The NVD has a new announcement page with status updates, news, and how to stay connected!
The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
-
CVE-2024-38373 - FreeRTOS-Plus-TCP is a lightweight TCP/IP stack for FreeRTOS. FreeRTOS-Plus-TCP versions 4.0.0 through 4.1.0 contain a buffer over-read issue in the DNS Response Parser when parsing domain names in a DNS response. A carefully crafted DNS response ...
Published: June 24, 2024; 1:15:10 PM -0400
V3.1: 8.1 HIGH
-
CVE-2024-38369 - XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The content of a document included using `{{include reference="targetdocument"/}}` is executed with the right of the includer and not with the...
Published: June 24, 2024; 1:15:10 PM -0400
V3.1: 4.3 MEDIUM
-
CVE-2024-33881 - An issue was discovered in VirtoSoftware Virto Bulk File Download 5.5.44 for SharePoint 2019. The Virto.SharePoint.FileDownloader/Api/Download.ashx isCompleted method allows an NTLMv2 hash leak via a UNC share pathname in the path parameter.
Published: June 24, 2024; 1:15:10 PM -0400
V3.1: 5.3 MEDIUM
-
CVE-2024-33880 - An issue was discovered in VirtoSoftware Virto Bulk File Download 5.5.44 for SharePoint 2019. It discloses full pathnames via Virto.SharePoint.FileDownloader/Api/Download.ashx?action=archive.
Published: June 24, 2024; 1:15:10 PM -0400
V3.1: 5.3 MEDIUM
-
CVE-2024-33879 - An issue was discovered in VirtoSoftware Virto Bulk File Download 5.5.44 for SharePoint 2019. The Virto.SharePoint.FileDownloader/Api/Download.ashx isCompleted method allows arbitrary file download and deletion via absolute path traversal in the p...
Published: June 24, 2024; 1:15:10 PM -0400
V3.1: 9.8 CRITICAL
-
CVE-2024-6287 - Incorrect Calculation vulnerability in Renesas arm-trusted-firmware allows Local Execution of Code. When checking whether a new image invades/overlaps with a previously loaded image the code neglects to consider a few cases. that could An attack...
Published: June 24, 2024; 12:15:11 PM -0400
V3.1: 7.8 HIGH
-
CVE-2024-6285 - Integer Underflow (Wrap or Wraparound) vulnerability in Renesas arm-trusted-firmware. An integer underflow in image range check calculations could lead to bypassing address restrictions and loading of images to unallowed addresses.
Published: June 24, 2024; 12:15:10 PM -0400
V3.1: 6.7 MEDIUM
-
CVE-2024-33687 - Insufficient verification of data authenticity issue exists in NJ Series CPU Unit all versions and NX Series CPU Unit all versions. If a user program in the affected product is altered, the product may not be able to detect the alteration.
Published: June 24, 2024; 11:15:11 AM -0400
V3.1: 7.5 HIGH
-
CVE-2024-4748 - The CRUDDIY project is vulnerable to shell command injection via sending a crafted POST request to the application server. The exploitation risk is limited since CRUDDIY is meant to be launched locally. Nevertheless, a user with the project runni...
Published: June 24, 2024; 10:15:13 AM -0400
V3.1: 7.8 HIGH
-
CVE-2024-39292 - In the Linux kernel, the following vulnerability has been resolved: um: Add winch to winch_handlers before registering winch IRQ Registering a winch IRQ is racy, an interrupt may occur before the winch is added to the winch_handlers list. If th...
Published: June 24, 2024; 10:15:12 AM -0400
V3.1: 5.5 MEDIUM
-
CVE-2024-39291 - In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix buffer size in gfx_v9_4_3_init_ cp_compute_microcode() and rlc_microcode() The function gfx_v9_4_3_init_microcode in gfx_v9_4_3.c was generating about potential ...
Published: June 24, 2024; 10:15:12 AM -0400
V3.1: 7.8 HIGH
-
CVE-2024-38667 - In the Linux kernel, the following vulnerability has been resolved: riscv: prevent pt_regs corruption for secondary idle threads Top of the kernel thread stack should be reserved for pt_regs. However this is not the case for the idle threads of ...
Published: June 24, 2024; 10:15:12 AM -0400
V3.1: 7.8 HIGH
-
CVE-2024-38664 - In the Linux kernel, the following vulnerability has been resolved: drm: zynqmp_dpsub: Always register bridge We must always register the DRM bridge, since zynqmp_dp_hpd_work_func calls drm_bridge_hpd_notify, which in turn expects hpd_mutex to b...
Published: June 24, 2024; 10:15:12 AM -0400
V3.1: 7.8 HIGH
-
CVE-2024-30072 - Microsoft Event Trace Log File Parsing Remote Code Execution Vulnerability
Published: June 11, 2024; 1:15:53 PM -0400
V3.1: 7.8 HIGH
-
CVE-2024-30070 - DHCP Server Service Denial of Service Vulnerability
Published: June 11, 2024; 1:15:53 PM -0400
V3.1: 7.5 HIGH
-
CVE-2024-30069 - Windows Remote Access Connection Manager Information Disclosure Vulnerability
Published: June 11, 2024; 1:15:53 PM -0400
V3.1: 4.7 MEDIUM
-
CVE-2024-30075 - Windows Link Layer Topology Discovery Protocol Remote Code Execution Vulnerability
Published: June 11, 2024; 1:15:54 PM -0400
V3.1: 8.0 HIGH
-
CVE-2024-30074 - Windows Link Layer Topology Discovery Protocol Remote Code Execution Vulnerability
Published: June 11, 2024; 1:15:54 PM -0400
V3.1: 8.0 HIGH
-
CVE-2024-30068 - Windows Kernel Elevation of Privilege Vulnerability
Published: June 11, 2024; 1:15:53 PM -0400
V3.1: 8.8 HIGH
-
CVE-2024-6120 - The Sparkle Demo Importer plugin for WordPress is vulnerable to unauthorized database reset and demo data import due to a missing capability check on the multiple functions in all versions up to and including 1.4.7. This makes it possible for auth...
Published: June 21, 2024; 8:15:09 PM -0400
V3.1: 6.5 MEDIUM