NVD Dashboard

CVEs Received and Processed


CVE Status Count


CVSS Score Spread


CVSS V3 Score Distribution

Severity Number of Vulns

CVSS V2 Score Distribution

Severity Number of Vulns


For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries CVSS Severity
  • CVE-2026-1963 - A vulnerability was found in WeKan up to 8.20. This affects an unknown function of the file models/attachments.js of the component Attachment Storage. The manipulation results in improper access controls. The attack may be launched remotely. Upgra... read CVE-2026-1963
    Published: February 05, 2026; 4:15:53 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2026-26996 - minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildca... read CVE-2026-26996
    Published: February 19, 2026; 10:16:01 PM -0500

    V3.1: 7.5 HIGH

  • CVE-2025-14009 - A critical vulnerability exists in the NLTK downloader component of nltk/nltk, affecting all versions. The _unzip_iter function in nltk/downloader.py uses zipfile.extractall() without performing path validation or security checks. This allows atta... read CVE-2025-14009
    Published: February 18, 2026; 1:24:19 PM -0500

  • CVE-2026-24105 - An issue was discovered in goform/formsetUsbUnload in Tenda AC15V1.0 V15.03.05.18_multi. The value of `v1` was not checked, potentially leading to a command injection vulnerability if injected into doSystemCmd.
    Published: March 02, 2026; 12:16:32 PM -0500

  • CVE-2025-70252 - An issue was discovered in /goform/WifiWpsStart in Tenda AC6V2.0 V15.03.06.23_multi. The index and mode are controllable. If the conditions are met to sprintf, they will be spliced into tmp. It is worth noting that there is no size check, which lea... read CVE-2025-70252
    Published: March 02, 2026; 12:16:28 PM -0500

    V3.1: 7.5 HIGH

  • CVE-2026-28268 - Vikunja is an open-source self-hosted task management platform. Versions prior to 2.1.0 have a business logic vulnerability in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a... read CVE-2026-28268
    Published: February 27, 2026; 4:16:18 PM -0500

  • CVE-2019-25491 - Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the catid parameter. Attackers can send GET requests to the admin/cms_getpagetitle.php endpoint... read CVE-2019-25491
    Published: February 27, 2026; 1:16:04 PM -0500

    V3.1: 7.5 HIGH

  • CVE-2019-25493 - Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'val' parameter. Attackers can send GET requests to the admin/getrecord.php endpoint with m... read CVE-2019-25493
    Published: February 27, 2026; 1:16:04 PM -0500

    V3.1: 7.5 HIGH

  • CVE-2019-25492 - Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'pt' parameter. Attackers can send GET requests to the admin/getcmsdata.php endpoint with m... read CVE-2019-25492
    Published: February 27, 2026; 1:16:04 PM -0500

    V3.1: 7.5 HIGH

  • CVE-2019-25490 - Homey BNB V4 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'id' parameter. Attackers can send GET requests to the admin/edit.php endpoint with time-bas... read CVE-2019-25490
    Published: February 27, 2026; 1:16:04 PM -0500

    V3.1: 7.5 HIGH

  • CVE-2019-25489 - Homey BNB V4 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the hosting_id parameter. Attackers can send GET requests to the rooms/ajax_refresh_subtotal end... read CVE-2019-25489
    Published: February 27, 2026; 1:16:03 PM -0500

    V3.1: 9.1 CRITICAL

  • CVE-2019-25498 - Simple Job Script contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the landing_location parameter. Attackers can send POST requests to the searched endpoint ... read CVE-2019-25498
    Published: March 04, 2026; 1:16:08 PM -0500

    V3.1: 8.2 HIGH

  • CVE-2019-25499 - Simple Job Script contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the job_id parameter. Attackers can send POST requests to get_job_applications_ajax.php wi... read CVE-2019-25499
    Published: March 04, 2026; 1:16:08 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2019-25500 - Simple Job Script contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the employerid parameter. Attackers can send POST requests to the register-recruiters endp... read CVE-2019-25500
    Published: March 04, 2026; 1:16:08 PM -0500

    V3.1: 8.2 HIGH

  • CVE-2026-26377 - Cross Site Scripting vulnerability in Koha 25.11 and before allows a remote attacker to execute arbitrary code via the News function.
    Published: March 05, 2026; 11:16:16 AM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2025-11143 - The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in security by-pass. For example a component that enforces ... read CVE-2025-11143
    Published: March 05, 2026; 5:15:54 AM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2026-3431 - On SimStudio version below to 0.5.74, the MongoDB tool endpoints accept arbitrary connection parameters from the caller without authentication or host restrictions. An attacker can leverage these endpoints to connect to any reachable MongoDB insta... read CVE-2026-3431
    Published: March 02, 2026; 8:16:05 AM -0500

  • CVE-2026-3432 - On SimStudio version below to 0.5.74, the `/api/auth/oauth/token` endpoint contains a code path that bypasses all authorization checks when provided with `credentialAccountUserId` and `providerId` parameters. An unauthenticated attacker can retrie... read CVE-2026-3432
    Published: March 02, 2026; 8:16:05 AM -0500

    V3.1: 9.1 CRITICAL

  • CVE-2025-66597 - A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. This product supports weak cryptographic algorithms, potentially allowing an attacker to decrypt communications with the web server. The affected product... read CVE-2025-66597
    Published: February 09, 2026; 12:16:24 AM -0500

    V3.1: 7.5 HIGH

  • CVE-2025-66596 - A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. This product does not properly validate request headers. When an attacker inserts an invalid host header, users could be redirected to malicious sites. T... read CVE-2025-66596
    Published: February 09, 2026; 12:16:23 AM -0500

    V3.1: 6.1 MEDIUM