The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
Legal Disclaimer:
Here is where you can read the NVD legal disclaimer.
-
CVE-2026-22769 - Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credential vulnerability. This is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exp...
Published: February 17, 2026; 3:22:09 PM -0500
V3.1: 10.0 CRITICAL
-
CVE-2025-70981 - CordysCRM 1.4.1 is vulnerable to SQL Injection in the employee list query interface (/user/list) via the departmentIds parameter.
Published: February 12, 2026; 1:16:08 PM -0500
-
CVE-2025-70314 - webfsd 1.21 is vulnerable to a Buffer Overflow via a crafted request. This is due to the filename variable
Published: February 12, 2026; 3:16:03 PM -0500
-
CVE-2024-43178 - IBM Concert 1.0.0 through 2.1.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
Published: February 17, 2026; 2:21:53 PM -0500
V3.1: 7.5 HIGH
-
CVE-2025-36018 - IBM Concert 1.0.0 through 2.1.0 for Z hub component is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
Published: February 17, 2026; 2:21:54 PM -0500
V3.1: 6.5 MEDIUM
-
CVE-2025-36019 - IBM Concert 1.0.0 through 2.1.0 for Z hub framework is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially ...
Published: February 17, 2026; 2:21:54 PM -0500
V3.1: 6.1 MEDIUM
-
CVE-2026-2530 - A weakness has been identified in Wavlink WL-WN579A3 up to 20210219. This affects the function AddMac of the file /cgi-bin/wireless.cgi. This manipulation of the argument macAddr causes command injection. The attack is possible to be carried out r...
Published: February 15, 2026; 11:15:51 PM -0500
V3.1: 8.8 HIGH
-
CVE-2026-2521 - A weakness has been identified in Open5GS up to 2.7.6. This issue affects the function sgwc_s5c_handle_create_session_response of the component SGW-C. Executing a manipulation can lead to memory corruption. The attack may be performed from remote....
Published: February 15, 2026; 6:16:05 PM -0500
V3.1: 9.8 CRITICAL
-
CVE-2026-2565 - A weakness has been identified in Wavlink WL-NU516U1 20251208. Affected by this issue is the function sub_40785C of the file /cgi-bin/adm.cgi. This manipulation of the argument time_zone causes stack-based buffer overflow. The attack can be initia...
Published: February 16, 2026; 12:18:09 PM -0500
V3.1: 6.6 MEDIUM
-
CVE-2026-2522 - A security vulnerability has been detected in Open5GS up to 2.7.6. Impacted is an unknown function of the file /src/mme/esm-build.c of the component MME. The manipulation leads to memory corruption. It is possible to initiate the attack remotely. ...
Published: February 15, 2026; 7:16:07 PM -0500
V3.1: 9.8 CRITICAL
-
CVE-2025-66029 - Open OnDemand provides remote web access to supercomputers. In versions 4.0.8 and prior, the Apache proxy allows sensitive headers to be passed to origin servers. This means malicious users can create an origin server on a compute node that record...
Published: December 17, 2025; 6:16:04 PM -0500
-
CVE-2026-2567 - A vulnerability was detected in Wavlink WL-NU516U1 20251208. This vulnerability affects the function sub_401218 of the file /cgi-bin/nas.cgi. Performing a manipulation of the argument User1Passwd results in stack-based buffer overflow. The attack ...
Published: February 16, 2026; 1:19:45 PM -0500
V3.1: 7.2 HIGH
-
CVE-2026-25759 - Statamic is a Laravel and Git powered content management system (CMS). From 6.0.0 to before 6.2.3, a stored XSS vulnerability in content titles allows authenticated users with content creation permissions to inject malicious JavaScript that execu...
Published: February 11, 2026; 4:16:19 PM -0500
-
CVE-2020-37158 - AVideo Platform 8.1 contains a cross-site request forgery vulnerability that allows attackers to reset user passwords by exploiting the password recovery mechanism. Attackers can craft malicious requests to the recoverPass endpoint using the user'...
Published: February 11, 2026; 4:16:08 PM -0500
V3.1: 8.8 HIGH
-
CVE-2020-37172 - AVideo Platform 8.1 contains a cross-site request forgery vulnerability that allows attackers to reset user passwords by exploiting the password recovery mechanism. Attackers can craft malicious requests to the recoverPass endpoint using the user'...
Published: February 11, 2026; 4:16:09 PM -0500
V3.1: 9.8 CRITICAL
-
CVE-2020-37173 - AVideo Platform 8.1 contains an information disclosure vulnerability that allows attackers to enumerate user details through the playlistsFromUser.json.php endpoint. Attackers can retrieve sensitive user information including email, password hash,...
Published: February 11, 2026; 4:16:10 PM -0500
V3.1: 7.5 HIGH
-
CVE-2026-2615 - A flaw has been found in Wavlink WL-NU516U1 up to 20251208. The affected element is the function singlePortForwardDelete of the file /cgi-bin/firewall.cgi. Executing a manipulation of the argument del_flag can lead to command injection. The attack...
Published: February 17, 2026; 8:16:17 AM -0500
V3.1: 7.2 HIGH
-
CVE-2026-25633 - Statamic is a Laravel + Git powered CMS designed for building websites. Prior to 5.73.6 and 6.2.5, users without permission to view assets are able to download them and view their metadata. Logged-out users and users without permission t...
Published: February 11, 2026; 4:16:18 PM -0500
-
CVE-2026-23857 - Dell Update Package (DUP) Framework, versions 23.12.00 through 24.12.00, contains an Improper Handling of Insufficient Permissions or Privileges vulnerability. A low privileged attacker with local access could potentially exploit this vulnerabilit...
Published: February 11, 2026; 10:15:47 PM -0500
-
CVE-2025-13867 - IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3 could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic
Published: February 17, 2026; 1:20:28 PM -0500
V3.1: 6.5 MEDIUM