The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries CVSS Severity
  • CVE-2025-60016 - When Diffie-Hellman (DH) group Elliptic Curve Cryptography (ECC) Brainpool curves are configured in an SSL profile's Cipher Rule or Cipher Group, and that profile is applied to a virtual server, undisclosed traffic can cause the Traffic Management...
    Published: October 15, 2025; 10:15:56 AM -0400

    V3.1: 7.5 HIGH

  • CVE-2025-60015 - An out-of-bounds write vulnerability exists in F5OS-A and F5OS-C that could lead to memory corruption.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
    Published: October 15, 2025; 10:15:56 AM -0400

    V3.1: 5.7 MEDIUM

  • CVE-2025-60013 - When a user attempts to initialize the rSeries FIPS module using a password with special shell metacharacters, the FIPS hardware security module (HSM) may fail to initialize.  Note: Software versions which have reached End of Technical Support (Eo...
    Published: October 15, 2025; 10:15:55 AM -0400

    V3.1: 6.7 MEDIUM

  • CVE-2025-59781 - When DNS cache is configured on a BIG-IP or BIG-IP Next CNF virtual server, undisclosed DNS queries can cause an increase in memory resource utilization.   Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
    Published: October 15, 2025; 10:15:55 AM -0400

    V3.1: 7.5 HIGH

  • CVE-2025-59778 - When the Allowed IP Addresses feature is configured on the F5OS-C partition control plane, undisclosed traffic can cause multiple containers to terminate.   Note: Software versions which have reached End of Technical Support (EoTS) are not evalua...
    Published: October 15, 2025; 10:15:54 AM -0400

    V3.1: 7.5 HIGH

  • CVE-2025-59478 - When a BIG-IP AFM denial-of-service (DoS) protection profile is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) process to terminate.  Note: Software versions which have reached End of Techni...
    Published: October 15, 2025; 10:15:54 AM -0400

    V3.1: 7.5 HIGH

  • CVE-2025-58474 - When BIG-IP Advanced WAF is configured on a virtual server with Server-Side Request Forgery (SSRF) protection or when an NGINX server is configured with App Protect Bot Defense, undisclosed requests can disrupt new client requests.  Note: Software...
    Published: October 15, 2025; 10:15:53 AM -0400

    V3.1: 5.3 MEDIUM

  • CVE-2025-58424 - On BIG-IP systems, undisclosed traffic can cause data corruption and unauthorized data modification in protocols which do not have message integrity protection.  Note: Software versions which have reached End of Technical Support (EoTS) are not ev...
    Published: October 15, 2025; 10:15:52 AM -0400

    V3.1: 5.3 MEDIUM

  • CVE-2025-58153 - Under undisclosed traffic conditions along with conditions beyond the attacker's control, hardware systems with a High-Speed Bridge (HSB) may experience a lockup of the HSB.  Note: Software versions which have reached End of Technical Support (Eo...
    Published: October 15, 2025; 10:15:52 AM -0400

    V3.1: 7.5 HIGH

  • CVE-2025-58120 - When HTTP/2 Ingress is configured, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
    Published: October 15, 2025; 10:15:52 AM -0400

    V3.1: 7.5 HIGH

  • CVE-2025-55670 - On BIG-IP Next CNF, BIG-IP Next SPK, and BIG-IP Next for Kubernetes systems, repeated undisclosed API calls can cause the Traffic Management Microkernel (TMM) to terminate.  Note: Software versions which have reached End of Technical Support (EoTS...
    Published: October 15, 2025; 10:15:51 AM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2023-52892 - In phpseclib before 1.0.22, 2.x before 2.0.46, and 3.x before 3.0.33, some characters in Subject Alternative Name fields in TLS certificates are incorrectly allowed to have a special meaning in regular expressions (such as a + wildcard), leading t...
    Published: June 27, 2024; 6:15:10 PM -0400

  • CVE-2024-29038 - tpm2-tools is the source repository for the Trusted Platform Module (TPM2.0) tools. A malicious attacker can generate arbitrary quote data which is not detected by `tpm2 checkquote`. This issue was patched in version 5.7.
    Published: June 28, 2024; 10:15:03 AM -0400

    V3.1: 3.3 LOW

  • CVE-2024-6424 - External server-side request vulnerability in MESbook 20221021.03 version, which could allow a remote, unauthenticated attacker to exploit the endpoint "/api/Proxy/Post?userName=&password=&uri=<FILE|INTERNAL URL|IP/HOST" or "/api/Proxy/Get?userNam...
    Published: July 01, 2024; 9:15:06 AM -0400

    V3.1: 8.2 HIGH

  • CVE-2024-6425 - Incorrect Provision of Specified Functionality vulnerability in MESbook 20221021.03 version. An unauthenticated remote attacker can register user accounts without being authenticated from the route "/account/Register/" and in the parameters "UserN...
    Published: July 01, 2024; 9:15:06 AM -0400

  • CVE-2024-3232 - A formula injection vulnerability exists in Tenable Identity Exposure where an authenticated remote attacker with administrative privileges could manipulate application form fields in order to trick another administrator into executing CSV payload...
    Published: July 16, 2024; 1:15:11 PM -0400

    V3.1: 6.8 MEDIUM

  • CVE-2024-6436 - An input validation vulnerability exists in the Rockwell Automation Sequence Manager™ which could allow a malicious user to send malformed packets to the server and cause a denial-of-service condition. If exploited, the device would become unrespo...
    Published: September 27, 2024; 4:15:06 PM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2024-9097 - ManageEngine Endpoint Central versions before 11.3.2440.09 are vulnerable to IDOR vulnerability which allows the attacker to change the username in the chat.
    Published: February 05, 2025; 8:15:23 AM -0500

    V3.1: 4.3 MEDIUM

  • CVE-2024-57408 - An arbitrary file upload vulnerability in the component /comm/upload of cool-admin-java v1.0 allows attackers to execute arbitrary code via uploading a crafted file.
    Published: February 10, 2025; 1:15:33 PM -0500

  • CVE-2025-5494 - ZohoCorp ManageEngine Endpoint Central was impacted by an improper privilege management issue in the agent setup. This issue affects Endpoint Central: through 11.4.2500.25, through 11.4.2508.13.
    Published: September 25, 2025; 10:15:46 AM -0400

    V3.1: 7.8 HIGH

Created September 20, 2022, Updated August 27, 2024