The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
- CVE-2025-25063 - An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. It does not sufficiently validate uploaded SVG images to ensure they do not contain potentially dangerous SVG tags. SVG images can contain clickable links a...
  Published: February 02, 2025; 11:15:09 PM -0500
- CVE-2024-39526 - An Improper Handling of Exceptional Conditions vulnerability in packet processing of Juniper Networks Junos OS on MX Series with MPC10/MPC11/LC9600 line cards, EX9200 with EX9200-15C line cards, MX304 devices, and Juniper Networks Junos OS Evolve...
  Published: October 11, 2024; 12:15:06 PM -0400
- CVE-2024-39527 - An Exposure of Sensitive Information to an Unauthorized Actor vulnerability in the command-line interface (CLI) of Juniper Networks Junos OS on SRX Series devices allows a local, low-privileged user with access to the Junos CLI to view the content...
  Published: October 11, 2024; 12:15:06 PM -0400
- CVE-2024-39534 - An Incorrect Comparison vulnerability in the local address verification API of Juniper Networks Junos OS Evolved allows an unauthenticated network-adjacent attacker to create sessions or send traffic to the device using the network and broadcast a...
  Published: October 11, 2024; 12:15:06 PM -0400
- CVE-2024-39544 - An Incorrect Default Permissions vulnerability in the command line interface (CLI) of Juniper Networks Junos OS Evolved allows a low privileged local attacker to view NETCONF traceoptions files, representing an exposure of sensitive information. ...
  Published: October 11, 2024; 12:15:07 PM -0400
- CVE-2026-21921 - A Use After Free vulnerability in the chassis daemon (chassisd) of Juniper Networks Junos OS and Junos OS Evolved allows a network-based attacker authenticated with low privileges to cause a Denial-of-Service (DoS). When telemetry collectors are ...
  Published: January 15, 2026; 4:16:08 PM -0500
  V3.1: 6.5 MEDIUM
- CVE-2026-21920 - An Unchecked Return Value vulnerability in the DNS module of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). If an SRX Series device configured for DNS processing, r...
  Published: January 15, 2026; 4:16:08 PM -0500
  V3.1: 7.5 HIGH
- CVE-2026-23527 - H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explici...
  Published: January 15, 2026; 3:16:05 PM -0500
  V3.1: 9.8 CRITICAL
- CVE-2025-25062 - An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. It doesn't sufficiently isolate long text content when the CKEditor 5 rich text editor is used. This allows a potential attacker to craft specialized HTML a...
  Published: February 02, 2025; 11:15:09 PM -0500
- CVE-2026-22918 - An attacker may exploit missing protection against clickjacking by tricking users into performing unintended actions through maliciously crafted web pages, leading to the extraction of sensitive data.
  Published: January 15, 2026; 8:16:06 AM -0500
  V3.1: 8.2 HIGH
- CVE-2025-31125 - Vite is a frontend tooling framework for JavaScript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are af...
  Published: March 31, 2025; 1:15:43 PM -0400
  V3.1: 7.5 HIGH
- CVE-2025-68645 - A Local File Inclusion (LFI) vulnerability exists in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 because of improper handling of user-supplied request parameters in the RestFilter servlet. An unauthenticated remote attacker ...
  Published: December 22, 2025; 1:16:17 PM -0500
- CVE-2025-34026 - The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy configuration, allowing an attacker to access administrative endpoints. The internal Actuator endpoint can be leveraged for acc...
  Published: May 21, 2025; 6:15:50 PM -0400
  V3.1: 7.5 HIGH
- CVE-2026-22919 - An attacker with administrative access may inject malicious content into the login page, potentially enabling cross-site scripting (XSS) attacks, leading to the extraction of sensitive data.
  Published: January 15, 2026; 8:16:06 AM -0500
  V3.1: 4.8 MEDIUM
- CVE-2025-59980 - An Authentication Bypass by Primary Weakness in the FTP server of Juniper Networks Junos OS allows an unauthenticated, network-based attacker to get limited read-write access to files on the device. When the FTP server is enabled and a user named...
  Published: October 09, 2025; 1:15:59 PM -0400
- CVE-2025-59975 - An Uncontrolled Resource Consumption vulnerability in the HTTP daemon (httpd) of Juniper Networks Junos Space allows an unauthenticated network-based attacker flooding the device with inbound API calls to consume all resources on the system, leadi...
  Published: October 09, 2025; 12:15:47 PM -0400
- CVE-2025-59967 - A NULL Pointer Dereference vulnerability in the PFE management daemon (evo-pfemand) of Juniper Networks Junos OS Evolved on ACX7024, ACX7024X, ACX7100-32C, ACX7100-48L, ACX7348, ACX7509 devices allows an unauthenticated, adjacent attacker to cause...
  Published: October 09, 2025; 12:15:46 PM -0400
- CVE-2026-22920 - The device's passwords have not been adequately salted, making them vulnerable to password extraction attacks.
  Published: January 15, 2026; 8:16:07 AM -0500
  V3.1: 7.5 HIGH
- CVE-2025-59964 - A Use of Uninitialized Resource vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on SRX4700 devices allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS). When forwarding-options samp...
  Published: October 09, 2025; 12:15:46 PM -0400
- CVE-2025-59962 - An Access of Uninitialized Pointer vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved with BGP sharding configured allows an attacker triggering indirect next-hop updates, along with timing outside...
  Published: October 09, 2025; 12:15:46 PM -0400