The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries, with CVSS Severity
  • CVE-2025-3546 - A vulnerability was found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014. It has been declared as critical. Affected by this vulnerability is the function FCGI_CheckStringIfContainsSemicolon of the fil...
    Published: April 13, 2025; 10:15:13 PM -0400

  • CVE-2021-37914 - In Argo Workflows through 3.1.3, if EXPRESSION_TEMPLATES is enabled and untrusted users are allowed to specify input parameters when running workflows, an attacker may be able to disrupt a workflow because expression template output is evaluated.
    Published: August 02, 2021; 8:15:08 PM -0400

    V3.1: 6.5 MEDIUM
    V2.0: 5.8 MEDIUM

  • CVE-2025-13444 - OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with “User Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized inpu...
    Published: January 13, 2026; 10:15:57 AM -0500

    V3.1: 6.8 MEDIUM

  • CVE-2026-1701 - A security vulnerability has been detected in itsourcecode Student Management System 1.0. This issue affects some unknown processing of the file /enrollment/index.php. Such manipulation of the argument ID leads to sql injection. It is possible to ...
    Published: January 30, 2026; 1:15:59 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2023-47240 - Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Codeboxr CBX Map for Google Map & OpenStreetMap plugin <= 1.1.11 versions.
    Published: November 16, 2023; 2:15:07 PM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2026-22549 - A vulnerability exists in F5 BIG-IP Container Ingress Services that may allow excessive permissions to read cluster secrets.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
    Published: February 04, 2026; 11:16:19 AM -0500

    V3.1: 4.9 MEDIUM

  • CVE-2026-22548 - When a BIG-IP Advanced WAF or ASM security policy is configured on a virtual server, undisclosed requests along with conditions beyond the attacker's control can cause the bd process to terminate.  Note: Software versions which have reached End of...
    Published: February 04, 2026; 10:16:14 AM -0500

    V3.1: 5.9 MEDIUM

  • CVE-2026-20732 - A vulnerability exists in an undisclosed BIG-IP Configuration utility page that may allow an attacker to spoof error messages.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
    Published: February 04, 2026; 10:16:14 AM -0500

    V3.1: 4.3 MEDIUM

  • CVE-2023-1346 - The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.1. This is due to missing or incorrect nonce validation on the clear_page_cache function. This makes it p...
    Published: March 10, 2023; 3:15:11 PM -0500

    V3.1: 4.3 MEDIUM

  • CVE-2023-1333 - The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the clear_page_cache function in versions up to, and including, 1.7.1. This makes it possible for authentic...
    Published: March 10, 2023; 3:15:10 PM -0500

    V3.1: 4.3 MEDIUM

  • CVE-2026-20615 - A path handling issue was addressed with improved validation. This issue is fixed in iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, macOS Sonoma 14.8.4, visionOS 26.3. An app may be able to gain root privileges.
    Published: February 11, 2026; 6:16:05 PM -0500

    V3.1: 7.8 HIGH

  • CVE-2026-26021 - set-in provides the set value of nested associative structure given array of keys. A prototype pollution vulnerability exists in the npm package set-in (>=2.0.1, < 2.0.5). Despite a previous fix that attempted to mitigate prototype pollution b...
    Published: February 11, 2026; 5:15:52 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2026-26012 - vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to 1.35.3, a regular organization member can retrieve all ciphers within an organization, regardless of collection permissions. The end...
    Published: February 11, 2026; 5:15:51 PM -0500

  • CVE-2024-50619 - Vulnerabilities in the My Account and User Management components in CIPPlanner CIPAce before 9.17 allow attackers to escalate their access levels. A low-privileged authenticated user can gain access to other people's accounts by tampering with th...
    Published: February 11, 2026; 5:15:50 PM -0500

  • CVE-2024-50617 - Vulnerabilities in the File Download and Get File handler components in CIPPlanner CIPAce before 9.17 allow attackers to download unauthorized files. An authenticated user can easily change the file id parameter or pass the physical file path in t...
    Published: February 11, 2026; 5:15:49 PM -0500

  • CVE-2026-26014 - Pion DTLS is a Go implementation of Datagram Transport Layer Security. Pion DTLS versions v1.0.0 through v3.0.10 and 3.1.0 use random nonce generation with AES GCM ciphers, which makes it easier for remote attackers to obtain the authentication ke...
    Published: February 11, 2026; 4:16:21 PM -0500

    V3.1: 9.1 CRITICAL

  • CVE-2025-32709 - Null pointer dereference in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
    Published: May 13, 2025; 1:16:04 PM -0400

  • CVE-2026-20045 - A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Uni...
    Published: January 21, 2026; 12:16:08 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2026-20730 - A vulnerability exists in BIG-IP Edge Client and browser VPN clients on Windows that may allow attackers to gain access to sensitive information.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
    Published: February 04, 2026; 10:16:14 AM -0500

    V3.1: 3.3 LOW

  • CVE-2026-1642 - A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side—along with conditions beyond the attac...
    Published: February 04, 2026; 10:16:14 AM -0500

Created September 20, 2022, Updated August 27, 2024