
The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries (with CVSS Severity where scored)
  • CVE-2026-33631 - ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. In versions on the 4.1 branch and earlier, the opfilter Endpoint Security system extension enforced file access policy exclusively by intercepting... read CVE-2026-33631
    Published: March 26, 2026; 4:16:16 PM -0400

  • CVE-2026-33340 - LoLLMs WEBUI provides the Web user interface for Lord of Large Language and Multi modal Systems. A critical Server-Side Request Forgery (SSRF) vulnerability has been identified in all known existing versions of `lollms-webui`. The `@router.post("/... read CVE-2026-33340
    Published: March 24, 2026; 1:16:44 PM -0400

  • CVE-2026-33849 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in linkingvision rapidvms. This issue affects rapidvms: before PR#96.
    Published: March 24, 2026; 2:16:22 AM -0400

  • CVE-2026-33848 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in linkingvision rapidvms. This issue affects rapidvms: before PR#96.
    Published: March 24, 2026; 2:16:21 AM -0400

  • CVE-2026-33847 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in linkingvision rapidvms. This issue affects rapidvms: before PR#96.
    Published: March 24, 2026; 2:16:21 AM -0400

  • CVE-2026-33392 - In JetBrains YouTrack before 2025.3.131383 high privileged user can achieve RCE via sandbox bypass
    Published: April 17, 2026; 4:16:17 AM -0400

  • CVE-2026-40160 - PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, web_crawl's httpx fallback path passes user-supplied URLs directly to httpx.AsyncClient.get() with follow_redirects=True and no host validation. An LLM agent tricked into crawling an... read CVE-2026-40160
    Published: April 10, 2026; 1:17:13 PM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2026-30624 - Agent Zero 0.9.8 contains a remote code execution vulnerability in its External MCP Servers configuration feature. The application allows users to define MCP servers using a JSON configuration containing arbitrary command and args values. These va... read CVE-2026-30624
    Published: April 15, 2026; 12:16:36 PM -0400

  • CVE-2026-30461 - Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the /controllers/Installer.php and the function add_git_submodule.
    Published: April 15, 2026; 12:16:36 PM -0400

  • CVE-2025-12141 - In Grafana's alerting system, users with edit permissions for a contact point, specifically the permissions “alert.notifications:write” or “alert.notifications.receivers:test” that are granted as part of the fixed role "Contact Point Writer", whic... read CVE-2025-12141
    Published: April 15, 2026; 12:16:33 PM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2025-41118 - Pyroscope is an open-source continuous profiling database. The database supports various storage backends, including Tencent Cloud Object Storage (COS). If the database is configured to use Tencent COS as the storage backend, an attacker could ex... read CVE-2025-41118
    Published: April 15, 2026; 4:16:32 PM -0400

  • CVE-2026-21726 - The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/{namespace} Thanks to Prasanth Sundararaj... read CVE-2026-21726
    Published: April 15, 2026; 4:16:34 PM -0400

  • CVE-2026-21727 - --- title: Cross-Tenant Legacy Correlation Disclosure and Deletion draft: false hero: image: /static/img/heros/hero-legal2.svg content: "# Cross-Tenant Legacy Correlation Disclosure and Deletion" date: 2026-01-29 product: Grafana severity: Low... read CVE-2026-21727
    Published: April 15, 2026; 4:16:34 PM -0400

  • CVE-2026-33756 - Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, Saleor supports query batching by submitting multiple GraphQL operations in a single HTTP request as a JSON array but wasn't enforcing any upper limit... read CVE-2026-33756
    Published: April 08, 2026; 2:26:00 PM -0400

  • CVE-2026-35401 - Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, a malicious actor can include many GraphQL mutations or queries in a single API call using aliases or chaining multiple mutations, resulting in resour... read CVE-2026-35401
    Published: April 08, 2026; 3:25:23 PM -0400

  • CVE-2026-39851 - Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, the requestEmailChange() mutation was revealing the existence of user-provided email addresses in error messages. This vulnerability is fixed in 3.23... read CVE-2026-39851
    Published: April 08, 2026; 3:25:26 PM -0400

    V3.1: 4.3 MEDIUM

  • CVE-2026-40156 - PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI automatically loads a file named tools.py from the current working directory to discover and register custom agent tools. This loading process uses importlib.util.spec_from_file_... read CVE-2026-40156
    Published: April 10, 2026; 1:17:13 PM -0400

  • CVE-2026-34727 - Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the OIDC callback handler issues a full JWT token without checking whether the matched user has TOTP two-factor authentication enabled. When a local user with TOTP enr... read CVE-2026-34727
    Published: April 10, 2026; 12:16:31 PM -0400

    V3.1: 9.1 CRITICAL

  • CVE-2026-40153 - PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the execute_command function in shell_tools.py calls os.path.expandvars() on every command argument at line 64, manually re-implementing shell-level environment variable expansion de... read CVE-2026-40153
    Published: April 09, 2026; 6:16:36 PM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2026-40962 - FFmpeg before 8.1 has an integer overflow and resultant out-of-bounds write via CENC (Common Encryption) subsample data to libavformat/mov.c.
    Published: April 15, 2026; 10:16:12 PM -0400

    V3.1: 9.8 CRITICAL

Created September 20, 2022, Updated August 27, 2024