U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database
The letters N V D typed out in binary
New 2.0 APIs
Emphasis on APIs for web automation
2022-23 Change Timeline
Icon for CISA Known Exploited Vulnerabilities Catalog Announcement
New Parameters

The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.

For information on how to the cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries CVSS Severity

  • CVE-2023-24022 - Baicells Nova 227, Nova 233, and Nova 243 LTE TDD eNodeB devices with firmware through RTS/RTD 3.7.11.3 have hardcoded credentials that are easily discovered and can be used by remote attackers to authenticate via ssh. (The credentials are stored ... read CVE-2023-24022
    Published: January 26, 2023; 4:18:15 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2023-24427 - Jenkins Bitbucket OAuth Plugin 0.12 and earlier does not invalidate the previous session on login.
    Published: January 26, 2023; 4:18:16 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2023-24422 - A sandbox bypass vulnerability involving map constructors in Jenkins Script Security Plugin 1228.vd93135a_2fb_25 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protectio... read CVE-2023-24422
    Published: January 26, 2023; 4:18:16 PM -0500

    V3.1: 8.8 HIGH

  • CVE-2022-48070 - Phicomm K2 v22.6.534.263 was discovered to contain a command injection vulnerability via the autoUpTime parameter in the automatic upgrade function.
    Published: January 27, 2023; 10:15:10 AM -0500

    V3.1: 7.8 HIGH

  • CVE-2023-24440 - Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier transmits the private key in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.
    Published: January 26, 2023; 4:18:17 PM -0500

    V3.1: 5.5 MEDIUM

  • CVE-2023-24439 - Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier stores the private keys unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
    Published: January 26, 2023; 4:18:17 PM -0500

    V3.1: 5.5 MEDIUM

  • CVE-2022-48071 - Phicomm K2 v22.6.534.263 was discovered to store the root and admin passwords in plaintext.
    Published: January 27, 2023; 10:15:10 AM -0500

    V3.1: 7.5 HIGH

  • CVE-2023-24438 - A missing permission check in Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through anot... read CVE-2023-24438
    Published: January 26, 2023; 4:18:17 PM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2023-24429 - Jenkins Semantic Versioning Plugin 1.14 and earlier does not restrict execution of an controller/agent message to agents, and implements no limitations about the file path that can be parsed, allowing attackers able to control agent processes to h... read CVE-2023-24429
    Published: January 26, 2023; 4:18:17 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2023-24428 - A cross-site request forgery (CSRF) vulnerability in Jenkins Bitbucket OAuth Plugin 0.12 and earlier allows attackers to trick users into logging in to the attacker's account.
    Published: January 26, 2023; 4:18:17 PM -0500

    V3.1: 5.7 MEDIUM

  • CVE-2022-48072 - Phicomm K2G v22.6.3.20 was discovered to contain a command injection vulnerability via the autoUpTime parameter in the automatic upgrade function.
    Published: January 27, 2023; 10:15:10 AM -0500

    V3.1: 7.8 HIGH

  • CVE-2022-48010 - LimeSurvey v5.4.15 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /index.php/surveyAdministration/rendersidemenulink?subaction=surveytexts. This vulnerability allows attackers to execute arbitrary web ... read CVE-2022-48010
    Published: January 27, 2023; 1:15:15 PM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2023-24430 - Jenkins Semantic Versioning Plugin 1.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
    Published: January 26, 2023; 4:18:17 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2022-48008 - An arbitrary file upload vulnerability in the plugin manager of LimeSurvey v5.4.15 allows attackers to execute arbitrary code via a crafted PHP file.
    Published: January 27, 2023; 1:15:15 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2022-48073 - Phicomm K2 v22.6.534.263 was discovered to store the root and admin passwords in plaintext.
    Published: January 27, 2023; 10:15:10 AM -0500

    V3.1: 7.5 HIGH

  • CVE-2023-0533 - A vulnerability, which was classified as critical, has been found in SourceCodester Online Tours & Travels Management System 1.0. Affected by this issue is some unknown functionality of the file admin/expense_report.php. The manipulation of the ar... read CVE-2023-0533
    Published: January 27, 2023; 6:15:13 AM -0500

    V3.1: 4.7 MEDIUM

  • CVE-2023-0563 - A vulnerability classified as problematic has been found in PHPGurukul Bank Locker Management System 1.0. This affects an unknown part of the file add-locker-form.php of the component Assign Locker. The manipulation of the argument ahname leads to... read CVE-2023-0563
    Published: January 28, 2023; 6:15:08 PM -0500

    V3.1: 4.8 MEDIUM

  • CVE-2022-48007 - A stored cross-site scripting (XSS) vulnerability in identification.php of Piwigo v13.4.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the User-Agent.
    Published: January 27, 2023; 1:15:14 PM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2023-0531 - A vulnerability classified as critical has been found in SourceCodester Online Tours & Travels Management System 1.0. Affected is an unknown function of the file admin/booking_report.php. The manipulation of the argument to_date leads to sql injec... read CVE-2023-0531
    Published: January 27, 2023; 6:15:13 AM -0500

    V3.1: 4.7 MEDIUM

  • CVE-2023-0534 - A vulnerability, which was classified as critical, was found in SourceCodester Online Tours & Travels Management System 1.0. This affects an unknown part of the file admin/expense_report.php. The manipulation of the argument to_date leads to sql i... read CVE-2023-0534
    Published: January 27, 2023; 6:15:14 AM -0500

    V3.1: 4.7 MEDIUM