NVD Dashboard
CVEs Received and Processed
NVD Contains
| Item | Count |
|---|---|
| CVE Vulnerabilities | 338335 |
| Checklists | 873 |
| US-CERT Alerts | 249 |
| US-CERT Vuln Notes | 4486 |
| OVAL Queries | 0 |
| CPE Names | 1624790 |
CVSS V3 Score Distribution (chart: Severity vs. Number of Vulns; data not captured)
CVSS V2 Score Distribution (chart: Severity vs. Number of Vulns; data not captured)
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
- CVE-2026-28343 - CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. Prior to version 47.6.0, a cross-site scripting (XSS) vulnerability has been discovered in the General HTML Support feature. This vulnerability could be triggered by inse...
  Published: March 05, 2026; 3:16:16 PM -0500; CVSS V3.1: 6.1 MEDIUM
- CVE-2026-22723 - Inappropriate user token revocation due to a logic error in the token revocation endpoint implementation in Cloudfoundry UAA v77.30.0 to v78.7.0 and in Cloudfoundry Deployment v48.7.0 to v54.10.0.
  Published: March 05, 2026; 4:16:14 PM -0500
- CVE-2026-28413 - Products.isurlinportal is a replacement for isURLInPortal method in Plone. Prior to versions 2.1.0, 3.1.0, and 4.0.0, a url /login?came_from=////evil.example may redirect to an external website after login. This issue has been patched in versions ...
  Published: March 05, 2026; 4:16:22 PM -0500; CVSS V3.1: 6.1 MEDIUM
- CVE-2026-21622 - Insufficient Session Expiration vulnerability in hexpm hexpm/hexpm ('Elixir.Hexpm.Accounts.PasswordReset' module) allows Account Takeover. Password reset tokens generated via the "Reset your password" flow do not expire. When a user requests a pa...
  Published: March 05, 2026; 5:16:12 PM -0500; CVSS V3.1: 9.8 CRITICAL
- CVE-2026-32594 - Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.40 and 9.6.0-alpha.14, the GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chai...
  Published: March 16, 2026; 10:19:38 AM -0400; CVSS V3.1: 7.3 HIGH
- CVE-2026-28477 - OpenClaw versions prior to 2026.2.14 contain an oauth state validation bypass vulnerability in the manual Chutes login flow that allows attackers to bypass CSRF protection. An attacker can convince a user to paste attacker-controlled OAuth callbac...
  Published: March 05, 2026; 5:16:22 PM -0500; CVSS V3.1: 7.1 HIGH
- CVE-2026-28478 - OpenClaw versions prior to 2026.2.13 contain a denial of service vulnerability in webhook handlers that buffer request bodies without strict byte or time limits. Remote unauthenticated attackers can send oversized JSON payloads or slow uploads to ...
  Published: March 05, 2026; 5:16:22 PM -0500; CVSS V3.1: 7.5 HIGH
- CVE-2026-28479 - OpenClaw versions prior to 2026.2.15 use SHA-1 to hash sandbox identifier cache keys for Docker and browser sandbox configurations, which is deprecated and vulnerable to collision attacks. An attacker can exploit SHA-1 collisions to cause cache po...
  Published: March 05, 2026; 5:16:22 PM -0500; CVSS V3.1: 9.1 CRITICAL
- CVE-2026-32262 - Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, the AssetsController->replaceFile() method has a targetFilename body parameter that is used unsani...
  Published: March 16, 2026; 4:16:19 PM -0400; CVSS V3.1: 4.3 MEDIUM
- CVE-2026-32263 - Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.11, in src/controllers/EntryTypesController.php, the $settings array from parse_str is passed directly to Craft::configure() without Component::cleanseConfig(...
  Published: March 16, 2026; 4:16:19 PM -0400; CVSS V3.1: 7.2 HIGH
- CVE-2026-32264 - Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, there is a Behavior injection RCE vulnerability in ElementIndexesController and FieldsController. ...
  Published: March 16, 2026; 4:16:19 PM -0400; CVSS V3.1: 7.2 HIGH
- CVE-2026-28480 - OpenClaw versions prior to 2026.2.14 contain an authorization bypass vulnerability where Telegram allowlist matching accepts mutable usernames instead of immutable numeric sender IDs. Attackers can spoof identity by obtaining recycled usernames to...
  Published: March 05, 2026; 5:16:22 PM -0500; CVSS V3.1: 6.5 MEDIUM
- CVE-2026-32267 - Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-privilege user (or an unauthenticated user who has been sent a shared URL) can escalate thei...
  Published: March 16, 2026; 4:16:19 PM -0400; CVSS V3.1: 9.8 CRITICAL
- CVE-2026-28481 - OpenClaw versions 2026.1.30 and earlier contain an information disclosure vulnerability, patched in 2026.2.1, in the MS Teams attachment downloader (optional extension must be enabled) that leaks bearer tokens to allowlisted suffix domains. When ...
  Published: March 05, 2026; 5:16:22 PM -0500; CVSS V3.1: 7.5 HIGH
- CVE-2026-28779 - Apache Airflow versions 3.1.0 through 3.1.7 session token (_token) in cookies is set to path=/ regardless of the configured [webserver] base_url or [api] base_url. This allows any application co-hosted under the same domain to capture valid Airflo...
  Published: March 17, 2026; 7:16:11 AM -0400
- CVE-2026-28563 - Apache Airflow versions 3.1.0 through 3.1.7 /ui/dependencies endpoint returns the full DAG dependency graph without filtering by authorized DAG IDs. This allows an authenticated user with only DAG Dependencies permission to enumerate DAGs they are...
  Published: March 17, 2026; 7:16:11 AM -0400; CVSS V3.1: 4.3 MEDIUM
- CVE-2026-30911 - Apache Airflow versions 3.1.0 through 3.1.7 missing authorization vulnerability in the Execution API's Human-in-the-Loop (HITL) endpoints that allows any authenticated task instance to read, approve, or reject HITL workflows belonging to any other...
  Published: March 17, 2026; 7:16:11 AM -0400
- CVE-2021-47254 - In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix use-after-free in gfs2_glock_shrink_scan The GLF_LRU flag is checked under lru_lock in gfs2_glock_remove_from_lru() to remove the glock from the lru list in __gfs2_glo...
  Published: May 21, 2024; 11:15:14 AM -0400; CVSS V3.1: 7.8 HIGH
- CVE-2024-42079 - In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix NULL pointer dereference in gfs2_log_flush In gfs2_jindex_free(), set sdp->sd_jdesc to NULL under the log flush lock to provide exclusion against gfs2_log_flush(). In...
  Published: July 29, 2024; 12:15:07 PM -0400; CVSS V3.1: 5.5 MEDIUM
- CVE-2023-52658 - In the Linux kernel, the following vulnerability has been resolved: Revert "net/mlx5: Block entering switchdev mode with ns inconsistency" This reverts commit 662404b24a4c4d839839ed25e3097571f5938b9b. The revert is required due to the suspicion ...
  Published: May 17, 2024; 8:15:09 AM -0400; CVSS V3.1: 5.5 MEDIUM