The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
-
CVE-2026-21537 - Improper control of generation of code ('code injection') in Microsoft Defender for Linux allows an unauthorized attacker to execute code over an adjacent network.
Published: February 10, 2026; 1:16:35 PM -0500
V3.1: 8.8 HIGH
-
CVE-2026-21528 - Binding to an unrestricted IP address in Azure IoT SDK allows an unauthorized attacker to disclose information over a network.
Published: February 10, 2026; 1:16:35 PM -0500
V3.1: 6.5 MEDIUM
-
CVE-2026-21527 - User interface (UI) misrepresentation of critical information in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
Published: February 10, 2026; 1:16:35 PM -0500
V3.1: 6.5 MEDIUM
-
CVE-2026-21523 - Time-of-check time-of-use (TOCTOU) race condition in GitHub Copilot and Visual Studio allows an authorized attacker to execute code over a network.
Published: February 10, 2026; 1:16:34 PM -0500
V3.1: 8.0 HIGH
-
CVE-2026-21516 - Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot allows an unauthorized attacker to execute code over a network.
Published: February 10, 2026; 1:16:33 PM -0500
V3.1: 7.8 HIGH
-
CVE-2025-3722 - A path traversal vulnerability in System Information Reporter (SIR) 1.0.3 and prior allowed an authenticated high privileged user to issue malicious ePO post requests to System Information Reporter, leading to creation of files anywhere on the ...
Published: June 26, 2025; 7:15:26 AM -0400
V3.1: 4.4 MEDIUM
-
CVE-2025-3771 - A path or symbolic link manipulation vulnerability in SIR 1.0.3 and prior versions allows an authenticated non-admin local user to overwrite system files with SIR backup files, which can potentially cause a system crash. This was achieved by addin...
Published: June 26, 2025; 7:15:29 AM -0400
V3.1: 7.1 HIGH
-
CVE-2026-21512 - Server-side request forgery (SSRF) in Azure DevOps Server allows an authorized attacker to perform spoofing over a network.
Published: February 10, 2026; 1:16:33 PM -0500
V3.1: 6.5 MEDIUM
-
CVE-2025-3773 - A sensitive information exposure vulnerability in System Information Reporter (SIR) 1.0.3 and prior allows an authenticated non-admin local user to extract sensitive information stored in a registry backup folder.
Published: June 26, 2025; 8:15:21 AM -0400
V3.1: 5.5 MEDIUM
-
CVE-2025-39474 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ThemeMove Amely allows SQL Injection. This issue affects Amely: from n/a through 3.1.4.
Published: June 27, 2025; 8:15:36 AM -0400
V3.1: 9.8 CRITICAL
-
CVE-2025-27021 - The misconfiguration in the sudoers configuration of the operating system in Infinera G42 version R6.1.3 allows low privileged OS users to read/write physical memory via devmem command line tool. This could allow sensitive information disclosu...
Published: July 02, 2025; 5:15:25 AM -0400
V3.1: 7.8 HIGH
-
CVE-2026-21256 - Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to execute code over a network.
Published: February 10, 2026; 1:16:27 PM -0500
V3.1: 8.8 HIGH
-
CVE-2026-21518 - Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to bypass a security feature over a network.
Published: February 10, 2026; 1:16:34 PM -0500
V3.1: 6.5 MEDIUM
-
CVE-2025-27022 - A path traversal vulnerability of the WebGUI HTTP endpoint in Infinera G42 version R6.1.3 allows remote authenticated users to download all OS files via HTTP requests. Details: Lack or insufficient validation of user-supplied input allows a...
Published: July 02, 2025; 5:15:25 AM -0400
V3.1: 6.5 MEDIUM
-
CVE-2025-27023 - Lack or insufficient input validation in WebGUI CLI web in Infinera G42 version R6.1.3 allows remote authenticated users to read all OS files via crafted CLI commands. Details: The web interface based management of the Infinera G42 appliance en...
Published: July 02, 2025; 6:15:22 AM -0400
V3.1: 6.5 MEDIUM
-
CVE-2025-27024 - Unrestricted access to OS file system in SFTP service in Infinera G42 version R6.1.3 allows remote authenticated users to read/write OS files via SFTP connections. Details: Account members of the Network Administrator profile can access the t...
Published: July 02, 2025; 6:15:22 AM -0400
V3.1: 6.5 MEDIUM
-
CVE-2025-27026 - A missing double-check feature in the WebGUI for CLI deactivation in Infinera G42 version R6.1.3 allows an authenticated administrator to make other management interfaces unavailable via local and network interfaces. The CLI deactivation via the...
Published: July 02, 2025; 10:15:23 AM -0400
-
CVE-2025-52868 - A buffer overflow vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the foll...
Published: February 11, 2026; 8:15:53 AM -0500
V3.1: 8.1 HIGH
-
CVE-2026-21222 - Insertion of sensitive information into log file in Windows Kernel allows an authorized attacker to disclose information locally.
Published: February 10, 2026; 1:16:23 PM -0500
V3.1: 5.5 MEDIUM
-
CVE-2025-48725 - A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the ...
Published: February 11, 2026; 8:15:52 AM -0500
V3.1: 8.1 HIGH