
The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries (CVSS Severity)
  • CVE-2026-20429 - In display, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patc...
    Published: March 02, 2026; 4:16:16 AM -0500

  • CVE-2026-26339 - Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve remote code execution through the argument injection vulnerability, which exists in the document processing functionality.
    Published: February 19, 2026; 1:25:00 PM -0500

  • CVE-2026-20430 - In wlan AP FW, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for explo...
    Published: March 02, 2026; 4:16:16 AM -0500

  • CVE-2026-20434 - In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges n...
    Published: March 02, 2026; 4:16:16 AM -0500

  • CVE-2026-26337 - Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve both arbitrary file read and server-side request forgery through the absolute path traversal.
    Published: February 19, 2026; 1:24:59 PM -0500

  • CVE-2026-26338 - Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve server-side request forgery (SSRF) through the document processing functionality.
    Published: February 19, 2026; 1:24:59 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2025-55749 - XWiki is an open-source wiki software platform. From 16.7.0 to 16.10.11, 17.4.4, or 17.7.0, in an instance which is using the XWiki Jetty package (XJetty), a context is exposed to statically access any file located in the webapp/ folder. It allows...
    Published: December 01, 2025; 4:15:51 PM -0500

    V3.1: 7.5 HIGH

  • CVE-2026-26710 - code-projects Simple Food Order System v1.0 is vulnerable to SQL Injection in /food/routers/edit-orders.php.
    Published: March 02, 2026; 2:16:33 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2026-26711 - code-projects Simple Food Order System v1.0 is vulnerable to SQL Injection in /food/view-ticket.php.
    Published: March 02, 2026; 2:16:33 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2026-26712 - code-projects Simple Food Order System v1.0 is vulnerable to SQL Injection in /food/view-ticket-admin.php.
    Published: March 02, 2026; 3:16:26 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2026-26713 - code-projects Simple Food Order System v1.0 is vulnerable to SQL Injection in /food/routers/cancel-order.php.
    Published: March 02, 2026; 3:16:27 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2026-26077 - Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, several webhook endpoints (SendGrid, Mailjet, Mandrill, Postmark, SparkPost) in the `WebhooksController` accepted requests without a valid authen...
    Published: February 26, 2026; 10:17:36 AM -0500

  • CVE-2026-26078 - Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, when the `patreon_webhook_secret` site setting is blank, an attacker can forge valid webhook signatures by computing an HMAC-MD5 with an empty st...
    Published: February 26, 2026; 11:24:06 AM -0500

  • CVE-2026-26207 - Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, `discourse-policy` plugin allows any authenticated user to interact with policies on posts they do not have permission to view. The `PolicyContro...
    Published: February 26, 2026; 11:24:07 AM -0500

  • CVE-2026-26265 - Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, an IDOR vulnerability in the directory items endpoint allows any user, including anonymous users, to retrieve private user field values for all u...
    Published: February 26, 2026; 11:24:07 AM -0500

  • CVE-2026-26973 - Discourse is an open source discussion platform. Versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 have an IDOR (Insecure Direct Object Reference) in `ReviewableNotesController`. When `enable_category_group_moderation` is enabled, a user belongi...
    Published: February 26, 2026; 3:31:37 PM -0500

  • CVE-2026-26979 - Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, TL4 users are able to close, archive and pin topics in private categories they don't have access to. Versions 2025.12.2, 2026.1.1, and 2026.2.0 p...
    Published: February 26, 2026; 3:31:37 PM -0500

    V3.1: 2.7 LOW

  • CVE-2026-24479 - HUSTOF is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. Prior to version 26.01.24, the problem_import_qduoj.php and problem_import_hoj.php modules fail to properly sanitize filenames within uploaded ZIP a...
    Published: January 26, 2026; 8:16:02 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2026-27021 - Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, the voters endpoint in the poll plugin lacked post visibility checks which allowed unauthorized access to voters details of polls in any post. Ve...
    Published: February 26, 2026; 4:28:53 PM -0500

    V3.1: 5.3 MEDIUM

  • CVE-2026-24408 - sigstore-python is a Python tool for generating and verifying Sigstore signatures. Prior to version 4.2.0, the sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. `_OAuthSession` creates a unique "state" and sen...
    Published: January 26, 2026; 6:16:08 PM -0500

    V3.1: 5.0 MEDIUM

Created September 20, 2022, Updated August 27, 2024