The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries, with CVSS Severity
  • CVE-2024-32959 - Improper Privilege Management vulnerability in Sirv allows Privilege Escalation. This issue affects Sirv: from n/a through 7.2.2.
    Published: May 17, 2024; 6:15:12 AM -0400

  • CVE-2024-1544 - Generating the ECDSA nonce k samples a random number r and then truncates this randomness with a modular reduction mod n where n is the order of the elliptic curve. Meaning k = r mod n. The division used during the reduction estimates a factor ... read CVE-2024-1544
    Published: August 27, 2024; 3:15:16 PM -0400

    V3.1: 4.9 MEDIUM

  • CVE-2024-5814 - A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a successful connection. This is because, aside from the extensions, the client was skipping fully parsing the ... read CVE-2024-5814
    Published: August 27, 2024; 3:15:17 PM -0400

    V3.1: 5.3 MEDIUM

  • CVE-2024-34671 - Use of implicit intent for sensitive communication in translation in Samsung Internet prior to version 26.0.3.1 allows local attackers to get sensitive information. User interaction is required for triggering this vulnerability.
    Published: October 08, 2024; 3:15:05 AM -0400

    V3.1: 5.5 MEDIUM

  • CVE-2025-22399 - Dell UCC Edge, version 2.3.0, contains a Blind SSRF on Add Customer SFTP Server vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability, leading to Server-side request forgery
    Published: February 11, 2025; 12:15:34 PM -0500

    V3.1: 7.8 HIGH

  • CVE-2025-21103 - Dell NetWorker Management Console, version(s) 19.11 through 19.11.0.3 & Versions prior to 19.10.0.7 contain(s) an improper neutralization of server-side vulnerability. An unauthenticated attacker with local access could potentially exploit this vu... read CVE-2025-21103
    Published: February 17, 2025; 9:15:08 AM -0500

  • CVE-2024-53696 - A server-side request forgery (SSRF) vulnerability has been reported to affect QuLog Center. If exploited, the vulnerability could allow remote attackers who have gained administrator access to read application data. We have already fixed the vul... read CVE-2024-53696
    Published: March 07, 2025; 12:15:20 PM -0500

    V3.1: 4.9 MEDIUM

  • CVE-2025-13785 - A security vulnerability has been detected in yungifez Skuul School Management System up to 2.6.5. This issue affects some unknown processing of the file /user/profile of the component Image Handler. Such manipulation leads to information disclosu... read CVE-2025-13785
    Published: November 30, 2025; 3:15:45 AM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2025-13784 - A weakness has been identified in yungifez Skuul School Management System up to 2.6.5. This vulnerability affects unknown code of the file /dashboard/schools/1/edit of the component SVG File Handler. This manipulation causes cross site scripting. ... read CVE-2025-13784
    Published: November 30, 2025; 2:15:44 AM -0500

    V3.1: 4.8 MEDIUM

  • CVE-2025-66031 - Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 str... read CVE-2025-66031
    Published: November 26, 2025; 6:15:49 PM -0500

    V3.1: 7.5 HIGH

  • CVE-2025-66030 - Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures con... read CVE-2025-66030
    Published: November 26, 2025; 6:15:49 PM -0500

    V3.1: 5.3 MEDIUM

  • CVE-2025-63229 - The Mozart FM Transmitter web management interface on version WEBMOZZI-00287, contains a reflected Cross-Site Scripting (XSS) vulnerability in the /main0.php endpoint. By injecting a malicious JavaScript payload into the ?m= query parameter, an at... read CVE-2025-63229
    Published: November 18, 2025; 5:15:51 PM -0500

  • CVE-2025-60854 - A vulnerability has been found in D-Link R15 (AX1500) 1.20.01 and below. By manipulating the model name parameter during a password change request in the web administrator page, it is possible to trigger a command injection in httpd.
    Published: December 02, 2025; 1:15:48 PM -0500

  • CVE-2025-13492 - A potential security vulnerability has been identified in HP Image Assistant for versions prior to 5.3.3. The vulnerability could potentially allow a local attacker to escalate privileges via a race condition when installing packages.
    Published: December 03, 2025; 12:15:49 PM -0500

    V3.1: 7.0 HIGH

  • CVE-2025-12819 - Untrusted search path in auth_query connection handler in PgBouncer before 1.25.1 allows an unauthenticated attacker to execute arbitrary SQL during authentication via a malicious search_path parameter in the StartupMessage.
    Published: December 03, 2025; 2:15:55 PM -0500

    V3.1: 8.1 HIGH

  • CVE-2025-41079 - A stored Cross-Site Scripting (XSS) vulnerability has been found in Seafile v12.0.10. This vulnerability allows an attacker to execute arbitrary code in the victim's browser by storing malicious payloads with PUT parameter 'name' in '/api/v2.1/use... read CVE-2025-41079
    Published: December 04, 2025; 7:16:20 AM -0500

    V3.1: 6.1 MEDIUM

  • CVE-2025-41080 - A stored Cross-Site Scripting (XSS) vulnerability has been found in Seafile v12.0.10. This vulnerability allows an attacker to execute arbitrary code in the victim's browser by storing malicious payloads with POST parameter 'p' in '/api/v2.1/repos... read CVE-2025-41080
    Published: December 04, 2025; 7:16:22 AM -0500

    V3.1: 6.1 MEDIUM

  • CVE-2025-65403 - A buffer overflow in the g_cfg.MaxUsers component of LightFTP v2.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.
    Published: December 01, 2025; 11:15:57 AM -0500

  • CVE-2023-32969 - A cross-site scripting (XSS) vulnerability has been reported to affect Network & Virtual Switch. If exploited, the vulnerability could allow authenticated administrators to inject malicious code via a network. We have already fixed the vulnerabil... read CVE-2023-32969
    Published: March 08, 2024; 12:15:21 PM -0500

    V3.1: 4.8 MEDIUM

  • CVE-2024-45538 - Cross-Site Request Forgery (CSRF) vulnerability in WebAPI Framework in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to execute arbitrary ... read CVE-2024-45538
    Published: December 04, 2025; 10:15:54 AM -0500

    V3.1: 9.6 CRITICAL

Created September 20, 2022, Updated August 27, 2024