
The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries (with CVSS Severity)
  • CVE-2026-22252 - LibreChat is a ChatGPT clone with additional features. Prior to v0.8.2-rc2, LibreChat's MCP stdio transport accepts arbitrary commands without validation, allowing any authenticated user to execute shell commands as root inside the container throu... read CVE-2026-22252
    Published: January 12, 2026; 2:16:03 PM -0500

    V3.1: 9.9 CRITICAL

  • CVE-2026-22776 - cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.1, a Denial of Service (DoS) vulnerability exists in cpp-httplib due to the unsafe handling of compressed HTTP request bodies (Content-Encoding... read CVE-2026-22776
    Published: January 12, 2026; 2:16:03 PM -0500

    V3.1: 7.5 HIGH

  • CVE-2024-14021 - LlamaIndex (run-llama/llama_index) versions up to and including 0.11.6 contain an unsafe deserialization vulnerability in BGEM3Index.load_from_disk() in llama_index/indices/managed/bge_m3/base.py. The function uses pickle.load() to deserialize mul... read CVE-2024-14021
    Published: January 12, 2026; 6:15:51 PM -0500

    V3.1: 7.8 HIGH

  • CVE-2026-0821 - A vulnerability was determined in quickjs-ng quickjs up to 0.11.0. This vulnerability affects the function js_typed_array_constructor of the file quickjs.c. Executing a manipulation can lead to heap-based buffer overflow. The attack may be launche... read CVE-2026-0821
    Published: January 10, 2026; 8:15:49 AM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2022-50906 - e107 CMS 3.2.1 contains an upload restriction bypass vulnerability that allows authenticated administrators to upload malicious SVG files through the media manager. Attackers with admin privileges can exploit this vulnerability to upload SVG files... read CVE-2022-50906
    Published: January 13, 2026; 6:15:53 PM -0500

    V3.1: 4.8 MEDIUM

  • CVE-2022-50907 - e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrative users to bypass upload restrictions and execute PHP files. Attackers can upload malicious PHP files to parent directories by manipulating the uplo... read CVE-2022-50907
    Published: January 13, 2026; 6:15:53 PM -0500

    V3.1: 7.2 HIGH

  • CVE-2022-50916 - e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrators to override server files through the Media Manager import functionality. Attackers can exploit the upload mechanism by manipulating the upload URL... read CVE-2022-50916
    Published: January 13, 2026; 6:15:55 PM -0500

    V3.1: 7.2 HIGH

  • CVE-2025-15472 - A flaw has been found in TRENDnet TEW-811DRU 1.0.2.0. This affects the function setDeviceURL of the file uapply.cgi of the component httpd. This manipulation of the argument DeviceURL causes os command injection. The attack can be initiated remo... read CVE-2025-15472
    Published: January 07, 2026; 7:16:59 AM -0500

    V3.1: 7.2 HIGH

  • CVE-2025-65015 - joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In versions from 1.3.3 to before 1.3.5 and from 1.4.0 to before 1.4.2, the ExceededSizeError exception messages are embedde... read CVE-2025-65015
    Published: November 18, 2025; 6:15:56 PM -0500

    V3.1: 7.5 HIGH

  • CVE-2025-63209 - The ELCA Star Transmitter Remote Control firmware 1.25 for STAR150, BP1000, STAR300, STAR2000, STAR1000, STAR500, and possibly other models, contains an information disclosure vulnerability allowing unauthenticated attackers to retrieve admin cred... read CVE-2025-63209
    Published: November 19, 2025; 1:15:49 PM -0500

  • CVE-2025-64325 - Emby Server is a personal media server. Prior to version 4.8.1.0 and prior to Beta version 4.9.0.0-beta, a malicious user can send an authentication request with a manipulated X-Emby-Client value, which gets added to the devices section of the adm... read CVE-2025-64325
    Published: November 18, 2025; 6:15:55 PM -0500

    V3.1: 9.0 CRITICAL

  • CVE-2025-63217 - The Itel DAB MUX (IDMUX build c041640a) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JWT token obtained from one device to authenticate and gain administrative access to any othe... read CVE-2025-63217
    Published: November 18, 2025; 5:15:51 PM -0500

  • CVE-2025-65037 - Improper control of generation of code ('code injection') in Azure Container Apps allows an unauthorized attacker to execute code over a network.
    Published: December 18, 2025; 5:16:01 PM -0500

  • CVE-2025-63216 - The Itel DAB Gateway (IDGat build c041640a) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JWT token obtained from one device to authenticate and gain administrative access to any ... read CVE-2025-63216
    Published: November 18, 2025; 5:15:51 PM -0500

  • CVE-2025-63208 - An issue was discovered in bridgetech VB288 Objective QoE Content Extractor, firmware version 5.6.0-8, allowing attackers to gain sensitive information such as administrator passwords via the /probe/core/setup/passwd endpoint.
    Published: November 19, 2025; 1:15:48 PM -0500

  • CVE-2025-63215 - The Sound4 IMPACT web-based management interface is vulnerable to Remote Code Execution (RCE) via a malicious firmware update package. The update mechanism fails to validate the integrity of manual.sh, allowing an attacker to inject arbitrary comm... read CVE-2025-63215
    Published: November 18, 2025; 5:15:51 PM -0500

  • CVE-2026-0671 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki - UploadWizard extension allows Cross-Site Scripting (XSS). This issue affects MediaWiki - UploadWizard exte... read CVE-2026-0671
    Published: January 08, 2026; 12:15:50 PM -0500

  • CVE-2026-21898 - CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version... read CVE-2026-21898
    Published: January 09, 2026; 8:16:17 PM -0500

  • CVE-2026-21897 - CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version... read CVE-2026-21897
    Published: January 09, 2026; 8:16:17 PM -0500

  • CVE-2025-61550 - Cross-Site Scripting (XSS) is present on the ctl00_Content01_fieldValue parameters on the /psp/appNet/TemplateOrder/TemplatePreview.aspx endpoint in edu Business Solutions Print Shop Pro WebDesk version 18.34. User-supplied input is stored and lat... read CVE-2025-61550
    Published: January 08, 2026; 12:15:48 PM -0500

Created September 20, 2022, Updated August 27, 2024