The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
CVE-2026-25089 - An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox Cloud 5.0.4 thro...
Published: June 09, 2026; 12:16:39 PM -0400
CVE-2026-49938 - An improper access control vulnerability in Fortinet FortiPortal 7.4.0 through 7.4.7, FortiPortal 7.2.0 through 7.2.8, FortiPortal 7.0 all versions may allow attacker to improper access control via <insert attack vector here>
Published: June 09, 2026; 12:16:43 PM -0400
CVE-2025-67862 - An Internal Asset Exposed to Unsafe Debug Access Level or State vulnerability [CWE-1244] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.2, FortiOS 7.4.0 through 7.4.7, FortiOS 7.2.0 through 7.2.10, FortiOS 7.0.0 through 7.0.16, FortiOS 6.4 al...
Published: June 09, 2026; 12:16:35 PM -0400
CVE-2025-71263 - In UNIX Fourth Research Edition (v4), the su command is vulnerable to a buffer overflow due to the 'password' variable having a fixed size of 100 bytes. A local user can exploit this to gain root privileges. It is unlikely that UNIX v4 is running ...
Published: March 13, 2026; 3:53:53 PM -0400 | V3.1: 7.8 HIGH
CVE-2024-58350 - Ghidra before 11.2 contains a use after free vulnerability in the Sleigh backend caused by undefined static initialization order of the SleighArchitecture::translators and XmlArchitectureCapability singletons. Attackers can trigger an infinite loo...
Published: June 10, 2026; 10:16:28 AM -0400 | V3.1: 4.0 MEDIUM
CVE-2026-42916 - Integer underflow (wrap or wraparound) in Windows NT OS Kernel allows an authorized attacker to elevate privileges locally.
Published: June 09, 2026; 1:17:11 PM -0400 | V3.1: 7.8 HIGH
CVE-2026-42968 - Out-of-bounds read in Windows Telephony Service allows an authorized attacker to disclose information locally.
Published: June 09, 2026; 1:17:12 PM -0400 | V3.1: 5.5 MEDIUM
CVE-2026-42969 - Use of uninitialized resource in Windows Push Notifications allows an authorized attacker to disclose information locally.
Published: June 09, 2026; 1:17:12 PM -0400 | V3.1: 5.5 MEDIUM
CVE-2026-42970 - Use of uninitialized resource in Windows Push Notifications allows an authorized attacker to disclose information locally.
Published: June 09, 2026; 1:17:12 PM -0400 | V3.1: 5.5 MEDIUM
CVE-2026-42971 - Use of uninitialized resource in Windows Push Notifications allows an authorized attacker to disclose information locally.
Published: June 09, 2026; 1:17:12 PM -0400 | V3.1: 5.5 MEDIUM
CVE-2026-52755 - Ghidra before 12.0.4 contains a path traversal vulnerability in the theme import functionality that allows attackers to write files outside the intended theme directory. Attackers can craft malicious theme ZIP files with traversal sequences in fil...
Published: June 10, 2026; 10:16:35 AM -0400
CVE-2026-52754 - Ghidra before 12.1 contains an authentication bypass vulnerability in PKIAuthenticationModule.authenticate() that allows any user with a valid CA-signed certificate to impersonate other users by presenting their public certificate with a null sign...
Published: June 10, 2026; 10:16:35 AM -0400 | V3.1: 8.8 HIGH
CVE-2026-52753 - Ghidra before 12.0.3 contains an out-of-memory vulnerability in the rust_demangle function that allocates unbounded output buffers without size limits. Attackers can craft malicious Rust symbol names in binaries to trigger exponential memory alloc...
Published: June 10, 2026; 10:16:35 AM -0400
CVE-2026-42915 - Incorrect calculation of buffer size in Windows TCP/IP allows an authorized attacker to deny service over an adjacent network.
Published: June 09, 2026; 1:17:11 PM -0400 | V3.1: 5.7 MEDIUM
CVE-2026-52752 - Ghidra before 12.0.2 contains a path traversal vulnerability in the extension installer that fails to validate ZIP entry names during extraction. Attackers can craft malicious extensions with traversal sequences like ../ in filenames to write arbi...
Published: June 10, 2026; 10:16:35 AM -0400
CVE-2026-52751 - Ghidra before 12.1 contains an unsafe deserialization vulnerability in client-side Shared-Project RMI connection code that allows unauthenticated remote code execution. Attackers can craft a malicious project file with a ghidra:// URL that, when o...
Published: June 10, 2026; 10:16:35 AM -0400
CVE-2026-42914 - Windows Kerberos Denial of Service Vulnerability
Published: June 09, 2026; 1:17:11 PM -0400 | V3.1: 5.3 MEDIUM
CVE-2026-52750 - Ghidra before 12.1 contains a command injection vulnerability in URL annotation handling on Windows where cmd.exe metacharacters are not properly escaped. Attackers can execute arbitrary commands under the Ghidra user's privileges by embedding mal...
Published: June 10, 2026; 10:16:35 AM -0400 | V3.1: 7.8 HIGH
CVE-2026-49498 - Ghidra 11.0 before 12.1 contains a SQL injection vulnerability in the changePassword() method of PostgresFunctionDatabase that fails to escape double quotes in usernames interpolated into ALTER ROLE statements. Authenticated attackers can inject S...
Published: June 10, 2026; 10:16:34 AM -0400 | V3.1: 8.8 HIGH
CVE-2026-49497 - Ghidra before 12.1 contains a path traversal vulnerability in SameDirDebugInfoProvider that fails to validate filenames from ELF binary .gnu_debuglink sections before constructing file paths. Attackers can craft malicious ELF binaries with travers...
Published: June 10, 2026; 10:16:34 AM -0400 | V3.1: 3.3 LOW