U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

NVD Dashboard

CVEs Received and Processed

CVEs Received and Processed

Please Wait

CVE Status Count

Please Wait

CVSS Score Spread

Please Wait

CVSS V3 Score Distribution

Severity Number of Vulns

CVSS V2 Score Distribution

Severity Number of Vulns


For information on how to the cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries CVSS Severity
  • CVE-2026-50321 - Concurrent execution using shared resource with improper synchronization ('race condition') in Windows USB Driver allows an authorized attacker to elevate privileges locally.
    Published: July 14, 2026; 2:17:30 PM -0400

    V3.1: 7.0 HIGH

  • CVE-2026-50322 - Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Runtime allows an authorized attacker to elevate privileges locally.
    Published: July 14, 2026; 2:17:31 PM -0400

  • CVE-2026-58538 - Heap-based buffer overflow in Windows Bluetooth Service allows an authorized attacker to elevate privileges locally.
    Published: July 14, 2026; 2:18:41 PM -0400

  • CVE-2026-58539 - Out-of-bounds read in Windows RDP allows an unauthorized attacker to disclose information over a network.
    Published: July 14, 2026; 2:18:41 PM -0400

    V3.1: 7.5 HIGH

  • CVE-2026-58540 - Improper authorization in Windows Installer allows an authorized attacker to elevate privileges locally.
    Published: July 14, 2026; 2:18:41 PM -0400

  • CVE-2026-58541 - Access of resource using incompatible type ('type confusion') in Windows DWM allows an authorized attacker to elevate privileges locally.
    Published: July 14, 2026; 2:18:41 PM -0400

  • CVE-2026-58542 - Heap-based buffer overflow in Windows Media allows an unauthorized attacker to execute code locally.
    Published: July 14, 2026; 2:18:42 PM -0400

    V3.1: 7.8 HIGH

  • CVE-2026-58543 - Concurrent execution using shared resource with improper synchronization ('race condition') in Windows USB Print Driver allows an authorized attacker to elevate privileges with a physical attack.
    Published: July 14, 2026; 2:18:42 PM -0400

  • CVE-2026-58546 - Use of uninitialized resource in Windows RDP allows an unauthorized attacker to disclose information over a network.
    Published: July 14, 2026; 2:18:42 PM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2026-58547 - Heap-based buffer overflow in Universal Plug and Play (upnp.dll) allows an authorized attacker to elevate privileges locally.
    Published: July 14, 2026; 2:18:42 PM -0400

    V3.1: 7.8 HIGH

  • CVE-2026-58594 - Integer overflow or wraparound in Windows RDP allows an unauthorized attacker to execute code over a network.
    Published: July 14, 2026; 2:18:43 PM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2026-10667 - Zephyr's dynamic kernel-object tracking (kernel/userspace/userspace.c, formerly kernel/userspace.c) maintains a doubly-linked list (obj_list) of dynamically allocated kernel objects. Iteration over this list in k_object_wordlist_foreach() was perf... read CVE-2026-10667
    Published: July 12, 2026; 1:16:24 PM -0400

  • CVE-2026-58613 - Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.
    Published: July 14, 2026; 2:18:44 PM -0400

  • CVE-2026-58617 - Improper access control in Microsoft 365 Copilot for iOS allows an unauthorized attacker to elevate privileges over a network.
    Published: July 14, 2026; 2:18:44 PM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2026-58619 - Use after free in Windows Sensor Data Service allows an authorized attacker to elevate privileges locally.
    Published: July 14, 2026; 2:18:44 PM -0400

  • CVE-2026-56353 - n8n contains an authentication bypass in the Chat Trigger node when configured with n8n User Auth (a non-default configuration). In affected releases — before 1.123.22, the 2.0.0 through 2.9.2 line, and 2.10.0 — the authentication check on the Cha... read CVE-2026-56353
    Published: July 15, 2026; 8:18:02 AM -0400

  • CVE-2026-59259 - n8n before versions 1.123.61, 2.27.4, and 2.28.1 contains a permission bypass vulnerability in external secrets handling caused by a mismatch between the static validation check and the runtime expression engine. An authenticated user with credent... read CVE-2026-59259
    Published: July 15, 2026; 8:18:17 AM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2026-10668 - The Nuvoton NuMaker HSUSBD USB device-controller driver (drivers/usb/udc/udc_numaker.c) armed the control Data IN stage unconditionally (base->CEPTXCNT = len in numaker_hsusbd_ep_trigger). Because the HSUSBD hardware cannot disarm a control Data I... read CVE-2026-10668
    Published: July 12, 2026; 1:16:24 PM -0400

    V3.1: 4.6 MEDIUM

  • CVE-2026-56398 - Open WebUI before 0.9.5 contains a stored cross-site scripting vulnerability in the OAuth authentication flow where the picture claim URL MIME type is inferred from file extension rather than Content-Type header, allowing SVG files to bypass the p... read CVE-2026-56398
    Published: July 15, 2026; 8:18:02 AM -0400

    V3.1: 9.0 CRITICAL

  • CVE-2026-56400 - open-webui before 0.3.14 contains a cross-origin resource sharing misconfiguration allowing arbitrary origins with allow_origins=* and authenticated requests to the /api/v1/functions endpoint. Attackers can execute arbitrary code on the openwebui ... read CVE-2026-56400
    Published: July 15, 2026; 8:18:03 AM -0400

    V3.1: 9.6 CRITICAL