The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
-
CVE-2025-5222 - A stack buffer overflow was found in International Components for Unicode (ICU). While running the genrb binary, the 'subtag' struct overflowed at the SRBRoot::addTag function. This issue may lead to memory corruption and local arbitrary code exec... read CVE-2025-5222
Published: May 27, 2025; 5:15:23 PM -0400
-
CVE-2023-31228 - Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in CreativeMindsSolutions CM On Demand Search And Replace plugin <= 1.3.0 versions.
Published: August 18, 2023; 9:15:09 AM -0400
V3.1: 4.8 MEDIUM
-
CVE-2025-54834 - OPEXUS FOIAXpress Public Access Link (PAL) version v11.1.0 allows an unauthenticated, remote attacker to query the /App/CreateRequest.aspx endpoint to check for the existence of valid usernames. There are no rate-limiting mechanisms in place.
Published: July 31, 2025; 2:15:43 PM -0400
-
CVE-2025-54833 - OPEXUS FOIAXpress Public Access Link (PAL) version v11.1.0 allows attackers to bypass account-lockout and CAPTCHA protections. Unauthenticated remote attackers can more easily brute force passwords.
Published: July 31, 2025; 2:15:43 PM -0400
V3.1: 7.5 HIGH
-
CVE-2025-54832 - OPEXUS FOIAXpress Public Access Link (PAL), version v11.1.0, allows an authenticated user to add entries to the list of states and territories.
Published: July 31, 2025; 2:15:42 PM -0400
-
CVE-2023-53890 - Perch CMS 3.2 contains a stored cross-site scripting vulnerability that allows authenticated users to upload malicious SVG files with embedded JavaScript. Attackers can craft SVG files with script tags that execute when the file is viewed, potenti... read CVE-2023-53890
Published: December 15, 2025; 4:15:52 PM -0500
V3.1: 5.4 MEDIUM
-
CVE-2023-53889 - Perch CMS 3.2 contains a remote code execution vulnerability that allows authenticated administrators to upload arbitrary PHP files through the assets management interface. Attackers can upload a malicious .phar file with embedded system command e... read CVE-2023-53889
Published: December 15, 2025; 4:15:52 PM -0500
V3.1: 7.2 HIGH
-
CVE-2024-24115 - A stored cross-site scripting (XSS) vulnerability in the Edit Page function of Cotonti CMS v0.9.24 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload.
Published: February 08, 2024; 3:15:52 PM -0500
V3.1: 5.4 MEDIUM
-
CVE-2025-39760 - In the Linux kernel, the following vulnerability has been resolved: usb: core: config: Prevent OOB read in SS endpoint companion parsing usb_parse_ss_endpoint_companion() checks descriptor type before length, enabling a potentially odd read outs... read CVE-2025-39760
Published: September 11, 2025; 1:15:39 PM -0400
V3.1: 7.1 HIGH
-
CVE-2025-39794 - In the Linux kernel, the following vulnerability has been resolved: ARM: tegra: Use I/O memcpy to write to IRAM Kasan crashes the kernel trying to check boundaries when using the normal memcpy.
Published: September 12, 2025; 12:15:33 PM -0400
V3.1: 5.5 MEDIUM
-
CVE-2025-39801 - In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: Remove WARN_ON for device endpoint command timeouts This commit addresses a rarely observed endpoint command timeout which causes kernel panic due to warn when 'panic... read CVE-2025-39801
Published: September 15, 2025; 9:15:35 AM -0400
V3.1: 5.5 MEDIUM
-
CVE-2025-39838 - In the Linux kernel, the following vulnerability has been resolved: cifs: prevent NULL pointer dereference in UTF16 conversion There can be a NULL pointer dereference bug here. NULL is passed to __cifs_sfu_make_node without checks, which passes ... read CVE-2025-39838
Published: September 19, 2025; 12:15:42 PM -0400
V3.1: 5.5 MEDIUM
-
CVE-2025-39866 - In the Linux kernel, the following vulnerability has been resolved: fs: writeback: fix use-after-free in __mark_inode_dirty() A use-after-free issue occurred when __mark_inode_dirty() gets the bdi_writeback that was in the process of switching.... read CVE-2025-39866
Published: September 19, 2025; 12:15:45 PM -0400
V3.1: 7.8 HIGH
-
CVE-2025-39891 - In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: Initialize the chan_stats array to zero The adapter->chan_stats[] array is initialized in mwifiex_init_channel_scan_gap() with vmalloc(), which doesn't zero out m... read CVE-2025-39891
Published: October 01, 2025; 4:15:31 AM -0400
V3.1: 7.1 HIGH
-
CVE-2025-57883 - Reflected cross-site scripting vulnerability exists in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. If a user accesses a crafted page or URL, an arbitrary script may ... read CVE-2025-57883
Published: December 12, 2025; 12:16:07 AM -0500
-
CVE-2025-58025 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in averta Master Slider allows Stored XSS. This issue affects Master Slider: from n/a through 3.11.0.
Published: September 22, 2025; 3:16:04 PM -0400
V3.1: 5.4 MEDIUM
-
CVE-2025-58234 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in JoomSky JS Job Manager allows Stored XSS. This issue affects JS Job Manager: from n/a through 2.0.2.
Published: September 22, 2025; 3:16:08 PM -0400
V3.1: 5.4 MEDIUM
-
CVE-2025-58576 - Cross-site request forgery vulnerability exists in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. If a user accesses a malicious page while logged in, unintended operat... read CVE-2025-58576
Published: December 12, 2025; 12:16:07 AM -0500
-
CVE-2025-56425 - An issue was discovered in the AppConnector component version 10.10.0.183 and earlier of enaio 10.10, in the AppConnector component version 11.0.0.183 and earlier of enaio 11.0, and in the AppConnector component version 11.10.0.183 and earlier of e... read CVE-2025-56425
Published: January 08, 2026; 12:15:47 PM -0500
-
CVE-2025-56225 - fluidsynth-2.4.6 and earlier versions are vulnerable to a NULL pointer dereference in fluid_synth_monopoly.c that can be triggered when loading an invalid MIDI file.
Published: January 09, 2026; 11:16:06 AM -0500