NVD Dashboard


For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries CVSS Severity
  • CVE-2026-23808 - A vulnerability has been identified in a standardized wireless roaming protocol that could enable a malicious actor to install an attacker-controlled Group Temporal Key (GTK) on a client device. Successful exploitation of this vulnerability could ... read CVE-2026-23808
    Published: March 04, 2026; 12:16:18 PM -0500

    V3.1: 8.1 HIGH

  • CVE-2026-23809 - A technique has been identified that adapts a known port-stealing method to Wi-Fi environments that use multiple BSSIDs. By leveraging the relationship between BSSIDs and their associated virtual ports, an attacker could potentially bypass inter-B... read CVE-2026-23809
    Published: March 04, 2026; 12:16:18 PM -0500

    V3.1: 7.6 HIGH

  • CVE-2026-23810 - A vulnerability in the packet processing logic may allow an authenticated attacker to craft and transmit a malicious Wi-Fi frame that causes an Access Point (AP) to classify the frame as group-addressed traffic and re-encrypt it using the Group Te... read CVE-2026-23810
    Published: March 04, 2026; 12:16:19 PM -0500

    V3.1: 3.1 LOW

  • CVE-2026-23811 - A vulnerability in the client isolation mechanism may allow an attacker to bypass Layer 2 (L2) communication restrictions between clients and redirect traffic at Layer 3 (L3). In addition to bypassing policy enforcement, successful exploitation - ... read CVE-2026-23811
    Published: March 04, 2026; 12:16:19 PM -0500

    V3.1: 3.1 LOW

  • CVE-2026-23812 - A vulnerability has been identified where an attacker connecting to an access point as a standard wired or wireless client can impersonate a gateway by leveraging an address-based spoofing technique. Successful exploitation enables the redirection... read CVE-2026-23812
    Published: March 04, 2026; 12:16:19 PM -0500

    V3.1: 4.2 MEDIUM

  • CVE-2026-28436 - Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted image URL that results in XSS when the avatar is displayed, and it can be triggered for other users via website page comments. ... read CVE-2026-28436
    Published: March 05, 2026; 4:16:22 PM -0500

    V3.1: 7.2 HIGH

  • CVE-2026-29077 - Frappe is a full-stack web application framework. Prior to versions 15.98.0 and 14.100.0, due to a lack of validation when sharing documents, a user could share a document with a permission that they themselves didn't have. This issue has been pat... read CVE-2026-29077
    Published: March 05, 2026; 4:16:22 PM -0500

  • CVE-2025-48495 - Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. By renaming the friendly name of an API key, an authenticated user could inject JS into the API key overview, which would also be executed when another u... read CVE-2025-48495
    Published: June 02, 2025; 8:15:25 AM -0400

    V3.1: 5.4 MEDIUM

  • CVE-2025-48494 - Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. When using end-to-end encryption, a stored cross-site scripting vulnerability can be exploited by uploading a file with JavaScript code embedded in the f... read CVE-2025-48494
    Published: June 02, 2025; 7:15:22 AM -0400

    V3.1: 5.4 MEDIUM

  • CVE-2026-29084 - Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the login flow accepts credential-bearing requests without CSRF protection mechanisms tied to the browser session context. The ha... read CVE-2026-29084
    Published: March 06, 2026; 12:16:41 AM -0500

    V3.1: 4.6 MEDIUM

  • CVE-2026-28683 - Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, if a malicious authenticated user uploads SVG and creates a hotlink for it, they can achieve stored XSS. This issue has been patc... read CVE-2026-28683
    Published: March 06, 2026; 12:16:38 AM -0500

  • CVE-2026-29060 - Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a registered user without privileges to create or modify file requests is able to create a short-lived API key that has the permi... read CVE-2026-29060
    Published: March 06, 2026; 12:16:40 AM -0500

    V3.1: 5.0 MEDIUM

  • CVE-2026-28682 - Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the upload status SSE implementation on /uploadStatus publishes global upload state to any authenticated listener and includes fi... read CVE-2026-28682
    Published: March 06, 2026; 12:16:38 AM -0500

    V3.1: 6.4 MEDIUM

  • CVE-2026-29061 - Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a privilege escalation vulnerability in the user rank demotion logic allows a demoted user's existing API keys to retain ApiPermM... read CVE-2026-29061
    Published: March 06, 2026; 12:16:40 AM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2026-29081 - Frappe is a full-stack web application framework. Prior to versions 14.100.1 and 15.100.0, an endpoint was vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This i... read CVE-2026-29081
    Published: March 05, 2026; 4:16:22 PM -0500

    V3.1: 8.8 HIGH

  • CVE-2026-26033 - UPS Multi-UPS Management Console (MUMC) version 01.06.0001 (A03) contains an Unquoted Search Path or Element (CWE-428) vulnerability, which allows a user with write access to a directory on the system drive to execute arbitrary code with SYSTEM pr... read CVE-2026-26033
    Published: March 04, 2026; 10:15:54 PM -0500

  • CVE-2026-26034 - UPS Multi-UPS Management Console (MUMC) version 01.06.0001 (A03) contains an Incorrect Default Permissions (CWE-276) vulnerability that allows an attacker to execute arbitrary code with SYSTEM privileges by causing the application to load a specia... read CVE-2026-26034
    Published: March 04, 2026; 10:15:54 PM -0500

  • CVE-2026-29127 - The IDC SFX2100 Satellite Receiver sets overly permissive file system permissions on the monitor user's home directory. The directory is configured with permissions 0777, granting read, write, and execute access to all local users on the system, w... read CVE-2026-29127
    Published: March 04, 2026; 10:15:54 PM -0500

    V3.1: 7.8 HIGH

  • CVE-2026-23767 - ESC/POS, a printer control language designed by Seiko Epson Corporation, lacks mechanisms for user authentication and command authorization, does not provide controls to restrict sources or destinations of network communication, and transmits comm... read CVE-2026-23767
    Published: March 05, 2026; 1:16:22 AM -0500

  • CVE-2026-21786 - HCL Sametime for iOS is impacted by a sensitive information disclosure. Hostnames information is written in application logs and certain URLs.
    Published: March 05, 2026; 3:15:58 AM -0500