NVD Dashboard

[Dashboard charts, no data captured: CVEs Received and Processed; CVE Status Count; CVSS Score Spread; CVSS V3 Score Distribution and CVSS V2 Score Distribution (columns: Severity, Number of Vulns)]


For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries CVSS Severity
  • CVE-2026-1691 - A vulnerability has been found in bolo-solo up to 2.6.4. This impacts the function importMarkdownsSync of the file src/main/java/org/b3log/solo/bolo/prop/BackupService.java of the component SnakeYAML. Such manipulation leads to deserialization. Th... read CVE-2026-1691
    Published: January 30, 2026; 12:16:14 PM -0500

    V3.1: 8.8 HIGH

  • CVE-2025-12679 - A vulnerability in Brocade SANnav before 2.4.0b prints the Password-Based Encryption (PBE) key in plaintext in the system audit log file. The vulnerability could allow a remote authenticated attacker with access to the audit logs to access the ... read CVE-2025-12679
    Published: February 02, 2026; 6:15:58 PM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2025-12680 - Brocade SANnav before Brocade SANnav 2.4.0b logs database passwords in clear text in the standby SANnav server, after disaster recovery failover. The vulnerability could allow a remote authenticated attacker with admin privilege able to access th... read CVE-2025-12680
    Published: February 02, 2026; 6:15:58 PM -0500

    V3.1: 4.9 MEDIUM

  • CVE-2025-66480 - Wildfire IM is an instant messaging and real-time audio/video solution. Prior to 1.4.3, a critical vulnerability exists in the im-server component related to the file upload functionality found in com.xiaoleilu.loServer.action.UploadFileAction. Th... read CVE-2025-66480
    Published: February 02, 2026; 6:16:00 PM -0500

  • CVE-2025-12773 - A vulnerability in update-reports-purge-settings.sh script logging for Brocade SANnav before 2.4.0a could allow the collection of SANnav database password in the system audit logs. The vulnerability could allow a remote authenticated attacker with... read CVE-2025-12773
    Published: February 02, 2026; 8:15:57 PM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2025-12774 - A vulnerability in the migration script for Brocade SANnav before 3.0 could allow the collection of database sql queries in the SANnav support save file. An attacker with access to Brocade SANnav supportsave file, could open the file and then obt... read CVE-2025-12774
    Published: February 02, 2026; 9:16:06 PM -0500

    V3.1: 7.5 HIGH

  • CVE-2026-1810 - A vulnerability was detected in bolo-blog bolo-solo up to 2.6.4. The impacted element is the function unpackFilteredZip of the file src/main/java/org/b3log/solo/bolo/prop/BackupService.java of the component ZIP File Handler. Performing a manipulat... read CVE-2026-1810
    Published: February 03, 2026; 4:16:12 PM -0500

    V3.1: 8.8 HIGH

  • CVE-2026-27838 - wger is a free, open-source workout and fitness manager. Five routine detail action endpoints check a cache before calling `self.get_object()`. In versions up to and including 2.4, cache keys are scoped only by `pk` — no user ID is included. When a... read CVE-2026-27838
    Published: February 26, 2026; 6:16:34 PM -0500

    V3.1: 3.5 LOW

  • CVE-2026-27839 - wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, three `nutritional_values` action endpoints fetch objects via `Model.objects.get(pk=pk)` — a raw ORM call that bypasses the user-scoped queryset. Any aut... read CVE-2026-27839
    Published: February 26, 2026; 6:16:35 PM -0500

  • CVE-2026-28207 - Zen C is a systems programming language that compiles to human-readable GNU C/C11. Prior to version 0.4.2, a command injection vulnerability (CWE-78) in the Zen C compiler allows local attackers to execute arbitrary shell commands by providing a s... read CVE-2026-28207
    Published: February 26, 2026; 6:16:35 PM -0500

    V3.1: 7.3 HIGH

  • CVE-2026-28226 - Phishing Club is a phishing simulation and man-in-the-middle framework. Prior to version 1.30.2, an authenticated SQL injection vulnerability exists in the GetOrphaned recipient listing endpoint in versions prior to v1.30.2. The endpoint construct... read CVE-2026-28226
    Published: February 26, 2026; 6:16:36 PM -0500

  • CVE-2026-3263 - A vulnerability was found in go2ismail Asp.Net-Core-Inventory-Order-Management-System up to 9.20250118. Affected by this vulnerability is an unknown functionality of the file /api/Security/ of the component Security API. Performing a manipulation ... read CVE-2026-3263
    Published: February 26, 2026; 5:20:52 PM -0500

    V3.1: 8.8 HIGH

  • CVE-2026-3262 - A vulnerability has been found in go2ismail Asp.Net-Core-Inventory-Order-Management-System up to 9.20250118. Affected is an unknown function of the component Administrative Interface. Such manipulation leads to execution after redirect. The attack... read CVE-2026-3262
    Published: February 26, 2026; 5:20:51 PM -0500

    V3.1: 8.8 HIGH

  • CVE-2025-11165 - A sandbox escape vulnerability exists in dotCMS’s Velocity scripting engine (VTools) that allows authenticated users with scripting privileges to bypass class and package restrictions enforced by SecureUberspectorImpl. By dynamically modifying th... read CVE-2025-11165
    Published: February 24, 2026; 4:16:12 AM -0500

    V3.1: 9.9 CRITICAL

  • CVE-2024-1524 - When the "Silent Just-In-Time Provisioning" feature is enabled for a federated identity provider (IDP) there is a risk that a local user store user's information may be replaced during the account provisioning process in cases where federated use... read CVE-2024-1524
    Published: February 24, 2026; 4:16:11 AM -0500

    V3.1: 8.1 HIGH

  • CVE-2026-1229 - The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The ... read CVE-2026-1229
    Published: February 24, 2026; 3:16:28 AM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2026-24314 - Under certain conditions SAP S/4HANA (Manage Payment Media) allows an authenticated attacker to access information which would otherwise be restricted. This could cause low impact on confidentiality of the application while integrity and availabil... read CVE-2026-24314
    Published: February 24, 2026; 1:16:35 AM -0500

    V3.1: 4.3 MEDIUM

  • CVE-2026-3025 - A flaw has been found in ShuoRen Smart Heating Integrated Management Platform 1.0.0. Affected by this vulnerability is an unknown functionality of the file /MP/Service/Webservice/ExampleNodeService.asmx. Executing a manipulation of the argument Fi... read CVE-2026-3025
    Published: February 23, 2026; 4:19:12 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2026-2945 - A weakness has been identified in JeecgBoot 3.9.0. Affected by this vulnerability is an unknown functionality of the file /sys/common/uploadImgByHttp. Executing a manipulation of the argument fileUrl can lead to server-side request forgery. The at... read CVE-2026-2945
    Published: February 22, 2026; 8:16:12 AM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2019-25329 - FTP Navigator 8.03 contains a denial of service vulnerability that allows attackers to crash the application by overwriting Structured Exception Handler (SEH) with malicious input. Attackers can generate a payload of 4108 'A' characters followed b... read CVE-2019-25329
    Published: February 12, 2026; 6:16:05 PM -0500

    V3.1: 7.5 HIGH