NVD Dashboard
CVEs Received and Processed
NVD Contains
| CVE Vulnerabilities | 341055 |
| Checklists | 877 |
| US-CERT Alerts | 249 |
| US-CERT Vuln Notes | 4486 |
| OVAL Queries | 0 |
| CPE Names | 1632075 |
CVSS V3 Score Distribution
| Severity | Number of Vulns |
|---|---|
CVSS V2 Score Distribution
| Severity | Number of Vulns |
|---|---|
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
-
CVE-2026-27953 - ormar is an async mini ORM for Python. Versions 0.23.0 and below are vulnerable to Pydantic validation bypass through the model constructor, allowing any unauthenticated user to skip all field validation by injecting "__pk_only__": true into a JSON...
Published: March 19, 2026; 5:17:09 PM -0400
V3.1: 9.8 CRITICAL
-
CVE-2026-34085 - fontconfig before 2.17.1 has an off-by-one error in allocation during sfnt capability handling, leading to a one-byte out-of-bounds write, and potentially a crash or code execution. This is in FcFontCapabilities in fcfreetype.c.
Published: March 25, 2026; 1:17:09 PM -0400
V3.1: 7.8 HIGH
-
CVE-2026-28867 - This issue was addressed with improved authentication. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An app may be able to leak sensit...
Published: March 24, 2026; 9:17:10 PM -0400
-
CVE-2026-33210 - Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allow_duplicate_k...
Published: March 20, 2026; 7:16:46 PM -0400
V3.1: 9.1 CRITICAL
-
CVE-2026-33179 - libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a NULL pointer dereference and memory leak in fuse_uring_init_queue allows a local user to crash the FUSE daemon or cause resource exhaustion....
Published: March 20, 2026; 5:17:16 PM -0400
-
CVE-2026-33156 - ScreenToGif is a screen recording tool. In versions from 2.42.1 and prior, ScreenToGif is vulnerable to DLL sideloading via version.dll. When the portable executable is run from a user-writable directory, it loads version.dll from the application...
Published: March 20, 2026; 5:17:16 PM -0400
-
CVE-2026-33147 - GMT is an open source collection of command-line tools for manipulating geographic and Cartesian data sets. In versions from 6.6.0 and prior, a stack-based buffer overflow vulnerability was identified in the gmt_remote_dataset_id function within s...
Published: March 20, 2026; 5:17:15 PM -0400
V3.1: 7.8 HIGH
-
CVE-2018-25185 - Wecodex Restaurant CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the username parameter. Attackers can send POST requests to the login endpoint wi...
Published: March 26, 2026; 8:16:04 AM -0400
V3.1: 9.8 CRITICAL
-
CVE-2018-25195 - Wecodex Hotel CMS 1.0 contains an SQL injection vulnerability in the admin login functionality that allows unauthenticated attackers to bypass authentication by injecting SQL code. Attackers can submit malicious SQL payloads through the username p...
Published: March 26, 2026; 8:16:04 AM -0400
V3.1: 9.8 CRITICAL
-
CVE-2018-25201 - School Management System CMS 1.0 contains an SQL injection vulnerability in the admin login functionality that allows attackers to bypass authentication by injecting SQL code through the username parameter. Attackers can submit malicious payloads ...
Published: March 26, 2026; 8:16:04 AM -0400
V3.1: 9.8 CRITICAL
-
CVE-2024-42302 - In the Linux kernel, the following vulnerability has been resolved: PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal Keith reports a use-after-free when a DPC event occurs concurrently to hot-removal of the same portion of the hiera...
Published: August 17, 2024; 5:15:10 AM -0400
V3.1: 7.8 HIGH
-
CVE-2024-42314 - In the Linux kernel, the following vulnerability has been resolved: btrfs: fix extent map use-after-free when adding pages to compressed bio At add_ra_bio_pages() we are accessing the extent map to calculate 'add_size' after we dropped our refer...
Published: August 17, 2024; 5:15:11 AM -0400
V3.1: 7.8 HIGH
-
CVE-2024-43839 - In the Linux kernel, the following vulnerability has been resolved: bna: adjust 'name' buf size of bna_tcb and bna_ccb structures To have enough space to write all possible sprintf() args. Currently 'name' size is 16, but the first '%s' specifie...
Published: August 17, 2024; 6:15:09 AM -0400
V3.1: 7.8 HIGH
-
CVE-2023-45771 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Contact Form With Captcha allows Reflected XSS. This issue affects Contact Form With Captcha: from n/a through 1.6.8.
Published: March 26, 2024; 5:15:09 AM -0400
-
CVE-2005-0012 - Format string vulnerability in the a_Interface_msg function in Dillo before 0.8.3-r4 allows remote attackers to execute arbitrary code via format string specifiers in a web page.
Published: May 02, 2005; 12:00:00 AM -0400
V2.0: 7.5 HIGH
-
CVE-2022-3380 - The Customizer Export/Import WordPress plugin before 0.9.5 unserializes the content of an imported file, which could lead to PHP object injection issues when an admin imports (intentionally or not) a malicious file and a suitable gadget chain is p...
Published: October 31, 2022; 12:15:11 PM -0400
V3.1: 7.2 HIGH
-
CVE-2025-53521 - When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution (RCE). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: October 15, 2025; 10:15:48 AM -0400
-
CVE-2026-30892 - crun is an open source OCI Container Runtime fully written in C. In versions 1.19 through 1.26, the `crun exec` option `-u` (`--user`) is incorrectly parsed. The value `1` is interpreted as UID 0 and GID 0 when it should have been UID 1 and GID ...
Published: March 25, 2026; 8:16:38 PM -0400
V3.1: 7.8 HIGH
-
CVE-2026-27496 - n8n is an open source workflow automation platform. Prior to versions 1.123.22, 2.9.3, and 2.10.1, an authenticated user with permission to create or modify workflows could use the JavaScript Task Runner to allocate uninitialized memory buffers. U...
Published: March 25, 2026; 2:16:31 PM -0400
V3.1: 6.5 MEDIUM
-
CVE-2026-33696 - n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.13.3, and 1.123.27, an authenticated user with permission to create or modify workflows could exploit a prototype pollution vulnerability in the XML and the GSuiteAdmi...
Published: March 25, 2026; 2:16:32 PM -0400
V3.1: 8.8 HIGH