
The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries CVSS Severity
  • CVE-2025-58322 - NAVER MYBOX Explorer for Windows before 3.0.8.133 allows a local attacker to escalate privileges to NT AUTHORITY\SYSTEM by invoking arbitrary DLLs due to improper privilege checks.
    Published: August 28, 2025; 4:15:30 AM -0400

  • CVE-2025-51967 - A Reflected Cross-site Scripting (XSS) vulnerability exists in the themeSet.php file of ProjectsAndPrograms School Management System 1.0. The application fails to sanitize user-supplied input in the theme POST parameter, allowing an attacker to in...
    Published: August 28, 2025; 10:15:47 AM -0400

  • CVE-2025-51968 - A SQL Injection vulnerability exists in the action.php file of PuneethReddyHC Online Shopping System Advanced 1.0. The application fails to properly sanitize user-supplied input in the proId POST parameter, allowing attackers to inject arbitrary S...
    Published: August 28, 2025; 10:15:47 AM -0400

  • CVE-2025-51969 - A SQL Injection vulnerability exists in the product.php page of PuneethReddyHC Online Shopping System Advanced 1.0. This flaw is present in the product_id GET parameter, which is not properly validated before being included in a SQL statement.
    Published: August 28, 2025; 10:15:48 AM -0400

  • CVE-2025-51971 - A reflected Cross-Site Scripting (XSS) vulnerability exists in register.php of PuneethReddyHC Online Shopping System Advanced 1.0. Unsanitized user input in the f_name parameter is reflected in the server response without proper HTML encoding or o...
    Published: August 28, 2025; 10:15:49 AM -0400

  • CVE-2025-51972 - A SQL Injection vulnerability exists in the login.php of PuneethReddyHC Online Shopping System Advanced 1.0 due to improper sanitization of user-supplied input in the keyword POST parameter.
    Published: August 28, 2025; 10:15:50 AM -0400

  • CVE-2025-52054 - An issue was discovered in Tenda AC8 v4.0 AC1200 Dual-band Gigabit Wireless Router AC8v4.0 Firmware 16.03.33.05. The root password of the device is calculated with a static string and the last two octets of the MAC address of the device. This allo...
    Published: August 28, 2025; 11:16:00 AM -0400

  • CVE-2025-55583 - D-Link DIR-868L B1 router firmware version FW2.05WWB02 contains an unauthenticated OS command injection vulnerability in the fileaccess.cgi component. The endpoint /dws/api/UploadFile accepts a pre_api_arg parameter that is passed directly to syst...
    Published: August 28, 2025; 11:16:02 AM -0400

  • CVE-2025-56236 - FormCms v0.5.5 contains a stored cross-site scripting (XSS) vulnerability in the avatar upload feature. Authenticated users can upload .html files containing malicious JavaScript, which are accessible via a public URL. When a privileged user acces...
    Published: August 28, 2025; 11:16:02 AM -0400

  • CVE-2024-13986 - Nagios XI < 2024R1.3.2 contains a remote code execution vulnerability by chaining two flaws: an arbitrary file upload and a path traversal in the Core Config Snapshots interface. The issue arises from insufficient validation of file paths and exte...
    Published: August 28, 2025; 12:15:32 PM -0400

    V3.1: 8.8 HIGH

  • CVE-2025-29364 - spimsimulator spim v9.1.24 and before is vulnerable to Buffer Overflow in the READ_SYSCALL and WRITE_SYSCALL system calls. The application verifies the legitimacy of the starting and ending addresses for memory read/write operations. By configurin...
    Published: August 28, 2025; 12:15:34 PM -0400

  • CVE-2025-51643 - Meitrack T366G-L GPS Tracker devices contain an SPI flash chip (Winbond 25Q64JVSIQ) that is accessible without authentication or tamper protection. An attacker with physical access to the device can use a standard SPI programmer to extract the fir...
    Published: August 28, 2025; 12:15:35 PM -0400

  • CVE-2025-56760 - When Memos 0.22 is configured to store objects locally, an attacker can create a file via the CreateResource endpoint containing a path traversal sequence in the name, allowing arbitrary file write on the server.
    Published: September 03, 2025; 1:15:34 PM -0400

  • CVE-2025-56761 - Memos 0.22 is vulnerable to Stored Cross site scripting (XSS) vulnerabilities by the upload attachment and user avatar features. Memos does not verify the content type of the uploaded data and serve it back as is. An authenticated attacker can use...
    Published: September 03, 2025; 1:15:34 PM -0400

  • CVE-2025-20280 - A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) and Cisco Prime Infrastructure could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against u...
    Published: September 03, 2025; 2:15:33 PM -0400

    V3.1: 4.8 MEDIUM

  • CVE-2025-20270 - A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) and Cisco Prime Infrastructure could allow an authenticated, remote attacker to obtain sensitive information from an affected system. Thi...
    Published: September 03, 2025; 2:15:32 PM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2025-20287 - A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) could allow an authenticated, remote attacker to upload arbitrary files to an affected device. This vulnerability is due to improper vali...
    Published: September 03, 2025; 2:15:33 PM -0400

    V3.1: 8.8 HIGH

  • CVE-2025-20291 - A vulnerability in Cisco Webex Meetings could have allowed an unauthenticated, remote attacker to redirect a targeted Webex Meetings user to an untrusted website. Cisco has addressed this vulnerability in the Cisco Webex Meetings service, and no c...
    Published: September 03, 2025; 2:15:33 PM -0400

    V3.1: 6.1 MEDIUM

  • CVE-2025-10065 - A weakness has been identified in itsourcecode POS Point of Sale System 1.0. Impacted is an unknown function of the file /inventory/main/vendors/datatables/unit_testing/templates/dom_data_th.php. This manipulation of the argument scripts causes cr...
    Published: September 06, 2025; 9:15:31 PM -0400

    V3.1: 6.1 MEDIUM

  • CVE-2025-10066 - A security vulnerability has been detected in itsourcecode POS Point of Sale System 1.0. The affected element is an unknown function of the file /inventory/main/vendors/datatables/unit_testing/templates/dymanic_table.php. Such manipulation of the ...
    Published: September 06, 2025; 9:15:32 PM -0400

    V3.1: 6.1 MEDIUM

Created September 20, 2022, Updated August 27, 2024