The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries (CVSS Severity)
  • CVE-2026-22597 - Ghost is a Node.js content management system. In versions 5.38.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost’s media inliner mechanism allows staff users in possession of a valid authentication token for the Ghost Admin API ...
    Published: January 09, 2026; 10:15:50 PM -0500

    V3.1: 2.7 LOW

  • CVE-2026-22596 - Ghost is a Node.js content management system. In versions 5.90.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's /ghost/api/admin/members/events endpoint allows users with authentication credentials for the Admin API to execut...
    Published: January 09, 2026; 10:15:50 PM -0500

    V3.1: 7.2 HIGH

  • CVE-2026-22595 - Ghost is a Node.js content management system. In versions 5.121.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's handling of Staff Token authentication allowed certain endpoints to be accessed that were only intended to be ac...
    Published: January 09, 2026; 10:15:50 PM -0500

  • CVE-2025-63212 - GatesAir Flexiva-LX devices on firmware 1.0.13 and 2.0, including models LX100, LX300, LX600, and LX1000, expose sensitive session identifiers (sid) in the publicly accessible log file located at /log/Flexiva%20LX.log. An unauthenticated attacker ...
    Published: November 19, 2025; 3:15:53 PM -0500

  • CVE-2026-20923 - Use after free in Windows Management Services allows an authorized attacker to elevate privileges locally.
    Published: January 13, 2026; 1:16:18 PM -0500

    V3.1: 7.8 HIGH

  • CVE-2026-22594 - Ghost is a Node.js content management system. In versions 5.105.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's 2FA mechanism allows staff users to skip email 2FA. This issue has been patched in versions 5.130.6 and 6.11.0.
    Published: January 09, 2026; 10:15:50 PM -0500

  • CVE-2025-65089 - XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Prior to version 1.27.0, a user with no view rights on a page may see the content of an office attachment displayed with the view file macr...
    Published: November 19, 2025; 1:15:51 PM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2025-65026 - esm.sh is a nobuild content delivery network (CDN) for modern web development. Prior to version 136, the esm.sh CDN service contains a Template Literal Injection vulnerability (CWE-94) in its CSS-to-JavaScript module conversion feature. When a CSS ...
    Published: November 19, 2025; 1:15:50 PM -0500

    V3.1: 9.6 CRITICAL

  • CVE-2025-65025 - esm.sh is a nobuild content delivery network (CDN) for modern web development. Prior to version 136, the esm.sh CDN service is vulnerable to path traversal during NPM package tarball extraction. An attacker can craft a malicious NPM package contain...
    Published: November 19, 2025; 1:15:49 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2026-21874 - NiceGUI is a Python-based UI framework. From versions v2.10.0 to 3.4.1, an unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Connections are...
    Published: January 08, 2026; 5:15:55 AM -0500

  • CVE-2026-21873 - NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the pushstate event listener used by ui.sub_pages allows an attacker to manipulate the fragment identifier of the URL, which they can do despite bei...
    Published: January 08, 2026; 5:15:55 AM -0500

    V3.1: 6.1 MEDIUM

  • CVE-2026-21872 - NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the click event listener used by ui.sub_pages, combined with attacker-controlled link rendering on the page, causes XSS when the user actively click...
    Published: January 08, 2026; 5:15:55 AM -0500

  • CVE-2026-21871 - NiceGUI is a Python-based UI framework. From versions 2.13.0 to 3.4.1, there is an XSS risk in NiceGUI when developers pass attacker-controlled strings into ui.navigate.history.push() or ui.navigate.history.replace(). These helpers are documented a...
    Published: January 08, 2026; 5:15:55 AM -0500

  • CVE-2026-0701 - A vulnerability was identified in code-projects Intern Membership Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /intern/admin/add_admin.php. The manipulation of the argument Username leads to sql inj...
    Published: January 08, 2026; 3:15:45 AM -0500

    V3.1: 7.2 HIGH

  • CVE-2025-14405 - PDFsam Enhanced Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows physically-present attackers to escalate privileges on affected installations of PDFsam Enhanced. An attacker must first obtain th...
    Published: December 23, 2025; 5:15:47 PM -0500

    V3.1: 6.8 MEDIUM

  • CVE-2025-68962 - Multi-thread race condition vulnerability in the camera framework module. Impact: Successful exploitation of this vulnerability may affect availability.
    Published: January 13, 2026; 10:15:50 PM -0500

    V3.1: 4.7 MEDIUM

  • CVE-2025-68961 - Multi-thread race condition vulnerability in the camera framework module. Impact: Successful exploitation of this vulnerability may affect availability.
    Published: January 13, 2026; 10:15:50 PM -0500

    V3.1: 4.7 MEDIUM

  • CVE-2025-68960 - Multi-thread race condition vulnerability in the video framework module. Impact: Successful exploitation of this vulnerability may affect availability.
    Published: January 13, 2026; 10:15:50 PM -0500

    V3.1: 4.7 MEDIUM

  • CVE-2025-68959 - Permission verification bypass vulnerability in the media library module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.
    Published: January 13, 2026; 10:15:50 PM -0500

    V3.1: 5.5 MEDIUM

  • CVE-2025-68958 - Multi-thread race condition vulnerability in the card framework module. Impact: Successful exploitation of this vulnerability may affect availability.
    Published: January 13, 2026; 10:15:50 PM -0500

    V3.1: 4.7 MEDIUM

Created September 20, 2022, Updated August 27, 2024