NVD Dashboard

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries, with CVSS Severity
  • CVE-2026-7313 - CWE-522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 8.0.5700 to 13.3.7652 allows a remote authenticated attacker to obtain plain-text credentials used to connect to Sitefinity Insight service. Successful ...
    Published: June 02, 2026; 10:17:14 AM -0400

    V3.1: 4.9 MEDIUM

  • CVE-2026-7312 - CWE-522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 14.0.7700 to 14.4.8152, and 15.0.8200 to 15.0.8234, and 15.1.8300 to 15.1.8335, 15.2.8400 to 15.2.8441, 15.3.8500 to 15.3.8531, and 15.4.8600 to 15.4...
    Published: June 02, 2026; 10:17:14 AM -0400

    V3.1: 7.5 HIGH

  • CVE-2026-7195 - CWE-20: Improper Input Validation in web services in Progress Sitefinity 14.1.x through 14.3.x, 14.4.x before 14.4.8152, 15.0.x before 15.0.8234, 15.1.x before 15.1.8335, 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.863...
    Published: June 02, 2026; 10:17:14 AM -0400

    V3.1: 8.1 HIGH

  • CVE-2026-7198 - CWE-284: Improper Access Control in web services in Progress Sitefinity 15.4.8623 before 15.4.8630 allows a remote unauthenticated attacker to access content that should be restricted, resulting in full compromise of confidentiality, integrity, an...
    Published: June 02, 2026; 10:17:14 AM -0400

  • CVE-2026-7201 - CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote authenticated attacker to modify account properties of o...
    Published: June 02, 2026; 10:17:14 AM -0400

  • CVE-2026-48501 - GitHub CLI (gh) is GitHub’s official command line tool. Prior to 2.93.0, GitHub CLI incorrectly includes authorization header in API requests to TUF repository mirrors via gh attestation, gh release verify, and gh release verify-asset commands. Th...
    Published: May 29, 2026; 12:16:31 PM -0400

    V3.1: 9.1 CRITICAL

  • CVE-2026-40425 - The administrator account for the Danelec MacGregor Voyage Data Recorder web interface can directly edit sensitive files related to authentication, potentially changing the root password.
    Published: May 29, 2026; 3:16:23 PM -0400

    V3.1: 4.9 MEDIUM

  • CVE-2026-45286 - Nextcloud is an open source content collaboration platform. From versions 5.5.13 to before 5.5.17, and 6.2.0 to before 6.2.3, an authenticated user can enumerate users on the same Nextcloud instance by using the Calendar app's endpoint for suggest...
    Published: June 01, 2026; 3:16:50 PM -0400

  • CVE-2026-45285 - Nextcloud is an open source content collaboration platform. From versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, when a user shares a folder or file with a Nextcloud Team that includes an external member (a person added via email ad...
    Published: June 01, 2026; 3:16:50 PM -0400

  • CVE-2026-45284 - Nextcloud is an open source content collaboration platform. From version 1.3.6 to before version 8.4.0, an improper check allowed users that were provided by LDAP to still authenticate towards user OIDC after they were deleted. This issue has be...
    Published: June 01, 2026; 3:16:50 PM -0400

    V3.1: 8.8 HIGH

  • CVE-2026-37232 - An issue was discovered in OpenAirInterface5G 2.4.0 (nr-softmodem) in the E2SM-KPM RAN Function's PRB utilization metric calculation. The functions fill_RRU_PrbTotDl() and fill_RRU_PrbTotUl() in openair2/E2AP/RAN_FUNCTION/O-RAN/ran_func_kpm_subs.c...
    Published: June 01, 2026; 3:16:33 PM -0400

  • CVE-2026-30963 - Capsule is a multi-tenancy and policy-based framework for Kubernetes. To defend against namespace hijacking achieved through update/patch operations on namespaces, Capsule uses a webhook to validate update requests targeting namespaces. However, i...
    Published: June 01, 2026; 3:16:22 PM -0400

    V3.1: 2.7 LOW

  • CVE-2026-0072 - In addInputMethodListener of com.android.server.inputmethod.InputMethodManagerService, there is a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not ne...
    Published: June 01, 2026; 3:16:19 PM -0400

    V3.1: 7.8 HIGH

  • CVE-2026-45149 - The brace-expansion library generates arbitrary strings containing a common prefix and suffix. From 5.0.0 to before 5.0.6, the max option was being applied too late. When expanding a single large numeric range like {1..10000000}, the sequence gene...
    Published: May 29, 2026; 4:16:25 PM -0400

    V3.1: 7.5 HIGH

  • CVE-2026-37978 - A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role ...
    Published: May 19, 2026; 8:16:17 AM -0400

  • CVE-2026-9308 - Firefox for iOS Reader View replaced page content in its HTML template before replacing other internal placeholders. A malicious page could include a placeholder string that was later substituted with JSON-LD data, potentially resulting in arbitra...
    Published: June 01, 2026; 9:16:33 AM -0400

  • CVE-2026-9309 - Firefox for iOS Reader View did not properly escape HTML tags in JSON-LD metadata. A malicious page could inject markup that changed Reader View behavior and leaked sensitive URL parameters. These parameters could then be used to access internal p...
    Published: June 01, 2026; 9:16:33 AM -0400

  • CVE-2026-10270 - A vulnerability was detected in D-Link DI-7001 MINI up to 19.09.19A1. Impacted is the function sprintf of the file /httpd_debug.asp of the component API. The manipulation of the argument Time results in stack-based buffer overflow. The attack may ...
    Published: June 01, 2026; 1:16:43 PM -0400

    V3.1: 7.5 HIGH

  • CVE-2026-45247 - Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarm...
    Published: May 26, 2026; 11:16:39 AM -0400

  • CVE-2026-37981 - A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access (UMA) resource, to enumerate and harvest personally ide...
    Published: May 19, 2026; 8:16:18 AM -0400