
The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries (with CVSS Severity where scored)
  • CVE-2025-3516 - The Simple Lightbox WordPress plugin before 2.9.4 does not validate and escape some of its attributes before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting at... read CVE-2025-3516
    Published: May 16, 2025; 2:15:46 AM -0400

  • CVE-2019-25220 - Bitcoin Core before 24.0.1 allows remote attackers to cause a denial of service (daemon crash) via a flood of low-difficulty header chains (aka a "Chain Width Expansion" attack) because a node does not first verify that a presented chain has enoug... read CVE-2019-25220
    Published: November 17, 2024; 11:15:04 PM -0500

  • CVE-2024-55563 - Bitcoin Core through 27.2 allows transaction-relay jamming via an off-chain protocol attack, a related issue to CVE-2024-52913. For example, the outcome of an HTLC (Hashed Timelock Contract) can be changed because a flood of transaction traffic pr... read CVE-2024-55563
    Published: December 08, 2024; 8:15:06 PM -0500

  • CVE-2025-32728 - In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.
    Published: April 09, 2025; 10:15:30 PM -0400

    V3.1: 3.8 LOW

  • CVE-2024-35202 - Bitcoin Core before 25.0 allows remote attackers to cause a denial of service (blocktxn message-handling assertion and node exit) by including transactions in a blocktxn message that are not committed to in a block's merkle root. FillBlock can be ... read CVE-2024-35202
    Published: October 10, 2024; 9:15:14 AM -0400

  • CVE-2019-3728 - RSA BSAFE Crypto-C Micro Edition versions from 4.0.0.0 before 4.0.5.4 and from 4.1.0 before 4.1.4, RSA BSAFE Micro Edition Suite versions from 4.0.0 before 4.0.13 and from 4.1.0 before 4.4 and RSA Crypto-C versions from 6.0.0 through 6.4.* are vul... read CVE-2019-3728
    Published: September 30, 2019; 6:15:10 PM -0400

    V3.1: 7.5 HIGH
    V2.0: 5.0 MEDIUM

  • CVE-2025-27980 - cashbook v4.0.3 has an arbitrary file read vulnerability in /api/entry/flow/invoice/show?invoice=.
    Published: April 15, 2025; 11:16:07 AM -0400

  • CVE-2025-24977 - OpenCTI is an open cyber threat intelligence (CTI) platform. Prior to version 6.4.11 any user with the capability `manage customizations` can execute commands on the underlying infrastructure where OpenCTI is hosted and can access internal server ... read CVE-2025-24977
    Published: May 05, 2025; 1:18:47 PM -0400

    V3.1: 9.1 CRITICAL

  • CVE-2024-45805 - OpenCTI is an open-source cyber threat intelligence platform. Before 6.3.0, general users can access information that can only be accessed by users with access privileges to admin and support information (SETTINGS_SUPPORT). This is due to inadequa... read CVE-2024-45805
    Published: December 26, 2024; 5:15:15 PM -0500

    V3.1: 4.3 MEDIUM

  • CVE-2024-37155 - OpenCTI is an open source platform allowing organizations to manage their cyber threat intelligence knowledge and observables. Prior to version 6.1.9, the regex validation used to prevent Introspection queries can be bypassed by removing the extra... read CVE-2024-37155
    Published: November 18, 2024; 10:15:06 AM -0500

    V3.1: 8.2 HIGH

  • CVE-2025-44854 - TOTOLINK CP900 V6.3c.1144_B20190715 was found to contain a command injection vulnerability in the setUpgradeUboot function via the FileName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
    Published: May 01, 2025; 10:15:45 AM -0400

  • CVE-2025-44847 - TOTOLINK CA600-PoE V5.3c.6665_B20180820 was found to contain a command injection vulnerability in the setWebWlanIdx function via the webWlanIdx parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
    Published: May 01, 2025; 1:15:51 PM -0400

  • CVE-2025-44846 - TOTOLINK CA600-PoE V5.3c.6665_B20180820 was found to contain a command injection vulnerability in the recvUpgradeNewFw function via the fwUrl parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
    Published: May 01, 2025; 1:15:50 PM -0400

  • CVE-2025-44845 - TOTOLINK CA600-PoE V5.3c.6665_B20180820 was found to contain a command injection vulnerability in the NTPSyncWithHost function via the hostTime parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
    Published: May 01, 2025; 1:15:50 PM -0400

  • CVE-2025-44844 - TOTOLINK CA600-PoE V5.3c.6665_B20180820 was found to contain a command injection vulnerability in the setUpgradeFW function via the FileName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
    Published: May 01, 2025; 1:15:50 PM -0400

  • CVE-2025-44843 - TOTOLINK CA600-PoE V5.3c.6665_B20180820 was found to contain a command injection vulnerability in the CloudSrvUserdataVersionCheck function via the url parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted requ... read CVE-2025-44843
    Published: May 01, 2025; 1:15:50 PM -0400

  • CVE-2025-44842 - TOTOLINK CA600-PoE V5.3c.6665_B20180820 was found to contain a command injection vulnerability in the msg_process function via the Port parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
    Published: May 01, 2025; 1:15:50 PM -0400

  • CVE-2025-44841 - TOTOLINK CA600-PoE V5.3c.6665_B20180820 was found to contain a command injection vulnerability in the CloudSrvUserdataVersionCheck function via the version parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted ... read CVE-2025-44841
    Published: May 01, 2025; 1:15:50 PM -0400

  • CVE-2025-44840 - TOTOLINK CA600-PoE V5.3c.6665_B20180820 was found to contain a command injection vulnerability in the CloudSrvUserdataVersionCheck function via the svn parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted requ... read CVE-2025-44840
    Published: May 01, 2025; 1:15:50 PM -0400

  • CVE-2025-44839 - TOTOLINK CA600-PoE V5.3c.6665_B20180820 was found to contain a command injection vulnerability in the CloudSrvUserdataVersionCheck function via the magicid parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted ... read CVE-2025-44839
    Published: May 01, 2025; 1:15:50 PM -0400

Created September 20, 2022 , Updated August 27, 2024