The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
-
CVE-2026-0877 - Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
Published: January 13, 2026; 9:16:38 AM -0500
-
CVE-2026-0881 - Sandbox escape in the Messaging System component. This vulnerability affects Firefox < 147 and Thunderbird < 147.
Published: January 13, 2026; 9:16:38 AM -0500
-
CVE-2026-0513 - Due to an Open Redirect Vulnerability in SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL that, if accessed by a victim, redirects them to an attacker-controlled site. This ...
Published: January 12, 2026; 9:15:53 PM -0500
V3.1: 4.7 MEDIUM
-
CVE-2026-0506 - Due to a Missing Authorization Check vulnerability in Application Server ABAP and ABAP Platform, an authenticated attacker could misuse an RFC function to execute form routines (FORMs) in the ABAP system. Successful exploitation could allow the at...
Published: January 12, 2026; 9:15:53 PM -0500
V3.1: 8.1 HIGH
-
CVE-2026-0500 - Due to the usage of vulnerable third party component in SAP Wily Introscope Enterprise Manager (WorkStation), an unauthenticated attacker could create a malicious JNLP (Java Network Launch Protocol) file accessible by a public facing URL. When a v...
Published: January 12, 2026; 9:15:52 PM -0500
V3.1: 8.8 HIGH
-
CVE-2026-0882 - Use-after-free in the IPC component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
Published: January 13, 2026; 9:16:38 AM -0500
-
CVE-2025-29329 - Buffer Overflow in the ippprint (Internet Printing Protocol) service in Sagemcom F@st 3686 MAGYAR_4.121.0 allows remote attacker to execute arbitrary code by sending a crafted HTTP request.
Published: January 12, 2026; 5:16:07 PM -0500
-
CVE-2021-41074 - A CSRF issue in index.php in QloApps hotel eCommerce 1.5.1 allows an attacker to change the admin's email address via a crafted HTML document.
Published: January 12, 2026; 4:15:57 PM -0500
-
CVE-2026-0880 - Sandbox escape due to integer overflow in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
Published: January 13, 2026; 9:16:38 AM -0500
-
CVE-2026-0498 - SAP S/4HANA (Private Cloud and On-Premise) allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing es...
Published: January 12, 2026; 9:15:52 PM -0500
V3.1: 7.2 HIGH
-
CVE-2026-0879 - Sandbox escape due to incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
Published: January 13, 2026; 9:16:38 AM -0500
-
CVE-2025-38694 - In the Linux kernel, the following vulnerability has been resolved: media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb() In dib7090p_rw_on_apb, msg is controlled by user. When msg[0].buf is null and msg[0].len is zero, form...
Published: September 04, 2025; 12:15:37 PM -0400
V3.1: 5.5 MEDIUM
-
CVE-2025-38670 - In the Linux kernel, the following vulnerability has been resolved: arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack() `cpu_switch_to()` and `call_on_irq_stack()` manipulate SP to change to different stacks along with the Shadow Call...
Published: August 22, 2025; 12:15:42 PM -0400
V3.1: 7.1 HIGH
-
CVE-2025-38560 - In the Linux kernel, the following vulnerability has been resolved: x86/sev: Evict cache lines during SNP memory validation An SNP cache coherency vulnerability requires a cache line eviction mitigation when validating memory after a page state ...
Published: August 19, 2025; 1:15:32 PM -0400
V3.1: 5.5 MEDIUM
-
CVE-2025-38540 - In the Linux kernel, the following vulnerability has been resolved: HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras The Chicony Electronics HP 5MP Cameras (USB ID 04F2:B824 & 04F2:B82C) report a HID sensor interface that is not a...
Published: August 16, 2025; 8:15:29 AM -0400
V3.1: 5.5 MEDIUM
-
CVE-2025-38521 - In the Linux kernel, the following vulnerability has been resolved: drm/imagination: Fix kernel crash when hard resetting the GPU The GPU hard reset sequence calls pm_runtime_force_suspend() and pm_runtime_force_resume(), which according to thei...
Published: August 16, 2025; 7:15:45 AM -0400
V3.1: 7.1 HIGH
-
CVE-2025-38514 - In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix oops due to non-existence of prealloc backlog struct If an AF_RXRPC service socket is opened and bound, but calls are preallocated, then rxrpc_alloc_incoming_call() w...
Published: August 16, 2025; 7:15:44 AM -0400
V3.1: 5.5 MEDIUM
-
CVE-2025-38503 - In the Linux kernel, the following vulnerability has been resolved: btrfs: fix assertion when building free space tree When building the free space tree with the block group tree feature enabled, we can hit an assertion failure like this: BTR...
Published: August 16, 2025; 7:15:42 AM -0400
V3.1: 5.5 MEDIUM
-
CVE-2022-49509 - In the Linux kernel, the following vulnerability has been resolved: media: i2c: max9286: fix kernel oops when removing module When removing the max9286 module we get a kernel oops: Unable to handle kernel paging request at virtual address 00000...
Published: February 26, 2025; 2:01:27 AM -0500
V3.1: 7.1 HIGH
-
CVE-2024-50394 - An improper certificate validation vulnerability has been reported to affect Helpdesk. If exploited, the vulnerability could allow remote attackers to compromise the security of the system. We have already fixed the vulnerability in the following...
Published: March 07, 2025; 12:15:19 PM -0500
V3.1: 8.8 HIGH