
NVD Dashboard

Dashboard charts (chart data not captured in this copy): CVEs Received and Processed; CVE Status Count; CVSS Score Spread; CVSS V3 Score Distribution (Severity / Number of Vulns); CVSS V2 Score Distribution (Severity / Number of Vulns).

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries (with CVSS Severity where assigned)
  • CVE-2026-29048 - HumHub is an Open Source Enterprise Social Network. In version 1.18.0, a cross-site scripting vulnerability was identified in the Button component of version 1.18.0. Due to inconsistent output encoding at several points within the software, malici...
    Published: March 06, 2026; 2:16:01 AM -0500

    V3.1: 6.1 MEDIUM

  • CVE-2026-28802 - Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an empty signature was passing the signature verificat...
    Published: March 06, 2026; 2:16:01 AM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2026-29076 - cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.37.0, cpp-httplib uses std::regex (libstdc++) to parse RFC 5987 encoded filename* values in multipart Content-Disposition headers. The regex engin...
    Published: March 07, 2026; 11:15:54 AM -0500

  • CVE-2025-65945 - auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Appli...
    Published: December 04, 2025; 2:16:05 PM -0500

  • CVE-2026-22850 - Koko Analytics is an open-source analytics plugin for WordPress. Versions prior to 2.1.3 are vulnerable to arbitrary SQL execution through unescaped analytics export/import and permissive admin SQL import. Unauthenticated visitors can submit arbit...
    Published: January 19, 2026; 12:15:50 PM -0500

  • CVE-2026-28350 - lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.4, the <base> tag passes through the default Cleaner configuration. While page_structure=True removes html, head, and title tags, th...
    Published: March 05, 2026; 3:16:16 PM -0500

  • CVE-2026-28348 - lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.4, the _has_sneaky_javascript() method strips backslashes before checking for dangerous CSS keywords. This causes CSS Unicode escape...
    Published: March 05, 2026; 3:16:16 PM -0500

  • CVE-2026-28222 - Wagtail is an open source content management system built on Django. Prior to versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, a stored cross-site scripting (XSS) vulnerability exists on rendering TableBlock blocks within a StreamField. A user with access...
    Published: March 05, 2026; 3:16:15 PM -0500

  • CVE-2026-28223 - Wagtail is an open source content management system built on Django. Prior to versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, a stored cross-site scripting (XSS) vulnerability exists on confirmation messages within the wagtail.contrib.simple_translation ...
    Published: March 05, 2026; 3:16:15 PM -0500

  • CVE-2026-2751 - Blind SQL Injection via unsanitized array keys in Service Dependencies deletion. Vulnerability in Centreon Centreon Web on Central Server on Linux (Service Dependencies modules) allows Blind SQL Injection. This issue affects Centreon Web on Central...
    Published: February 27, 2026; 9:16:30 AM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2026-27829 - Astro is a web framework. In versions 9.0.0 through 9.5.3, a bug in Astro's image pipeline allows bypassing `image.domains` / `image.remotePatterns` restrictions, enabling the server to fetch content from unauthorized remote hosts. Astro provides ...
    Published: February 25, 2026; 8:16:24 PM -0500

    V3.1: 7.2 HIGH

  • CVE-2025-59905 - Cross-Site Scripting (XSS) vulnerability reflected in Kubysoft, which occurs through multiple parameters within the endpoint '/node/kudaby/nodeFN/procedure'. This flaw allows the injection of arbitrary client-side scripts, which are immediately re...
    Published: February 16, 2026; 5:16:07 AM -0500

    V3.1: 6.1 MEDIUM

  • CVE-2025-59904 - Stored Cross-Site Scripting (XSS) vulnerability in Kubysoft, which is triggered through multiple parameters in the '/kForms/app' endpoint. This issue allows malicious scripts to be injected and executed persistently in the context of users accessi...
    Published: February 16, 2026; 5:16:07 AM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2026-28472 - OpenClaw versions prior to 2026.2.2 contain a vulnerability in the gateway WebSocket connect handshake in which it allows skipping device identity checks when auth.token is present but not validated. Attackers can connect to the gateway without pr...
    Published: March 05, 2026; 5:16:21 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2026-26018 - CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a denial of service vulnerability exists in CoreDNS's loop detection plugin that allows an attacker to crash the DNS server by sending specially crafted DNS queries. The vulnera...
    Published: March 06, 2026; 11:16:10 AM -0500

  • CVE-2026-26017 - CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a logical vulnerability in CoreDNS allows DNS access controls to be bypassed due to the default execution order of plugins. Security plugins such as acl are evaluated before the...
    Published: March 06, 2026; 11:16:10 AM -0500

    V3.1: 6.3 MEDIUM

  • CVE-2026-28469 - OpenClaw versions prior to 2026.2.14 contain a webhook routing vulnerability in the Google Chat monitor component that allows cross-account policy context misrouting when multiple webhook targets share the same HTTP path. Attackers can exploit fir...
    Published: March 05, 2026; 5:16:20 PM -0500

    V3.1: 7.5 HIGH

  • CVE-2026-28395 - OpenClaw version 2026.1.14-1 prior to 2026.2.12 contains an improper network binding vulnerability in the Chrome extension (must be installed and enabled) relay server that treats wildcard hosts as loopback addresses, allowing the relay HTTP/WS ser...
    Published: March 05, 2026; 5:16:16 PM -0500

    V3.1: 9.1 CRITICAL

  • CVE-2026-28394 - OpenClaw versions prior to 2026.2.15 contain a denial of service vulnerability in the web_fetch tool that allows attackers to crash the Gateway process through memory exhaustion by parsing oversized or deeply nested HTML responses. Remote attacker...
    Published: March 05, 2026; 5:16:15 PM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2026-28288 - Dify is an open-source LLM app development platform. Prior to 1.9.0, responses from the Dify API to existing and non-existent accounts differ, allowing an attacker to enumerate email addresses registered with Dify. Version 1.9.0 fixes the issue.
    Published: February 27, 2026; 4:16:18 PM -0500

    V3.1: 5.3 MEDIUM