The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
-
CVE-2023-53546 - In the Linux kernel, the following vulnerability has been resolved: net/mlx5: DR, fix memory leak in mlx5dr_cmd_create_reformat_ctx when mlx5_cmd_exec failed in mlx5dr_cmd_create_reformat_ctx, the memory pointed by 'in' is not released, which wi...
Published: October 04, 2025; 12:15:49 PM -0400
V3.1: 5.5 MEDIUM
-
CVE-2025-68138 - EVerest is an EV charging software stack, and EVerest libocpp is a C++ implementation of the Open Charge Point Protocol. In libocpp prior to version 0.30.1, pointers returned by the `strdup` calls are never freed. At each connection attempt, the n...
Published: January 21, 2026; 3:16:06 PM -0500
-
CVE-2025-68139 - EVerest is an EV charging software stack. In all versions up to and including 2025.12.1, the default value for `terminate_connection_on_failed_response` is `False`, which leaves the responsibility for session and connection termination to the EV. ...
Published: January 21, 2026; 3:16:06 PM -0500
-
CVE-2025-68140 - EVerest is an EV charging software stack. Prior to version 2025.9.0, once the validity of the received V2G message has been verified, it is checked whether the submitted session ID matches the registered one. However, if no session has been regist...
Published: January 21, 2026; 3:16:06 PM -0500
-
CVE-2025-68141 - EVerest is an EV charging software stack. Prior to version 2025.10.0, during the deserialization of a `DC_ChargeLoopRes` message that includes Receipt as well as TaxCosts, the vector `<DetailedTax>tax_costs` in the target `Receipt` structure is ac...
Published: January 21, 2026; 3:16:06 PM -0500
-
CVE-2026-23955 - EVerest is an EV charging software stack. Prior to version 2025.9.0, in several places, integer values are concatenated to literal strings when throwing errors. This results in pointer arithmetic instead of printing the integer value as expected,...
Published: January 21, 2026; 3:16:12 PM -0500
-
CVE-2025-68137 - EVerest is an EV charging software stack. Prior to version 2025.10.0, an integer overflow occurring in `SdpPacket::parse_header()` allows the current buffer length to be set to 7 after a complete header of size 8 has been read. The remaining lengt...
Published: January 21, 2026; 3:16:05 PM -0500
-
CVE-2025-68136 - EVerest is an EV charging software stack. Prior to version 2025.10.0, once the module receives an SDP request, it creates a whole new set of objects like `Session`, `IConnection` which open a new TCP socket for the ISO15118-20 communications and regi...
Published: January 21, 2026; 3:16:05 PM -0500
-
CVE-2025-68135 - EVerest is an EV charging software stack. Prior to version 2025.10.0, C++ exceptions are not properly handled for and by the `TbdController` loop, causing it and its caller to terminate silently. Thus, this leads to a denial of service as ...
Published: January 21, 2026; 2:16:04 PM -0500
-
CVE-2025-68134 - EVerest is an EV charging software stack. Prior to version 2025.10.0, the use of the `assert` function to handle errors frequently causes the module to crash. This is particularly critical because the manager shuts down all other modules and exits...
Published: January 21, 2026; 2:16:04 PM -0500
-
CVE-2025-68133 - EVerest is an EV charging software stack. In versions 2025.9.0 and below, an attacker can exhaust the operating system's memory and cause the module to terminate by initiating an unlimited number of TCP connections that never proceed to ISO 15118-...
Published: January 20, 2026; 10:15:45 PM -0500
-
CVE-2025-68132 - EVerest is an EV charging software stack. Prior to version 2025.12.0, `is_message_crc_correct` in the DZG_GSH01 powermeter SLIP parser reads `vec[vec.size()-1]` and `vec[vec.size()-2]` without checking that at least two bytes are present. Malforme...
Published: January 21, 2026; 2:16:04 PM -0500
V3.1: 4.6 MEDIUM
-
CVE-2026-22044 - GLPI is a free asset and IT management software package. From version 0.85 to before 10.0.23, an authenticated user can perform a SQL injection. This issue has been patched in version 10.0.23.
Published: February 04, 2026; 1:16:08 PM -0500
V3.1: 8.8 HIGH
-
CVE-2026-22247 - GLPI is a free asset and IT management software package. From version 11.0.0 to before 11.0.5, a GLPI administrator can perform an SSRF request through the Webhook feature. This issue has been patched in version 11.0.5.
Published: February 04, 2026; 1:16:08 PM -0500
V3.1: 9.1 CRITICAL
-
CVE-2026-23624 - GLPI is a free asset and IT management software package. In versions starting from 0.71 to before 10.0.23 and before 11.0.5, when remote authentication is used, based on SSO variables, a user can steal a GLPI session previously opened by another u...
Published: February 04, 2026; 1:16:08 PM -0500
V3.1: 6.5 MEDIUM
-
CVE-2007-2774 - Multiple PHP remote file inclusion vulnerabilities in SunLight CMS 5.3 allow remote attackers to execute arbitrary PHP code via a URL in the root parameter to (1) _connect.php or (2) modules/startup.php.
Published: May 21, 2007; 7:30:00 PM -0400
V2.0: 7.5 HIGH
-
CVE-2025-58381 - A vulnerability in Brocade Fabric OS before 9.2.1c2 could allow an authenticated attacker with admin privileges using the shell commands “source, ping6, sleep, disown, wait to modify the path variables and move upwards in the directory structu...
Published: February 03, 2026; 1:15:52 AM -0500
V3.1: 2.3 LOW
-
CVE-2025-58380 - A vulnerability in Brocade Fabric OS before 9.2.1 could allow an authenticated attacker with admin privileges using the shell command “grep” to modify the path variables and move upwards in the directory structure or to traverse to different direc...
Published: February 03, 2026; 12:16:21 AM -0500
V3.1: 2.3 LOW
-
CVE-2026-0383 - A vulnerability in Brocade Fabric OS could allow an authenticated, local attacker with privileges to access the Bash shell to access insecurely stored file contents including the history command.
Published: February 02, 2026; 11:15:55 PM -0500
V3.1: 7.8 HIGH
-
CVE-2025-58383 - A vulnerability in Brocade Fabric OS versions before 9.2.1c2 could allow an administrator-level user to execute the bind command, to escalate privileges and bypass security controls allowing the execution of arbitrary commands.
Published: February 02, 2026; 9:16:07 PM -0500
V3.1: 7.2 HIGH