NVD Dashboard

Dashboard panels (chart data not present on this page): CVEs Received and Processed; CVE Status Count; CVSS Score Spread; CVSS V3 Score Distribution (Severity, Number of Vulns); CVSS V2 Score Distribution (Severity, Number of Vulns).


For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries CVSS Severity
  • CVE-2026-24892 - openITCOCKPIT is an open source monitoring tool built for different monitoring engines like Nagios, Naemon and Prometheus. openITCOCKPIT Community Edition 5.3.1 and earlier contains an unsafe PHP deserialization pattern in the processing of change... read CVE-2026-24892
    Published: February 20, 2026; 4:19:27 PM -0500

    V3.1: 8.8 HIGH

  • CVE-2026-27942 - fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. Prior to version 5.3.8, the application crashes with stack overflow when user use XML builder with `pr... read CVE-2026-27942
    Published: February 25, 2026; 9:16:22 PM -0500

    V3.1: 7.5 HIGH

  • CVE-2026-25896 - fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3 to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during en... read CVE-2026-25896
    Published: February 20, 2026; 4:19:27 PM -0500

  • CVE-2026-26974 - Slyde is a program that creates animated presentations from XML. In versions 0.0.4 and below, Node.js automatically imports **/*.plugin.{js,mjs} files including those from node_modules, so any malicious package with a .plugin.js file can execute a... read CVE-2026-26974
    Published: February 19, 2026; 8:16:00 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2025-14577 - Slican NCP/IPL/IPM/IPU devices are vulnerable to PHP Function Injection. An unauthenticated remote attacker is able to execute arbitrary PHP commands by sending specially crafted requests to /webcti/session_ajax.php endpoint. This issue was fixe... read CVE-2025-14577
    Published: February 24, 2026; 9:16:21 AM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2026-1618 - Authentication Bypass Using an Alternate Path or Channel vulnerability in Universal Software Inc. FlexCity/Kiosk allows Privilege Escalation. This issue affects FlexCity/Kiosk: from 1.0 before 1.0.36.
    Published: February 13, 2026; 9:16:09 AM -0500

    V3.1: 8.8 HIGH

  • CVE-2026-1619 - Authorization Bypass Through User-Controlled Key vulnerability in Universal Software Inc. FlexCity/Kiosk allows Exploitation of Trusted Identifiers. This issue affects FlexCity/Kiosk: from 1.0 before 1.0.36.
    Published: February 13, 2026; 9:16:10 AM -0500

    V3.1: 8.3 HIGH

  • CVE-2025-14349 - Privilege Defined With Unsafe Actions, Missing Authentication for Critical Function vulnerability in Universal Software Inc. FlexCity/Kiosk allows Accessing Functionality Not Properly Constrained by ACLs, Privilege Escalation. This issue affects Fl... read CVE-2025-14349
    Published: February 13, 2026; 9:16:09 AM -0500

    V3.1: 8.8 HIGH

  • CVE-2026-27190 - Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.6.8, a command injection vulnerability exists in Deno's node:child_process implementation. This vulnerability is fixed in 2.6.8.
    Published: February 20, 2026; 4:19:28 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2026-27120 - Leafkit is a templating language with Swift-inspired syntax. Prior to 1.4.1, htmlEscaped in leaf-kit will only escape html special characters if the extended grapheme clusters match, which allows bypassing escaping by using an extended grapheme cl... read CVE-2026-27120
    Published: February 20, 2026; 5:16:29 PM -0500

  • CVE-2026-23597 - Vulnerabilities in the API error handling of an HPE Aruba Networking 5G Core server API could allow an unauthenticated remote attacker to obtain sensitive information. Successful exploitation could allow an attacker to access details such as user... read CVE-2026-23597
    Published: February 17, 2026; 4:22:16 PM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2026-27168 - SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. All versions are vulnerable to Heap-based Buffer Overflow through the XWD parser's use of the bytes_per_line value. The value os... read CVE-2026-27168
    Published: February 20, 2026; 7:16:16 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2025-64999 - Improper neutralization of input in Checkmk versions 2.4.0 before 2.4.0p22, and 2.3.0 before 2.3.0p43 allows an attacker that can manipulate a host's check output to inject malicious JavaScript into the Synthetic Monitoring HTML logs, which can th... read CVE-2025-64999
    Published: February 26, 2026; 6:16:02 AM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2026-3054 - A vulnerability was identified in Alinto SOGo 5.12.3/5.12.4. This impacts an unknown function. The manipulation of the argument hint leads to cross site scripting. The attack can be initiated remotely. The exploit is publicly available and might b... read CVE-2026-3054
    Published: February 23, 2026; 10:16:02 PM -0500

    V3.1: 6.1 MEDIUM

  • CVE-2026-26369 - eNet SMART HOME server 2.2.1 and 2.3.1 contains a privilege escalation vulnerability due to insufficient authorization checks in the setUserGroup JSON-RPC method. A low-privileged user (UG_USER) can send a crafted POST request to /jsonrpc/manageme... read CVE-2026-26369
    Published: February 15, 2026; 11:15:54 AM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2026-26368 - eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the resetUserPassword JSON-RPC method that allows any authenticated low-privileged user (UG_USER) to reset the password of arbitrary accounts, including those... read CVE-2026-26368
    Published: February 15, 2026; 11:15:54 AM -0500

    V3.1: 8.8 HIGH

  • CVE-2026-23595 - An authentication bypass in the application API allows an unauthorized administrative account to be created. A remote attacker could exploit this vulnerability to create privileged user accounts. Successful exploitation could allow an attacker to ... read CVE-2026-23595
    Published: February 17, 2026; 4:22:15 PM -0500

  • CVE-2026-23596 - A vulnerability in the management API of the affected product could allow an unauthenticated remote attacker to trigger service restarts. Successful exploitation could allow an attacker to disrupt services and negatively impact system availability.
    Published: February 17, 2026; 4:22:15 PM -0500

  • CVE-2026-23598 - Vulnerabilities in the API error handling of an HPE Aruba Networking 5G Core server API could allow an unauthenticated remote attacker to obtain sensitive information. Successful exploitation could allow an attacker to access details such as user... read CVE-2026-23598
    Published: February 17, 2026; 4:22:16 PM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2024-55928 - Xerox Workplace Suite exposes sensitive secrets in clear text, both locally and remotely. This vulnerability allows attackers to intercept or access secrets without encryption
    Published: January 23, 2025; 1:15:32 PM -0500

    V3.1: 7.5 HIGH