

The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries CVSS Severity
  • CVE-2019-25228 - An information disclosure vulnerability in Kentico Xperience allows attackers to leak virtual context URLs via the HTTP Referer header when users interact with third-party domains. Sensitive virtual context information can be exposed to external d...
    Published: December 18, 2025; 3:15:48 PM -0500

    V3.1: 5.3 MEDIUM

  • CVE-2019-25229 - An unrestricted file upload vulnerability in Kentico Xperience allows authenticated users with 'Read data' permissions to upload arbitrary file types via MVC form file uploader components. Attackers can manipulate file names and upload potentially...
    Published: December 18, 2025; 3:15:48 PM -0500

  • CVE-2020-36889 - A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via error messages containing specially crafted object names. This allows malicious scripts to execute in users' browsers when administra...
    Published: December 18, 2025; 3:15:49 PM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2019-25230 - An information disclosure vulnerability in Kentico Xperience allows authenticated users to view sensitive system objects through the live site widget properties dialog. Attackers can exploit this vulnerability to access unauthorized system informa...
    Published: December 18, 2025; 3:15:49 PM -0500

    V3.1: 4.3 MEDIUM

  • CVE-2020-36890 - An access control bypass vulnerability in Kentico Xperience allows administrators to modify global administrator user privileges via unauthorized requests. Attackers could potentially compromise global administrator accounts and invalidate securit...
    Published: December 18, 2025; 3:15:49 PM -0500

  • CVE-2020-36891 - A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to upload files with spoofed Content-Type that do not match file extensions. Attackers can exploit this vulnerability by uploading malicious files with manipulated M...
    Published: December 18, 2025; 3:15:49 PM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2021-47711 - A SQL injection vulnerability in Kentico Xperience allows authenticated editors to inject malicious SQL queries via online marketing macro method parameters. This enables unauthorized database access and potential data manipulation by exploiting m...
    Published: December 18, 2025; 3:15:49 PM -0500

  • CVE-2021-47712 - A cryptography vulnerability in Kentico Xperience allows attackers to potentially manipulate URL hash values through existing hashing mechanisms. The hotfix introduces an additional security layer to prevent hash value reuse and potential exploita...
    Published: December 18, 2025; 3:15:49 PM -0500

  • CVE-2023-53887 - Zomplog 3.9 contains a cross-site scripting vulnerability that allows authenticated users to inject malicious scripts when creating new pages. Attackers can craft malicious image source and onerror attributes to execute arbitrary JavaScript code i...
    Published: December 15, 2025; 4:15:51 PM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2023-53888 - Zomplog 3.9 contains a remote code execution vulnerability that allows authenticated attackers to inject and execute arbitrary PHP code through file manipulation endpoints. Attackers can upload malicious JavaScript files, rename them to PHP, and e...
    Published: December 15, 2025; 4:15:51 PM -0500

    V3.1: 8.8 HIGH

  • CVE-2023-53918 - PodcastGenerator 3.2.9 contains a stored cross-site scripting vulnerability in the episode title field accessible through the episodes upload interface (episodes_upload.php). Malicious JavaScript payloads injected into episode titles execute when ...
    Published: December 17, 2025; 6:15:50 PM -0500

    V3.1: 6.1 MEDIUM

  • CVE-2023-53920 - PodcastGenerator 3.2.9 contains a stored cross-site scripting vulnerability in the podcast title field accessible through the podcast details interface (podcast_details.php). Malicious JavaScript payloads injected into the podcast title execute wh...
    Published: December 17, 2025; 6:15:50 PM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2023-53919 - PodcastGenerator 3.2.9 contains a stored cross-site scripting vulnerability in the Freebox content field accessible through the theme customization interface (theme_freebox.php). Malicious JavaScript payloads injected into the Freebox content exec...
    Published: December 17, 2025; 6:15:50 PM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2023-53910 - WBCE CMS 1.6.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by inserting script tags into page content through the WYSIWYG editor. Attackers can submit POST requests to /wb...
    Published: December 17, 2025; 6:15:49 PM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2023-53909 - WBCE CMS 1.6.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by uploading crafted SVG files through the media manager. Attackers can upload SVG files containing script tags ...
    Published: December 17, 2025; 6:15:49 PM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2023-53915 - Zenphoto 1.6 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by inserting HTML content into album descriptions. Attackers can create albums with malicious iframe or script tags i...
    Published: December 17, 2025; 6:15:50 PM -0500

    V3.1: 4.6 MEDIUM

  • CVE-2023-53916 - Zenphoto 1.6 contains a stored cross-site scripting vulnerability in the user postal code field accessible through the admin-users.php interface. When administrators view user information imported as HTML, malicious JavaScript payloads injected in...
    Published: December 17, 2025; 6:15:50 PM -0500

    V3.1: 4.6 MEDIUM

  • CVE-2023-53926 - PHPJabbers Simple CMS 5.0 contains a SQL injection vulnerability in the 'column' parameter that allows remote attackers to manipulate database queries. Attackers can inject crafted SQL payloads through the 'column' parameter in the index.php endpo...
    Published: December 17, 2025; 6:15:51 PM -0500

  • CVE-2023-53927 - PHPJabbers Simple CMS 5.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through section name parameters. Attackers can create sections with embedded JavaScript payloads that wi...
    Published: December 17, 2025; 6:15:52 PM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2025-34288 - Nagios XI versions prior to 2026R1.1 are vulnerable to local privilege escalation due to an unsafe interaction between sudo permissions and application file permissions. A user‑accessible maintenance script may be executed as root via sudo and inc...
    Published: December 16, 2025; 6:15:44 PM -0500

    V3.1: 6.7 MEDIUM

Created September 20, 2022, Updated August 27, 2024