
The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries (with CVSS Severity)
  • CVE-2026-34877 - An issue was discovered in Mbed TLS versions from 2.19.0 up to 3.6.5, Mbed TLS 4.0.0. Insufficient protection of serialized SSL context or session structures allows an attacker who can modify the serialized structures to induce memory corruption, ... read CVE-2026-34877
    Published: April 02, 2026; 1:16:26 PM -0400

  • CVE-2026-34426 - OpenClaw versions prior to commit b57b680 contain an approval bypass vulnerability due to inconsistent environment variable normalization between approval and execution paths, allowing attackers to inject attacker-controlled environment variables ... read CVE-2026-34426
    Published: April 02, 2026; 3:21:31 PM -0400

    V3.1: 7.3 HIGH

  • CVE-2026-30273 - pandas-ai v3.0.0 was discovered to contain a SQL injection vulnerability via the pandasai.agent.base._execute_sql_query component.
    Published: April 01, 2026; 1:28:38 PM -0400

  • CVE-2026-34528 - File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the signupHandler in File Browser applies default user permissions via d.settings.Def... read CVE-2026-34528
    Published: April 01, 2026; 5:17:00 PM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2026-34529 - File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the EPUB preview function in File Browser is vulnerable to Stored Cross-Site Scriptin... read CVE-2026-34529
    Published: April 01, 2026; 5:17:00 PM -0400

    V3.1: 9.0 CRITICAL

  • CVE-2026-34530 - File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the SPA index page in File Browser is vulnerable to Stored Cross-Site Scripting (XSS)... read CVE-2026-34530
    Published: April 01, 2026; 5:17:00 PM -0400

  • CVE-2026-34118 - A heap-based buffer overflow vulnerability was identified in TP-Link Tapo C520WS v2.6 in the HTTP POST body parsing logic due to missing validation of remaining buffer capacity after dynamic allocation, due to insufficient boundary validation when... read CVE-2026-34118
    Published: April 02, 2026; 2:16:28 PM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2026-34119 - A heap-based buffer overflow vulnerability was identified in TP-Link Tapo C520WS v2.6 within the HTTP parsing loop when appending segmented request bodies without continuous write‑boundary verification, due to insufficient boundary validation when... read CVE-2026-34119
    Published: April 02, 2026; 2:16:28 PM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2026-34120 - A heap-based buffer overflow vulnerability was identified in TP-Link Tapo C520WS v2.6 within the asynchronous parsing of local video stream content due to insufficient alignment and validation of buffer boundaries when processing streaming inputs.... read CVE-2026-34120
    Published: April 02, 2026; 2:16:28 PM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2026-34121 - An authentication bypass vulnerability within the HTTP handling of the DS configuration service in TP-Link Tapo C520WS v2.6 was identified, due to inconsistent parsing and authorization logic in JSON requests during authentication check. An unaut... read CVE-2026-34121
    Published: April 02, 2026; 2:16:28 PM -0400

    V3.1: 8.8 HIGH

  • CVE-2026-34122 - A stack-based buffer overflow vulnerability was identified in TP-Link Tapo C520WS v2.6 within a configuration handling component due to insufficient input validation. An attacker can exploit this vulnerability by supplying an excessively long val... read CVE-2026-34122
    Published: April 02, 2026; 2:16:29 PM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2026-34124 - A denial-of-service vulnerability was identified in TP-Link Tapo C520WS v2.6 within the HTTP request path parsing logic. The implementation enforces length restrictions on the raw request path but does not account for path expansion performed duri... read CVE-2026-34124
    Published: April 02, 2026; 2:16:29 PM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2026-5334 - A weakness has been identified in itsourcecode Online Enrollment System 1.0. Impacted is an unknown function of the file /enrollment/index.php?view=edit&id=3 of the component Parameter Handler. This manipulation of the argument deptid causes sql i... read CVE-2026-5334
    Published: April 02, 2026; 10:16:37 AM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2026-32213 - Improper authorization in Azure AI Foundry allows an unauthorized attacker to elevate privileges over a network.
    Published: April 02, 2026; 8:16:04 PM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2026-35616 - An improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.
    Published: April 03, 2026; 9:16:39 PM -0400

  • CVE-2026-32211 - Missing authentication for critical function in Azure MCP Server allows an unauthorized attacker to disclose information over a network.
    Published: April 02, 2026; 8:16:04 PM -0400

    V3.1: 7.5 HIGH

  • CVE-2026-32173 - Improper authentication in Azure SRE Agent allows an unauthorized attacker to disclose information over a network.
    Published: April 02, 2026; 8:16:04 PM -0400

    V3.1: 7.5 HIGH

  • CVE-2026-33107 - Server-side request forgery (SSRF) in Azure Databricks allows an unauthorized attacker to elevate privileges over a network.
    Published: April 02, 2026; 8:16:05 PM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2026-26135 - Server-side request forgery (SSRF) in Azure Custom Locations Resource Provider (RP) allows an authorized attacker to elevate privileges over a network.
    Published: April 02, 2026; 8:16:04 PM -0400

    V3.1: 8.8 HIGH

  • CVE-2026-27599 - CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within System... read CVE-2026-27599
    Published: March 30, 2026; 5:17:08 PM -0400

    V3.1: 7.2 HIGH
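The TP-Link Tapo C520WS entries above describe one recurring pattern: a length check made against the wrong quantity, either the total buffer size instead of the room left after earlier chunks were appended (CVE-2026-34118, CVE-2026-34119), or the raw request path instead of the path that is actually stored after expansion (CVE-2026-34124). The C program below is an added example of that pattern in the abstract, written for this page. It is not code from the camera firmware and does not reproduce any of the listed CVEs; the `bounded_buf` struct, the hypothetical `/c/` to `/cgi-bin/` alias expansion and every input are constructed assumptions. The flawed append variant reports by how many bytes a copy would overrun instead of performing it, so the program runs without corrupting memory.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-capacity buffer standing in for a parser's request
 * body / path buffer. Constructed for this example; not a product's code. */
typedef struct {
    char   data[32];
    size_t cap;   /* sizeof data */
    size_t len;   /* bytes in use; invariant len <= cap */
} bounded_buf;

static void bb_init(bounded_buf *b) {
    memset(b->data, 0, sizeof b->data);
    b->cap = sizeof b->data;
    b->len = 0;
}

/* Flawed pattern: the chunk is compared with the total capacity fixed at
 * allocation time, never with the room left after earlier chunks.
 * To keep the demo safe it returns how many bytes a memcpy would write past
 * the end (>0) instead of performing it; a real parser with this check
 * would simply copy. Returns -1 if the (weak) check rejects, 0 if copied. */
static long append_total_cap_check(bounded_buf *b, const char *chunk, size_t n) {
    if (n > b->cap)
        return -1;
    if (b->len + n > b->cap)
        return (long)(b->len + n - b->cap);   /* overrun that would have happened */
    memcpy(b->data + b->len, chunk, n);
    b->len += n;
    return 0;
}

/* Hardened pattern: check the remaining room, then copy. */
static int append_remaining_cap_check(bounded_buf *b, const char *chunk, size_t n) {
    if (n > b->cap - b->len)   /* safe subtraction because len <= cap */
        return -1;
    memcpy(b->data + b->len, chunk, n);
    b->len += n;
    return 0;
}

/* Hypothetical path expansion: a shorthand prefix "/c/" becomes "/cgi-bin/",
 * so the stored path can be longer than the raw one. Writes the result plus
 * NUL into out and returns its length, or (size_t)-1 if it does not fit. */
static size_t expand_path(const char *raw, char *out, size_t outcap) {
    static const char alias[] = "/c/", target[] = "/cgi-bin/";
    size_t alen = sizeof alias - 1, tlen = sizeof target - 1;
    size_t rawlen = strlen(raw);
    int aliased = strncmp(raw, alias, alen) == 0;
    size_t need = aliased ? rawlen - alen + tlen : rawlen;
    if (need + 1 > outcap)
        return (size_t)-1;
    if (aliased) {
        memcpy(out, target, tlen);
        memcpy(out + tlen, raw + alen, rawlen - alen);
    } else {
        memcpy(out, raw, rawlen);
    }
    out[need] = '\0';
    return need;
}

/* Flawed pattern: the limit is enforced on the raw path, before expansion. */
static int raw_length_check_passes(const char *raw, size_t limit) {
    return strlen(raw) <= limit;
}

/* Hardened pattern: the limit is enforced on what will actually be stored. */
static int expanded_length_fits(const char *raw, size_t limit) {
    char tmp[256];
    size_t n = expand_path(raw, tmp, sizeof tmp);
    return n != (size_t)-1 && n <= limit;
}

int main(void) {
    bounded_buf b;
    char chunk[20];
    char out[64];

    bb_init(&b);
    memset(chunk, 'A', sizeof chunk);                               /* constructed input */
    append_remaining_cap_check(&b, chunk, sizeof chunk);            /* 20 of 32 used */
    printf("total-capacity check: overrun of %ld bytes\n",
           append_total_cap_check(&b, chunk, sizeof chunk));        /* 8 */
    printf("remaining-capacity check: %d\n",
           append_remaining_cap_check(&b, chunk, sizeof chunk));    /* -1 (rejected) */

    printf("raw length check passes: %d\n",
           raw_length_check_passes("/c/index.cgi", 16));            /* 1 */
    printf("expanded length fits: %d\n",
           expanded_length_fits("/c/index.cgi", 16));               /* 0 */
    printf("expanded to %zu bytes: %s\n",
           expand_path("/c/index.cgi", out, sizeof out), out);      /* 18 */
    return 0;
}
```

The two hardened functions share one rule: the bound is checked against the bytes that are about to be written, at the moment they are written. A check on the chunk alone, or on the pre-expansion input, can be satisfied by every individual request while the sum of appended chunks or the expanded result still exceeds the buffer.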

Created September 20, 2022 , Updated August 27, 2024