The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
- CVE-2024-2691 - The WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'events' shortcode in all versions up to, and including, 3.1.43 due to insuffic...
  Published: July 16, 2024; 5:15:02 AM -0400. V3.1 score: 5.4 MEDIUM
- CVE-2024-5852 - The WordPress File Upload plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 4.24.7 via the 'uploadpath' parameter of the wordpress_file_upload shortcode. This makes it possible for authenticated attack...
  Published: July 16, 2024; 5:15:03 AM -0400. V3.1 score: 4.3 MEDIUM
- CVE-2024-6621 - The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wprss_activate_feed_source' and 'wprss_pause_feed_source'...
  Published: July 16, 2024; 7:15:10 AM -0400. V3.1 score: 4.3 MEDIUM
- CVE-2024-40414 - A vulnerability in /goform/SetNetControlList in the sub_656BC function in Tenda AX1806 1.0.0.1 firmware leads to stack-based buffer overflow.
  Published: July 15, 2024; 1:15:02 PM -0400. V3.1 score: 9.8 CRITICAL
- CVE-2024-40415 - A vulnerability in /goform/SetStaticRouteCfg in the sub_519F4 function in Tenda AX1806 1.0.0.1 firmware leads to stack-based buffer overflow.
  Published: July 15, 2024; 2:15:05 PM -0400. V3.1 score: 9.8 CRITICAL
- CVE-2024-40416 - A vulnerability in /goform/SetVirtualServerCfg in the sub_6320C function in Tenda AX1806 1.0.0.1 firmware leads to stack-based buffer overflow.
  Published: July 15, 2024; 2:15:05 PM -0400. V3.1 score: 9.8 CRITICAL
- CVE-2024-6989 - Use after free in Loader in Google Chrome prior to 127.0.6533.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  Published: August 06, 2024; 12:15:49 PM -0400. V3.1 score: 8.8 HIGH
- CVE-2024-6994 - Heap buffer overflow in Layout in Google Chrome prior to 127.0.6533.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
  Published: August 06, 2024; 12:15:50 PM -0400. V3.1 score: 8.8 HIGH
- CVE-2024-6991 - Use after free in Dawn in Google Chrome prior to 127.0.6533.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  Published: August 06, 2024; 12:15:50 PM -0400. V3.1 score: 8.8 HIGH
- CVE-2024-7000 - Use after free in CSS in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
  Published: August 06, 2024; 12:15:50 PM -0400. V3.1 score: 8.8 HIGH
- CVE-2024-6996 - Race in Frames in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
  Published: August 06, 2024; 12:15:50 PM -0400. V3.1 score: 3.1 LOW
- CVE-2024-6999 - Inappropriate implementation in FedCM in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
  Published: August 06, 2024; 12:15:50 PM -0400. V3.1 score: 4.3 MEDIUM
- CVE-2024-7001 - Inappropriate implementation in HTML in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
  Published: August 06, 2024; 12:15:50 PM -0400. V3.1 score: 4.3 MEDIUM
- CVE-2024-7004 - Insufficient validation of untrusted input in Safe Browsing in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass discretionary access control via a malicious file. (Chro...
  Published: August 06, 2024; 12:15:50 PM -0400. V3.1 score: 4.3 MEDIUM
- CVE-2024-23456 - Anti-tampering can be disabled under certain conditions without signature validation. This affects Zscaler Client Connector <4.2.0.190 with anti-tampering enabled.
  Published: August 06, 2024; 12:15:47 PM -0400. V3.1 score: 7.5 HIGH
- CVE-2024-7552 - A vulnerability was found in DataGear up to 5.0.0. It has been declared as critical. Affected by this vulnerability is the function evaluateVariableExpression of the file ConversionSqlParamValueMapper.java of the component Data Schema Page. The ma...
  Published: August 06, 2024; 11:15:42 AM -0400. V3.1 score: 8.8 HIGH
- CVE-2023-28806 - An improper validation of signature in Zscaler Client Connector on Windows allows an authenticated user to disable anti-tampering. This issue affects Client Connector on Windows <4.2.0.190.
  Published: August 06, 2024; 12:15:46 PM -0400. V3.1 score: 6.5 MEDIUM
- CVE-2024-23458 - While copying individual autoupdater log files, a reparse point check was missing, which could result in crafted attacks, potentially leading to a local privilege escalation. This issue affects Zscaler Client Connector on Windows <4.2.0.190.
  Published: August 06, 2024; 12:15:47 PM -0400. V3.1 score: 7.8 HIGH
- CVE-2024-23460 - The Zscaler Updater process does not validate the digital signature of the installer before execution, allowing arbitrary code to be locally executed. This affects Zscaler Client Connector on MacOS <4.2.
  Published: August 06, 2024; 12:15:47 PM -0400. V3.1 score: 7.8 HIGH
- CVE-2024-23464 - In certain cases, Zscaler Internet Access (ZIA) can be disabled by PowerShell commands with admin rights. This affects Zscaler Client Connector on Windows <4.2.1.
  Published: August 06, 2024; 12:15:47 PM -0400. V3.1 score: 4.9 MEDIUM