NVD Dashboard

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries CVSS Severity
  • CVE-2026-30967 - Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.9 and 8.6.22, the OAuth2 authentication adapter, when configured without the useridField option, only verifies that a tok... read CVE-2026-30967
    Published: March 10, 2026; 5:16:49 PM -0400

    V3.1: 8.8 HIGH

  • CVE-2026-30825 - hoppscotch is an open source API development ecosystem. Prior to version 2026.2.1, the DELETE /v1/access-tokens/revoke endpoint allows any authenticated user to delete any other user's PAT by providing its ID, with no ownership verification. This ... read CVE-2026-30825
    Published: March 07, 2026; 1:16:10 AM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2026-30827 - express-rate-limit is a basic rate-limiting middleware for Express. In versions starting from 8.0.0 and prior to versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0, the default keyGenerator in express-rate-limit applies IPv6 subnet masking (/56 by default) t... read CVE-2026-30827
    Published: March 07, 2026; 1:16:10 AM -0500

  • CVE-2026-30828 - Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, the url parameter can be used to retrieve local system files. This issue has been patched in version 4.6.2.
    Published: March 07, 2026; 1:16:10 AM -0500

    V3.1: 7.5 HIGH

  • CVE-2026-30829 - Checkmate is an open-source, self-hosted tool designed to track and monitor server hardware, uptime, response times, and incidents in real-time with beautiful visualizations. Prior to version 3.4.0, an unauthenticated information disclosure vulner... read CVE-2026-30829
    Published: March 07, 2026; 1:16:10 AM -0500

  • CVE-2026-30830 - Defuddle cleans up HTML pages. Prior to version 0.9.0, the _findContentBySchemaText method in src/defuddle.ts interpolates image src and alt attributes directly into an HTML string without escaping. An attacker can use a " in the alt attribute to ... read CVE-2026-30830
    Published: March 07, 2026; 1:16:11 AM -0500

    V3.1: 6.1 MEDIUM

  • CVE-2026-30839 - Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, testwebhooknotifications.php does not validate the target URL against private/reserved IP ranges, enabling full-read SSRF. The server response is return... read CVE-2026-30839
    Published: March 07, 2026; 1:16:11 AM -0500

    V3.1: 4.3 MEDIUM

  • CVE-2026-30972 - Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.10 and 8.6.23, Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request en... read CVE-2026-30972
    Published: March 10, 2026; 5:16:49 PM -0400

    V3.1: 7.5 HIGH

  • CVE-2026-3351 - Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated, restricted user to enumerate all certificate fingerprints trusted by the lxd server.
    Published: March 03, 2026; 8:16:21 AM -0500

    V3.1: 4.3 MEDIUM

  • CVE-2026-29121 - International Data Casting (IDC) SFX2100 satellite receiver comes with the `/sbin/ip` utility installed with the setuid bit set. This configuration grants elevated privileges to any local user who can execute the binary. A local actor is able to u... read CVE-2026-29121
    Published: March 04, 2026; 8:15:51 PM -0500

    V3.1: 7.8 HIGH

  • CVE-2026-29122 - International Data Casting (IDC) SFX2100 satellite receiver comes with the `/bin/date` utility installed with the setuid bit set. This configuration grants elevated privileges to any local user who can execute the binary. A local actor is able to ... read CVE-2026-29122
    Published: March 04, 2026; 9:16:51 PM -0500

    V3.1: 5.5 MEDIUM

  • CVE-2026-29123 - A SUID root-owned binary in /home/xd/terminal/XDTerminal in International Data Casting (IDC) SFX2100 on Linux allows a local actor to potentially perform local privilege escalation depending on conditions of the system via execution of the affecte... read CVE-2026-29123
    Published: March 04, 2026; 9:16:51 PM -0500

    V3.1: 7.8 HIGH

  • CVE-2026-29124 - Multiple SUID root-owned binaries are found in /home/monitor/terminal, /home/monitor/kore-terminal, /home/monitor/IDE-DPack/terminal-dpack, and /home/monitor/IDE-DPack/terminal-dpack2 in International Data Casting (IDC) SFX2100 Satellite Receiver,... read CVE-2026-29124
    Published: March 04, 2026; 9:16:51 PM -0500

    V3.1: 7.8 HIGH

  • CVE-2026-29125 - IDC SFX2100 Satellite Receivers set the `/etc/resolv.conf` file to be world-writable by any local user, allowing DNS resolver tampering that can redirect network communications, facilitate man-in-the-middle attacks, and cause denial of service.
    Published: March 04, 2026; 9:16:51 PM -0500

    V3.1: 4.7 MEDIUM

  • CVE-2026-29126 - Incorrect permission assignment (world-writable file) in /etc/udhcpc/default.script in International Data Casting (IDC) SFX2100 Satellite Receiver allows a local unprivileged attacker to potentially execute arbitrary commands with root privileges ... read CVE-2026-29126
    Published: March 04, 2026; 9:16:51 PM -0500

    V3.1: 7.8 HIGH

  • CVE-2026-30840 - Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, there is a server-side request forgery vulnerability in notification testers. This issue has been patched in version 4.6.2.
    Published: March 07, 2026; 1:16:11 AM -0500

  • CVE-2026-31800 - Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.12 and 8.6.25, the _GraphQLConfig and _Audience internal classes can be read, modified, and deleted via the generic /class... read CVE-2026-31800
    Published: March 10, 2026; 5:16:49 PM -0400

    V3.1: 9.1 CRITICAL

  • CVE-2025-41767 - A high-privileged remote attacker can fully compromise the device by abusing an update signature bypass vulnerability in the wwwupdate.cgi method in the web interface of UBR.
    Published: March 09, 2026; 5:16:01 AM -0400

    V3.1: 7.2 HIGH

  • CVE-2025-41766 - A low-privileged remote attacker can trigger a stack-based buffer overflow via a crafted HTTP POST request using the ubr-network method resulting in full device compromise.
    Published: March 09, 2026; 5:16:01 AM -0400

    V3.1: 8.8 HIGH

  • CVE-2025-41765 - Due to insufficient authorization enforcement, an unauthorized remote attacker can exploit the wwwupload.cgi endpoint to upload and apply arbitrary data. This includes, but is not limited to, contact images, HTTPS certificates, system backups for ... read CVE-2025-41765
    Published: March 09, 2026; 5:16:00 AM -0400

    V3.1: 9.1 CRITICAL