The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries (with CVSS Severity)
  • CVE-2026-35615 - PraisonAI is a multi-agent teams system. Prior to 1.5.113, _validate_path() calls os.path.normpath() first, which collapses .. sequences, then checks for '..' in normalized. Since .. is already collapsed, the check always passes. This makes the ch... read CVE-2026-35615
    Published: April 07, 2026; 1:16:35 PM -0400

    V3.1: 7.5 HIGH

  • CVE-2026-39305 - PraisonAI is a multi-agent teams system. Prior to 1.5.113, the Action Orchestrator feature contains a Path Traversal vulnerability that allows an attacker (or compromised agent) to write to arbitrary files outside of the configured workspace direc... read CVE-2026-39305
    Published: April 07, 2026; 1:16:36 PM -0400

  • CVE-2026-39306 - PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry pull flow extracts attacker-controlled .praison tar archives with tar.extractall() and does not validate archive member paths before extraction. A malicious pub... read CVE-2026-39306
    Published: April 07, 2026; 1:16:36 PM -0400

  • CVE-2026-39307 - PraisonAI is a multi-agent teams system. Prior to 1.5.113, the PraisonAI templates installation feature is vulnerable to a "Zip Slip" Arbitrary File Write attack. When downloading and extracting template archives from external sources (e.g., GitHu... read CVE-2026-39307
    Published: April 07, 2026; 1:16:36 PM -0400

  • CVE-2026-39308 - PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry publish endpoint writes uploaded recipe bundles to a filesystem path derived from the bundle's internal manifest.json before it verifies that the manifest name ... read CVE-2026-39308
    Published: April 07, 2026; 1:16:36 PM -0400

  • CVE-2026-5208 - Command injection in alerts in CoolerControl/coolercontrold <4.0.0 allows authenticated attackers to execute arbitrary code as root via injected bash commands in alert names
    Published: April 08, 2026; 8:16:22 AM -0400

    V3.1: 7.2 HIGH

  • CVE-2026-5300 - Unauthenticated functionality in CoolerControl/coolercontrold <4.0.0 allows unauthenticated attackers to view and modify potentially sensitive data via HTTP requests
    Published: April 08, 2026; 9:16:43 AM -0400

    V3.1: 9.1 CRITICAL

  • CVE-2026-5301 - Stored XSS in log viewer in CoolerControl/coolercontrol-ui <4.0.0 allows unauthenticated attackers to take over the service via malicious JavaScript in poisoned log entries
    Published: April 08, 2026; 9:16:43 AM -0400

    V3.1: 6.1 MEDIUM

  • CVE-2026-5302 - CORS misconfiguration in CoolerControl/coolercontrold <4.0.0 allows unauthenticated remote attackers to read data and send commands to the service via malicious websites
    Published: April 08, 2026; 9:16:43 AM -0400

    V3.1: 8.1 HIGH

  • CVE-2026-39389 - CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, this vulnerability is fixed in 0.31.4.0.
    Published: April 08, 2026; 11:16:13 AM -0400

    V3.1: 7.2 HIGH

  • CVE-2026-39391 - CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the blacklist (ban) note parameter in UserController::ajax_blackList_post() is stored ... read CVE-2026-39391
    Published: April 08, 2026; 11:16:13 AM -0400

  • CVE-2026-39392 - CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Pages module does not apply the html_purify validation rule to content fields duri... read CVE-2026-39392
    Published: April 08, 2026; 11:16:14 AM -0400

    V3.1: 4.8 MEDIUM

  • CVE-2026-39393 - CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the install route guard in ci4ms relies solely on a volatile cache check (cache('setti... read CVE-2026-39393
    Published: April 08, 2026; 11:16:14 AM -0400

    V3.1: 8.1 HIGH

  • CVE-2026-39394 - CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Install::index() controller reads the host POST parameter without any validation a... read CVE-2026-39394
    Published: April 08, 2026; 11:16:14 AM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2026-39837 - Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in WikiWorks Mediawiki - Cargo Extension allows Stored XSS. This issue affects Mediawiki - Cargo Extension: before 3.8.7.
    Published: April 07, 2026; 4:16:33 PM -0400

    V3.1: 5.4 MEDIUM

  • CVE-2026-39839 - Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS. This issue affects Mediawiki - Cargo Extension: before 3.8.7.
    Published: April 07, 2026; 4:16:33 PM -0400

    V3.1: 6.1 MEDIUM

  • CVE-2026-39840 - Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows XSS Targeting Non-Script Elements. This issue affects Mediawiki - Cargo Extension: before ... read CVE-2026-39840
    Published: April 07, 2026; 4:16:33 PM -0400

    V3.1: 6.1 MEDIUM

  • CVE-2026-39841 - Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS. This issue affects Mediawiki - Cargo Extension: before 3.8.7.
    Published: April 07, 2026; 4:16:34 PM -0400

    V3.1: 6.1 MEDIUM

  • CVE-2026-33439 - Open Access Management (OpenAM) is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution (RCE) via unsafe Java deserialization of the jato.clientSession HTTP parameter... read CVE-2026-33439
    Published: April 07, 2026; 5:17:17 PM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2026-34045 - Podman Desktop is a graphical tool for developing on containers and Kubernetes. Prior to 1.26.2, an unauthenticated HTTP server exposed by Podman Desktop allows any network attacker to remotely trigger denial-of-service conditions and extract sens... read CVE-2026-34045
    Published: April 07, 2026; 5:17:17 PM -0400

    V3.1: 9.1 CRITICAL

Created September 20, 2022, Updated August 27, 2024