The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries (with CVSS Severity)
  • CVE-2025-15583 - A weakness has been identified in detronetdip E-commerce 1.0.0. This affects the function get_safe_value of the file utility/function.php. Executing a manipulation can lead to cross site scripting. The attack can be executed remotely. The exploit ... read CVE-2025-15583
    Published: February 20, 2026; 12:25:09 PM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2025-15582 - A security flaw has been discovered in detronetdip E-commerce 1.0.0. The impacted element is the function Delete/Update of the component Product Management Module. Performing a manipulation of the argument ID results in authorization bypass. Remot... read CVE-2025-15582
    Published: February 20, 2026; 12:25:09 PM -0500

    V3.1: 8.1 HIGH

  • CVE-2026-2861 - A vulnerability was detected in Foswiki up to 2.1.10. The affected element is an unknown function of the component Changes/Viewfile/Oops. The manipulation results in information disclosure. It is possible to launch the attack remotely. The exploit... read CVE-2026-2861
    Published: February 21, 2026; 1:17:01 AM -0500

    V3.1: 5.3 MEDIUM

  • CVE-2025-70328 - TOTOLINK X6000R v9.4.0cu.1498_B20250826 contains an OS command injection vulnerability in the NTPSyncWithHost handler of the /usr/sbin/shttpd executable. The host_time parameter is retrieved via sub_40C404 and passed to a date -s shell command thr... read CVE-2025-70328
    Published: February 23, 2026; 4:19:09 PM -0500

    V3.1: 8.8 HIGH

  • CVE-2025-70327 - TOTOLINK X5000R v9.1.0cu_2415_B20250515 contains an argument injection vulnerability in the setDiagnosisCfg handler of the /usr/sbin/lighttpd executable. The ip parameter is retrieved via websGetVar and passed to a ping command through CsteSystem ... read CVE-2025-70327
    Published: February 23, 2026; 4:19:09 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2026-3028 - A vulnerability was determined in erzhongxmu JEEWMS up to 3.7. This vulnerability affects the function doAdd of the file src/main/java/com/jeecg/demo/controller/JeecgListDemoController.java. This manipulation of the argument Name causes cross site... read CVE-2026-3028
    Published: February 23, 2026; 5:16:25 PM -0500

    V3.1: 6.1 MEDIUM

  • CVE-2026-27742 - Bludit version 3.16.2 contains a stored cross-site scripting (XSS) vulnerability in the post content functionality. The application performs client-side sanitation of content input but does not enforce equivalent sanitation on the server side. An ... read CVE-2026-27742
    Published: February 23, 2026; 5:16:25 PM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2026-27741 - Bludit version 3.16.1 contains a cross-site request forgery (CSRF) vulnerability in the /admin/uninstall-plugin/ and /admin/install-theme/ endpoints. The application does not implement anti-CSRF tokens or other request origin validation mechanisms... read CVE-2026-27741
    Published: February 23, 2026; 5:16:25 PM -0500

    V3.1: 4.3 MEDIUM

  • CVE-2025-15563 - Any unauthenticated user can reset the WorkTime on-prem database configuration by sending a specific HTTP request to the WorkTime server. No authorization check is applied here.
    Published: February 19, 2026; 6:15:56 AM -0500

  • CVE-2026-24443 - EventSentry versions prior to 6.0.1.20 contain an unverified password change vulnerability in the account management functionality of the Web Reports interface. The password change mechanism does not require validation of the current password befo... read CVE-2026-24443
    Published: February 24, 2026; 4:16:29 PM -0500

    V3.1: 8.8 HIGH

  • CVE-2025-15560 - An authenticated attacker with minimal permissions can exploit a SQL injection in the WorkTime server "widget" API endpoint to inject SQL queries. If the Firebird backend is used, attackers are able to retrieve all data from the database backend. ... read CVE-2025-15560
    Published: February 19, 2026; 6:15:56 AM -0500

  • CVE-2025-15561 - An attacker can exploit the update behavior of the WorkTime monitoring daemon to elevate privileges on the local system to NT Authority\SYSTEM. A malicious executable must be named WTWatch.exe and dropped in the C:\ProgramData\wta\ClientExe direc... read CVE-2025-15561
    Published: February 19, 2026; 6:15:56 AM -0500

  • CVE-2025-15562 - The server API endpoint /report/internet/urls reflects received data into the HTML response without applying proper encoding or filtering. This allows an attacker to execute arbitrary JavaScript in the victim's browser if the victim opens a URL pr... read CVE-2025-15562
    Published: February 19, 2026; 6:15:56 AM -0500

  • CVE-2026-25738 - Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to server-side request forgery. Indico makes outgoing requests to user-provided URLs in variou... read CVE-2026-25738
    Published: February 19, 2026; 11:27:15 AM -0500

    V3.1: 4.3 MEDIUM

  • CVE-2026-25739 - Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to cross-site scripting when uploading certain file types as materials. Users should upgrade t... read CVE-2026-25739
    Published: February 19, 2026; 11:27:15 AM -0500

  • CVE-2026-26057 - Skill Scanner is a security scanner for AI Agent Skills that detects prompt injection, data exfiltration, and malicious code patterns. A vulnerability in the API Server of Skill Scanner could allow an unauthenticated, remote attacker to interact wi... read CVE-2026-26057
    Published: February 19, 2026; 2:22:29 PM -0500

    V3.1: 9.1 CRITICAL

  • CVE-2026-26189 - Trivy Action runs Trivy as GitHub action to scan a Docker container image for vulnerabilities. A command injection vulnerability exists in `aquasecurity/trivy-action` versions 0.31.0 through 0.33.1 due to improper handling of action inputs when ex... read CVE-2026-26189
    Published: February 19, 2026; 3:25:42 PM -0500

    V3.1: 8.1 HIGH

  • CVE-2026-26201 - emp3r0r is a C2 designed by Linux users for Linux environments. Prior to version 3.21.2, multiple shared maps are accessed without consistent synchronization across goroutines. Under concurrent activity, Go runtime can trigger `fatal error: concur... read CVE-2026-26201
    Published: February 19, 2026; 3:25:42 PM -0500

    V3.1: 7.5 HIGH

  • CVE-2026-26744 - A user enumeration vulnerability exists in FormaLMS 4.1.18 and below in the password recovery functionality accessible via the /lostpwd endpoint. The application returns different error messages for valid and invalid usernames allowing an unauthen... read CVE-2026-26744
    Published: February 19, 2026; 5:16:47 PM -0500

  • CVE-2026-1658 - User Interface (UI) Misrepresentation of Critical Information vulnerability in OpenText™ Directory Services allows Cache Poisoning. The vulnerability could be exploited by a bad actor to inject manipulated text into the OpenText application, pot... read CVE-2026-1658
    Published: February 19, 2026; 6:16:15 PM -0500

    V3.1: 5.3 MEDIUM

Created September 20, 2022, Updated August 27, 2024