NVD Dashboard
CVEs Received and Processed
NVD Contains
| CVE Vulnerabilities | 351737 |
| Checklists | 883 |
| US-CERT Alerts | 249 |
| US-CERT Vuln Notes | 4486 |
| OVAL Queries | 0 |
| CPE Names | 1711897 |
[Chart: CVSS V3 Score Distribution (Severity vs. Number of Vulns)]
[Chart: CVSS V2 Score Distribution (Severity vs. Number of Vulns)]
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
- CVE-2025-3406 - A vulnerability was found in Nothings stb up to f056911. It has been classified as problematic. Affected is the function stbhw_build_tileset_from_image of the component Header Array Handler. The manipulation of the argument w leads to out-of-bound...
  Published: April 08, 2025; 12:15:31 AM -0400
  V3.1: 6.5 MEDIUM
- CVE-2025-3408 - A vulnerability was found in Nothings stb up to f056911. It has been rated as critical. Affected by this issue is the function stb_dupreplace. The manipulation leads to integer overflow. The attack may be launched remotely. Continuous delivery wit...
  Published: April 08, 2025; 12:15:32 AM -0400
  V3.1: 8.8 HIGH
- CVE-2025-3407 - A vulnerability was found in Nothings stb up to f056911. It has been declared as critical. Affected by this vulnerability is the function stbhw_build_tileset_from_image. The manipulation of the argument h_count/v_count leads to out-of-bounds read....
  Published: April 08, 2025; 12:15:31 AM -0400
  V3.1: 8.8 HIGH
- CVE-2025-3409 - A vulnerability classified as critical has been found in Nothings stb up to f056911. This affects the function stb_include_string. The manipulation of the argument path_to_includes leads to stack-based buffer overflow. It is possible to initiate t...
  Published: April 08, 2025; 1:15:40 AM -0400
  V3.1: 8.8 HIGH
- CVE-2026-4342 - A security issue was discovered in ingress-nginx where a combination of Ingress annotations can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of...
  Published: March 19, 2026; 6:16:43 PM -0400
  V3.1: 8.8 HIGH
- CVE-2026-24352 - PluXml CMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated...
  Published: February 27, 2026; 7:16:03 AM -0500
  V3.1: 9.8 CRITICAL
- CVE-2026-24351 - PluXml CMS is vulnerable to Stored XSS in Static Pages editing functionality. Attacker with editing privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. The vendor was notified early...
  Published: February 27, 2026; 7:16:03 AM -0500
  V3.1: 5.4 MEDIUM
- CVE-2026-31435 - In the Linux kernel, the following vulnerability has been resolved: netfs: Fix read abandonment during retry Under certain circumstances, all the remaining subrequests from a read request will get abandoned during retry. The abandonment process...
  Published: April 22, 2026; 10:16:36 AM -0400
- CVE-2026-31436 - In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc() At the end of this function, d is the traversal cursor of flist, but the code completes found ins...
  Published: April 22, 2026; 10:16:36 AM -0400
- CVE-2026-31437 - In the Linux kernel, the following vulnerability has been resolved: netfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry When a write subrequest is marked NETFS_SREQ_NEED_RETRY, the retry path in netfs_unbuffered_write() unco...
  Published: April 22, 2026; 10:16:36 AM -0400
  V3.1: 5.5 MEDIUM
- CVE-2026-31438 - In the Linux kernel, the following vulnerability has been resolved: netfs: Fix kernel BUG in netfs_limit_iter() for ITER_KVEC iterators When a process crashes and the kernel writes a core dump to a 9P filesystem, __kernel_write() creates an ITER...
  Published: April 22, 2026; 10:16:37 AM -0400
  V3.1: 5.5 MEDIUM
- CVE-2026-31439 - In the Linux kernel, the following vulnerability has been resolved: dmaengine: xilinx: xdma: Fix regmap init error handling devm_regmap_init_mmio returns an ERR_PTR() upon error, not NULL. Fix the error check and also fix the error message. Use ...
  Published: April 22, 2026; 10:16:37 AM -0400
  V3.1: 5.5 MEDIUM
- CVE-2026-3960 - A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to insufficient security controls in the parameter blacklist mechan...
  Published: April 23, 2026; 6:16:17 AM -0400
  V3.1: 9.8 CRITICAL
- CVE-2026-8757 - A vulnerability was found in adenhq hive up to 0.11.0. This affects the function _read_events_tail of the file core/framework/server/routes_sessions.py of the component Delete Request Handler. Performing a manipulation results in path traversal. T...
  Published: May 17, 2026; 10:16:21 AM -0400
  V3.1: 9.1 CRITICAL
- CVE-2026-8765 - A vulnerability was detected in Kilo-Org kilocode up to 7.0.47. This vulnerability affects the function Bun.file of the file packages/opencode/src/kilocode/review/worktree-diff.ts of the component File Diff API Endpoint. Performing a manipulation ...
  Published: May 17, 2026; 7:17:02 PM -0400
  V3.1: 6.5 MEDIUM
- CVE-2026-8766 - A flaw has been found in Kilo-Org kilocode up to 7.0.47. This issue affects the function Load of the file packages/opencode/src/config/config.ts of the component Environment Variable Handler. Executing a manipulation of the argument KILO_CONFIG_CO...
  Published: May 17, 2026; 7:17:02 PM -0400
  V3.1: 6.5 MEDIUM
- CVE-2026-25244 - WebdriverIO is a test automation framework for unit, e2e and component testing using WebDriver, WebDriver BiDi and Appium. Versions below 9.24.0 contain a command injection vulnerability leading to remote code execution (RCE) in test orchestration...
  Published: May 18, 2026; 5:16:39 PM -0400
- CVE-2026-42844 - Grav is a file-based Web platform. In Grav 2.0.0-beta.2, a low-privileged authenticated API user with api.media.write can abuse /api/v1/blueprint-upload to write an arbitrary YAML file into user/accounts/, then log in as the newly created account ...
  Published: May 12, 2026; 6:16:34 PM -0400
  V3.1: 8.8 HIGH
- CVE-2026-42290 - protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbts invoked JSDoc by building a shell command string from input file paths and executing it through child_process.exec. File paths containing shell metacharacter...
  Published: May 13, 2026; 12:16:47 PM -0400
  V3.1: 7.8 HIGH
- CVE-2026-44288 - protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs includes a minimal UTF-8 decoder that accepted overlong UTF-8 byte sequences and decoded them to their canonical characters instead of re...
  Published: May 13, 2026; 12:16:55 PM -0400