The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
-
CVE-2026-3837 - An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. The vulnerable formatter implementations interpolate stored values into ra...
Published: April 22, 2026; 5:17:08 PM -0400
V3.1: 5.4 MEDIUM
-
CVE-2026-41134 - Kiota is an OpenAPI based HTTP Client code generator. Versions prior to 1.31.1 are affected by a code-generation literal injection vulnerability in multiple writer sinks (for example: serialization/deserialization keys, path/query parameter mappin...
Published: April 22, 2026; 5:17:09 PM -0400
V3.1: 7.8 HIGH
-
CVE-2026-43290 - In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Return queued buffers on start_streaming() failure Return buffers if streaming fails to start due to uvc_pm_get() error. This bug may be responsible for a warn...
Published: May 08, 2026; 10:16:36 AM -0400
-
CVE-2026-43291 - In the Linux kernel, the following vulnerability has been resolved: net: nfc: nci: Fix parameter validation for packet data Since commit 9c328f54741b ("net: nfc: nci: Add parameter validation for packet data") communication with nci nfc chips is...
Published: May 08, 2026; 10:16:36 AM -0400
-
CVE-2026-30900 - Improper Check of minimum version in update functionality of certain Zoom Clients for Windows may allow an authenticated user to conduct an escalation of privilege via local access.
Published: March 11, 2026; 11:16:29 AM -0400
-
CVE-2026-43292 - In the Linux kernel, the following vulnerability has been resolved: mm/vmalloc: prevent RCU stalls in kasan_release_vmalloc_node When CONFIG_PAGE_OWNER is enabled, freeing KASAN shadow pages during vmalloc cleanup triggers expensive stack unwind...
Published: May 08, 2026; 10:16:36 AM -0400
V3.1: 5.5 MEDIUM
-
CVE-2026-30901 - Improper Input Validation in Zoom Rooms for Windows before 6.6.5 in Kiosk Mode may allow an authenticated user to conduct an escalation of privilege via local access.
Published: March 11, 2026; 11:16:29 AM -0400
V3.1: 7.8 HIGH
-
CVE-2026-30902 - Improper Privilege Management in certain Zoom Clients for Windows may allow an authenticated user to conduct an escalation of privilege via local access.
Published: March 11, 2026; 11:16:30 AM -0400
-
CVE-2025-15633 - An improper authorization vulnerability in HCL BigFix WebUI allows an authenticated user without Master Operator privileges to access internal data (site names, versions, and configuration variables) and bypass privilege requirements via unprotect...
Published: May 09, 2026; 2:16:07 AM -0400
V3.1: 6.5 MEDIUM
-
CVE-2025-15634 - A missing authorization vulnerability in HCL BigFix WebUI allows an authenticated user without proper permissions to view sensitive environmental information via direct URL access to the unauthorized page.
Published: May 09, 2026; 2:16:09 AM -0400
V3.1: 4.3 MEDIUM
-
CVE-2026-42311 - Pillow is a Python imaging library. From version 10.3.0 to before version 12.2.0, processing a malicious PSD file could lead to memory corruption, potentially resulting in a crash or arbitrary code execution. This issue has been patched in version...
Published: May 09, 2026; 2:16:10 AM -0400
V3.1: 7.8 HIGH
-
CVE-2026-30903 - External Control of File Name or Path in the Mail feature of Zoom Workplace for Windows before 6.6.0 may allow an unauthenticated user to conduct an escalation of privilege via network access.
Published: March 11, 2026; 11:16:30 AM -0400
V3.1: 9.8 CRITICAL
-
CVE-2026-29516 - Buffalo TeraStation NAS TS5400R firmware version 4.02-0.06 and prior contain an excessive file permissions vulnerability that allows authenticated attackers to read the /etc/shadow file by uploading and executing a PHP file through the webserver. ...
Published: March 16, 2026; 4:16:18 PM -0400
-
CVE-2026-32889 - tinytag is a Python library for reading audio file metadata. Version 2.2.0 allows an attacker who can supply MP3 files for parsing to trigger a non-terminating loop while the library parses an ID3v2 SYLT (synchronized lyrics) frame. In server-side...
Published: March 19, 2026; 11:15:59 PM -0400
-
CVE-2026-44426 - ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/namespaces/:tenant returns the full namespace object — including the members list (user IDs, e-mails, roles), settings, and device counts — to any caller authenticated by an API Key,...
Published: May 13, 2026; 6:16:44 PM -0400
-
CVE-2026-44440 - ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.101.1 and 16.10.0, an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability on an endpoint allows an authenticated adjacent att...
Published: May 13, 2026; 6:16:45 PM -0400
V3.1: 5.7 MEDIUM
-
CVE-2026-44441 - ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.106.0 and 16.16.0, a malicious user could send a crafted request to an endpoint, which would lead to the server making an HTTP call to a service of the user's choice....
Published: May 13, 2026; 6:16:45 PM -0400
V3.1: 4.3 MEDIUM
-
CVE-2026-34071 - Stirling-PDF is a locally hosted web application that allows you to perform various operations on PDF files. In version 2.7.3, the /api/v1/convert/eml/pdf endpoint with parameter downloadHtml=true returns unsanitized HTML from the email body with ...
Published: March 26, 2026; 1:16:41 PM -0400
V3.1: 6.1 MEDIUM
-
CVE-2026-44442 - ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.1, certain endpoints failed to enforce proper authorization checks, allowing users to modify data beyond their permitted role. This vulnerability is fixed in 16.9.1.
Published: May 13, 2026; 6:16:45 PM -0400
-
CVE-2026-44445 - ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.12.0, an improper restriction of XML external entity (XXE) reference vulnerability in the EDI Module enables an authenticated attacker to read files from...
Published: May 13, 2026; 6:16:45 PM -0400
V3.1: 6.5 MEDIUM