The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
CVE-2024-13580 - The XV Random Quotes WordPress plugin through 1.40 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin reset them via a CSRF attack.
Published: March 11, 2025; 2:15:25 AM -0400

CVE-2024-13574 - The XV Random Quotes WordPress plugin through 1.40 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
Published: March 11, 2025; 2:15:25 AM -0400

CVE-2020-17144 - Microsoft Exchange Remote Code Execution Vulnerability
Published: December 09, 2020; 7:15:16 PM -0500
V2.0: 6.0 MEDIUM

CVE-2025-31688 - Cross-Site Request Forgery (CSRF) vulnerability in Drupal Configuration Split allows Cross Site Request Forgery. This issue affects Configuration Split: from 0.0.0 before 1.10.0, from 2.0.0 before 2.0.2.
Published: March 31, 2025; 6:15:21 PM -0400

CVE-2025-31687 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal SpamSpan filter allows Cross-Site Scripting (XSS). This issue affects SpamSpan filter: from 0.0.0 before 3.2.1.
Published: March 31, 2025; 6:15:21 PM -0400

CVE-2025-31684 - Cross-Site Request Forgery (CSRF) vulnerability in Drupal OAuth2 Client allows Cross Site Request Forgery. This issue affects OAuth2 Client: from 0.0.0 before 4.1.3.
Published: March 31, 2025; 6:15:20 PM -0400

CVE-2024-13262 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal View Password allows Cross-Site Scripting (XSS). This issue affects View Password: from 0.0.0 before 6.0.4.
Published: January 09, 2025; 3:15:34 PM -0500

CVE-2024-11059 - A vulnerability was found in Project Worlds Free Download Online Shopping System up to 192.168.1.88. It has been rated as critical. This issue affects some unknown processing of the file /online-shopping-webvsite-in-php-master/success.php. The man...
Published: November 10, 2024; 7:15:13 PM -0500
V3.1: 9.8 CRITICAL

CVE-2025-5004 - A vulnerability was found in projectworlds Online Time Table Generator 1.0 and classified as critical. This issue affects some unknown processing of the file /admin/add_course.php. The manipulation of the argument c/subname leads to SQL injection....
Published: May 20, 2025; 7:15:19 PM -0400
V3.1: 9.8 CRITICAL

CVE-2025-5003 - A vulnerability has been found in projectworlds Online Time Table Generator 1.0 and classified as critical. This vulnerability affects unknown code of the file /semester_ajax.php. The manipulation of the argument ID leads to SQL injection. The att...
Published: May 20, 2025; 6:15:19 PM -0400
V3.1: 9.8 CRITICAL

CVE-2025-5008 - A vulnerability was found in projectworlds Online Time Table Generator 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/add_teacher.php. The manipulation of the argument e leads to sql inj...
Published: May 20, 2025; 7:15:20 PM -0400
V3.1: 9.8 CRITICAL

CVE-2024-0498 - A vulnerability was found in Project Worlds Lawyer Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file searchLawyer.php. The manipulation of the argument experience leads ...
Published: January 13, 2024; 1:15:44 PM -0500
V3.1: 9.8 CRITICAL

CVE-2024-0266 - A vulnerability classified as problematic has been found in Project Worlds Online Lawyer Management System 1.0. Affected is an unknown function of the component User Registration. The manipulation of the argument First Name leads to cross site scr...
Published: January 07, 2024; 1:15:47 AM -0500
V3.1: 5.4 MEDIUM

CVE-2025-4931 - A vulnerability classified as critical was found in projectworlds Online Lawyer Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /user_registation.php. The manipulation of the argument email leads to sq...
Published: May 19, 2025; 8:15:20 AM -0400
V3.1: 9.8 CRITICAL

CVE-2025-4706 - A vulnerability was found in projectworlds Online Examination System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /Procedure3b_yearwiseVisit.php. The manipulation of the argument Visit_year leads to sq...
Published: May 15, 2025; 1:15:55 PM -0400
V3.1: 9.8 CRITICAL

CVE-2025-4739 - A vulnerability was found in projectworlds Hospital Database Management System 1.0. It has been classified as critical. This affects an unknown part of the file /medicines_info.php. The manipulation of the argument Med_ID leads to SQL injection. I...
Published: May 15, 2025; 11:15:22 PM -0400
V3.1: 9.8 CRITICAL

CVE-2024-53269 - Envoy is a cloud-native high-performance edge/middle/service proxy. When additional addresses are not IP addresses, then the Happy Eyeballs sorting algorithm will crash in the data plane. This issue has been addressed in releases 1.32.2, 1.31.4, and 1.3...
Published: December 18, 2024; 3:15:24 PM -0500
V3.1: 7.5 HIGH

CVE-2024-53262 - SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. The static error.html template for errors contains placeholders that are replaced without escaping the content first. error.html is the page that is ...
Published: November 25, 2024; 3:15:10 PM -0500
V3.1: 5.4 MEDIUM

CVE-2024-53261 - SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. "Unsanitized input from *the request URL* flows into `end`, where it is used to render an HTML page returned to the user. This may result in a Cross-...
Published: November 25, 2024; 3:15:10 PM -0500
V3.1: 5.4 MEDIUM

CVE-2024-52510 - The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. The Desktop client did not stop with an error but allowed by-passing the signature validation, if a manipulated server sends an empty initial sig...
Published: November 15, 2024; 1:15:29 PM -0500
V3.1: 7.5 HIGH