The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
-
CVE-2026-2098 - AgentFlow developed by Flowring has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript codes in user's browser through phishing attacks.
Published: February 10, 2026; 2:16:14 AM -0500 | V3.1: 6.1 MEDIUM
-
CVE-2026-2099 - AgentFlow developed by Flowring has a Stored Cross-Site Scripting vulnerability, allowing authenticated remote attackers to inject persistent JavaScript codes that are executed in users' browsers upon page load.
Published: February 10, 2026; 2:16:14 AM -0500 | V3.1: 5.4 MEDIUM
-
CVE-2026-0651 - On TP-Link Tapo C260 v1, path traversal is possible due to improper handling of specific GET request paths via https, allowing local unauthenticated probing of filesystem paths. An attacker on the local network can determine whether certain files ...
Published: February 10, 2026; 1:16:21 PM -0500 | V3.1: 7.8 HIGH
-
CVE-2026-0652 - On TP-Link Tapo C260 v1, command injection vulnerability exists due to improper sanitization in certain POST parameters during configuration synchronization. An authenticated attacker can execute arbitrary system commands with high impact on confi...
Published: February 10, 2026; 1:16:22 PM -0500 | V3.1: 8.8 HIGH
-
CVE-2026-0653 - On TP-Link Tapo C260 v1, a guest-level authenticated user can bypass intended access restrictions by sending crafted requests to a synchronization endpoint. This allows modification of protected device settings despite limited privileges. An attac...
Published: February 10, 2026; 1:16:22 PM -0500 | V3.1: 6.5 MEDIUM
-
CVE-2026-0783 - ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is requir...
Published: January 22, 2026; 11:16:05 PM -0500 | V3.1: 8.8 HIGH
-
CVE-2026-0784 - ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is requir...
Published: January 22, 2026; 11:16:05 PM -0500 | V3.1: 8.8 HIGH
-
CVE-2026-0796 - ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is requir...
Published: January 22, 2026; 11:16:07 PM -0500 | V3.1: 8.8 HIGH
-
CVE-2026-25646 - LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When th...
Published: February 10, 2026; 1:16:37 PM -0500 | V3.1: 8.1 HIGH
-
CVE-2026-1588 - A vulnerability was found in jishenghua jshERP up to 3.6. The impacted element is the function install of the file /jshERP-boot/plugin/installByPath of the component com.gitee.starblues.integration.operator.DefaultPluginOperator. The manipulation ...
Published: January 29, 2026; 9:16:13 AM -0500 | V3.1: 2.7 LOW
-
CVE-2026-25531 - Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, the fix for CVE-2023-33968 is incomplete. The TaskCreationController::duplicateProjects() endpoint does not validate user permissions for target projects, allo...
Published: February 13, 2026; 10:15:57 AM -0500
-
CVE-2026-20603 - This issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Tahoe 26.3. An app with root privileges may be able to access private information.
Published: February 11, 2026; 6:16:04 PM -0500 | V3.1: 4.4 MEDIUM
-
CVE-2026-21355 - DNG SDK versions 1.7.1 2410 and earlier are affected by an out-of-bounds read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this ...
Published: February 10, 2026; 2:15:59 PM -0500 | V3.1: 5.5 MEDIUM
-
CVE-2026-21354 - DNG SDK versions 1.7.1 2410 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to cause the application to crash or become unre...
Published: February 10, 2026; 2:15:59 PM -0500 | V3.1: 5.5 MEDIUM
-
CVE-2026-21353 - DNG SDK versions 1.7.1 2410 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that ...
Published: February 10, 2026; 2:15:58 PM -0500 | V3.1: 7.8 HIGH
-
CVE-2026-21352 - DNG SDK versions 1.7.1 2410 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim mu...
Published: February 10, 2026; 2:15:58 PM -0500 | V3.1: 7.8 HIGH
-
CVE-2026-22764 - Dell OpenManage Network Integration, versions prior to 3.9, contains an Improper Authentication vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure.
Published: January 29, 2026; 6:15:53 AM -0500 | V3.1: 6.5 MEDIUM
-
CVE-2026-25893 - FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to gain administrative access via the heartbeat refresh API and ex...
Published: February 09, 2026; 6:16:05 PM -0500 | V3.1: 9.8 CRITICAL
-
CVE-2025-63652 - A use-after-free in the mk_http_request_end function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.
Published: January 29, 2026; 3:16:08 PM -0500
-
CVE-2025-63653 - An out-of-bounds read in the mk_vhost_fdt_close function (mk_server/mk_vhost.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.
Published: January 29, 2026; 3:16:08 PM -0500