The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
- CVE-2026-0545 - In mlflow/mlflow, the FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization when the `basic-auth` app is enabled. This vulnerability affects the latest version of the repository. If job execution i...
  Published: April 03, 2026; 2:16:21 PM -0400 | V3.1: 9.8 CRITICAL
- CVE-2026-25043 - Budibase is an open-source low-code platform. Prior to version 3.23.25, a business logic vulnerability exists in Budibase’s password reset functionality due to the absence of rate limiting, CAPTCHA, or abuse prevention mechanisms on the “Forgot Pa...
  Published: April 03, 2026; 12:16:35 PM -0400 | V3.1: 7.5 HIGH
- CVE-2025-68153 - Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, any authentic...
  Published: April 03, 2026; 12:16:23 PM -0400 | V3.1: 6.5 MEDIUM
- CVE-2025-68152 - Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, it is possibl...
  Published: April 03, 2026; 12:16:23 PM -0400 | V3.1: 4.9 MEDIUM
- CVE-2025-64340 - FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, server names containing shell metacharacters (e.g., &) can cause command injection on Windows when passed to fastmcp install claude-code or fastmcp install ge...
  Published: April 03, 2026; 12:16:23 PM -0400 | V3.1: 7.8 HIGH
- CVE-2026-34717 - OpenProject is an open-source, web-based project management software. Prior to version 17.2.3, the =n operator in modules/reporting/lib/report/operator.rb:177 embeds user input directly into SQL WHERE clauses without parameterization. This issue h...
  Published: April 02, 2026; 2:16:33 PM -0400 | V3.1: 8.1 HIGH
- CVE-2026-32762 - Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21 and 3.2.0 to before 3.2.6, Rack::Utils.forwarded_values parses the RFC 7239 Forwarded header by splitting on semicolons before handling quoted-string values. B...
  Published: April 02, 2026; 2:16:27 PM -0400 | V3.1: 6.5 MEDIUM
- CVE-2026-26962 - Rack is a modular Ruby web server interface. From version 3.2.0 to before version 3.2.6, Rack::Multipart::Parser unfolds folded multipart part headers incorrectly. When a multipart header contains an obs-fold sequence, Rack preserves the embedded ...
  Published: April 02, 2026; 2:16:26 PM -0400 | V3.1: 6.5 MEDIUM
- CVE-2026-25212 - An issue was discovered in Percona PMM before 3.7. Because an internal database user retains specific superuser privileges, an attacker with pmm-admin rights can abuse the "Add data source" feature to break out of the database context and execute ...
  Published: April 02, 2026; 1:16:21 PM -0400
- CVE-2026-2737 - A vulnerability exists in Progress Flowmon versions prior to 12.5.8 and 13.0.6, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session.
  Published: April 02, 2026; 10:16:28 AM -0400 | V3.1: 6.1 MEDIUM
- CVE-2026-2701 - Authenticated user can upload a malicious file to the server and execute it, which leads to remote code execution.
  Published: April 02, 2026; 10:16:27 AM -0400 | V3.1: 8.8 HIGH
- CVE-2026-2699 - Customer Managed ShareFile Storage Zones Controller (SZC) allows an unauthenticated attacker to access restricted configuration pages. This leads to changing system configuration and potential remote code execution.
  Published: April 02, 2026; 10:16:27 AM -0400
- CVE-2026-35000 - ChangeDetection.io versions prior to 0.54.7 contain a protection bypass vulnerability in the SafeXPath3Parser implementation that allows attackers to read arbitrary local files by using unblocked XPath 3.0/3.1 functions such as json-doc() and simi...
  Published: April 01, 2026; 3:16:33 PM -0400 | V3.1: 6.5 MEDIUM
- CVE-2026-33978 - Notesnook is a note-taking app focused on user privacy & ease of use. Prior to version 3.3.17, a stored XSS vulnerability exists in the mobile share / web clip flow because attacker-controlled clip metadata is concatenated into HTML without escapi...
  Published: April 01, 2026; 1:28:39 PM -0400 | V3.1: 6.1 MEDIUM
- CVE-2026-4374 - Improper Restriction of XML External Entity Reference vulnerability in RTI Connext Professional (Routing Service, Observability Collector, Recording Service, Queueing Service, Cloud Discovery Service) allows Serialized Data External Linking, Data Seri...
  Published: March 31, 2026; 10:16:03 PM -0400 | V3.1: 9.1 CRITICAL
- CVE-2026-33631 - ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. In versions on the 4.1 branch and earlier, the opfilter Endpoint Security system extension enforced file access policy exclusively by intercepting...
  Published: March 26, 2026; 4:16:16 PM -0400
- CVE-2026-33340 - LoLLMs WEBUI provides the Web user interface for Lord of Large Language and Multi modal Systems. A critical Server-Side Request Forgery (SSRF) vulnerability has been identified in all known existing versions of `lollms-webui`. The `@router.post("/...
  Published: March 24, 2026; 1:16:44 PM -0400
- CVE-2026-33849 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in linkingvision rapidvms. This issue affects rapidvms: before PR#96.
  Published: March 24, 2026; 2:16:22 AM -0400
- CVE-2026-33848 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in linkingvision rapidvms. This issue affects rapidvms: before PR#96.
  Published: March 24, 2026; 2:16:21 AM -0400
- CVE-2026-33847 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in linkingvision rapidvms. This issue affects rapidvms: before PR#96.
  Published: March 24, 2026; 2:16:21 AM -0400