

The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries, with CVSS Severity
  • CVE-2025-51742 - An issue was discovered in jishenghua JSH_ERP 2.3.1. The /material/getMaterialEnableSerialNumberList endpoint passes the search query parameter directly to parseObject(), introducing a Fastjson deserialization vulnerability that can lead to RCE vi...
    Published: November 25, 2025; 3:15:59 PM -0500

  • CVE-2025-9624 - A vulnerability in OpenSearch allows attackers to cause Denial of Service (DoS) by submitting complex query_string inputs. This issue affects all OpenSearch versions below 3.2.0.
    Published: November 25, 2025; 3:16:01 PM -0500

    V3.1: 7.5 HIGH

  • CVE-2025-51743 - An issue was discovered in jishenghua JSH_ERP 2.3.1. The /materialCategory/addMaterialCategory endpoint is vulnerable to fastjson deserialization attacks.
    Published: November 25, 2025; 4:15:55 PM -0500

  • CVE-2025-51744 - An issue was discovered in jishenghua JSH_ERP 2.3.1. The /user/addUser endpoint is vulnerable to fastjson deserialization attacks.
    Published: November 25, 2025; 4:15:56 PM -0500

  • CVE-2025-51745 - An issue was discovered in jishenghua JSH_ERP 2.3.1. The /role/addcan endpoint is vulnerable to fastjson deserialization attacks.
    Published: November 25, 2025; 4:15:56 PM -0500

  • CVE-2025-51746 - An issue was discovered in jishenghua JSH_ERP 2.3.1. The /serialNumber/addSerialNumber endpoint is vulnerable to fastjson deserialization attacks.
    Published: November 25, 2025; 4:15:56 PM -0500

  • CVE-2025-8045 - Use After Free vulnerability in Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user process to perform improper GPU processing operations to gain access to already freed memory. T...
    Published: December 01, 2025; 6:15:48 AM -0500

  • CVE-2025-6349 - Use After Free vulnerability in Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user process to perform improper GPU memory processing operations to gain access to already freed m...
    Published: December 01, 2025; 6:15:48 AM -0500

  • CVE-2025-2879 - Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user process to perform improper GPU processing operati...
    Published: December 01, 2025; 6:15:46 AM -0500

  • CVE-2025-58360 - GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a ...
    Published: November 25, 2025; 4:15:56 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2025-59789 - Uncontrolled recursion in the json2pb component in Apache bRPC (version < 1.15.0) on all platforms allows remote attackers to make the server crash via sending deep recursive json data. Root Cause: The bRPC json2pb component uses rapidjson to par...
    Published: December 01, 2025; 6:15:48 AM -0500

  • CVE-2025-59454 - In Apache CloudStack, a gap in access control checks affected the APIs: createNetworkACL, listNetworkACLs, listResourceDetails, listVirtualMachinesUsageHistory, listVolumesUsageHistory. While these APIs were accessible only to authorized user...
    Published: November 27, 2025; 7:15:47 AM -0500

  • CVE-2025-59302 - In Apache CloudStack improper control of generation of code ('Code Injection') vulnerability is found in the following APIs which are accessible only to admins: quotaTariffCreate, quotaTariffUpdate, createSecondaryStorageSelector ...
    Published: November 27, 2025; 7:15:47 AM -0500

  • CVE-2025-54074 - Cherry Studio is a desktop client that supports multiple LLM providers. From versions 1.2.5 to 1.5.1, Cherry Studio is vulnerable to OS Command Injection during a connection with a malicious MCP server in HTTP Streamable mode. Attackers can se...
    Published: August 13, 2025; 10:15:31 AM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2025-54063 - Cherry Studio is a desktop client that supports multiple LLM providers. From versions 1.4.8 to 1.5.0, there is a one-click remote code execution vulnerability through the custom URL handling. An attacker can exploit this by hosting a malicious...
    Published: August 11, 2025; 2:15:33 PM -0400

    V3.1: 9.6 CRITICAL

  • CVE-2025-13223 - Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
    Published: November 17, 2025; 6:15:45 PM -0500

  • CVE-2025-13547 - A flaw has been found in D-Link DIR-822K and DWR-M920 1.00_20250513164613/1.1.50. This affects an unknown part of the file /boafrm/formDdns. This manipulation of the argument submit-url causes memory corruption. The attack may be initiated remotel...
    Published: November 23, 2025; 6:15:45 AM -0500

  • CVE-2025-13549 - A vulnerability was found in D-Link DIR-822K 1.00. This issue affects the function sub_455524 of the file /boafrm/formNtp. Performing manipulation of the argument submit-url results in buffer overflow. Remote exploitation of the attack is possible...
    Published: November 23, 2025; 7:15:46 AM -0500

  • CVE-2025-13548 - A vulnerability has been found in D-Link DIR-822K and DWR-M920 1.00_20250513164613/1.1.50. This vulnerability affects unknown code of the file /boafrm/formFirewallAdv. Such manipulation of the argument submit-url leads to buffer overflow. The atta...
    Published: November 23, 2025; 7:15:45 AM -0500

  • CVE-2025-13550 - A vulnerability was determined in D-Link DIR-822K and DWR-M920 1.00_20250513164613/1.1.50. Impacted is an unknown function of the file /boafrm/formVpnConfigSetup. Executing manipulation of the argument submit-url can lead to buffer overflow. The a...
    Published: November 23, 2025; 8:15:46 AM -0500

Created September 20, 2022, Updated August 27, 2024