The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries CVSS Severity
  • CVE-2026-23308 - In the Linux kernel, the following vulnerability has been resolved: pinctrl: equilibrium: fix warning trace on load The callback functions 'eqbr_irq_mask()' and 'eqbr_irq_ack()' are also called in the callback function 'eqbr_irq_mask_ack()'. Thi...
    Published: March 25, 2026; 7:16:26 AM -0400

    V3.1: 5.5 MEDIUM

  • CVE-2026-23309 - In the Linux kernel, the following vulnerability has been resolved: tracing: Add NULL pointer check to trigger_data_free() If trigger_data_alloc() fails and returns NULL, event_hist_trigger_parse() jumps to the out_free error path. While kfree()...
    Published: March 25, 2026; 7:16:26 AM -0400

    V3.1: 5.5 MEDIUM

  • CVE-2026-23310 - In the Linux kernel, the following vulnerability has been resolved: bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded bond_option_mode_set() already rejects mode changes that would make a loaded XDP program incompatible ...
    Published: March 25, 2026; 7:16:27 AM -0400

    V3.1: 5.5 MEDIUM

  • CVE-2026-7101 - A vulnerability has been found in Tenda F456 1.0.0.5. This affects the function fromWrlclientSet of the file /goform/WrlclientSet of the component httpd. The manipulation leads to buffer overflow. Remote exploitation of the attack is possible. The...
    Published: April 27, 2026; 5:16:02 AM -0400

    V3.1: 8.8 HIGH

  • CVE-2026-5781 - An authorization vulnerability in MphRx's Minerva V3.6.0, specifically in the '/minerva/moUser/update' endpoint, could allow an authenticated user with user modification privileges to escalate their privileges by sending an HTTP request with a man...
    Published: April 28, 2026; 9:19:22 AM -0400

    V3.1: 8.8 HIGH

  • CVE-2026-45249 - A cross-site scripting (XSS) vulnerability exists in Apache ECharts in the Lines series tooltip rendering logic. This issue affects Apache ECharts: from before 6.1.0. In versions prior to 6.1.0, if both Lines series and tooltip are used, and ...
    Published: May 25, 2026; 4:16:24 AM -0400

  • CVE-2026-43827 - Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the iss...
    Published: May 25, 2026; 5:16:34 PM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2026-43828 - Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-...
    Published: May 25, 2026; 5:16:34 PM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2026-44598 - With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Request Forgery (SSRF) vulnerability in Apache Shiro. This issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1, only when using sh...
    Published: May 25, 2026; 5:16:34 PM -0400

    V3.1: 5.4 MEDIUM

  • CVE-2026-44708 - Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, the mistune math plugin renders inline math ($...$) and block math ($$...$$) by concatenating the raw user-supplied content directly into the HTML output without any H...
    Published: May 26, 2026; 5:16:38 PM -0400

  • CVE-2026-44896 - Mistune is a Python Markdown parser with renderers and plugins. In 3.2.0 and earlier, in src/mistune/directives/image.py, the render_figure() function concatenates figclass and figwidth options directly into HTML attributes without escaping. This ...
    Published: May 26, 2026; 5:16:39 PM -0400

    V3.1: 6.1 MEDIUM

  • CVE-2026-44897 - Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, HTMLRenderer.heading() builds the opening <hN> tag by string-concatenating the id attribute value directly into the HTML — with no call to escape(), safe_entity(), or ...
    Published: May 26, 2026; 5:16:39 PM -0400

  • CVE-2026-44898 - Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, render_toc_ul() builds a <ul> table-of-contents tree from a list of (level, id, text) tuples. Both the id value (used as href="#<id>") and the text value (used as the ...
    Published: May 26, 2026; 5:16:39 PM -0400

  • CVE-2026-48589 - Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect ta...
    Published: May 25, 2026; 5:16:35 PM -0400

    V3.1: 5.4 MEDIUM

  • CVE-2026-44899 - Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, the Image directive plugin validates the :width: and :height: options with a regex compiled as _num_re = re.compile(r"^\d+(?:\.\d*)?"). When the validated value is not...
    Published: May 26, 2026; 5:16:39 PM -0400

    V3.1: 6.1 MEDIUM

  • CVE-2026-9207 - Tanium addressed an unauthorized code execution vulnerability in Connect.
    Published: May 26, 2026; 10:16:35 PM -0400

  • CVE-2026-44330 - free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the nnef-pfdmanagement route group without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can use a f...
    Published: May 27, 2026; 1:16:38 PM -0400

  • CVE-2026-8398 - A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows versions 12.5.0.2421 through 12.5.0.2434), distributed from the legitimate website daemon-tools.cc between approximately April 8, 2026, and May 5, 2...
    Published: May 15, 2026; 5:16:17 AM -0400

  • CVE-2026-45498 - Microsoft Defender Denial of Service Vulnerability
    Published: May 20, 2026; 9:16:36 AM -0400

    V3.1: 7.5 HIGH

  • CVE-2026-1402 - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an authenticated user to cause denial of service due to i...
    Published: May 27, 2026; 3:16:15 PM -0400

Created September 20, 2022, Updated August 27, 2024