NVD Dashboard

Dashboard panels (chart data not captured): CVEs Received and Processed; CVE Status Count; CVSS Score Spread; CVSS V3 Score Distribution (Severity, Number of Vulns); CVSS V2 Score Distribution (Severity, Number of Vulns).

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries, with CVSS Severity
  • CVE-2026-28485 - OpenClaw versions 2026.1.5 prior to 2026.2.12 fail to enforce mandatory authentication on the /agent/act browser-control HTTP route, allowing unauthorized local callers to invoke privileged operations. Remote attackers on the local network or loca...
    Published: March 05, 2026; 5:16:23 PM -0500

    V3.1: 7.8 HIGH

  • CVE-2026-28486 - OpenClaw versions 2026.1.16-2 prior to 2026.2.14 contain a path traversal vulnerability in archive extraction during installation commands that allows arbitrary file writes outside the intended directory. Attackers can craft malicious archives tha...
    Published: March 05, 2026; 5:16:23 PM -0500

    V3.1: 5.5 MEDIUM

  • CVE-2026-29606 - OpenClaw versions prior to 2026.2.14 contain a webhook signature-verification bypass in the voice-call extension that allows unauthenticated requests when the tunnel.allowNgrokFreeTierLoopbackBypass option is explicitly enabled. An external attack...
    Published: March 05, 2026; 5:16:23 PM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2026-29609 - OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the fetchWithGuard function that allocates entire response payloads in memory before enforcing maxBytes limits. Remote attackers can trigger memory exhaustion by ser...
    Published: March 05, 2026; 5:16:24 PM -0500

  • CVE-2026-29610 - OpenClaw versions prior to 2026.2.14 contain a command hijacking vulnerability that allows attackers to execute unintended binaries by manipulating PATH environment variables through node-host execution or project-local bootstrapping. Attackers wi...
    Published: March 05, 2026; 5:16:24 PM -0500

    V3.1: 8.8 HIGH

  • CVE-2026-29611 - OpenClaw versions prior to 2026.2.14 contain a local file inclusion vulnerability in BlueBubbles extension (must be installed and enabled) media path handling that allows attackers to read arbitrary files from the local filesystem. The sendBlueBub...
    Published: March 05, 2026; 5:16:24 PM -0500

    V3.1: 7.5 HIGH

  • CVE-2026-29612 - OpenClaw versions prior to 2026.2.14 decode base64-backed media inputs into buffers before enforcing decoded-size budget limits, allowing attackers to trigger large memory allocations. Remote attackers can supply oversized base64 payloads to cause...
    Published: March 05, 2026; 5:16:24 PM -0500

    V3.1: 7.5 HIGH

  • CVE-2026-29613 - OpenClaw versions prior to 2026.2.12 contain a vulnerability in the BlueBubbles (optional plugin) webhook handler in which it authenticates requests based solely on loopback remoteAddress without validating forwarding headers, allowing bypass of c...
    Published: March 05, 2026; 5:16:24 PM -0500

    V3.1: 5.9 MEDIUM

  • CVE-2018-25199 - OOP CMS BLOG 1.0 contains SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through multiple parameters. Attackers can inject SQL commands via the search parameter in se...
    Published: March 06, 2026; 8:16:03 AM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2018-25200 - OOP CMS BLOG 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative user accounts by crafting malicious POST requests. Attackers can submit forms to the addUser.php endpoint with para...
    Published: March 06, 2026; 8:16:03 AM -0500

    V3.1: 8.8 HIGH

  • CVE-2026-29064 - Zarf is an Airgap Native Packager Manager for Kubernetes. From version 0.54.0 to before version 0.73.1, a path traversal vulnerability in archive extraction allows a specifically crafted Zarf package to create symlinks pointing outside the destina...
    Published: March 06, 2026; 12:16:34 PM -0500

  • CVE-2026-29075 - Mesa is an open-source Python library for agent-based modeling, simulating complex systems and exploring emergent behaviors. In version 3.5.0 and prior, checking out of untrusted code in benchmarks.yml workflow may lead to code execution in privil...
    Published: March 06, 2026; 12:16:34 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2026-29082 - Kestra is an event-driven orchestration platform. In versions from 1.1.10 and prior, Kestra’s execution-file preview renders user-supplied Markdown (.md) with markdown-it instantiated as html:true and injects the resulting HTML with Vue’s v-html w...
    Published: March 06, 2026; 12:16:34 PM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2025-69644 - An issue was discovered in Binutils before 2.46. The objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed debug information. A logic flaw in the handling of DWARF location list headers can cause objdum...
    Published: March 06, 2026; 1:16:16 PM -0500

  • CVE-2026-3665 - A vulnerability was identified in xlnt-community xlnt up to 1.6.1. The affected element is the function xlnt::detail::xlsx_consumer::read_office_document of the file source/detail/serialization/xlsx_consumer.cpp of the component XLSX File Parser. ...
    Published: March 07, 2026; 11:15:56 AM -0500

    V3.1: 5.5 MEDIUM

  • CVE-2026-3662 - A vulnerability has been found in Wavlink WL-NU516U1 240425. This vulnerability affects the function usb_p910 of the file /cgi-bin/adm.cgi. Such manipulation of the argument Pr_mode leads to command injection. It is possible to launch the attack r...
    Published: March 07, 2026; 9:16:06 AM -0500

    V3.1: 7.2 HIGH

  • CVE-2025-69651 - GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an invalid pointer free when processing a crafted ELF binary with malformed relocation or symbol data. If dump_relocations returns early due to parsing errors, the internal all_...
    Published: March 06, 2026; 1:16:16 PM -0500

    V3.1: 5.5 MEDIUM

  • CVE-2026-3664 - A vulnerability was determined in xlnt-community xlnt up to 1.6.1. Impacted is the function xlnt::detail::compound_document::read_directory of the file source/detail/cryptography/compound_document.cpp of the component Encrypted XLSX File Parser. E...
    Published: March 07, 2026; 10:15:56 AM -0500

    V3.1: 5.5 MEDIUM

  • CVE-2026-3663 - A vulnerability was found in xlnt-community xlnt up to 1.6.1. This issue affects the function xlnt::detail::compound_document_istreambuf::xsgetn of the file source/detail/cryptography/compound_document.cpp of the component XLSX File Parser. Perfor...
    Published: March 07, 2026; 10:15:56 AM -0500

    V3.1: 7.1 HIGH

  • CVE-2026-3463 - A weakness has been identified in xlnt-community xlnt up to 1.6.1. Impacted is the function xlnt::detail::binary_writer::append of the file source/detail/binary.hpp of the component Compound Document Parser. This manipulation causes heap-based buf...
    Published: March 03, 2026; 7:16:06 AM -0500

    V3.1: 7.8 HIGH