
NVD Dashboard

Dashboard charts (rendered interactively on the live page, not reproduced here): CVEs Received and Processed; CVE Status Count; CVSS Score Spread; CVSS V3 Score Distribution (Severity / Number of Vulns); CVSS V2 Score Distribution (Severity / Number of Vulns).


For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries (with CVSS Severity)
  • CVE-2026-3054 - A vulnerability was identified in Alinto SOGo 5.12.3/5.12.4. This impacts an unknown function. The manipulation of the argument hint leads to cross site scripting. The attack can be initiated remotely. The exploit is publicly available and might b... read CVE-2026-3054
    Published: February 23, 2026; 10:16:02 PM -0500

    V3.1: 6.1 MEDIUM

  • CVE-2026-26369 - eNet SMART HOME server 2.2.1 and 2.3.1 contains a privilege escalation vulnerability due to insufficient authorization checks in the setUserGroup JSON-RPC method. A low-privileged user (UG_USER) can send a crafted POST request to /jsonrpc/manageme... read CVE-2026-26369
    Published: February 15, 2026; 11:15:54 AM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2026-26368 - eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the resetUserPassword JSON-RPC method that allows any authenticated low-privileged user (UG_USER) to reset the password of arbitrary accounts, including those... read CVE-2026-26368
    Published: February 15, 2026; 11:15:54 AM -0500

    V3.1: 8.8 HIGH

  • CVE-2026-23595 - An authentication bypass in the application API allows an unauthorized administrative account to be created. A remote attacker could exploit this vulnerability to create privileged user accounts. Successful exploitation could allow an attacker to ... read CVE-2026-23595
    Published: February 17, 2026; 4:22:15 PM -0500

  • CVE-2026-23596 - A vulnerability in the management API of the affected product could allow an unauthenticated remote attacker to trigger service restarts. Successful exploitation could allow an attacker to disrupt services and negatively impact system availability.
    Published: February 17, 2026; 4:22:15 PM -0500

  • CVE-2026-23598 - Vulnerabilities in the API error handling of an HPE Aruba Networking 5G Core server API could allow an unauthenticated remote attacker to obtain sensitive information. Successful exploitation could allow an attacker to access details such as user... read CVE-2026-23598
    Published: February 17, 2026; 4:22:16 PM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2026-23597 - Vulnerabilities in the API error handling of an HPE Aruba Networking 5G Core server API could allow an unauthenticated remote attacker to obtain sensitive information. Successful exploitation could allow an attacker to access details such as user... read CVE-2026-23597
    Published: February 17, 2026; 4:22:16 PM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2024-55928 - Xerox Workplace Suite exposes sensitive secrets in clear text, both locally and remotely. This vulnerability allows attackers to intercept or access secrets without encryption
    Published: January 23, 2025; 1:15:32 PM -0500

    V3.1: 7.5 HIGH

  • CVE-2024-55927 - A vulnerability in Xerox Workplace Suite arises from flawed token generation and the use of hard-coded keys. These weaknesses allow attackers to predict or forge tokens, leading to unauthorized access to sensitive functions.
    Published: January 23, 2025; 1:15:31 PM -0500

    V3.1: 7.5 HIGH

  • CVE-2024-55926 - A vulnerability found in Xerox Workplace Suite allows arbitrary file read, upload, and deletion on the server through crafted header manipulation. By exploiting improper validation of headers, attackers can gain unauthorized access to data
    Published: January 23, 2025; 1:15:31 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2024-55925 - In Xerox Workplace Suite, an API restricted to specific hosts can be bypassed by manipulating the Host header. If the server improperly validates or trusts the Host header without verifying the actual destination, an attacker can forge a value to ... read CVE-2024-55925
    Published: January 23, 2025; 12:15:15 PM -0500

  • CVE-2026-28213 - EverShop is a TypeScript-first eCommerce platform. Versions prior to 2.1.1 have a vulnerability in the "Forgot Password" functionality. When specifying a target email address, the API response returns the password reset token. This allows an attac... read CVE-2026-28213
    Published: February 26, 2026; 6:16:35 PM -0500

  • CVE-2026-28279 - osctrl is an osquery management solution. Prior to version 0.5.0, an OS command injection vulnerability exists in the `osctrl-admin` environment configuration. An authenticated administrator can inject arbitrary shell commands via the hostname par... read CVE-2026-28279
    Published: February 26, 2026; 6:16:37 PM -0500

    V3.1: 8.4 HIGH

  • CVE-2026-28280 - osctrl is an osquery management solution. Prior to version 0.5.0, a stored cross-site scripting (XSS) vulnerability exists in the `osctrl-admin` on-demand query list. A user with query-level permissions can inject arbitrary JavaScript via the quer... read CVE-2026-28280
    Published: February 26, 2026; 6:16:37 PM -0500

    V3.1: 8.7 HIGH

  • CVE-2026-3037 - An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by modifying malicious input injected into the MBird SMS service URL and/or cod... read CVE-2026-3037
    Published: February 26, 2026; 9:16:20 PM -0500

    V3.1: 8.8 HIGH

  • CVE-2025-11950 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in KNOWHY Advanced Technology Trading Ltd. Co. EduAsist allows Reflected XSS. This issue affects EduAsist: through 27022026. NOTE: The vendor... read CVE-2025-11950
    Published: February 27, 2026; 8:16:01 AM -0500

    V3.1: 6.1 MEDIUM

  • CVE-2025-11252 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Signum Technology Promotion and Training Inc. Windesk.Fm allows SQL Injection. This issue affects windesk.Fm: through 27022026. NOTE: The vendor ... read CVE-2025-11252
    Published: February 27, 2026; 8:16:01 AM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2026-1725 - GitLab has remediated an issue in GitLab CE/EE affecting versions from 18.9 before 18.9.1 that could have under certain conditions, allowed an unauthenticated user to cause denial of service by sending specially crafted requests to a CI jobs API e... read CVE-2026-1725
    Published: February 25, 2026; 4:16:36 PM -0500

    V3.1: 7.5 HIGH

  • CVE-2026-1747 - GitLab has remediated an issue in GitLab EE affecting all versions from 17.11 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that, under certain conditions, could have allowed Developer-role users with insufficient privileges to make un... read CVE-2026-1747
    Published: February 25, 2026; 4:16:36 PM -0500

  • CVE-2026-2845 - An issue has been discovered in GitLab CE/EE affecting all versions from 11.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an authenticated user to cause denial of service by exploiting a Bitbucket Server impor... read CVE-2026-2845
    Published: February 25, 2026; 4:16:44 PM -0500