The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics (CVSS scores).

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries (with CVSS Severity)
  • CVE-2024-49310 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Themesflat Themesflat Addons For Elementor allows Stored XSS. This issue affects Themesflat Addons For Elementor: from n/a through 2.2.0.
    Published: October 17, 2024; 3:15:24 PM -0400

    V3.1: 5.4 MEDIUM

  • CVE-2024-41785 - IBM Concert Software 1.0.0 through 1.0.1 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to ... read CVE-2024-41785
    Published: November 15, 2024; 10:15:07 AM -0500

    V3.1: 6.1 MEDIUM

  • CVE-2024-43189 - IBM Concert Software 1.0.0 through 1.0.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive infor... read CVE-2024-43189
    Published: November 15, 2024; 10:15:07 AM -0500

    V3.1: 5.9 MEDIUM

  • CVE-2024-11650 - A vulnerability was found in Tenda i9 1.0.0.8(3828) and classified as critical. This issue affects the function websReadEvent of the file /goform/GetIPTV. The manipulation leads to null pointer dereference. The attack may be initiated remotely. Th... read CVE-2024-11650
    Published: November 24, 2024; 10:15:06 PM -0500

    V3.1: 7.5 HIGH

  • CVE-2024-53028 - Memory corruption may occur while processing message from frontend during allocation.
    Published: March 03, 2025; 6:15:14 AM -0500

    V3.1: 7.0 HIGH

  • CVE-2024-43055 - Memory corruption while processing camera use case IOCTL call.
    Published: March 03, 2025; 6:15:11 AM -0500

    V3.1: 7.8 HIGH

  • CVE-2024-12584 - The 140+ Widgets | Xpro Addons For Elementor – FREE plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.6.2 via the 'duplicate' function. This makes it possible for authenticated attackers... read CVE-2024-12584
    Published: January 08, 2025; 2:15:26 AM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2024-38316 - IBM Aspera Shares 1.9.0 through 1.10.0 PL6 does not properly rate limit the frequency that an authenticated user can send emails, which could result in email flooding or a denial of service.
    Published: February 05, 2025; 6:15:08 PM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2024-56473 - IBM Aspera Shares 1.9.0 through 1.10.0 PL6 could allow an attacker to spoof their IP address, which is written to log files, due to improper verification of 'Client-IP' headers.
    Published: February 05, 2025; 6:15:10 PM -0500

  • CVE-2024-13796 - The Post Grid and Gutenberg Blocks – ComboBlocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.3.6 via the /wp-json/post-grid/v2/get_users REST API This makes it possible for unauthent... read CVE-2024-13796
    Published: February 28, 2025; 12:15:32 AM -0500

    V3.1: 7.5 HIGH

  • CVE-2025-0801 - The RateMyAgent Official plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.0. This is due to missing or incorrect nonce validation on the 'rma-settings-wizard'. This makes it possible for un... read CVE-2025-0801
    Published: February 28, 2025; 12:15:33 AM -0500

    V3.1: 4.3 MEDIUM

  • CVE-2025-1505 - The Advanced AJAX Product Filters plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'nonce' parameter in all versions up to, and including, 1.6.8.1 due to insufficient input sanitization and output escaping. This makes i... read CVE-2025-1505
    Published: February 28, 2025; 12:15:33 AM -0500

    V3.1: 6.1 MEDIUM

  • CVE-2024-45195 - Direct Request ('Forced Browsing') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue.
    Published: September 04, 2024; 5:15:04 AM -0400

    V3.1: 7.5 HIGH

  • CVE-2020-1956 - Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1, has some RESTful APIs which concatenate an OS command with the user input string; a user is likely able to execute any OS command without any protection or validation.
    Published: May 22, 2020; 10:15:11 AM -0400

    V3.1: 8.8 HIGH
    V2.0: 9.0 HIGH

  • CVE-2018-7841 - A SQL Injection (CWE-89) vulnerability exists in U.motion Builder software version 1.3.4 which could cause unwanted code execution when an improper set of characters is entered.
    Published: May 22, 2019; 4:29:01 PM -0400

    V3.1: 9.8 CRITICAL
    V2.0: 7.5 HIGH

  • CVE-2025-1757 - The WordPress Portfolio Builder – Portfolio Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pfhub_portfolio' and 'pfhub_portfolio_portfolio' shortcodes in all versions up to, and including, 1.1.7 due to ... read CVE-2025-1757
    Published: February 28, 2025; 12:15:34 AM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2018-17480 - Execution of user supplied Javascript during array deserialization leading to an out of bounds write in V8 in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
    Published: December 11, 2018; 11:29:00 AM -0500

    V3.1: 8.8 HIGH
    V2.0: 6.8 MEDIUM

  • CVE-2017-9805 - The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializin... read CVE-2017-9805
    Published: September 15, 2017; 3:29:00 PM -0400

    V3.1: 8.1 HIGH
    V2.0: 6.8 MEDIUM

  • CVE-2016-1646 - The Array.prototype.concat implementation in builtins.cc in Google V8, as used in Google Chrome before 49.0.2623.108, does not properly consider element data types, which allows remote attackers to cause a denial of service (out-of-bounds read) or... read CVE-2016-1646
    Published: March 29, 2016; 6:59:00 AM -0400

    V3.1: 8.8 HIGH
    V2.0: 9.3 HIGH

  • CVE-2015-4852 - The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_c... read CVE-2015-4852
    Published: November 18, 2015; 10:59:00 AM -0500

    V3.1: 9.8 CRITICAL
    V2.0: 7.5 HIGH
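The CVE-2024-56473 entry describes a generic pattern: the application writes a client-controlled 'Client-IP' header into its logs without checking whether anything in front of it is entitled to set that header. The following is an added example (not IBM's code, and not derived from the Aspera Shares fix) showing the naive resolver next to a hardened one. The trusted-proxy ranges, header names and sample requests are constructed assumptions for the illustration.

```python
import ipaddress

# Assumption for this example: only these networks host reverse proxies that
# are allowed to set forwarding headers for the application.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.10/32"),
]
# Header names consulted, in order of preference (constructed for the example).
FORWARDING_HEADERS = ("client-ip", "x-forwarded-for")


def client_ip_naive(peer_ip, headers):
    """Vulnerable pattern: any request header wins over the TCP peer address,
    so a direct client can put an arbitrary string into the access log."""
    h = {k.lower(): v for k, v in headers.items()}
    return h.get("client-ip") or h.get("x-forwarded-for") or peer_ip


def client_ip_hardened(peer_ip, headers):
    """Consult forwarding headers only when the TCP peer is a trusted proxy,
    use the address that proxy appended (the last list element), and require
    it to parse as an IP address so no free-form text reaches the log."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return str(peer)  # direct connection: headers are attacker-controlled
    h = {k.lower(): v for k, v in headers.items()}
    for name in FORWARDING_HEADERS:
        if name in h:
            candidate = h[name].split(",")[-1].strip()
            try:
                return str(ipaddress.ip_address(candidate))
            except ValueError:
                return str(peer)  # malformed value: fall back rather than log it
    return str(peer)


def access_log_line(method, path, peer_ip, headers):
    """Log line as the hardened resolver would produce it."""
    return f"{client_ip_hardened(peer_ip, headers)} {method} {path}"


if __name__ == "__main__":
    # Constructed sample requests.
    direct_spoof = ("203.0.113.5", {"Client-IP": "127.0.0.1"})
    via_proxy = ("10.0.0.2", {"X-Forwarded-For": "127.0.0.1, 198.51.100.7"})
    log_injection = ("10.0.0.2", {"Client-IP": "1.2.3.4 user=admin\n"})
    for peer, hdrs in (direct_spoof, via_proxy, log_injection):
        print(f"naive={client_ip_naive(peer, hdrs)!r}  "
              f"hardened={client_ip_hardened(peer, hdrs)!r}")
```

Taking the last element of a comma-separated chain is correct only when exactly one trusted proxy appends to the header; with a chain of several trusted hops, walk the list from the right and skip every address that is itself a trusted proxy.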

Created September 20, 2022, Updated August 27, 2024