The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
-
CVE-2010-20113 - EasyFTP Server 1.7.0.11 and earlier contains a stack-based buffer overflow vulnerability in its HTTP interface. When processing a GET request to list.html, the server fails to properly validate the length of the path parameter. Supplying an excess... read CVE-2010-20113
Published: August 21, 2025; 5:15:33 PM -0400
V3.1: 9.8 CRITICAL
-
CVE-2010-20121 - EasyFTP Server versions up to 1.7.0.11 contain a stack-based buffer overflow vulnerability in the FTP command parser. When processing the CWD (Change Working Directory) command, the server fails to properly validate the length of the input string,... read CVE-2010-20121
Published: August 21, 2025; 4:15:31 PM -0400
V3.1: 9.8 CRITICAL
-
CVE-2025-55522 - Cross-site scripting (XSS) vulnerability in the component /common/reports of Akaunting v3.1.18 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the name parameter.
Published: August 21, 2025; 1:15:31 PM -0400
-
CVE-2025-55521 - An issue in the component /settings/localisation of Akaunting v3.1.18 allows authenticated attackers to cause a Denial of Service (DoS) via a crafted POST request.
Published: August 21, 2025; 1:15:31 PM -0400
-
CVE-2025-10028 - A vulnerability was identified in itsourcecode POS Point of Sale System 1.0. This affects an unknown part of the file /inventory/main/vendors/datatables/unit_testing/templates/6776.php. Such manipulation of the argument scripts leads to cross site... read CVE-2025-10028
Published: September 06, 2025; 3:15:31 AM -0400
V3.1: 6.1 MEDIUM
-
CVE-2025-10029 - A security flaw has been discovered in itsourcecode POS Point of Sale System 1.0. This vulnerability affects unknown code of the file /inventory/main/vendors/datatables/unit_testing/templates/complex_header_2.php. Performing manipulation of the ar... read CVE-2025-10029
Published: September 06, 2025; 5:15:36 AM -0400
V3.1: 6.1 MEDIUM
-
CVE-2025-10033 - A vulnerability has been found in itsourcecode Online Discussion Forum 1.0. This affects an unknown function of the file /admin. Such manipulation of the argument Username leads to sql injection. The attack may be performed from remote. The exploi... read CVE-2025-10033
Published: September 06, 2025; 9:15:30 AM -0400
V3.1: 9.8 CRITICAL
-
CVE-2025-58445 - Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. All versions of Atlantis publicly expose detailed version information through its /status endpoint. This information disclosure could allow a... read CVE-2025-58445
Published: September 06, 2025; 4:15:30 PM -0400
V3.1: 7.5 HIGH
-
CVE-2025-10063 - A vulnerability was identified in itsourcecode POS Point of Sale System 1.0. This vulnerability affects unknown code of the file /inventory/main/vendors/datatables/unit_testing/templates/deferred_table.php. The manipulation of the argument scripts... read CVE-2025-10063
Published: September 06, 2025; 7:15:31 PM -0400
V3.1: 6.1 MEDIUM
-
CVE-2025-10064 - A security flaw has been discovered in itsourcecode POS Point of Sale System 1.0. This issue affects some unknown processing of the file /inventory/main/vendors/datatables/unit_testing/templates/dom_data_two_headers.php. The manipulation of the ar... read CVE-2025-10064
Published: September 06, 2025; 9:15:31 PM -0400
V3.1: 6.1 MEDIUM
-
CVE-2025-49005 - Next.js is a React framework for building full-stack web applications. In Next.js App Router from 15.3.0 to before 15.3.3 and Vercel CLI from 41.4.1 to 42.2.0, a cache poisoning vulnerability was found. The issue allowed page requests for HTML con... read CVE-2025-49005
Published: July 03, 2025; 5:15:26 PM -0400
-
CVE-2025-57808 - ESPHome is a system to control microcontrollers remotely through Home Automation systems. In version 2025.8.0 in the ESP-IDF platform, ESPHome's web_server authentication check can pass incorrectly when the client-supplied base64-encoded Authoriza... read CVE-2025-57808
Published: September 01, 2025; 9:15:29 PM -0400
-
CVE-2025-9784 - A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workloa... read CVE-2025-9784
Published: September 02, 2025; 10:15:36 AM -0400
-
CVE-2024-51423 - Cross Site Scripting vulnerability in Infor Global HR GHR v.11.23.03.00.21 and before allows a remote attacker to execute arbitrary code via the class parameter.
Published: September 02, 2025; 12:15:38 PM -0400
-
CVE-2025-54599 - The Bevy Event service through 2025-07-22, as used for eBay Seller Events and other activities, allows account takeover, if SSO is used, when a victim changes the email address that they have configured. To exploit this, an attacker would create t... read CVE-2025-54599
Published: September 02, 2025; 12:15:39 PM -0400
-
CVE-2025-57766 - Fides is an open-source privacy engineering platform. Prior to version 2.69.1, admin UI user password changes in Fides do not invalidate active user sessions, creating a vulnerability chaining opportunity where attackers who have obtained session ... read CVE-2025-57766
Published: September 08, 2025; 6:15:33 PM -0400
V3.1: 4.8 MEDIUM
-
CVE-2025-57815 - Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the Fides Admin UI login endpoint relies on a general IP-based rate limit for all API traffic and lacks specific anti-automation controls designed to protect against br... read CVE-2025-57815
Published: September 08, 2025; 6:15:33 PM -0400
V3.1: 6.5 MEDIUM
-
CVE-2025-57816 - Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the Fides Webserver API's built-in IP-based rate limiting is ineffective in environments with CDNs, proxies or load balancers. The system incorrectly applies rate limit... read CVE-2025-57816
Published: September 08, 2025; 6:15:33 PM -0400
V3.1: 7.5 HIGH
-
CVE-2025-57817 - Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the OAuth client creation and update endpoints of the Fides Webserver API do not properly authorize scope assignment. This allows highly privileged users with `client:c... read CVE-2025-57817
Published: September 08, 2025; 6:15:33 PM -0400
V3.1: 7.2 HIGH
-
CVE-2025-57611 - An issue was discovered in rust-ffmpeg 0.3.0 (after commit 5ac0527). Null pointer dereference vulnerability in the dump() method allows an attacker to cause a denial of service. The vulnerability exists because the method fails to check the return v... read CVE-2025-57611
Published: September 02, 2025; 12:15:39 PM -0400