The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
Legal Disclaimer:
Here is where you can read the NVD legal disclaimer.

CVE-2026-28786 - Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an unsanitized filename field in the speech-to-text transcription endpoint allows any authenticated non-admin user to trigge... read CVE-2026-28786
Published: March 26, 2026; 8:16:22 PM -0400

CVE-2026-33628 - Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Invoice line item descriptions in Invoice Ninja v5.13.0 bypass the XSS denylist filter, allowing stored XSS payloads to execute when invoices are... read CVE-2026-33628
Published: March 26, 2026; 5:17:07 PM -0400

CVE-2026-33757 - OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with `callback_mode` set to `direct`. This allows an attacker to star... read CVE-2026-33757
Published: March 27, 2026; 11:16:57 AM -0400 | V3.1: 8.3 HIGH

CVE-2026-33758 - OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao installations that have an OIDC/JWT authentication method enabled and a role with `callback_mode=direct` configured are vulnerable to XSS via the ... read CVE-2026-33758
Published: March 27, 2026; 11:16:57 AM -0400 | V3.1: 6.1 MEDIUM

CVE-2026-30527 - A Stored Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Category management module within the admin panel. The application fails to properly sanitize user input supplied to the "Category N... read CVE-2026-30527
Published: March 27, 2026; 12:16:23 PM -0400 | V3.1: 5.4 MEDIUM

CVE-2026-30529 - A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Actions.php file (specifically the save_user action). The application fails to properly sanitize user input supplied to the "username" parameter. This a... read CVE-2026-30529
Published: March 27, 2026; 12:16:23 PM -0400

CVE-2026-30569 - A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the view_stock_availability.php file via the "limit" parameter. The application fails to sanitize the inp... read CVE-2026-30569
Published: March 27, 2026; 1:16:28 PM -0400 | V3.1: 6.1 MEDIUM

CVE-2026-30570 - A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0 in the view_sales.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arb... read CVE-2026-30570
Published: March 27, 2026; 1:16:28 PM -0400 | V3.1: 6.1 MEDIUM

CVE-2026-30571 - A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0 in the view_category.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject ... read CVE-2026-30571
Published: March 27, 2026; 1:16:28 PM -0400 | V3.1: 6.1 MEDIUM

CVE-2026-30567 - A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0 in the view_product.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject a... read CVE-2026-30567
Published: March 27, 2026; 2:16:05 PM -0400 | V3.1: 6.1 MEDIUM

CVE-2026-30568 - A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0 in the view_purchase.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inje... read CVE-2026-30568
Published: March 27, 2026; 2:16:05 PM -0400

CVE-2026-27309 - Substance3D - Stager versions 3.1.7 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim ... read CVE-2026-27309
Published: March 27, 2026; 6:16:20 PM -0400 | V3.1: 7.8 HIGH

CVE-2026-4988 - A security flaw has been discovered in Open5GS 2.7.6. This issue affects the function smf_gx_cca_cb/smf_gy_cca_cb/smf_s6b of the component CCA Message Handler. The manipulation results in denial of service. The attack may be launched remotely. Att... read CVE-2026-4988
Published: March 27, 2026; 6:16:23 PM -0400 | V3.1: 5.9 MEDIUM

CVE-2026-32978 - OpenClaw before 2026.3.11 contains an approval integrity vulnerability where system.run approvals fail to bind mutable file operands for certain script runners like tsx and jiti. Attackers can obtain approval for benign script commands, rewrite re... read CVE-2026-32978
Published: March 29, 2026; 9:17:01 AM -0400 | V3.1: 7.5 HIGH

CVE-2026-32975 - OpenClaw before 2026.3.12 contains a weak authorization vulnerability in Zalouser allowlist mode that matches mutable group display names instead of stable group identifiers. Attackers can create groups with identical names to allowlisted groups t... read CVE-2026-32975
Published: March 29, 2026; 9:17:01 AM -0400 | V3.1: 9.8 CRITICAL

CVE-2026-32974 - OpenClaw before 2026.3.12 contains an authentication bypass vulnerability in Feishu webhook mode when only verificationToken is configured without encryptKey, allowing acceptance of forged events. Unauthenticated network attackers can inject forge... read CVE-2026-32974
Published: March 29, 2026; 9:17:01 AM -0400 | V3.1: 9.8 CRITICAL

CVE-2026-33669 - SiYuan is a personal knowledge management system. Prior to version 3.6.2, document IDs were retrieved via the /api/file/readDir interface, and then the /api/block/getChildBlocks interface was used to view the content of all documents. Version 3.6.... read CVE-2026-33669
Published: March 26, 2026; 6:16:29 PM -0400 | V3.1: 7.5 HIGH

CVE-2026-32973 - OpenClaw before 2026.3.11 contains an exec allowlist bypass vulnerability where matchesExecAllowlistPattern improperly normalizes patterns with lowercasing and glob matching that overmatches on POSIX paths. Attackers can exploit the ? wildcard mat... read CVE-2026-32973
Published: March 29, 2026; 9:17:01 AM -0400 | V3.1: 9.8 CRITICAL

CVE-2026-33742 - Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Product notes fields in Invoice Ninja v5.13.0 allow raw HTML via Markdown rendering, enabling stored XSS. The Markdown parser output was not sani... read CVE-2026-33742
Published: March 26, 2026; 5:17:08 PM -0400

CVE-2026-33670 - SiYuan is a personal knowledge management system. Prior to version 3.6.2, the /api/file/readDir interface was used to traverse and retrieve the file names of all documents under a notebook. Version 3.6.2 patches the issue.
Published: March 26, 2026; 6:16:30 PM -0400 | V3.1: 7.5 HIGH