plugin/fastnetmon_mikrotik.php (lines 107-108) constructs shell commands by co...
Published: May 26, 2026; 2:16:52 PM -0400
V3.1: 8.1 HIGH
-
CVE-2026-48696 - FastNetMon Community Edition through 1.2.9 has a buffer overflow, a different vulnerability than CVE-2026-48686 and CVE-2026-48689.
Published: May 26, 2026; 2:16:53 PM -0400
V3.1: 6.2 MEDIUM
-
CVE-2026-4051 - IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an attacker with administrative privileges to execute remote code due to exposed method that is not properly restricted.
Published: May 26, 2026; 3:16:28 PM -0400
-
CVE-2026-44730 - OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.9.7, an organization admin can escalate their privileges by adding a user from a different organization with higher privileges, to thei...
Published: May 26, 2026; 2:16:51 PM -0400
-
CVE-2026-48697 - FastNetMon Community Edition through 1.2.9 does not verify TLS certificates on outbound HTTPS connections. The execute_web_request_secure() function in src/fast_library.cpp creates a boost::asio::ssl::context with tls_client mode and calls set_def...
Published: May 26, 2026; 1:16:53 PM -0400
V3.1: 7.4 HIGH
-
CVE-2026-46745 - Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability (CWE-90) that allows unauthenticated attackers to exfiltrate directory data or bypass authentication. Upgrade to apache-airflow-providers-fab 3.6.4 or later. If immedi...
Published: May 25, 2026; 7:16:18 AM -0400
-
CVE-2026-48691 - FastNetMon Community Edition through 1.2.9 contains an integer overflow in the BGP AS_PATH attribute encoder. In src/bgp_protocol.hpp, the IPv4UnicastAnnounce::get_attributes() function computes attribute_length as 'sizeof(bgp_as_path_segment_elem...
Published: May 26, 2026; 1:16:53 PM -0400
V3.1: 9.8 CRITICAL
-
CVE-2026-41069 - libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, a malformed HEIF sequence file can trigger an out-of-bounds read in core sequence parsing logic, causing DoS. A malformed file can have stco.entry_count == 0...
Published: May 22, 2026; 5:16:43 PM -0400
-
CVE-2026-41071 - libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, a crafted HEIF sequence file where the saiz box declares more samples than actually exist in the track's chunk table causes a heap-buffer-overflow (out-of-bo...
Published: May 22, 2026; 6:16:55 PM -0400
V3.1: 8.1 HIGH
-
CVE-2026-8492 - Modification of Assumed-Immutable Data (MAID) vulnerability in Drupal Translate Drupal with GTranslate allows Resource Location Spoofing. This issue affects Translate Drupal with GTranslate: from 0.0.0 before 3.0.5.
Published: May 19, 2026; 7:16:58 PM -0400
-
CVE-2026-8495 - Missing Authorization vulnerability in Drupal Date iCal allows Forceful Browsing. This issue affects Date iCal: from 0.0.0 before 4.0.15.
Published: May 19, 2026; 7:16:59 PM -0400
-
CVE-2026-8493 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Colorbox Inline allows Cross-Site Scripting (XSS). This issue affects Colorbox Inline: from 0.0.0 before 2.1.1.
Published: May 19, 2026; 7:16:58 PM -0400
-
CVE-2026-41315 - mdserver-web is a simple Linux panel. From 0.18.0 to 0.18.4, mdserver-web has a front-end unauthorized remote command execution vulnerability. Due to the lack of authentication on the /modify_crond and /start_task interfaces, it is possible to mod...
Published: May 14, 2026; 3:16:35 PM -0400
V3.1: 9.8 CRITICAL
-
CVE-2026-8491 - Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Node View Permissions allows Forceful Browsing. This issue affects Node View Permissions: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.1.
Published: May 19, 2026; 7:16:58 PM -0400
-
CVE-2026-45361 - Apache Airflow providers-google's `ComputeEngineSSHHook` disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers who can intercept or modify the session. Us...
Published: May 25, 2026; 6:16:15 AM -0400
-
CVE-2026-40033 - FreeRDP before 3.26.0 contains a heap-buffer-overflow vulnerability in gdi_CacheToSurface that allows remote attackers to write out-of-bounds heap memory. The vulnerability occurs because rectangle validation clamps coordinates to UINT16_MAX but p...
Published: May 26, 2026; 11:16:34 AM -0400