The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
-
CVE-2026-42865 - Inbox Zero is an AI personal assistant for email. Prior to 2.29.3, the cleaner email stream endpoint used a shared Redis subscription listener, which could deliver thread events for one authenticated account to another authenticated account using ...
Published: May 11, 2026; 2:16:36 PM -0400
V3.1: 4.3 MEDIUM
-
CVE-2026-8257 - A vulnerability was detected in WebAssembly Binaryen up to 117. This issue affects the function IRBuilder::makeBrOn of the file src/wasm/wasm-ir-builder.cpp of the component BrOn Parser. Performing a manipulation results in reachable assertion. Th...
Published: May 10, 2026; 10:16:27 PM -0400
V3.1: 5.5 MEDIUM
-
CVE-2026-41889 - pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string literal is used in the SQL query, that string literal contains text that would be w...
Published: May 08, 2026; 1:16:31 PM -0400
V3.1: 9.8 CRITICAL
-
CVE-2026-43436 - In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces The Scarlett2 mixer quirk in USB-audio driver may hit a NULL dereference when a malformed USB descr...
Published: May 08, 2026; 11:16:55 AM -0400
V3.1: 5.5 MEDIUM
-
CVE-2026-43437 - In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain() In the drain loop, the local variable 'runtime' is reassigned to a linked stream's runtime (runtime = s...
Published: May 08, 2026; 11:16:56 AM -0400
-
CVE-2026-32147 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to modify file attributes outside the configured chroot directory. The SFTP daemon...
Published: April 21, 2026; 8:15:58 AM -0400
V3.1: 4.3 MEDIUM
-
CVE-2026-23247 - In the Linux kernel, the following vulnerability has been resolved: tcp: secure_seq: add back ports to TS offset This reverts 28ee1b746f49 ("secure_seq: downgrade to per-host timestamp offsets") tcp_tw_recycle went away in 2017. Zhouyan Deng r...
Published: March 18, 2026; 7:16:16 AM -0400
V3.1: 5.5 MEDIUM
-
CVE-2026-31432 - In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix OOB write in QUERY_INFO for compound requests When a compound request such as READ + QUERY_INFO(Security) is received, and the first command (READ) consumes most of t...
Published: April 22, 2026; 5:16:21 AM -0400
-
CVE-2026-43438 - In the Linux kernel, the following vulnerability has been resolved: sched_ext: Remove redundant css_put() in scx_cgroup_init() The iterator css_for_each_descendant_pre() walks the cgroup hierarchy under cgroup_lock(). It does not increment the r...
Published: May 08, 2026; 11:16:56 AM -0400
-
CVE-2026-43439 - In the Linux kernel, the following vulnerability has been resolved: cgroup: fix race between task migration and iteration When a task is migrated out of a css_set, cgroup_migrate_add_task() first moves it from cset->tasks to cset->mg_tasks via: ...
Published: May 08, 2026; 11:16:56 AM -0400
V3.1: 4.7 MEDIUM
-
CVE-2026-8602 - In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated attacker to send HTTP GET requests to the SCADA system and inject arbitrary sensor readings.
Published: May 19, 2026; 2:16:31 PM -0400
V3.1: 9.1 CRITICAL
-
CVE-2026-43440 - In the Linux kernel, the following vulnerability has been resolved: net/mana: Null service_wq on setup error to prevent double destroy In mana_gd_setup() error path, set gc->service_wq to NULL after destroy_workqueue() to match the cleanup in ma...
Published: May 08, 2026; 11:16:56 AM -0400
V3.1: 7.8 HIGH
-
CVE-2026-8603 - In ScadaBR version 1.2.0, an OS Command Injection vulnerability could allow an attacker to execute commands as root on the SCADA system.
Published: May 19, 2026; 2:16:31 PM -0400
V3.1: 9.8 CRITICAL
-
CVE-2026-8604 - In ScadaBR version 1.2.0, a CSRF vulnerability could allow an attacker to trigger any authenticated action through a victim's session by luring any logged-in user to a malicious webpage.
Published: May 19, 2026; 2:16:32 PM -0400
V3.1: 8.8 HIGH
-
CVE-2025-70040 - An issue pertaining to CWE-532: Insertion of Sensitive Information into Log File was discovered in LupinLin1 jimeng-web-mcp v2.1.2. This allows an attacker to obtain sensitive information.
Published: March 09, 2026; 12:16:15 PM -0400
-
CVE-2026-43441 - In the Linux kernel, the following vulnerability has been resolved: net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never initialized because inet6_init() exits befo...
Published: May 08, 2026; 11:16:56 AM -0400
-
CVE-2026-8605 - In ScadaBR version 1.2.0, a Use of Hard-Coded Credentials vulnerability could allow an attacker to access the SCADA system as admin.
Published: May 19, 2026; 2:16:32 PM -0400
V3.1: 9.8 CRITICAL
-
CVE-2026-26738 - Buffer Overflow vulnerability in Uderzo Software SpaceSniffer v.2.0.5.18 allows a remote attacker to execute arbitrary code via a crafted .sns snapshot file.
Published: March 10, 2026; 2:18:43 PM -0400
-
CVE-2026-43442 - In the Linux kernel, the following vulnerability has been resolved: io_uring: fix physical SQE bounds check for SQE_MIXED 128-byte ops When IORING_SETUP_SQE_MIXED is used without IORING_SETUP_NO_SQARRAY, the boundary check for 128-byte SQE opera...
Published: May 08, 2026; 11:16:56 AM -0400
-
CVE-2026-8564 - Incorrect security UI in Downloads in Google Chrome on Android and Mac prior to 148.0.7778.168 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Published: May 14, 2026; 4:17:18 PM -0400