The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
CVE-2024-55342 - A file upload functionality in Piranha CMS 11.1 allows authenticated remote attackers to upload a crafted PDF file to /manager/media. This PDF can contain malicious JavaScript code, which is executed when a victim user opens or interacts with the ...
Published: December 20, 2024; 2:15:08 PM -0500
CVE-2020-22540 - Stored Cross-Site Scripting (XSS) vulnerability in Codoforum v4.9, allows attackers to execute arbitrary code and obtain sensitive information via crafted payload to Category name component.
Published: April 15, 2024; 7:15:06 PM -0400
CVE-2024-32505 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Wpmet Elements kit Elementor addons allows Stored XSS. This issue affects Elements kit Elementor addons: from n/a through 3.0.6.
Published: April 17, 2024; 6:15:10 AM -0400
V3.1: 5.4 MEDIUM
CVE-2024-32161 - jizhiCMS 2.5 suffers from a File upload vulnerability.
Published: April 17, 2024; 2:15:16 PM -0400
CVE-2024-4854 - MONGO and ZigBee TLV dissector infinite loops in Wireshark 4.2.0 to 4.2.4, 4.0.0 to 4.0.14, and 3.6.0 to 3.6.22 allow denial of service via packet injection or crafted capture file
Published: May 14, 2024; 11:45:18 AM -0400
V3.1: 7.5 HIGH
CVE-2024-34220 - Sourcecodester Human Resource Management System 1.0 is vulnerable to SQL Injection via the 'leave' parameter.
Published: May 14, 2024; 11:38:35 AM -0400
CVE-2024-34221 - Sourcecodester Human Resource Management System 1.0 is vulnerable to Insecure Permissions resulting in privilege escalation.
Published: May 14, 2024; 11:38:36 AM -0400
CVE-2024-34222 - Sourcecodester Human Resource Management System 1.0 is vulnerable to SQL Injection via the searccountry parameter.
Published: May 14, 2024; 11:38:36 AM -0400
CVE-2024-34223 - Insecure permission vulnerability in /hrm/leaverequest.php in SourceCodester Human Resource Management System 1.0 allows attackers to approve or reject leave ticket.
Published: May 14, 2024; 11:38:36 AM -0400
CVE-2025-31726 - Jenkins Stack Hammer Plugin 1.0.6 and earlier stores Stack Hammer API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
Published: April 02, 2025; 11:16:00 AM -0400
CVE-2024-31351 - Unrestricted Upload of File with Dangerous Type vulnerability in Copymatic Copymatic – AI Content Writer & Generator. This issue affects Copymatic – AI Content Writer & Generator: from n/a through 1.6.
Published: May 17, 2024; 3:16:01 AM -0400
V3.1: 9.8 CRITICAL
CVE-2024-4061 - The Survey Maker WordPress plugin before 4.2.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disa...
Published: May 21, 2024; 2:15:09 AM -0400
CVE-2025-20660 - In PlayReady TA, there is a possible out of bounds read due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation...
Published: April 07, 2025; 12:15:19 AM -0400
CVE-2025-20657 - In vdec, there is a possible permission bypass due to improper input validation. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patc...
Published: April 07, 2025; 12:15:19 AM -0400
CVE-2024-4442 - The Salon booking system plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 9.8. This is due to the plugin not properly validating the path of an uploaded file prior to deleting it. This makes it po...
Published: May 21, 2024; 3:15:08 AM -0400
V3.1: 9.1 CRITICAL
CVE-2024-33219 - An issue in the component AsIO64.sys of ASUSTeK Computer Inc ASUS SABERTOOTH X99 Driver v1.0.1.0 allows attackers to escalate privileges and execute arbitrary code via sending crafted IOCTL requests.
Published: May 22, 2024; 11:15:28 AM -0400
CVE-2024-33220 - An issue in the component AslO3_64.sys of ASUSTeK Computer Inc AISuite3 v3.03.36 3.03.36 allows attackers to escalate privileges and execute arbitrary code via sending crafted IOCTL requests.
Published: May 22, 2024; 11:15:28 AM -0400
CVE-2025-27173 - Substance3D - Modeler versions 1.15.0 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in ...
Published: March 11, 2025; 5:15:42 PM -0400
V3.1: 7.8 HIGH
CVE-2025-24451 - Substance3D - Painter versions 10.1.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a...
Published: March 11, 2025; 2:15:31 PM -0400
V3.1: 7.8 HIGH
CVE-2024-1733 - The Word Replacer Pro plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the word_replacer_ultra() function in all versions up to, and including, 1.0. This makes it possible for unauthentic...
Published: March 16, 2024; 2:15:13 AM -0400