The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries, with CVSS Severity
  • CVE-2026-23276 - In the Linux kernel, the following vulnerability has been resolved: net: add xmit recursion limit to tunnel xmit functions Tunnel xmit functions (iptunnel_xmit, ip6tunnel_xmit) lack their own recursion limit. When a bond device in broadcast mode...
    Published: March 20, 2026; 5:16:13 AM -0400

    V3.1: 5.5 MEDIUM

  • CVE-2026-8992 - An improper certificate validation vulnerability in Ivanti Secure Access Client before 22.8R6 allows a remote unauthenticated attacker to execute arbitrary code.
    Published: May 22, 2026; 11:16:26 AM -0400

  • CVE-2026-23277 - In the Linux kernel, the following vulnerability has been resolved: net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit teql_master_xmit() calls netdev_start_xmit(skb, slave) to transmit through slave devices, but d...
    Published: March 20, 2026; 5:16:13 AM -0400

    V3.1: 5.5 MEDIUM

  • CVE-2026-43422 - In the Linux kernel, the following vulnerability has been resolved: usb: legacy: ncm: Fix NPE in gncm_bind Commit 56a512a9b410 ("usb: gadget: f_ncm: align net_device lifecycle with bind/unbind") deferred the allocation of the net_device. This ch...
    Published: May 08, 2026; 11:16:54 AM -0400

    V3.1: 5.5 MEDIUM

  • CVE-2026-23278 - In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: always walk all pending catchall elements During transaction processing we might have more than one catchall element: 1 live catchall element and 1 pending...
    Published: March 20, 2026; 5:16:13 AM -0400

  • CVE-2026-43423 - In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ncm: Fix atomic context locking issue The ncm_set_alt function was holding a mutex to protect against races with configfs, which invokes the might-sleep function ...
    Published: May 08, 2026; 11:16:54 AM -0400

    V3.1: 5.5 MEDIUM

  • CVE-2026-43433 - In the Linux kernel, the following vulnerability has been resolved: rust_binder: avoid reading the written value in offsets array When sending a transaction, its offsets array is first copied into the target proc's vma, and then the values are r...
    Published: May 08, 2026; 11:16:55 AM -0400

  • CVE-2026-43434 - In the Linux kernel, the following vulnerability has been resolved: rust_binder: check ownership before using vma When installing missing pages (or zapping them), Rust Binder will look up the vma in the mm by address, and then call vm_insert_pag...
    Published: May 08, 2026; 11:16:55 AM -0400

  • CVE-2026-43435 - In the Linux kernel, the following vulnerability has been resolved: rust_binder: fix oneway spam detection The spam detection logic in TreeRange was executed before the current request was inserted into the tree. So the new request was not being...
    Published: May 08, 2026; 11:16:55 AM -0400

    V3.1: 5.5 MEDIUM

  • CVE-2026-3473 - Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate file ownership and access control, which allows an authenticated user to access and download files belonging to other users or teams via...
    Published: May 22, 2026; 7:16:22 AM -0400

    V3.1: 7.1 HIGH

  • CVE-2026-3636 - Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to sanitize team member data when returned via API to users without elevated permissions which allows a user without permissions to get data about t...
    Published: May 22, 2026; 7:16:22 AM -0400

  • CVE-2026-4635 - Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to archive the channel before removing persistent notifications which allows authenticated user to crash the server via timing the creation of persi...
    Published: May 22, 2026; 7:16:22 AM -0400

    V3.1: 5.3 MEDIUM

  • CVE-2026-4646 - Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate user-supplied input in API request handlers which allows an authenticated attacker to crash the plugin process via a crafted HTTP reques...
    Published: May 22, 2026; 7:16:22 AM -0400

  • CVE-2026-5308 - Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to enforce request body size limits on plugin HTTP endpoints which allows an attacker to cause a denial of service via crafted oversized HTTP reques...
    Published: May 22, 2026; 7:16:23 AM -0400

    V3.1: 7.5 HIGH

  • CVE-2026-32311 - Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Flowsint allows a user to create investigations, which are used to manage sketches and analyses. Sketches have contro...
    Published: April 20, 2026; 4:16:48 PM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2026-5740 - Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to properly validate msgpack-encoded WebSocket frames before memory allocation which allows an unauthenticated remote attacker to crash the server p...
    Published: May 22, 2026; 7:16:23 AM -0400

  • CVE-2026-5755 - Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.2, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate the TIFF IFD offset in the image header before allocating memory, which allows authenticated users with file upload or...
    Published: May 22, 2026; 7:16:23 AM -0400

  • CVE-2026-9089 - The ConnectWise Automate™ Agent does not fully verify the authenticity of components obtained during plugin loading and self-update operations. This issue is addressed in Automate 2026.5.
    Published: May 21, 2026; 12:16:23 PM -0400

  • CVE-2026-45206 - An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. This is similar to CVE-2026-45207 but exists in a different process protection communication mechanism. Pl...
    Published: May 21, 2026; 10:16:47 AM -0400

  • CVE-2026-45207 - An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. This is similar to CVE-2026-45206 but exists in a different process protection communication mechanism. Pl...
    Published: May 21, 2026; 10:16:48 AM -0400

Created September 20, 2022, Updated August 27, 2024