The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries (with CVSS Severity)
  • CVE-2025-5987 - A flaw was found in libssh when using the ChaCha20 cipher with the OpenSSL library. If an attacker manages to exhaust the heap space, this error is not detected and may lead to libssh using a partially initialized cipher context. This occurs becau...
    Published: July 07, 2025; 11:15:28 AM -0400

    V3.1: 8.1 HIGH

  • CVE-2025-63435 - Xtooltech Xtool AnyScan Android Application 4.40.40 is Missing Authentication for Critical Function. The server-side endpoint responsible for serving update packages for the application does not require any authentication. This allows an unauthent...
    Published: November 24, 2025; 12:16:08 PM -0500

  • CVE-2025-63434 - The update mechanism in Xtooltech Xtool AnyScan Android Application 4.40.40 and prior is insecure. The application downloads and extracts update packages containing executable code without performing a cryptographic integrity or authenticity check...
    Published: November 24, 2025; 12:16:08 PM -0500

  • CVE-2025-63433 - Xtooltech Xtool AnyScan Android Application 4.40.40 and prior uses a hardcoded cryptographic key and IV to decrypt update metadata. The key is stored as a static value within the application's code. An attacker with the ability to intercept networ...
    Published: November 24, 2025; 12:16:07 PM -0500

  • CVE-2025-63432 - Xtooltech Xtool AnyScan Android Application 4.40.40 and prior is Missing SSL Certificate Validation. The application fails to properly validate the TLS certificate from its update server. An attacker on the same network can exploit this vulnerabil...
    Published: November 24, 2025; 12:16:07 PM -0500

  • CVE-2025-13265 - A weakness has been identified in lsfusion platform up to 6.1. This vulnerability affects the function unpackFile of the file server/src/main/java/lsfusion/server/physics/dev/integration/external/to/file/ZipUtils.java. This manipulation causes pat...
    Published: November 17, 2025; 1:15:43 AM -0500

    V3.1: 9.1 CRITICAL

  • CVE-2025-34245 - Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxStandaloneVpnClientsController.ajaxAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leadi...
    Published: November 06, 2025; 3:15:48 PM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2018-11802 - In Apache Solr, the cluster can be partitioned into multiple collections and only a subset of nodes actually host any given collection. However, if a node receives a request for a collection it does not host, it proxies the request to a relevant n...
    Published: April 01, 2020; 6:15:15 PM -0400

    V3.1: 4.3 MEDIUM
    V2.0: 4.0 MEDIUM

  • CVE-2018-25120 - D-Link DNS-343 ShareCenter devices running firmware versions up to and including 1.05 contain a command injection vulnerability in the Mail Test functionality. The web maintenance script posts to the internal goForm endpoint '/goform/Mail_Test' an...
    Published: October 29, 2025; 3:15:36 PM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2022-50596 - D-Link DIR-1260 Wi-Fi router firmware versions up to and including v1.20B05 contain a command injection vulnerability within the web management interface that allows for unauthenticated attackers to execute arbitrary commands on the device with ro...
    Published: November 06, 2025; 3:15:40 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2025-34247 - Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in NetworksController.addNetworkAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disc...
    Published: November 06, 2025; 3:15:49 PM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2025-34246 - Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxPrevalidationController.ajaxAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to d...
    Published: November 06, 2025; 3:15:48 PM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2023-5844 - Unverified Password Change in GitHub repository pimcore/admin-ui-classic-bundle prior to 1.2.0.
    Published: October 30, 2023; 7:15:39 AM -0400

    V3.1: 7.2 HIGH

  • CVE-2025-34244 - Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxFwRulesController.ajaxDeviceFwRulesAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leadi...
    Published: November 06, 2025; 3:15:48 PM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2025-34243 - Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxFwRulesController.ajaxNetworkFwRulesAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, lead...
    Published: November 06, 2025; 3:15:48 PM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2025-34242 - Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxNetworkController.ajaxAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclos...
    Published: November 06, 2025; 3:15:48 PM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2025-34241 - Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxDeviceController.ajaxDeviceAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to di...
    Published: November 06, 2025; 3:15:48 PM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2025-34240 - Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AppManagementController.appUpgradeAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to...
    Published: November 06, 2025; 3:15:47 PM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2024-53015 - Memory corruption while processing IOCTL command to handle buffers associated with a session.
    Published: June 03, 2025; 2:15:24 AM -0400

    V3.1: 6.6 MEDIUM

  • CVE-2024-53010 - Memory corruption may occur while attaching VM when the HLOS retains access to VM.
    Published: June 03, 2025; 2:15:23 AM -0400

    V3.1: 7.8 HIGH

Created September 20, 2022, Updated August 27, 2024