The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
-
CVE-2026-30835 - Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.7 and 9.5.0-alpha.6, malformed $regex query parameter (e.g. [abc) causes the database to return a structured error objec... read CVE-2026-30835
Published: March 06, 2026; 4:16:17 PM -0500; CVSS V3.1: 5.3 MEDIUM
-
CVE-2026-30851 - Caddy is an extensible server platform that uses TLS by default. From version 2.10.0 to before version 2.11.2, forward_auth copy_headers does not strip client-supplied headers, allowing identity injection and privilege escalation. This issue has b... read CVE-2026-30851
Published: March 07, 2026; 12:15:52 PM -0500; CVSS V3.1: 8.8 HIGH
-
CVE-2026-30852 - Caddy is an extensible server platform that uses TLS by default. From version 2.7.5 to before version 2.11.2, the vars_regexp matcher in vars.go:337 double-expands user-controlled input through the Caddy replacer. When vars_regexp matches against ... read CVE-2026-30852
Published: March 07, 2026; 12:15:52 PM -0500; CVSS V3.1: 7.5 HIGH
-
CVE-2026-30229 - Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.6 and 9.5.0-alpha.4, the readOnlyMasterKey can call POST /loginAs to obtain a valid session token for any user. This allo... read CVE-2026-30229
Published: March 06, 2026; 4:16:16 PM -0500; CVSS V3.1: 7.2 HIGH
-
CVE-2026-30228 - Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.5 and 9.5.0-alpha.3, the readOnlyMasterKey can be used to create and delete files via the Files API (POST /files/:filenam... read CVE-2026-30228
Published: March 06, 2026; 4:16:16 PM -0500; CVSS V3.1: 4.9 MEDIUM
-
CVE-2026-28485 - OpenClaw versions 2026.1.5 prior to 2026.2.12 fail to enforce mandatory authentication on the /agent/act browser-control HTTP route, allowing unauthorized local callers to invoke privileged operations. Remote attackers on the local network or loca... read CVE-2026-28485
Published: March 05, 2026; 5:16:23 PM -0500; CVSS V3.1: 7.8 HIGH
-
CVE-2026-28486 - OpenClaw versions 2026.1.16-2 prior to 2026.2.14 contain a path traversal vulnerability in archive extraction during installation commands that allows arbitrary file writes outside the intended directory. Attackers can craft malicious archives tha... read CVE-2026-28486
Published: March 05, 2026; 5:16:23 PM -0500; CVSS V3.1: 5.5 MEDIUM
-
CVE-2026-29606 - OpenClaw versions prior to 2026.2.14 contain a webhook signature-verification bypass in the voice-call extension that allows unauthenticated requests when the tunnel.allowNgrokFreeTierLoopbackBypass option is explicitly enabled. An external attack... read CVE-2026-29606
Published: March 05, 2026; 5:16:23 PM -0500; CVSS V3.1: 6.5 MEDIUM
-
CVE-2026-29609 - OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the fetchWithGuard function that allocates entire response payloads in memory before enforcing maxBytes limits. Remote attackers can trigger memory exhaustion by ser... read CVE-2026-29609
Published: March 05, 2026; 5:16:24 PM -0500
-
CVE-2026-29610 - OpenClaw versions prior to 2026.2.14 contain a command hijacking vulnerability that allows attackers to execute unintended binaries by manipulating PATH environment variables through node-host execution or project-local bootstrapping. Attackers wi... read CVE-2026-29610
Published: March 05, 2026; 5:16:24 PM -0500; CVSS V3.1: 8.8 HIGH
-
CVE-2026-29611 - OpenClaw versions prior to 2026.2.14 contain a local file inclusion vulnerability in BlueBubbles extension (must be installed and enabled) media path handling that allows attackers to read arbitrary files from the local filesystem. The sendBlueBub... read CVE-2026-29611
Published: March 05, 2026; 5:16:24 PM -0500; CVSS V3.1: 7.5 HIGH
-
CVE-2026-29612 - OpenClaw versions prior to 2026.2.14 decode base64-backed media inputs into buffers before enforcing decoded-size budget limits, allowing attackers to trigger large memory allocations. Remote attackers can supply oversized base64 payloads to cause... read CVE-2026-29612
Published: March 05, 2026; 5:16:24 PM -0500; CVSS V3.1: 7.5 HIGH
-
CVE-2026-29613 - OpenClaw versions prior to 2026.2.12 contain a vulnerability in the BlueBubbles (optional plugin) webhook handler in which it authenticates requests based solely on loopback remoteAddress without validating forwarding headers, allowing bypass of c... read CVE-2026-29613
Published: March 05, 2026; 5:16:24 PM -0500; CVSS V3.1: 5.9 MEDIUM
-
CVE-2018-25199 - OOP CMS BLOG 1.0 contains SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through multiple parameters. Attackers can inject SQL commands via the search parameter in se... read CVE-2018-25199
Published: March 06, 2026; 8:16:03 AM -0500; CVSS V3.1: 9.8 CRITICAL
-
CVE-2018-25200 - OOP CMS BLOG 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative user accounts by crafting malicious POST requests. Attackers can submit forms to the addUser.php endpoint with para... read CVE-2018-25200
Published: March 06, 2026; 8:16:03 AM -0500; CVSS V3.1: 8.8 HIGH
-
CVE-2026-29064 - Zarf is an Airgap Native Packager Manager for Kubernetes. From version 0.54.0 to before version 0.73.1, a path traversal vulnerability in archive extraction allows a specifically crafted Zarf package to create symlinks pointing outside the destina... read CVE-2026-29064
Published: March 06, 2026; 12:16:34 PM -0500
-
CVE-2026-29075 - Mesa is an open-source Python library for agent-based modeling, simulating complex systems and exploring emergent behaviors. In version 3.5.0 and prior, checking out of untrusted code in benchmarks.yml workflow may lead to code execution in privil... read CVE-2026-29075
Published: March 06, 2026; 12:16:34 PM -0500; CVSS V3.1: 9.8 CRITICAL
-
CVE-2026-29082 - Kestra is an event-driven orchestration platform. In versions from 1.1.10 and prior, Kestra’s execution-file preview renders user-supplied Markdown (.md) with markdown-it instantiated as html:true and injects the resulting HTML with Vue’s v-html w... read CVE-2026-29082
Published: March 06, 2026; 12:16:34 PM -0500; CVSS V3.1: 5.4 MEDIUM
-
CVE-2025-69644 - An issue was discovered in Binutils before 2.46. The objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed debug information. A logic flaw in the handling of DWARF location list headers can cause objdum... read CVE-2025-69644
Published: March 06, 2026; 1:16:16 PM -0500
-
CVE-2026-3665 - A vulnerability was identified in xlnt-community xlnt up to 1.6.1. The affected element is the function xlnt::detail::xlsx_consumer::read_office_document of the file source/detail/serialization/xlsx_consumer.cpp of the component XLSX File Parser. ... read CVE-2026-3665
Published: March 07, 2026; 11:15:56 AM -0500; CVSS V3.1: 5.5 MEDIUM