U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database
Icon for New NVD Communications and Status Updates Page
New Communications Page
The NVD now supports CVSS version 4.0!
CVSS v4.0 Support
The letters N V D typed out in binary
2.0 APIs

The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries CVSS Severity

  • CVE-2026-34788 - Emlog is an open source website building system. In versions 2.6.2 and prior, a SQL injection vulnerability exists in include/model/tag_model.php at line 168. The updateTagName() function directly interpolates user input into the SQL query string ... read CVE-2026-34788
    Published: April 03, 2026; 7:17:05 PM -0400

  • CVE-2026-34824 - Mesop is a Python-based UI framework that allows users to build web applications. From version 1.2.3 to before version 1.2.5, an uncontrolled resource consumption vulnerability exists in the WebSocket implementation of the Mesop framework. An unau... read CVE-2026-34824
    Published: April 03, 2026; 7:17:05 PM -0400

  • CVE-2026-34933 - Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. Prior to version 0.9-rc4, any unprivileged local user can crash avahi-daemon by sending a single D-Bus method call with conflicting publis... read CVE-2026-34933
    Published: April 03, 2026; 7:17:05 PM -0400

  • CVE-2026-33943 - Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. In versions 15.10.0 through 20.8.7, a code injection vulnerability in `ECMAScriptModuleCompiler` allows an attacker to achieve Remote Code Execution (R... read CVE-2026-33943
    Published: March 27, 2026; 6:16:21 PM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2026-5858 - Heap buffer overflow in WebML in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
    Published: April 08, 2026; 6:16:25 PM -0400

  • CVE-2026-5859 - Integer overflow in WebML in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
    Published: April 08, 2026; 6:16:25 PM -0400

  • CVE-2026-5860 - Use after free in WebRTC in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
    Published: April 08, 2026; 6:16:25 PM -0400

  • CVE-2026-5861 - Use after free in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
    Published: April 08, 2026; 6:16:25 PM -0400

  • CVE-2026-5862 - Inappropriate implementation in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
    Published: April 08, 2026; 6:16:25 PM -0400

  • CVE-2026-5863 - Inappropriate implementation in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
    Published: April 08, 2026; 6:16:25 PM -0400

  • CVE-2026-5864 - Heap buffer overflow in WebAudio in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
    Published: April 08, 2026; 6:16:25 PM -0400

  • CVE-2026-5865 - Type Confusion in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
    Published: April 08, 2026; 6:16:26 PM -0400

  • CVE-2026-5866 - Use after free in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
    Published: April 08, 2026; 6:16:26 PM -0400

  • CVE-2026-32725 - SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass when processing path-based scopes in tokens. The library normalizes the scope path fr... read CVE-2026-32725
    Published: March 31, 2026; 2:16:50 PM -0400

  • CVE-2026-32726 - SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass in path-based scope validation. The enforcer used a simple string-prefix comparison w... read CVE-2026-32726
    Published: March 31, 2026; 2:16:50 PM -0400

  • CVE-2026-34586 - PdfDing is a selfhosted PDF manager, viewer and editor offering a seamless user experience on multiple devices. Prior to version 1.7.1, check_shared_access_allowed() validates only session existence — it does not check SharedPdf.inactive (expirati... read CVE-2026-34586
    Published: March 31, 2026; 5:16:31 PM -0400

  • CVE-2026-3468 - A stored Cross-Site Scripting (XSS) vulnerability has been identified in the SonicWall Email Security appliance due to improper neutralization of user-supplied input during web page generation, allowing a remote authenticated attacker as admin use... read CVE-2026-3468
    Published: March 31, 2026; 5:16:32 PM -0400

  • CVE-2026-3469 - A denial-of-service (DoS) vulnerability exists due to improper input validation in the SonicWall Email Security appliance, allowing a remote authenticated attacker as admin user to cause the application to become unresponsive.
    Published: March 31, 2026; 5:16:33 PM -0400

  • CVE-2026-5871 - Type Confusion in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
    Published: April 08, 2026; 6:16:26 PM -0400

  • CVE-2025-52909 - An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1280, 1330, 1380, 1480, 1580, W920, W930, and W1000. Incorrect Handling of the NL80211 vendor command leads to a buffer overflow via a ... read CVE-2025-52909
    Published: April 07, 2026; 11:17:32 AM -0400

Created September 20, 2022 , Updated August 27, 2024