The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries (with published date and CVSS severity)
  • CVE-2025-46331 - OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.10 to v1.3.6 (Helm chart <= openfga-0.2.28, docker <= v.1.8.10) are vulnerable to authorization bypass wh... read CVE-2025-46331
    Published: April 30, 2025; 3:15:55 PM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2024-56323 - OpenFGA is an authorization/permission engine. OpenFGA v1.3.8 to v1.8.2 (Helm chart openfga-0.1.38 to openfga-0.2.19, docker v1.3.8 to v.1.8.2) are vulnerable to authorization bypass under the following conditions: 1. calling Check API or List... read CVE-2024-56323
    Published: January 13, 2025; 5:15:14 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2025-66947 - SQL injection vulnerability in krishanmuraiji SMS v.1.0, within the /studentms/admin/edit-class-detail.php via the editid GET parameter. An attacker can trigger controlled delays using SQL SLEEP() to infer database contents. Successful exploitatio... read CVE-2025-66947
    Published: December 26, 2025; 10:15:47 AM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2024-55488 - A stored cross-site scripting (XSS) vulnerability in Umbraco CMS v14.3.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. NOTE: This has been disputed by the vendor since this potential attack is only possible via a... read CVE-2024-55488
    Published: January 22, 2025; 11:15:29 AM -0500

  • CVE-2025-24964 - Vitest is a testing framework powered by Vite. Affected versions are subject to arbitrary remote code execution when accessing a malicious website while the Vitest API server is listening, by cross-site WebSocket hijacking (CSWSH) attacks. When `api` o... read CVE-2025-24964
    Published: February 04, 2025; 3:15:50 PM -0500

    V3.1: 8.8 HIGH

  • CVE-2025-24963 - Vitest is a testing framework powered by Vite. The `__screenshot-error` handler on the browser mode HTTP server responds with any file on the file system. Especially if the server is exposed on the network by `browser.api.host: true`, an attacker ... read CVE-2025-24963
    Published: February 04, 2025; 3:15:50 PM -0500

    V3.1: 7.5 HIGH

  • CVE-2025-24786 - WhoDB is an open source database management tool. While the application only displays Sqlite3 databases present in the directory `/db`, there is no path traversal prevention in place. This allows an unauthenticated attacker to open any Sqlite3 dat... read CVE-2025-24786
    Published: February 06, 2025; 2:15:20 PM -0500

    V3.1: 9.1 CRITICAL

  • CVE-2025-24787 - WhoDB is an open source database management tool. In affected versions the application is vulnerable to parameter injection in database connection strings, which allows an attacker to read local files on the machine the application is running on. ... read CVE-2025-24787
    Published: February 06, 2025; 2:15:20 PM -0500

    V3.1: 7.5 HIGH

  • CVE-2025-25196 - OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA < v1.8.4 (Helm chart < openfga-0.2.22, docker < v.1.8.4) are vulnerable to authorization bypass when certain C... read CVE-2025-25196
    Published: February 19, 2025; 4:15:15 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2025-63206 - An authentication bypass issue was discovered in Dasan Switch DS2924 web based interface, firmware versions 1.01.18 and 1.02.00, allowing attackers to gain escalated privileges via storing crafted cookies in the web browser.
    Published: November 19, 2025; 1:15:48 PM -0500

  • CVE-2025-63878 - GitHub Restaurant Website Restoran v1.0 was discovered to contain a SQL injection vulnerability via the Contact Form page.
    Published: November 19, 2025; 11:15:49 AM -0500

  • CVE-2025-56499 - Incorrect access control in mihomo v1.19.11 allows authenticated attackers with low-level privileges to read arbitrary files with elevated privileges via obtaining the external control key from the config file.
    Published: November 18, 2025; 2:15:49 PM -0500

  • CVE-2025-35029 - Medical Informatics Engineering Enterprise Health has a stored cross site scripting vulnerability that allows an authenticated attacker to add arbitrary content in the 'Demographic Information' page. This content will be rendered and executed when... read CVE-2025-35029
    Published: November 20, 2025; 3:16:22 PM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2025-64751 - OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.4.0 to v1.11.0 ( openfga-0.1.34 <= Helm chart <= openfga-0.2.48, v.1.4.0 <= docker <= v.1.11.0) are vulnera... read CVE-2025-64751
    Published: November 20, 2025; 9:15:43 PM -0500

    V3.1: 8.8 HIGH

  • CVE-2025-65111 - SpiceDB is an open source database system for creating and managing security-critical application permissions. Prior to version 1.47.1, if a schema includes the following characteristics: permission defined in terms of a union (+) and that union r... read CVE-2025-65111
    Published: November 21, 2025; 5:16:33 PM -0500

    V3.1: 5.3 MEDIUM

  • CVE-2016-15048 - AMTT Hotel Broadband Operation System (HiBOS) contains an unauthenticated command injection vulnerability in the /manager/radius/server_ping.php endpoint. The application constructs a shell command that includes the user-supplied ip parameter and ... read CVE-2016-15048
    Published: October 22, 2025; 11:15:30 AM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2025-53420 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VibeThemes WPLMS wplms_plugin allows Reflected XSS. This issue affects WPLMS: from n/a through <= 1.9.9.8.
    Published: October 22, 2025; 11:15:49 AM -0400

  • CVE-2025-61413 - A stored cross-site scripting (XSS) vulnerability in the /manager/pages component of Piranha CMS v12.0 allows attackers to execute arbitrary web scripts or HTML via creating a page and injecting a crafted payload into the Markdown blocks.
    Published: October 23, 2025; 2:16:23 PM -0400

  • CVE-2025-62236 - The Frontier Airlines website has a publicly available endpoint that validates whether an email address is associated with an account. An unauthenticated, remote attacker could determine valid email addresses, possibly aiding in further attacks.
    Published: October 23, 2025; 4:15:40 PM -0400

  • CVE-2025-59500 - Improper access control in Azure Notification Service allows an authorized attacker to elevate privileges over a network.
    Published: October 23, 2025; 6:15:48 PM -0400

    V3.1: 8.8 HIGH

Created September 20, 2022, Updated August 27, 2024