The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
- CVE-2024-43565 - Windows Network Address Translation (NAT) Denial of Service Vulnerability
  Published: October 08, 2024; 2:15:23 PM -0400
  V3.1: 7.5 HIGH
- CVE-2025-27424 - Websites redirecting to a non-HTTP scheme URL could allow a website address to be spoofed for a malicious page. This vulnerability affects Firefox for iOS < 136.
  Published: March 04, 2025; 9:15:39 AM -0500
- CVE-2025-1942 - When String.toUpperCase() caused a string to get longer it was possible for uninitialized memory to be incorporated into the result string. This vulnerability affects Firefox < 136 and Thunderbird < 136.
  Published: March 04, 2025; 9:15:39 AM -0500
- CVE-2025-1941 - Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been bypassed (distinct from CVE-2025-0245). This vulnerability affects Firefox < 136.
  Published: March 04, 2025; 9:15:39 AM -0500
- CVE-2025-1932 - An inconsistent comparator in xslt/txNodeSorter could have resulted in potentially exploitable out-of-bounds access. Only affected version 122 and later. This vulnerability affects Firefox < 136, Firefox ESR < 128.8, Thunderbird < 136, and Thunder...
  Published: March 04, 2025; 9:15:38 AM -0500
- CVE-2025-25769 - Wangmarket v4.10 to v5.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /controller/UserController.java.
  Published: February 21, 2025; 2:15:14 PM -0500
- CVE-2025-25770 - Wangmarket v4.10 to v5.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /agency/AgencyUserController.java.
  Published: February 21, 2025; 2:15:14 PM -0500
- CVE-2025-26622 - vyper is a Pythonic Smart Contract Language for the EVM. Vyper `sqrt()` builtin uses the babylonian method to calculate square roots of decimals. Unfortunately, improper handling of the oscillating final states may lead to sqrt incorrectly returni...
  Published: February 21, 2025; 5:15:13 PM -0500
- CVE-2025-27104 - vyper is a Pythonic Smart Contract Language for the EVM. Multiple evaluation of a single expression is possible in the iterator target of a for loop. While the iterator expression cannot produce multiple writes, it can consume side effects produce...
  Published: February 21, 2025; 5:15:13 PM -0500
- CVE-2025-27105 - vyper is a Pythonic Smart Contract Language for the EVM. Vyper handles AugAssign statements by first caching the target location to avoid double evaluation. However, in the case when target is an access to a DynArray and the rhs modifies the array...
  Published: February 21, 2025; 5:15:13 PM -0500
- CVE-2025-25462 - A SQL Injection vulnerability was found in /admin/add-propertytype.php in PHPGurukul Land Record System Project in PHP v1.0 allows remote attackers to execute arbitrary code via the propertytype POST request parameter.
  Published: February 26, 2025; 11:15:16 AM -0500
- CVE-2025-28011 - A SQL Injection was found in loginsystem/change-password.php in PHPGurukul User Registration & Login and User Management System v3.3 allows remote attackers to execute arbitrary code via the currentpassword POST request parameter.
  Published: March 13, 2025; 1:15:37 PM -0400
- CVE-2025-1668 - The School Management System – WPSchoolPress plugin for WordPress is vulnerable to arbitrary user deletion due to a missing capability check on the wpsp_DeleteUser() function in all versions up to, and including, 2.2.16. This makes it possible for...
  Published: March 15, 2025; 12:15:21 AM -0400
  V3.1: 5.4 MEDIUM
- CVE-2025-1669 - The School Management System – WPSchoolPress plugin for WordPress is vulnerable to SQL Injection via the 'addNotify' action in all versions up to, and including, 2.2.16 due to insufficient escaping on the user supplied parameter and lack of suffic...
  Published: March 15, 2025; 12:15:21 AM -0400
  V3.1: 6.5 MEDIUM
- CVE-2025-1670 - The School Management System – WPSchoolPress plugin for WordPress is vulnerable to SQL Injection via the 'cid' parameter in all versions up to, and including, 2.2.16 due to insufficient escaping on the user supplied parameter and lack of sufficien...
  Published: March 15, 2025; 12:15:21 AM -0400
  V3.1: 6.5 MEDIUM
- CVE-2025-27103 - DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.6, a bypass for the patch for CVE-2024-55953 allows authenticated users to read and deserialize arbitrary files through the background JDBC connect...
  Published: March 13, 2025; 1:15:36 PM -0400
  V3.1: 6.5 MEDIUM
- CVE-2025-28015 - A HTML Injection vulnerability was found in loginsystem/edit-profile.php of the PHPGurukul User Registration & Login and User Management System V3.3. This vulnerability allows remote attackers to execute arbitrary HTML code via the fname, lname, a...
  Published: March 13, 2025; 12:15:27 PM -0400
- CVE-2025-2163 - The Zoorum Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9. This is due to missing or incorrect nonce validation on the zoorum_set_options() function. This makes it possible for ...
  Published: March 15, 2025; 12:15:22 AM -0400
  V3.1: 5.4 MEDIUM
- CVE-2025-29427 - Code-projects Online Class and Exam Scheduling System V1.0 is vulnerable to Cross Site Scripting (XSS) in profile.php via the member_first and member_last parameters.
  Published: March 17, 2025; 3:15:27 PM -0400
- CVE-2025-29411 - An arbitrary file upload vulnerability in the Client Profile Update section of Mart Developers iBanking v2.0.0 allows attackers to execute arbitrary code via uploading a crafted PHP file.
  Published: March 20, 2025; 11:15:46 AM -0400