NVD Dashboard

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries CVSS Severity
  • CVE-2021-47779 - Dolibarr ERP-CRM 14.0.2 contains a stored cross-site scripting vulnerability in the ticket creation module that allows low-privilege users to inject malicious scripts. Attackers can craft a specially designed ticket message with embedded JavaScrip...
    Published: January 15, 2026; 7:16:20 PM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2026-1048 - A weakness has been identified in LigeroSmart up to 6.1.26. Impacted is an unknown function of the file /otrs/index.pl?Action=AgentTicketZoom. This manipulation of the argument TicketID causes cross site scripting. It is possible to initiate the a...
    Published: January 17, 2026; 12:15:48 PM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2026-1049 - A security vulnerability has been detected in LigeroSmart up to 6.1.26. The affected element is an unknown function of the file /otrs/index.pl. Such manipulation of the argument TicketID leads to cross site scripting. It is possible to launch the ...
    Published: January 17, 2026; 1:15:48 PM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2026-1066 - A vulnerability was detected in kalcaddle kodbox up to 1.61.10. This issue affects some unknown processing of the file /?explorer/index/zip of the component Compression Handler. The manipulation results in command injection. The attack may be laun...
    Published: January 17, 2026; 4:15:49 PM -0500

    V3.1: 8.8 HIGH

  • CVE-2026-1106 - A security flaw has been discovered in Chamilo LMS up to 2.0.0 Beta 1. This issue affects the function deleteLegal of the file src/CoreBundle/Controller/SocialController.php of the component Legal Consent Handler. Performing a manipulation of the ...
    Published: January 17, 2026; 8:15:51 PM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2026-1107 - A weakness has been identified in EyouCMS up to 1.7.1/5.0. Impacted is the function check_userinfo of the file Diyajax.php of the component Member Avatar Handler. Executing a manipulation of the argument viewfile can lead to unrestricted upload. T...
    Published: January 17, 2026; 8:15:51 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2025-15438 - A vulnerability was determined in PluXml up to 5.8.22. Affected is the function FileCookieJar::__destruct of the file core/admin/medias.php of the component Media Management Module. Executing a manipulation of the argument File can lead to deseria...
    Published: January 02, 2026; 10:15:59 AM -0500

    V3.1: 7.2 HIGH

  • CVE-2025-15437 - A vulnerability was found in LigeroSmart up to 6.1.24. This affects an unknown part of the component Environment Variable Handler. Performing a manipulation of the argument REQUEST_URI results in cross site scripting. The attack may be initiated r...
    Published: January 02, 2026; 4:15:42 AM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2025-14262 - A wrong permission check in KNIME Business Hub before version 1.17.0 allowed an authenticated user to save jobs of other users as if there were saved by the job owner. The attacker must have permissions to access the jobs but then they were saved ...
    Published: December 08, 2025; 5:16:01 AM -0500

    V3.1: 4.3 MEDIUM

  • CVE-2025-53786 - On April 18th 2025, Microsoft announced Exchange Server Security Changes for Hybrid Deployments and accompanying non-security Hot Fix. Microsoft made these changes in the general interest of improving the security of hybrid Exchange deployments. F...
    Published: August 06, 2025; 12:15:30 PM -0400

  • CVE-2024-34193 - smanga 3.2.7 does not filter the file parameter at the PHP/get file flow.php interface, resulting in a path traversal vulnerability that can cause arbitrary file reading.
    Published: May 20, 2024; 2:15:10 PM -0400

  • CVE-2026-21725 - A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so. This requires several very stringent conditions to be met: - The attacker must have admin access ...
    Published: February 25, 2026; 8:16:05 AM -0500

    V3.1: 2.0 LOW

  • CVE-2026-0704 - In affected version of Octopus Deploy it was possible to remove files and/or contents of files on the host using an API endpoint. The field lacked validation which could potentially result in ways to circumvent expected workflows.
    Published: February 25, 2026; 8:16:04 AM -0500

    V3.1: 9.1 CRITICAL

  • CVE-2026-26104 - A flaw was found in the udisks storage management daemon that allows unprivileged users to back up LUKS encryption headers without authorization. The issue occurs because a privileged D-Bus method responsible for exporting encryption metadata does...
    Published: February 25, 2026; 6:16:03 AM -0500

    V3.1: 5.5 MEDIUM

  • CVE-2026-26103 - A flaw was found in the udisks storage management daemon that exposes a privileged D-Bus API for restoring LUKS encryption headers without proper authorization checks. The issue allows a local unprivileged user to instruct the root-owned udisks da...
    Published: February 25, 2026; 6:16:02 AM -0500

    V3.1: 7.1 HIGH

  • CVE-2025-5781 - Information Exposure Vulnerability in Hitachi Ops Center API Configuration Manager, Hitachi Configuration Manager, Hitachi Device Manager allows Session Hijacking. This issue affects Hitachi Ops Center API Configuration Manager: from 10.0.0-00 befo...
    Published: February 24, 2026; 10:16:04 PM -0500

    V3.1: 5.2 MEDIUM

  • CVE-2026-25891 - Fiber is an Express inspired web framework written in Go. A Path Traversal (CWE-22) vulnerability in Fiber allows a remote attacker to bypass the static middleware sanitizer and read arbitrary files on the server file system on Windows. This affec...
    Published: February 24, 2026; 5:16:31 PM -0500

    V3.1: 7.5 HIGH

  • CVE-2026-25882 - Fiber is an Express inspired web framework written in Go. A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerabili...
    Published: February 24, 2026; 4:16:29 PM -0500

    V3.1: 7.5 HIGH

  • CVE-2026-22553 - All versions of InSAT MasterSCADA BUK-TS are susceptible to OS command injection through a field in its MMadmServ web interface. Malicious users that use the vulnerable endpoint are potentially able to cause remote code execution.
    Published: February 24, 2026; 4:16:28 PM -0500

  • CVE-2026-21410 - InSAT MasterSCADA BUK-TS is susceptible to SQL Injection through its main web interface. Malicious users that use the vulnerable endpoint are potentially able to cause remote code execution.
    Published: February 24, 2026; 4:16:25 PM -0500