The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries (CVSS Severity)
  • CVE-2025-41244 - VMware Aria Operations and VMware Tools contain a local privilege escalation vulnerability. A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabl...
    Published: September 29, 2025; 1:15:30 PM -0400

  • CVE-2025-2746 - An authentication bypass vulnerability in Kentico Xperience allows authentication bypass via the Staging Sync Server password handling of empty SHA1 usernames in digest authentication. Authentication bypass allows an attacker to control administra...
    Published: March 24, 2025; 3:15:51 PM -0400

  • CVE-2025-2747 - An authentication bypass vulnerability in Kentico Xperience allows authentication bypass via the Staging Sync Server component password handling for the server defined None type. Authentication bypass allows an attacker to control administrative o...
    Published: March 24, 2025; 3:15:51 PM -0400

  • CVE-2025-34028 - The Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files that represent install packages that, when expanded by the target server, are vulnerable to path traversal vulnerability that can result in Remote ...
    Published: April 22, 2025; 1:16:48 PM -0400

  • CVE-2025-3248 - Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.
    Published: April 07, 2025; 11:15:44 AM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2025-63298 - A path traversal vulnerability was identified in SourceCodester Pet Grooming Management System 1.0, affecting the admin/manage_website.php component. An authenticated user with administrative privileges can leverage this flaw by submitting a speci...
    Published: October 30, 2025; 3:16:35 PM -0400

  • CVE-2022-0866 - This is a concurrency issue that can result in the wrong caller principal being returned from the session context of an EJB that is configured with a RunAs principal. In particular, the org.jboss.as.ejb3.component.EJBComponent class has an incomin...
    Published: May 10, 2022; 5:15:08 PM -0400

    V3.1: 5.3 MEDIUM
    V2.0: 4.3 MEDIUM

  • CVE-2024-29197 - Pimcore is an Open Source Data & Experience Management Platform. Any call with the query argument `?pimcore_preview=true` allows to view unpublished sites. In previous versions of Pimcore, session information would propagate to previews, so only a...
    Published: March 26, 2024; 11:15:49 AM -0400

  • CVE-2024-51115 - DCME-320 v7.4.12.90 was discovered to contain a command injection vulnerability.
    Published: November 05, 2024; 6:15:04 PM -0500

  • CVE-2024-11491 - A vulnerability was found in 115cms up to 20240807. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /index.php/admin/web/useradmin.html. The manipulation of the argument ks leads to cross site scr...
    Published: November 20, 2024; 12:15:16 PM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2024-37848 - SQL Injection vulnerability in Online-Bookstore-Project-In-PHP v1.0 allows a local attacker to execute arbitrary code via the admin_delete.php component.
    Published: June 17, 2024; 10:15:11 AM -0400

  • CVE-2025-23143 - In the Linux kernel, the following vulnerability has been resolved: net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod. When I ran the repro [0] and waited a few seconds, I observed two LOCKDEP splats: a warning immediately fol...
    Published: May 01, 2025; 9:15:50 AM -0400

    V3.1: 5.5 MEDIUM

  • CVE-2025-23142 - In the Linux kernel, the following vulnerability has been resolved: sctp: detect and prevent references to a freed transport in sendmsg sctp_sendmsg() re-uses associations and transports when possible by doing a lookup based on the socket endpoi...
    Published: May 01, 2025; 9:15:50 AM -0400

    V3.1: 7.8 HIGH

  • CVE-2025-23141 - In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses Acquire a lock on kvm->srcu when userspace is getting MP state to handle a rather extreme edge case w...
    Published: May 01, 2025; 9:15:49 AM -0400

    V3.1: 5.5 MEDIUM

  • CVE-2025-23140 - In the Linux kernel, the following vulnerability has been resolved: misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error After devm_request_irq() fails with error in pci_endpoint_test_request_irq(), the pci_endpoi...
    Published: May 01, 2025; 9:15:49 AM -0400

    V3.1: 5.5 MEDIUM

  • CVE-2024-49336 - IBM Security Guardium 11.5 and 12.0 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
    Published: December 19, 2024; 1:15:22 PM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2025-3986 - A vulnerability was found in Apereo CAS 5.2.6. It has been declared as problematic. This vulnerability affects unknown code of the file cas-5.2.6\core\cas-server-core-configuration-metadata-repository\src\main\java\org\apereo\cas\metadata\rest\Cas...
    Published: April 27, 2025; 5:15:16 PM -0400

    V3.1: 7.5 HIGH

  • CVE-2025-3985 - A vulnerability was found in Apereo CAS 5.2.6. It has been classified as problematic. This affects the function ResponseEntity of the file cas-5.2.6\webapp-mgmt\cas-management-webapp-support\src\main\java\org\apereo\cas\mgmt\services\web\ManageReg...
    Published: April 27, 2025; 5:15:16 PM -0400

    V3.1: 4.9 MEDIUM

  • CVE-2025-3984 - A vulnerability was found in Apereo CAS 5.2.6 and classified as critical. Affected by this issue is the function saveService of the file cas-5.2.6\webapp-mgmt\cas-management-webapp-support\src\main\java\org\apereo\cas\mgmt\services\web\RegisteredS...
    Published: April 27, 2025; 4:15:15 PM -0400

    V3.1: 7.5 HIGH

  • CVE-2025-59185 - External control of file name or path in Windows Core Shell allows an unauthorized attacker to perform spoofing over a network.
    Published: October 14, 2025; 1:15:56 PM -0400

    V3.1: 6.5 MEDIUM

Created September 20, 2022, Updated August 27, 2024