The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries (CVSS Severity listed where a V3.1 score has been assigned)
  • CVE-2025-61413 - A stored cross-site scripting (XSS) vulnerability in the /manager/pages component of Piranha CMS v12.0 allows attackers to execute arbitrary web scripts or HTML via creating a page and injecting a crafted payload into the Markdown blocks.
    Published: October 23, 2025; 2:16:23 PM -0400

  • CVE-2025-62236 - The Frontier Airlines website has a publicly available endpoint that validates whether an email address is associated with an account. An unauthenticated, remote attacker could determine valid email addresses, possibly aiding in further attacks.
    Published: October 23, 2025; 4:15:40 PM -0400

  • CVE-2025-59500 - Improper access control in Azure Notification Service allows an authorized attacker to elevate privileges over a network.
    Published: October 23, 2025; 6:15:48 PM -0400

    V3.1: 8.8 HIGH

  • CVE-2025-59503 - Server-side request forgery (SSRF) in Azure Compute Gallery allows an unauthorized attacker to elevate privileges over a network.
    Published: October 23, 2025; 6:15:48 PM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2025-62726 - n8n is an open source workflow automation platform. Prior to 1.113.0, a remote code execution vulnerability exists in the Git Node component available in both Cloud and Self-Hosted versions of n8n. When a malicious actor clones a remote repository... read CVE-2025-62726
    Published: October 30, 2025; 1:15:39 PM -0400

  • CVE-2024-25621 - containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad default permission vulnerability. Directory paths `/var/... read CVE-2024-25621
    Published: November 06, 2025; 2:15:40 PM -0500

    V3.1: 7.8 HIGH

  • CVE-2025-63408 - Local Agent DVR versions through 6.6.1.0 are vulnerable to directory traversal that allows an unauthenticated local attacker to gain access to sensitive information, cause a server-side request forgery (SSRF), or execute OS commands.
    Published: November 18, 2025; 11:15:45 AM -0500

    V3.1: 7.8 HIGH

  • CVE-2025-63602 - A vulnerability was discovered in Awesome Miner through 11.2.4 that allows arbitrary read and write to kernel memory and MSRs (such as LSTAR) as an unprivileged user. This is due to the implementation of an insecure version of WinRing0 (1.2.0.5, rena... read CVE-2025-63602
    Published: November 18, 2025; 11:15:45 AM -0500

  • CVE-2025-63604 - A code injection vulnerability exists in baryhuang/mcp-server-aws-resources-python 0.1.0 that allows remote code execution through insufficient input validation in the execute_query method. The vulnerability stems from the exposure of dangerous Py... read CVE-2025-63604
    Published: November 18, 2025; 11:15:46 AM -0500

  • CVE-2025-34324 - GoSign Desktop versions 2.4.0 and earlier use an unsigned update manifest for distributing application updates. The manifest contains package URLs and SHA-256 hashes but is not digitally signed, so its authenticity relies solely on the underlying ... read CVE-2025-34324
    Published: November 18, 2025; 12:16:00 PM -0500

    V3.1: 7.8 HIGH

  • CVE-2025-63829 - eProsima Fast-DDS v3.3 and before has an infinite loop vulnerability caused by integer overflow in the Time_t::fraction() function.
    Published: November 18, 2025; 12:16:12 PM -0500

    V3.1: 7.5 HIGH

  • CVE-2025-56643 - Requarks Wiki.js 2.5.307 does not properly revoke or invalidate active JWT tokens when a user logs out. As a result, previously issued tokens remain valid and can be reused to access the system, even after logout. This behavior affects session int... read CVE-2025-56643
    Published: November 18, 2025; 1:16:07 PM -0500

  • CVE-2025-63994 - An arbitrary file upload vulnerability in the /php/UploadHandler.php component of RichFilemanager v2.7.6 allows attackers to execute arbitrary code via uploading a crafted file.
    Published: November 18, 2025; 1:16:14 PM -0500

  • CVE-2025-64076 - Multiple vulnerabilities exist in cbor2 through version 5.7.0 in the decode_definite_long_string() function of the C extension decoder (source/decoder.c): (1) Integer Underflow Leading to Out-of-Bounds Read (CWE-191, CWE-125): An incorrect variabl... read CVE-2025-64076
    Published: November 18, 2025; 1:16:14 PM -0500

  • CVE-2024-38963 - Nopcommerce 4.70.1 is vulnerable to Cross Site Scripting (XSS) via the combined "AddProductReview.Title" and "AddProductReview.ReviewText" parameter(s) (Reviews) when creating a new review.
    Published: July 09, 2024; 6:15:02 PM -0400

  • CVE-2024-8914 - The Thanh Toán Quét Mã QR Code Tự Động – MoMo, ViettelPay, VNPay và 40 ngân hàng Việt Nam plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0.1 due to incorrect use of the wp_kses_allowed_htm... read CVE-2024-8914
    Published: September 24, 2024; 9:15:47 PM -0400

  • CVE-2025-10979 - A weakness has been identified in JeecgBoot up to 3.8.2. The impacted element is an unknown function of the file /sys/role/exportXls. This manipulation causes improper authorization. It is possible to initiate the attack remotely. The exploit has ... read CVE-2025-10979
    Published: September 25, 2025; 7:15:48 PM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2025-10707 - A weakness has been identified in JeecgBoot up to 3.8.2. Affected is an unknown function of the file /message/sysMessageTemplate/sendMsg. Executing manipulation can lead to improper authorization. The attack may be launched remotely. The exploit h... read CVE-2025-10707
    Published: September 19, 2025; 8:15:34 AM -0400

    V3.1: 8.8 HIGH

  • CVE-2025-10319 - A security flaw has been discovered in JeecgBoot up to 3.8.2. Affected by this issue is some unknown functionality of the file /sys/tenant/exportLog of the component Tenant Log Export. The manipulation results in improper authorization. The attack... read CVE-2025-10319
    Published: September 12, 2025; 11:15:32 AM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2025-10318 - A vulnerability was identified in JeecgBoot up to 3.8.2. Affected by this vulnerability is an unknown functionality of the file /api/system/sendWebSocketMsg of the component WebSocket Message Handler. The manipulation of the argument userIds leads... read CVE-2025-10318
    Published: September 12, 2025; 9:15:31 AM -0400

    V3.1: 8.8 HIGH
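The GoSign Desktop entry above (CVE-2025-34324) describes a manifest that carries package URLs and SHA-256 hashes but no signature, so the hashes are only as trustworthy as whatever delivered the manifest. The Go program below is an added example written for this page, not GoSign code, and assumes nothing about GoSign's real manifest layout: the manifest struct, the example.invalid URL, the package bytes and the Ed25519 key pair are all constructed here. It shows the vulnerable flow (any manifest that parses is trusted) beside the fixed flow (the updater verifies a detached signature with a pinned public key before it reads a single hash).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// manifest is a constructed stand-in for an update manifest of the kind the CVE describes:
// package URLs and their SHA-256 hashes. On its own it authenticates nothing, because
// whoever can substitute the manifest can substitute the hashes too.
type manifest struct {
	Version  string            `json:"version"`
	Packages map[string]string `json:"packages"` // url -> hex sha256 of the package bytes
}

// signedManifest is the manifest bytes plus a detached Ed25519 signature over exactly
// those bytes, so the updater verifies the same bytes it later parses.
type signedManifest struct {
	Manifest  json.RawMessage `json:"manifest"`
	Signature []byte          `json:"signature"`
}

// signManifest runs in the vendor's release pipeline, which alone holds the private key.
func signManifest(m manifest, priv ed25519.PrivateKey) (signedManifest, error) {
	raw, err := json.Marshal(m)
	if err != nil {
		return signedManifest{}, err
	}
	return signedManifest{Manifest: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// verifyManifest runs in the updater with the vendor's public key pinned in the binary.
// The hash list is untrusted input until this returns without error.
func verifyManifest(sm signedManifest, pub ed25519.PublicKey) (manifest, error) {
	var m manifest
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, sm.Manifest, sm.Signature) {
		return m, errors.New("manifest signature invalid")
	}
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return m, err
	}
	return m, nil
}

// verifyPackage compares a downloaded package with the now-authenticated hash for its URL.
func verifyPackage(m manifest, url string, pkg []byte) error {
	want, ok := m.Packages[url]
	if !ok {
		return errors.New("package not listed in manifest")
	}
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != want {
		return errors.New("package hash mismatch")
	}
	return nil
}

// unsignedUpdate is the vulnerable flow: it trusts any manifest that parses and only
// checks that the download matches the hash the (possibly attacker-supplied) manifest carries.
func unsignedUpdate(raw []byte, url string, pkg []byte) error {
	var m manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return err
	}
	return verifyPackage(m, url, pkg)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair for the demo
	url := "https://example.invalid/app.pkg"         // constructed URL
	pkg := []byte("constructed package bytes")
	sum := sha256.Sum256(pkg)
	sm, _ := signManifest(manifest{Version: "2.4.1", Packages: map[string]string{url: hex.EncodeToString(sum[:])}}, priv)

	// An attacker on the update path rewrites the manifest to carry the hash of their own payload.
	evil := []byte("malicious package")
	evilSum := sha256.Sum256(evil)
	forged, _ := json.Marshal(manifest{Version: "2.4.1", Packages: map[string]string{url: hex.EncodeToString(evilSum[:])}})

	fmt.Println("unsigned flow accepts forged manifest:", unsignedUpdate(forged, url, evil) == nil)
	_, err := verifyManifest(signedManifest{Manifest: forged, Signature: sm.Signature}, pub)
	fmt.Println("signed flow rejects forged manifest:", err != nil)
}
```

The signature covers the serialized manifest rather than individual fields, so there is no gap between what was signed and what gets parsed. Two things the example leaves out that a real updater also needs: a monotonic version check so a validly signed older manifest cannot be replayed to roll the client back, and a plan for rotating the pinned key.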
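The Wiki.js entry above (CVE-2025-56643) is the logout gap inherent to bearer JWTs: if the server keeps no state, a token that verifies before logout verifies just as well after, because logout changes nothing the verifier looks at. The Go program below is an added example for this page, not Wiki.js code; the claim names, the HS256 key, the timestamps and the jti-keyed revocation map are assumptions made for the illustration. It implements a minimal compact JWT so the example runs offline, then shows the stateless check accepting a logged-out token next to the fixed check that consults a revocation list.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Constructed key for this example only; a real service loads it from a secret store.
var signingKey = []byte("example-only-hmac-key")
var b64 = base64.RawURLEncoding

type claims struct {
	Sub string `json:"sub"`
	Jti string `json:"jti"` // unique token id: what a revocation list keys on
	Exp int64  `json:"exp"`
}

func sign(input string) []byte {
	mac := hmac.New(sha256.New, signingKey)
	mac.Write([]byte(input))
	return mac.Sum(nil)
}

// issue builds a compact HS256 JWT: header.payload.signature, base64url without padding.
func issue(c claims) string {
	body, _ := json.Marshal(c) // a plain struct of strings and ints cannot fail to marshal
	input := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	return input + "." + b64.EncodeToString(sign(input))
}

// verify is the purely stateless check (alg, signature, expiry). Nothing here can know
// that the user logged out, which is the behaviour CVE-2025-56643 describes.
func verify(tok string, now time.Time) (claims, error) {
	var c claims
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	var h struct {
		Alg string `json:"alg"`
	}
	hdr, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hdr, &h) != nil || h.Alg != "HS256" {
		return c, errors.New("unsupported alg") // rejects alg=none and algorithm confusion
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, sign(parts[0]+"."+parts[1])) {
		return c, errors.New("bad signature")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return c, errors.New("bad payload")
	}
	if now.Unix() >= c.Exp {
		return c, errors.New("expired")
	}
	return c, nil
}

// revocations is the server-side state a stateless scheme lacks: the jti of every token
// revoked at logout, mapped to its exp so the entry can be dropped once the token is dead anyway.
type revocations map[string]int64

// logout verifies the token first (so junk cannot bloat the list), then records its jti.
func (r revocations) logout(tok string, now time.Time) error {
	c, err := verify(tok, now)
	if err != nil {
		return err
	}
	r[c.Jti] = c.Exp
	return nil
}

// authenticate is the fixed check: everything verify does, plus "not revoked".
func (r revocations) authenticate(tok string, now time.Time) (claims, error) {
	c, err := verify(tok, now)
	if err != nil {
		return c, err
	}
	if _, revoked := r[c.Jti]; revoked {
		return c, errors.New("token revoked")
	}
	return c, nil
}

func main() {
	now := time.Unix(1700000000, 0) // constructed clock so the run is reproducible
	r := revocations{}
	tok := issue(claims{Sub: "alice", Jti: "t-1", Exp: now.Add(time.Hour).Unix()})
	_ = r.logout(tok, now)
	_, stateless := verify(tok, now)        // <nil>: the signature check alone still accepts it
	_, stateful := r.authenticate(tok, now) // token revoked
	fmt.Println("after logout:", stateless, "vs", stateful)
}
```

In production the map becomes a shared store (one entry per revoked jti with a TTL of exp minus now, so it never grows past the number of live tokens), and it is consulted on every request, not only at login. Keeping access tokens short-lived bounds how long the list must remember anything; the alternative of a per-user "token version" embedded in the claims revokes everything a user holds at once but cannot revoke one session selectively.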

Created September 20, 2022, Updated August 27, 2024