
NVD Dashboard

[Dashboard charts not captured: CVEs Received and Processed; CVE Status Count; CVSS Score Spread; CVSS V3 Score Distribution and CVSS V2 Score Distribution (columns: Severity, Number of Vulns)]


For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries, with CVSS Severity
  • CVE-2026-27727 - mchange-commons-java, a library that provides Java utilities, includes code that mirrors early implementations of JNDI functionality, including support for remote `factoryClassLocation` values, by which code can be downloaded and invoked within a ...
    Published: February 25, 2026; 12:25:39 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2026-27821 - GPAC is an open-source multimedia framework. In versions up to and including 26.02.0, a stack buffer overflow occurs during NHML file parsing in `src/filters/dmx_nhml.c`. The value of the xmlHeaderEnd XML attribute is copied from att->value into s...
    Published: February 25, 2026; 7:16:26 PM -0500

    V3.1: 7.8 HIGH

  • CVE-2026-27900 - The Terraform Provider for Linode versions prior to v3.9.0 logged sensitive information including some passwords, StackScript content, and object storage data in debug logs without redaction. Provider debug logging is not enabled by default. This ...
    Published: February 25, 2026; 9:16:20 PM -0500

    V3.1: 7.7 HIGH

  • CVE-2026-23949 - jaraco.context, an open-source software package that provides some useful decorators and context managers, has a Zip Slip path traversal vulnerability in the `jaraco.context.tarball()` function starting in version 5.2.0 and prior to version 6.1.0....
    Published: January 19, 2026; 8:15:57 PM -0500

  • CVE-2026-1427 - Single Sign-On Portal System developed by WellChoose has an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server.
    Published: January 26, 2026; 3:16:00 AM -0500

  • CVE-2026-1428 - Single Sign-On Portal System developed by WellChoose has an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server.
    Published: January 26, 2026; 4:15:47 AM -0500

    V3.1: 8.8 HIGH

  • CVE-2026-1429 - Single Sign-On Portal System developed by WellChoose has a Reflected Cross-site Scripting vulnerability, allowing authenticated remote attackers to execute arbitrary JavaScript codes in user's browser through phishing attacks.
    Published: January 26, 2026; 4:15:47 AM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2025-9520 - An IDOR vulnerability exists in Omada Controllers that allows an attacker with Administrator permissions to manipulate requests and potentially hijack the Owner account.
    Published: January 26, 2026; 3:16:08 PM -0500

    V3.1: 6.8 MEDIUM

  • CVE-2025-9521 - Password Confirmation Bypass vulnerability in Omada Controllers, allowing an attacker with a valid session token to bypass secondary verification, and change the user’s password without proper confirmation, leading to weakened account security.
    Published: January 26, 2026; 3:16:08 PM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2025-9522 - Blind Server-Side Request Forgery (SSRF) in Omada Controllers through webhook functionality, enabling crafted requests to internal services, which may lead to enumeration of information.
    Published: January 26, 2026; 3:16:09 PM -0500

    V3.1: 5.3 MEDIUM

  • CVE-2026-0918 - The Tapo C220 v1 and C520WS v2 cameras’ HTTP service does not safely handle POST requests containing an excessively large Content-Length header. The resulting failed memory allocation triggers a NULL pointer dereference, causing the main service p...
    Published: January 27, 2026; 1:15:54 PM -0500

    V3.1: 7.5 HIGH

  • CVE-2026-0919 - The HTTP parser of Tapo C220 v1 and C520WS v2 cameras improperly handles requests containing an excessively long URL path. An invalid‑URL error path continues into cleanup code that assumes allocated buffers exist, leading to a crash and service r...
    Published: January 27, 2026; 1:15:55 PM -0500

    V3.1: 7.5 HIGH

  • CVE-2026-1315 - By sending crafted files to the firmware update endpoint of Tapo C220 v1 and C520WS v2, the device terminates core system services before verifying authentication or firmware integrity. An unauthenticated attacker can trigger a persistent denial o...
    Published: January 27, 2026; 1:15:55 PM -0500

    V3.1: 7.5 HIGH

  • CVE-2026-29778 - pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the edit_package() function implements insufficient sanitization for the pack_folder parameter. The current protection relies on a si...
    Published: March 07, 2026; 11:15:54 AM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2026-29779 - UptimeFlare is a serverless uptime monitoring & status page solution, powered by Cloudflare Workers. Prior to commit 377a596, configuration file uptime.config.ts exports both pageConfig (safe for client use) and workerConfig (server-only, contains...
    Published: March 07, 2026; 11:15:54 AM -0500

  • CVE-2026-29780 - eml_parser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to version 2.0.1, the official example script examples/recursively_extract_attachments.py conta...
    Published: March 07, 2026; 11:15:55 AM -0500

  • CVE-2026-29781 - Sliver is a command and control framework that uses a custom Wireguard netstack. In versions from 1.7.3 and prior, a vulnerability exists in the Sliver C2 server's Protobuf unmarshalling logic due to a systemic lack of nil-pointer validation. By e...
    Published: March 07, 2026; 11:15:55 AM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2026-29786 - node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwr...
    Published: March 07, 2026; 11:15:55 AM -0500

    V3.1: 6.3 MEDIUM

  • CVE-2026-29787 - mcp-memory-service is an open-source memory backend for multi-agent systems. Prior to version 10.21.0, the /api/health/detailed endpoint returns detailed system information including OS version, Python version, CPU count, memory totals, disk usage...
    Published: March 07, 2026; 11:15:55 AM -0500

    V3.1: 5.3 MEDIUM

  • CVE-2026-30832 - Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.4, an authenticated SSH user can force the server to make HTTP requests to internal/private IP addresses by running repo import with a crafted...
    Published: March 07, 2026; 11:15:55 AM -0500