The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries, with CVSS Severity
  • CVE-2024-23193 - E-Mails exported as PDF were stored in a cache that did not consider specific session information for the related user account. Users of the same service node could access other users E-Mails in case they were exported as PDF for a brief moment un... read CVE-2024-23193
    Published: May 06, 2024; 3:15:07 AM -0400

  • CVE-2024-23186 - E-Mail containing malicious display-name information could trigger client-side script execution when using specific mobile devices. Attackers could perform malicious API requests or extract information from the users account. Please deploy the pro... read CVE-2024-23186
    Published: May 06, 2024; 3:15:06 AM -0400

    V3.1: 6.1 MEDIUM

  • CVE-2024-23187 - Content-ID based embedding of resources in E-Mails could be abused to trigger client-side script code when using the "show more" option. Attackers could perform malicious API requests or extract information from the users account. Exploiting the v... read CVE-2024-23187
    Published: May 06, 2024; 3:15:06 AM -0400

    V3.1: 6.1 MEDIUM

  • CVE-2024-13869 - The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_files' function in all versions up to, and including, 0.9.112. This makes i... read CVE-2024-13869
    Published: February 22, 2025; 8:15:10 AM -0500

  • CVE-2025-0918 - The SMTP for SendGrid – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attack... read CVE-2025-0918
    Published: February 22, 2025; 8:15:11 AM -0500

    V3.1: 6.1 MEDIUM

  • CVE-2025-0953 - The SMTP for Sendinblue – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated atta... read CVE-2025-0953
    Published: February 22, 2025; 8:15:11 AM -0500

    V3.1: 6.1 MEDIUM

  • CVE-2025-1853 - A vulnerability was found in Tenda AC8 16.03.34.06 and classified as critical. This issue affects the function sub_49E098 of the file /goform/SetIpMacBind of the component Parameter Handler. The manipulation of the argument list leads to stack-bas... read CVE-2025-1853
    Published: March 03, 2025; 1:15:21 AM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2025-1814 - A vulnerability, which was classified as critical, has been found in Tenda AC6 15.03.05.16. Affected by this issue is some unknown functionality of the file /goform/WifiExtraSet. The manipulation of the argument wpapsk_crypto leads to stack-based ... read CVE-2025-1814
    Published: March 02, 2025; 6:15:10 AM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2024-30232 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Exclusive Addons Exclusive Addons Elementor allows Stored XSS. This issue affects Exclusive Addons Elementor: from n/a through 2.6.9.
    Published: March 26, 2024; 8:15:50 AM -0400

    V3.1: 5.4 MEDIUM

  • CVE-2024-30177 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Exclusive Addons Exclusive Addons Elementor allows Stored XSS. This issue affects Exclusive Addons Elementor: from n/a through 2.6.8.
    Published: March 27, 2024; 7:15:47 AM -0400

    V3.1: 5.4 MEDIUM

  • CVE-2023-50961 - IBM QRadar SIEM 7.5 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trus... read CVE-2023-50961
    Published: March 27, 2024; 9:15:46 AM -0400

    V3.1: 5.4 MEDIUM

  • CVE-2024-27270 - IBM WebSphere Application Server Liberty 23.0.0.3 through 24.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in a specially crafted URI. IBM X-Force ID: 284576.
    Published: March 27, 2024; 9:15:47 AM -0400

    V3.1: 6.1 MEDIUM

  • CVE-2024-28784 - IBM QRadar SIEM 7.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted ses... read CVE-2024-28784
    Published: March 27, 2024; 9:15:47 AM -0400

  • CVE-2023-36679 - Server-Side Request Forgery (SSRF) vulnerability in Brainstorm Force Spectra. This issue affects Spectra: from n/a through 2.6.6.
    Published: March 28, 2024; 2:15:09 AM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2025-1889 - picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. An attacker could craft a malicious model that uses Pickle and include a malicious pickle file with a non-standard file extension. Bec... read CVE-2025-1889
    Published: March 03, 2025; 2:15:34 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2025-27500 - OpenZiti is a free and open source project focused on bringing zero trust to any application. An endpoint(/api/upload) on the admin panel can be accessed without any form of authentication. This endpoint accepts an HTTP POST to upload a file which... read CVE-2025-27500
    Published: March 03, 2025; 2:15:36 PM -0500

    V3.1: 6.1 MEDIUM

  • CVE-2025-27501 - OpenZiti is a free and open source project focused on bringing zero trust to any application. An endpoint on the admin panel can be accessed without any form of authentication. This endpoint accepts a user-supplied URL parameter to connect to an O... read CVE-2025-27501
    Published: March 03, 2025; 2:15:36 PM -0500

  • CVE-2025-1891 - A vulnerability was found in shishuocms 1.1 and classified as problematic. This issue affects some unknown processing. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to th... read CVE-2025-1891
    Published: March 03, 2025; 7:15:31 PM -0500

    V3.1: 8.8 HIGH

  • CVE-2025-1892 - A vulnerability was found in shishuocms 1.1. It has been classified as problematic. Affected is an unknown function of the file /manage/folder/add.json of the component Directory Deletion Page. The manipulation of the argument folderName leads to ... read CVE-2025-1892
    Published: March 03, 2025; 8:15:11 PM -0500

    V3.1: 4.8 MEDIUM

  • CVE-2025-21401 - Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
    Published: February 14, 2025; 7:15:27 PM -0500

Created September 20, 2022, Updated August 27, 2024