The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
-
CVE-2026-20625 - A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Sequoia 15.7.4, macOS Tahoe 26.3, macOS Sonoma 14.8.4, visionOS 26.3. An app may be able to access sensitive user data.
Published: February 11, 2026; 6:16:05 PM -0500
-
CVE-2026-20626 - This issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.7.4, iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, visionOS 26.3. A malicious app may be able to gain root privileges.
Published: February 11, 2026; 6:16:06 PM -0500
-
CVE-2026-20630 - A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.3. An app may be able to access protected user data.
Published: February 11, 2026; 6:16:06 PM -0500
-
CVE-2026-20635 - The issue was addressed with improved memory handling. This issue is fixed in watchOS 26.3, tvOS 26.3, macOS Tahoe 26.3, iOS 18.7.5 and iPadOS 18.7.5, visionOS 26.3, iOS 26.3 and iPadOS 26.3, Safari 26.3. Processing maliciously crafted web content...
Published: February 11, 2026; 6:16:06 PM -0500
-
CVE-2026-20644 - The issue was addressed with improved memory handling. This issue is fixed in macOS Tahoe 26.3, iOS 18.7.5 and iPadOS 18.7.5, visionOS 26.3, iOS 26.3 and iPadOS 26.3, Safari 26.3. Processing maliciously crafted web content may lead to an unexpecte...
Published: February 11, 2026; 6:16:07 PM -0500
-
CVE-2026-1458 - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions, could have allowed an unauthenticated user to cause denial of service by upload...
Published: February 11, 2026; 7:16:04 AM -0500
V3.1: 7.5 HIGH
-
CVE-2026-1456 - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an unauthenticated user to cause denial of service through CPU exhaustion by submitting specially crafted...
Published: February 11, 2026; 7:16:04 AM -0500
V3.1: 7.5 HIGH
-
CVE-2026-1080 - GitLab has remediated an issue in GitLab EE affecting all versions from 16.7 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions, could have allowed an authenticated user to access iteration data from private de...
Published: February 11, 2026; 7:16:04 AM -0500
-
CVE-2026-24116 - Wasmtime is a runtime for WebAssembly. Starting in version 29.0.0 and prior to version 36.0.5, 40.0.3, and 41.0.1, on x86-64 platforms with AVX, Wasmtime's compilation of the `f64.copysign` WebAssembly instruction with Cranelift may load 8 more by...
Published: January 27, 2026; 2:16:16 PM -0500
V3.1: 5.5 MEDIUM
-
CVE-2026-1387 - GitLab has remediated an issue in GitLab EE affecting all versions from 15.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an authenticated user to cause Denial of Service by uploading a malicious file and repea...
Published: February 11, 2026; 7:16:04 AM -0500
-
CVE-2026-24736 - Squidex is an open source headless content management system and content management hub. Versions of the application up to and including 7.21.0 allow users to define "Webhooks" as actions within the Rules engine. The url parameter in the webhook c...
Published: January 27, 2026; 4:16:02 PM -0500
V3.1: 8.8 HIGH
-
CVE-2026-1282 - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an authenticated user to inject malicious content into project labels titles.
Published: February 11, 2026; 7:16:04 AM -0500
V3.1: 5.4 MEDIUM
-
CVE-2026-1094 - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.8 before 18.8.4 that could have allowed an authenticated developer to hide specially crafted file changes from the WebUI.
Published: February 11, 2026; 7:16:04 AM -0500
-
CVE-2025-14914 - IBM WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.1 could allow a privileged user to upload a zip archive containing path traversal sequences resulting in an overwrite of files leading to arbitrary code execution.
Published: February 02, 2026; 11:16:17 AM -0500
V3.1: 7.6 HIGH
-
CVE-2026-0595 - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.9 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions, could have allowed an authenticated user to add unauthorized email addresses t...
Published: February 11, 2026; 7:16:03 AM -0500
V3.1: 5.4 MEDIUM
-
CVE-2026-24741 - ConvertX is a self-hosted online file converter. In versions prior to 0.17.0, the `POST /delete` endpoint uses a user-controlled `filename` value to construct a filesystem path and deletes it via `unlink` without sufficient validation. By supplying...
Published: January 27, 2026; 5:15:56 PM -0500
-
CVE-2025-54373 - OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a vulnerability where sensitive data is unintentionally revealed to unauthorized parties. Contents of Clinical No...
Published: January 27, 2026; 7:15:49 PM -0500
V3.1: 6.5 MEDIUM
-
CVE-2025-67645 - OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a broken access control in the Profile Edit endpoint. An authenticated normal user can modify the request paramet...
Published: January 27, 2026; 7:15:49 PM -0500
-
CVE-2026-23830 - SandboxJS is a JavaScript sandboxing library. Versions prior to 0.8.26 have a sandbox escape vulnerability due to `AsyncFunction` not being isolated in `SandboxFunction`. The library attempts to sandbox code execution by replacing the global `Func...
Published: January 27, 2026; 7:15:50 PM -0500
-
CVE-2026-1466 - Jirafeau normally prevents browser preview for text files due to the possibility that, for example, SVG and HTML documents could be exploited for cross-site scripting. This was done by storing the MIME type of a file and allowing only browser previe...
Published: January 28, 2026; 2:16:01 AM -0500