The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
-
CVE-2026-30078 - OpenAirInterface V2.2.0 AMF crashes when it receives an NGAP message with an invalid procedure code or invalid PDU-type, for example when the message specification requires InitiatingMessage but the message is sent with successfulOutcome.
Published: April 06, 2026; 10:16:22 AM -0400 -
CVE-2026-31058 - UTT Aggressive HiPER 1200GW v2.5.3-170306 was discovered to contain a buffer overflow in the timeRangeName parameter of the formConfigDnsFilterGlobal function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted in...
Published: April 06, 2026; 11:17:08 AM -0400 -
CVE-2026-31060 - UTT Aggressive HiPER 810G v3v1.7.7-171114 was discovered to contain a buffer overflow in the notes parameter of the formGroupConfig function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.
Published: April 06, 2026; 11:17:08 AM -0400 -
CVE-2026-31061 - UTT Aggressive HiPER 810G v3v1.7.7-171114 was discovered to contain a buffer overflow in the timestart parameter of the ConfigAdvideo function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.
Published: April 06, 2026; 11:17:08 AM -0400 -
CVE-2026-31063 - UTT Aggressive HiPER 1200GW v2.5.3-170306 was discovered to contain a buffer overflow in the pools parameter of the formArpBindConfig function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.
Published: April 06, 2026; 11:17:08 AM -0400 -
CVE-2026-31066 - UTT Aggressive HiPER 810G v3v1.7.7-171114 was discovered to contain a buffer overflow in the selDateType parameter of the formTaskEdit function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.
Published: April 06, 2026; 11:17:09 AM -0400 -
CVE-2026-31150 - Incorrect access control in Kaleris YMS v7.2.2.1 allows authenticated attackers with only the shipping/receiving role to view the truck's dashboard resources.
Published: April 06, 2026; 11:17:09 AM -0400 -
CVE-2026-31151 - An issue in the login mechanism of Kaleris YMS v7.2.2.1 allows attackers to bypass login verification to access the application's resources.
Published: April 06, 2026; 11:17:09 AM -0400
V3.1: 9.8 CRITICAL
-
CVE-2026-32602 - Homarr is an open-source dashboard. Prior to 1.57.0, the user registration endpoint (/api/trpc/user.register) is vulnerable to a race condition that allows an attacker to create multiple user accounts from a single-use invite token. The registrati...
Published: April 06, 2026; 11:17:10 AM -0400 -
CVE-2026-33403 - Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, a reflected DOM-based XSS vulnerability in taillog.js allows an unauthenticated attacker to inje...
Published: April 06, 2026; 11:17:10 AM -0400 -
CVE-2026-29510 - Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a stored cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary JavaScript by manipulating the Device Name field. Attackers can inject malicious scrip...
Published: March 16, 2026; 2:16:08 PM -0400
V3.1: 5.4 MEDIUM
-
CVE-2026-29513 - Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a stored cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary JavaScript by manipulating the Device Location field. Attackers can inject malicious s...
Published: March 16, 2026; 2:16:08 PM -0400
V3.1: 5.4 MEDIUM
-
CVE-2026-29520 - Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a reflected cross-site scripting vulnerability in the Network Diagnosis ping function that allows attackers to execute arbitrary JavaScript. Attackers can craft malicious links with inje...
Published: March 16, 2026; 2:16:08 PM -0400
V3.1: 6.1 MEDIUM
-
CVE-2026-29521 - Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a cross-site request forgery vulnerability that allows attackers to modify device configuration by exploiting missing CSRF protections in setup.cgi. Attackers can host malicious pages th...
Published: March 16, 2026; 2:16:08 PM -0400
V3.1: 4.3 MEDIUM
-
CVE-2026-4147 - An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the filemd5 command.
Published: March 17, 2026; 12:16:23 PM -0400
V3.1: 4.3 MEDIUM
-
CVE-2026-4148 - A use-after-free vulnerability can be triggered in sharded clusters by an authenticated user with the read role who issues a specially crafted $lookup or $graphLookup aggregation pipeline.
Published: March 17, 2026; 12:16:23 PM -0400 -
CVE-2025-68278 - Tina is a headless content management system. In tinacms prior to version 3.1.1, tinacms uses the gray-matter package in an insecure way allowing attackers that can control the content of the processed markdown files, e.g., blog posts, to execute ...
Published: December 18, 2025; 11:15:57 AM -0500
V3.1: 8.8 HIGH
-
CVE-2025-15056 - A lack of data validation vulnerability in the HTML export feature in Quill allows Cross-Site Scripting (XSS). This issue affects Quill: 2.0.3.
Published: January 13, 2026; 4:15:49 PM -0500
V3.1: 6.1 MEDIUM
-
CVE-2025-68429 - Storybook is a frontend workshop for building user interface components and pages in isolation. A vulnerability present starting in versions 7.0.0 and prior to versions 7.6.21, 8.6.15, 9.1.17, and 10.1.10 relates to Storybook's handling of environ...
Published: December 17, 2025; 6:16:05 PM -0500
V3.1: 5.3 MEDIUM
-
CVE-2026-35508 - Shynet before 0.14.0 allows XSS in urldisplay and iconify template filters,
Published: April 02, 2026; 10:16:15 PM -0400
V3.1: 6.1 MEDIUM