U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database
Icon for New NVD Communications and Status Updates Page
New Communications Page
The NVD now supports CVSS version 4.0!
CVSS v4.0 Support
The letters N V D typed out in binary
2.0 APIs

The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries CVSS Severity

  • CVE-2024-37663 - Redmi router RB03 v1.0.57 is vulnerable to forged ICMP redirect message attacks. An attacker in the same WLAN as the victim can hijack the traffic between the victim and any remote server by sending out forged ICMP redirect messages.
    Published: June 17, 2024; 2:15:17 PM -0400

  • CVE-2024-32568 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Melapress WP 2FA allows Reflected XSS.This issue affects WP 2FA: from n/a through 2.6.2.
    Published: April 18, 2024; 6:15:11 AM -0400

    V3.1: 6.1 MEDIUM

  • CVE-2025-26058 - Webkul QloApps v1.6.1 exposes authentication tokens in URLs during redirection. When users access the admin panel or other protected areas, the application appends sensitive authentication tokens directly to the URL.
    Published: February 18, 2025; 1:15:35 PM -0500

  • CVE-2025-25957 - Cross Site Scripting vulnerabilities in Xunruicms v.4.6.3 and before allows a remote attacker to escalate privileges via a crafted script.
    Published: February 20, 2025; 6:15:13 PM -0500

  • CVE-2024-32488 - In Foxit PDF Reader and Editor before 2024.1, Local Privilege Escalation could occur during update checks because weak permissions on the update-service folder allow attackers to place crafted DLL files there.
    Published: April 15, 2024; 2:15:07 AM -0400

  • CVE-2024-38657 - External control of a file name in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to write arbitrary files.
    Published: February 20, 2025; 9:15:28 PM -0500

    V3.1: 4.9 MEDIUM

  • CVE-2024-42815 - In the TP-Link RE365 V1_180213, there is a buffer overflow vulnerability due to the lack of length verification for the USER_AGENT field in /usr/bin/httpd. Attackers who successfully exploit this vulnerability can cause the remote target device to... read CVE-2024-42815
    Published: August 19, 2024; 4:15:07 PM -0400

  • CVE-2025-25772 - A Cross-Site Request Forgery (CSRF) in the component /back/UserController.java of Jspxcms v9.0 to v9.5 allows attackers to arbitrarily add Administrator accounts via a crafted request.
    Published: February 21, 2025; 2:15:14 PM -0500

  • CVE-2024-6448 - The Mollie Payments for WooCommerce plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 7.7.0. This is due to the error reporting being enabled by default in multiple plugin files. This makes it possibl... read CVE-2024-6448
    Published: August 28, 2024; 12:15:11 AM -0400

  • CVE-2024-2299 - A stored Cross-Site Scripting (XSS) vulnerability exists in the parisneo/lollms-webui application due to improper validation of uploaded files in the profile picture upload functionality. Attackers can exploit this vulnerability by uploading malic... read CVE-2024-2299
    Published: May 14, 2024; 11:18:47 AM -0400

    V3.1: 6.1 MEDIUM

  • CVE-2025-26877 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rustaurius Front End Users allows Stored XSS. This issue affects Front End Users: from n/a through 3.2.30.
    Published: February 25, 2025; 10:15:24 AM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2024-2358 - A path traversal vulnerability in the '/apply_settings' endpoint of parisneo/lollms-webui allows attackers to execute arbitrary code. The vulnerability arises due to insufficient sanitization of user-supplied input in the configuration settings, s... read CVE-2024-2358
    Published: May 16, 2024; 5:15:09 AM -0400

  • CVE-2024-2361 - A vulnerability in the parisneo/lollms-webui allows for arbitrary file upload and read due to insufficient sanitization of user-supplied input. Specifically, the issue resides in the `install_model()` function within `lollms_core/lollms/binding.py... read CVE-2024-2361
    Published: May 16, 2024; 5:15:10 AM -0400

  • CVE-2024-2366 - A remote code execution vulnerability exists in the parisneo/lollms-webui application, specifically within the reinstall_binding functionality in lollms_core/lollms/server/endpoints/lollms_binding_infos.py of the latest version. The vulnerability ... read CVE-2024-2366
    Published: May 16, 2024; 5:15:10 AM -0400

  • CVE-2024-3126 - A command injection vulnerability exists in the 'run_xtts_api_server' function of the parisneo/lollms-webui application, specifically within the 'lollms_xtts.py' script. The vulnerability arises due to the improper neutralization of special elemen... read CVE-2024-3126
    Published: May 16, 2024; 5:15:13 AM -0400

  • CVE-2024-3435 - A path traversal vulnerability exists in the 'save_settings' endpoint of the parisneo/lollms-webui application, affecting versions up to the latest release before 9.5. The vulnerability arises due to insufficient sanitization of the 'config' param... read CVE-2024-3435
    Published: May 16, 2024; 5:15:14 AM -0400

  • CVE-2024-4322 - A path traversal vulnerability exists in the parisneo/lollms-webui application, specifically within the `/list_personalities` endpoint. By manipulating the `category` parameter, an attacker can traverse the directory structure and list any directo... read CVE-2024-4322
    Published: May 16, 2024; 5:15:16 AM -0400

  • CVE-2024-4326 - A vulnerability in parisneo/lollms-webui versions up to 9.3 allows remote attackers to execute arbitrary code. The vulnerability stems from insufficient protection of the `/apply_settings` and `/execute_code` endpoints. Attackers can bypass protec... read CVE-2024-4326
    Published: May 16, 2024; 5:15:16 AM -0400

  • CVE-2024-4330 - A path traversal vulnerability was identified in the parisneo/lollms-webui repository, specifically within version 9.6. The vulnerability arises due to improper handling of user-supplied input in the 'list_personalities' endpoint. By crafting a ma... read CVE-2024-4330
    Published: May 30, 2024; 11:15:49 AM -0400

    V3.1: 3.3 LOW

  • CVE-2024-2178 - A path traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'copy_to_custom_personas' endpoint in the 'lollms_personalities_infos.py' file. This vulnerability allows attackers to read arbitrary files by manipulating... read CVE-2024-2178
    Published: June 02, 2024; 7:15:07 AM -0400

Created September 20, 2022 , Updated August 27, 2024