The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries, with CVSS Severity
  • CVE-2026-0385 - Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability
    Published: March 16, 2026; 10:18:06 AM -0400

    V3.1: 5.0 MEDIUM

  • CVE-2026-33952 - FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, an unvalidated auth_length field read from the network triggers a WINPR_ASSERT() failure in rts_read_auth_verifier_no_checks(), causing any FreeRDP client co...
    Published: March 30, 2026; 6:16:18 PM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2026-33977 - FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, a malicious RDP server can crash the FreeRDP client by sending audio data in IMA ADPCM format with an invalid initial step index value (>= 89). The unvalidat...
    Published: March 30, 2026; 6:16:19 PM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2026-33982 - FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, there is a heap-buffer-overflow READ vulnerability at 24 bytes before the allocation, in winpr_aligned_offset_recalloc(). This issue has been patched in vers...
    Published: March 30, 2026; 6:16:19 PM -0400

    V3.1: 8.1 HIGH

  • CVE-2026-33983 - FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, progressive_decompress_tile_upgrade() detects a mismatch via progressive_rfx_quant_cmp_equal() but only emits WLog_WARN, execution continues. The wrapped val...
    Published: March 30, 2026; 6:16:19 PM -0400

  • CVE-2026-33984 - FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, in resize_vbar_entry() in libfreerdp/codec/clear.c, vBarEntry->size is updated to vBarEntry->count before the winpr_aligned_recalloc() call. If realloc fails...
    Published: March 30, 2026; 6:16:19 PM -0400

  • CVE-2026-33985 - FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, pixel data from adjacent heap memory is rendered to screen, potentially leaking sensitive data to the attacker. This issue has been patched in version 3.24.2.
    Published: March 30, 2026; 6:16:19 PM -0400

    V3.1: 7.1 HIGH

  • CVE-2026-34442 - FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.211, host header manipulation in FreeScout version (http://localhost:8080/system/status) allows an attacker to inject an arbitrary domain into ...
    Published: March 31, 2026; 6:16:19 PM -0400

    V3.1: 6.1 MEDIUM

  • CVE-2026-33986 - FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, in yuv_ensure_buffer() in libfreerdp/codec/h264.c, h264->width and h264->height are updated before the reallocation loop. If any winpr_aligned_recalloc() cal...
    Published: March 30, 2026; 6:16:19 PM -0400

  • CVE-2026-34506 - OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an empty group...
    Published: March 31, 2026; 8:16:30 AM -0400

    V3.1: 4.3 MEDIUM

  • CVE-2026-33576 - OpenClaw before 2026.3.28 downloads and stores inbound media from Zalo channels before validating sender authorization. Unauthorized senders can force network fetches and disk writes to the media store by sending messages that are subsequently rej...
    Published: March 31, 2026; 11:16:14 AM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2026-33577 - OpenClaw before 2026.3.28 contains an insufficient scope validation vulnerability in the node pairing approval path that allows low-privilege operators to approve nodes with broader scopes. Attackers can exploit missing callerScopes validation in ...
    Published: March 31, 2026; 11:16:14 AM -0400

    V3.1: 8.1 HIGH

  • CVE-2026-33578 - OpenClaw before 2026.3.28 contains a sender policy bypass vulnerability in the Google Chat and Zalouser extensions where route-level group allowlist policies silently downgrade to open policy. Attackers can exploit this policy resolution flaw to b...
    Published: March 31, 2026; 11:16:14 AM -0400

    V3.1: 4.3 MEDIUM

  • CVE-2017-6052 - A Man-in-the-Middle issue was discovered in Hyundai Motor America Blue Link 3.9.5 and 3.9.4. Communication channel endpoints are not verified, which may allow a remote attacker to access or influence communications between the identified endpoints.
    Published: April 26, 2017; 10:59:00 AM -0400

    V3.1: 3.7 LOW
    V2.0: 4.3 MEDIUM

  • CVE-2017-6054 - A Use of Hard-Coded Cryptographic Key issue was discovered in Hyundai Motor America Blue Link 3.9.5 and 3.9.4. The application uses a hard-coded decryption password to protect sensitive user information.
    Published: April 26, 2017; 10:59:00 AM -0400

    V3.1: 7.5 HIGH
    V2.0: 5.0 MEDIUM

  • CVE-2025-55618 - In Hyundai Navigation App STD5W.EUR.HMC.230516.afa908d, an attacker can inject HTML payloads in the profile name field in navigation app which then get rendered.
    Published: August 27, 2025; 4:15:33 PM -0400

  • CVE-2026-33579 - OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path that fails to forward caller scopes into the core approval check. A caller with pairing privileges but without admin privileges can approve p...
    Published: March 31, 2026; 11:16:14 AM -0400

    V3.1: 8.1 HIGH

  • CVE-2026-30580 - File Thingie 2.5.7 is vulnerable to Directory Traversal. A malicious user can leverage the "create folder from url" functionality of the application to read arbitrary files on the target system.
    Published: March 20, 2026; 2:16:13 PM -0400

  • CVE-2026-30579 - File Thingie 2.5.7 is vulnerable to Cross Site Scripting (XSS). A malicious user can leverage the "upload file" functionality to upload a file with a crafted file name used to trigger a Javascript payload.
    Published: March 20, 2026; 2:16:13 PM -0400

  • CVE-2026-33581 - OpenClaw before 2026.3.24 contains a sandbox bypass vulnerability in the message tool that allows attackers to read arbitrary local files by using mediaUrl and fileUrl alias parameters that bypass localRoots validation. Remote attackers can exploi...
    Published: March 31, 2026; 11:16:15 AM -0400

    V3.1: 8.6 HIGH

Created September 20, 2022, Updated August 27, 2024