NVD Dashboard
CVEs Received and Processed
NVD Contains
| CVE Vulnerabilities | 337582 |
| Checklists | 872 |
| US-CERT Alerts | 249 |
| US-CERT Vuln Notes | 4486 |
| OVAL Queries | 0 |
| CPE Names | 1616869 |
[Charts: CVSS V3 Score Distribution; CVSS V2 Score Distribution (Severity vs. Number of Vulns)]
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
- CVE-2026-30959 - OneUptime is a solution for monitoring and managing online services. The resend-verification-code endpoint allows any authenticated user to trigger a verification code resend for any UserWhatsApp record by ID. Ownership is not validated (unlike th...
  Published: March 10, 2026; 2:18:55 PM -0400
  V3.1: 5.0 MEDIUM
- CVE-2026-29771 - Netmaker makes networks with WireGuard. Prior to version 1.2.0, the /api/server/shutdown endpoint allows termination of the Netmaker server process via syscall.SIGINT. This allows any user to repeatedly shut down the server, causing cyclic denial ...
  Published: March 07, 2026; 11:15:54 AM -0500
  V3.1: 6.5 MEDIUM
- CVE-2026-3483 - An exposed dangerous method in Ivanti DSM before version 2026.1.1 allows a local authenticated attacker to escalate their privileges.
  Published: March 10, 2026; 2:19:01 PM -0400
- CVE-2026-29195 - Netmaker makes networks with WireGuard. Prior to version 1.5.0, the user update handler (PUT /api/users/{username}) lacks validation to prevent an admin-role user from assigning the super-admin role during account updates. While the code correctly...
  Published: March 07, 2026; 12:15:51 PM -0500
  V3.1: 6.5 MEDIUM
- CVE-2026-1695 - An XSS vulnerability affects the OAuth web services used by the WebVue, WebScheduler, TouchVue and SnapVue features of PcVue in version 12.0.0 through 16.3.3 included. It might allow a remote attacker to trick a legitimate user into loading conten...
  Published: February 26, 2026; 3:16:19 AM -0500
  V3.1: 6.1 MEDIUM
- CVE-2026-30921 - OneUptime is a solution for monitoring and managing online services. Prior to 10.0.20, OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the oneuptime-probe service. In the current...
  Published: March 10, 2026; 1:40:16 PM -0400
- CVE-2026-29196 - Netmaker makes networks with WireGuard. Prior to version 1.5.0, a user assigned the platform-user role can retrieve WireGuard private keys of all wireguard configs in a network by calling GET /api/extclients/{network} or GET /api/nodes/{network}. ...
  Published: March 07, 2026; 12:15:52 PM -0500
  V3.1: 4.3 MEDIUM
- CVE-2026-30920 - OneUptime is a solution for monitoring and managing online services. Prior to 10.0.19, OneUptime's GitHub App callback trusts attacker-controlled state and installation_id values and updates Project.gitHubAppInstallationId with isRoot: true withou...
  Published: March 10, 2026; 1:40:16 PM -0400
- CVE-2026-30887 - OneUptime is a solution for monitoring and managing online services. Prior to 10.0.18, OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites. However, the system executes this untrusted u...
  Published: March 10, 2026; 1:40:14 PM -0400
- CVE-2026-27275 - Substance3D - Stager versions 3.1.7 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a v...
  Published: March 10, 2026; 3:17:19 PM -0400
  V3.1: 7.8 HIGH
- CVE-2026-27269 - Premiere Pro versions 25.5 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to ex...
  Published: March 10, 2026; 3:17:18 PM -0400
  V3.1: 7.8 HIGH
- CVE-2023-41974 - A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 17 and iPadOS 17, iOS 15.8.7 and iPadOS 15.8.7. An app may be able to execute arbitrary code with kernel privileges.
  Published: January 10, 2024; 5:15:49 PM -0500
  V3.1: 7.8 HIGH
- CVE-2023-43000 - A use-after-free issue was addressed with improved memory management. This issue is fixed in macOS Ventura 13.5, iOS 16.6 and iPadOS 16.6, Safari 16.6, iOS 15.8.7 and iPadOS 15.8.7. Processing maliciously crafted web content may lead to memory cor...
  Published: November 05, 2025; 2:15:47 PM -0500
  V3.1: 8.8 HIGH
- CVE-2024-23222 - A type confusion issue was addressed with improved checks. This issue is fixed in iOS 17.3 and iPadOS 17.3, macOS Sonoma 14.3, tvOS 17.3, iOS 16.7.5 and iPadOS 16.7.5, iOS 15.8.7 and iPadOS 15.8.7. Processing maliciously crafted web content may le...
  Published: January 22, 2024; 8:15:11 PM -0500
  V3.1: 8.8 HIGH
- CVE-2026-28442 - ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, users are restricted from deleting internal system files or folders through the application interface. However, when interacting...
  Published: March 05, 2026; 4:16:22 PM -0500
- CVE-2026-27727 - mchange-commons-java, a library that provides Java utilities, includes code that mirrors early implementations of JNDI functionality, including support for remote `factoryClassLocation` values, by which code can be downloaded and invoked within a ...
  Published: February 25, 2026; 12:25:39 PM -0500
  V3.1: 9.8 CRITICAL
- CVE-2026-27821 - GPAC is an open-source multimedia framework. In versions up to and including 26.02.0, a stack buffer overflow occurs during NHML file parsing in `src/filters/dmx_nhml.c`. The value of the xmlHeaderEnd XML attribute is copied from att->value into s...
  Published: February 25, 2026; 7:16:26 PM -0500
  V3.1: 7.8 HIGH
- CVE-2026-27900 - The Terraform Provider for Linode versions prior to v3.9.0 logged sensitive information including some passwords, StackScript content, and object storage data in debug logs without redaction. Provider debug logging is not enabled by default. This ...
  Published: February 25, 2026; 9:16:20 PM -0500
  V3.1: 7.7 HIGH
- CVE-2026-23949 - jaraco.context, an open-source software package that provides some useful decorators and context managers, has a Zip Slip path traversal vulnerability in the `jaraco.context.tarball()` function starting in version 5.2.0 and prior to version 6.1.0....
  Published: January 19, 2026; 8:15:57 PM -0500
- CVE-2026-1427 - Single Sign-On Portal System developed by WellChoose has an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server.
  Published: January 26, 2026; 3:16:00 AM -0500