The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries CVSS Severity
  • CVE-2025-52637 - HCL AION is affected by a vulnerability where certain offering configurations may permit execution of potentially harmful SQL queries. Improper validation or restrictions on query execution could expose the system to unintended database interactio...
    Published: March 16, 2026; 10:17:59 AM -0400

    V3.1: 7.3 HIGH

  • CVE-2025-52638 - HCL AION is affected by a vulnerability where generated containers may execute binaries with root-level privileges. Running containers with root privileges may increase the potential security risk, as it grants elevated permissions within the cont...
    Published: March 16, 2026; 10:17:59 AM -0400

    V3.1: 7.2 HIGH

  • CVE-2025-52648 - HCL AION is affected by a vulnerability where offering images are not digitally signed. Lack of image signing may allow the use of unverified or tampered images, potentially leading to security risks such as integrity compromise or unintended beha...
    Published: March 16, 2026; 10:17:59 AM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2026-32937 - free5GC is an open source 5G core network. free5GC CHF prior to version 1.2.2 has an out-of-bounds slice access vulnerability in the CHF `nchf-convergedcharging` service. A valid authenticated request to PUT `/nchf-convergedcharging/v3/recharging/...
    Published: March 19, 2026; 11:16:00 PM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2026-33062 - free5GC is an open source 5G core network. free5GC NRF prior to version 1.4.2 has an Improper Input Validation vulnerability leading to Denial of Service. All deployments of free5GC using the NRF discovery service are affected. The `EncodeGroupId`...
    Published: March 19, 2026; 11:16:01 PM -0400

    V3.1: 7.5 HIGH

  • CVE-2026-33063 - free5GC is an open source 5G core network. free5GC AUSF prior to version 1.4.2 has an Improper Null Check vulnerability leading to Denial of Service. All deployments of free5GC v4.0.1 using the AUSF UE authentication service (`/nausf-auth/v1/ue...
    Published: March 19, 2026; 11:16:01 PM -0400

    V3.1: 7.5 HIGH

  • CVE-2020-37140 - Everest, later referred to as AIDA64, 5.50.2100 contains a denial of service vulnerability that allows local attackers to crash the application by manipulating file open functionality. Attackers can generate a 450-byte buffer of repeated character...
    Published: February 05, 2026; 12:16:09 PM -0500

    V3.1: 5.5 MEDIUM

  • CVE-2019-25631 - AIDA64 Business 5.99.4900 contains a structured exception handling buffer overflow vulnerability that allows local attackers to execute arbitrary code by overwriting SEH pointers with malicious shellcode. Attackers can inject egg hunter shellcode ...
    Published: March 24, 2026; 8:16:03 AM -0400

    V3.1: 7.8 HIGH

  • CVE-2019-25629 - AIDA64 Extreme 5.99.4900 contains a structured exception handler buffer overflow vulnerability in the logging functionality that allows local attackers to execute arbitrary code by supplying a malicious CSV log file path. Attackers can inject shel...
    Published: March 24, 2026; 8:16:02 AM -0400

    V3.1: 7.8 HIGH

  • CVE-2026-33335 - Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from `window.open()` calls directly to `shell.openExternal()` without any valid...
    Published: March 24, 2026; 12:16:33 PM -0400

    V3.1: 8.0 HIGH

  • CVE-2019-25360 - Aida64 Engineer 6.10.5200 contains a buffer overflow vulnerability in the CSV logging configuration that allows attackers to execute malicious code by crafting a specially designed payload. Attackers can exploit the vulnerability by creating a mal...
    Published: February 18, 2026; 5:16:21 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2026-33336 - Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the main BrowserWindow and does not restrict same-window navig...
    Published: March 24, 2026; 12:16:33 PM -0400

    V3.1: 8.8 HIGH

  • CVE-2026-33473 - Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window. Version 2.2.1 patches the ...
    Published: March 24, 2026; 12:16:33 PM -0400

  • CVE-2026-33474 - Vikunja is an open-source self-hosted task management platform. Starting in version 1.0.0-rc0 and prior to version 2.2.0, unbounded image decoding and resizing during preview generation lets an attacker exhaust CPU and memory with highly compresse...
    Published: March 24, 2026; 12:16:33 PM -0400

  • CVE-2026-33668 - Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Thr...
    Published: March 24, 2026; 12:16:34 PM -0400

    V3.1: 8.1 HIGH

  • CVE-2026-33677 - Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `GET /api/v1/projects/:project/webhooks` endpoint returns webhook BasicAuth credentials (`basic_auth_user` and `basic_auth_password`) in plaintext to any u...
    Published: March 24, 2026; 12:16:35 PM -0400

  • CVE-2026-28256 - A Use of Hard-coded, Security-relevant Constants vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts.
    Published: March 12, 2026; 2:16:23 PM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2026-28255 - A Use of Hard-coded Credentials vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts.
    Published: March 12, 2026; 2:16:23 PM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2026-28254 - A Missing Authorization vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to access sensitive information through unprotected APIs.
    Published: March 12, 2026; 2:16:23 PM -0400

    V3.1: 7.5 HIGH

  • CVE-2026-28253 - A Memory Allocation with Excessive Size Value vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to cause a denial-of-service condition.
    Published: March 12, 2026; 2:16:23 PM -0400

    V3.1: 7.5 HIGH

Created September 20, 2022, Updated August 27, 2024