The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries (with CVSS Severity where scored)
  • CVE-2026-12018 - Inappropriate implementation in Mojo in Google Chrome on Windows prior to 149.0.7827.115 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: High)
    Published: June 11, 2026; 6:16:54 PM -0400

  • CVE-2026-9751 - The ldapQueryPassword parameter, when set through the runtime setParameter command, will log the new password to the mongod.log file in plain text.
    Published: June 09, 2026; 7:17:04 PM -0400

  • CVE-2026-40988 - An application using spring-security-saml2-service-provider and the REDIRECT binding for SAML 2.0 Login or Logout may be vulnerable to a denial of service by way of an unbounded writer that inflates the compressed SAML payload into memory. Affect... read CVE-2026-40988
    Published: June 09, 2026; 8:16:49 PM -0400

  • CVE-2026-41003 - An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.... read CVE-2026-41003
    Published: June 09, 2026; 8:16:50 PM -0400

    V3.1: 5.4 MEDIUM

  • CVE-2026-41694 - Since Spring Security SAML decrypts SAML Responses as well as elements of SAML LogoutRequests and LogoutResponses without requiring a valid signature, attackers may be able to craft these SAML payloads and use the Service Provider as a decryption ... read CVE-2026-41694
    Published: June 09, 2026; 8:16:50 PM -0400

    V3.1: 5.3 MEDIUM

  • CVE-2025-66276 - QuTS hero is not affected. We have already fixed the vulnerability in the following version: QTS 5.2.7.3256 build 20250913 and later
    Published: June 09, 2026; 11:16:24 PM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2026-24717 - A path traversal vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data... read CVE-2026-24717
    Published: June 10, 2026; 12:17:16 AM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2026-53819 - OpenClaw before 2026.5.27 contains an arbitrary code execution vulnerability in skill install flows where workspace .env files can override the Homebrew executable selection. Attackers with access to trusted operator workspaces can execute uninten... read CVE-2026-53819
    Published: June 11, 2026; 5:16:24 PM -0400

    V3.1: 7.8 HIGH

  • CVE-2026-53816 - OpenClaw before 2026.5.18 contains an insufficient provenance validation vulnerability in node event handling that allows paired nodes to forge exec lifecycle events without system.run authorization. A malicious or compromised paired node can send... read CVE-2026-53816
    Published: June 11, 2026; 5:16:23 PM -0400

    V3.1: 7.2 HIGH

  • CVE-2026-53817 - OpenClaw before 2026.5.22 contains a locality validation vulnerability in Control UI pairing that allows attackers with network access to spoof locality information and obtain durable admin-capable device tokens. Attackers can exploit insufficient... read CVE-2026-53817
    Published: June 11, 2026; 5:16:23 PM -0400

    V3.1: 8.8 HIGH

  • CVE-2026-53818 - OpenClaw before 2026.4.24 contains an authorization bypass vulnerability in the MCP loopback feature that allows non-owner callers to skip owner-only tool policies and before-tool-call hooks. Attackers can invoke owner-only behavior through the af... read CVE-2026-53818
    Published: June 11, 2026; 5:16:24 PM -0400

    V3.1: 6.6 MEDIUM

  • CVE-2026-26237 - A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions. We have already fixed the vulnerability in the followi... read CVE-2026-26237
    Published: June 10, 2026; 12:17:19 AM -0400

    V3.1: 7.5 HIGH

  • CVE-2026-20259 - In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.0, 10.3.2512.12, 10.2.2510.15, 10.1.2507.23, 10.0.2503.14, and 9.3.2411.131, a user who holds a Splunk role that contains the high-privilege ... read CVE-2026-20259
    Published: June 10, 2026; 2:16:41 PM -0400

    V3.1: 5.5 MEDIUM

  • CVE-2026-1220 - Race in V8 in Google Chrome prior to 144.0.7559.99 allowed a remote attacker to potentially exploit type confusion via a crafted HTML page. (Chromium security severity: High)
    Published: June 10, 2026; 4:16:38 PM -0400

  • CVE-2026-42542 - TDengine is an open source, time-series database optimized for Internet of Things devices. In versions 3.4.0.0 through 3.4.1.5, an unauthenticated remote attacker can crash the taosd server process by sending a single crafted RPC packet. No creden... read CVE-2026-42542
    Published: June 10, 2026; 6:16:57 PM -0400

  • CVE-2026-45504 - Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network.
    Published: June 09, 2026; 1:17:26 PM -0400

    V3.1: 8.8 HIGH

  • CVE-2026-46669 - OpenVM is a performant and modular zkVM framework built for customization and extensibility. Prior to version 1.6.0, the openvm-pairing guest library's try_honest_pairing_check function invokes Theorem 3 of https://eprint.iacr.org/2024/640.pdf but... read CVE-2026-46669
    Published: June 10, 2026; 6:17:00 PM -0400

    V3.1: 7.5 HIGH

  • CVE-2026-46609 - Umbraco is an ASP.NET CMS. From version 14.0.0 to before version 17.4.0, authenticated users are able to inject HTML into an input field, which is rendered in the confirmation dialog without proper output encoding. This issue has been patched in v... read CVE-2026-46609
    Published: June 10, 2026; 1:16:37 PM -0400

  • CVE-2026-46616 - Umbraco is an ASP.NET CMS. Prior to versions 13.14.0 and 17.4.0, some of the Surface Controllers in the CMS provide to support member related operations fail to validate redirect URLs, making Razor templates that derive 'RedirectUrl' from user-con... read CVE-2026-46616
    Published: June 10, 2026; 1:16:37 PM -0400

    V3.1: 6.1 MEDIUM

  • CVE-2026-53806 - OpenClaw before 2026.5.12 contains a shell option parsing vulnerability that allows combined POSIX shell flags to bypass exec revalidation checks. Attackers can exploit this by using combined shell options to execute inline shell content without i... read CVE-2026-53806
    Published: June 11, 2026; 5:16:22 PM -0400

    V3.1: 8.8 HIGH

Created September 20, 2022, Updated August 27, 2024