

The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries CVSS Severity
  • CVE-2025-10172 - A flaw has been found in UTT 750W up to 3.2.2-191225. This issue affects some unknown processing of the file /goform/formPictureUrl. Executing manipulation of the argument importpictureurl can lead to buffer overflow. The attack can be executed re...
    Published: September 09, 2025; 7:15:29 PM -0400

  • CVE-2025-66407 - Weblate is a web based localization tool. The Create Component functionality in Weblate allows authorized users to add new translation components by specifying both a version control system and a source code repository URL to pull from. However, p...
    Published: December 15, 2025; 7:16:02 PM -0500

    V3.1: 5.0 MEDIUM

  • CVE-2026-0699 - A vulnerability was found in code-projects Intern Membership Management System 1.0. This impacts an unknown function of the file /intern/admin/edit_activity.php. Performing a manipulation of the argument activity_id results in sql injection. Remot...
    Published: January 08, 2026; 2:15:49 AM -0500

    V3.1: 7.2 HIGH

  • CVE-2026-0700 - A vulnerability was determined in code-projects Intern Membership Management System 1.0. Affected is an unknown function of the file /intern/admin/check_admin.php. Executing a manipulation of the argument Username can lead to sql injection. The at...
    Published: January 08, 2026; 2:15:49 AM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2025-62004 - BullWall Server Intrusion Protection services are initialized after login services. An authenticated attacker with administrative permissions can log in after boot and bypass MFA. SIP service does not retroactively enforce the challenge or disconn...
    Published: December 18, 2025; 4:15:54 PM -0500

  • CVE-2025-62003 - BullWall Server Intrusion Protection has a noticeable delay before the MFA check when connecting via RDP. A remote authenticated attacker with administrative privileges can potentially bypass detection during this window. Versions 4.6.0.0, 4.6.0.6...
    Published: December 18, 2025; 4:15:54 PM -0500

  • CVE-2025-56424 - An issue in Insiders Technologies GmbH e-invoice pro before release 1 Service Pack 2 allows a remote attacker to cause a denial of service via a crafted script
    Published: January 08, 2026; 12:15:47 PM -0500

  • CVE-2025-62002 - BullWall Ransomware Containment relies on the number of file modifications to trigger detection. An authenticated attacker could encrypt a single large file without triggering a detection alert. Versions 4.6.0.0, 4.6.0.6, 4.6.0.7, and 4.6.1.4 were...
    Published: December 18, 2025; 4:15:54 PM -0500

    V3.1: 8.1 HIGH

  • CVE-2025-62001 - BullWall Ransomware Containment contains excluded file paths, such as '$recycle.bin' that are not monitored. An attacker with file write permissions could bypass detection by renaming a directory. Versions 4.6.0.0, 4.6.0.6, 4.6.0.7, and 4.6.1.4 we...
    Published: December 18, 2025; 4:15:53 PM -0500

  • CVE-2026-21891 - ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions up to and including 1.5.0, the application checks the validity of the username but appears to skip, misinterpret, or incorrectly validate th...
    Published: January 08, 2026; 9:15:57 AM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2025-62000 - BullWall Ransomware Containment does not entirely inspect a file to determine if it is ransomware. An authenticated attacker could bypass detection by encrypting a file and leaving the first four bytes unaltered. Versions 4.6.0.0, 4.6.0.6, 4.6.0.7...
    Published: December 18, 2025; 4:15:53 PM -0500

  • CVE-2025-1885 - URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Restajet Information Technologies Inc. Online Food Delivery System allows Phishing, Forceful Browsing. This issue affects Online Food Delivery System: through 19122025.
    Published: December 19, 2025; 7:15:45 AM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2025-1927 - Cross-Site Request Forgery (CSRF) vulnerability in Restajet Information Technologies Inc. Online Food Delivery System allows Cross Site Request Forgery. This issue affects Online Food Delivery System: through 19122025.
    Published: December 19, 2025; 7:15:45 AM -0500

    V3.1: 7.1 HIGH

  • CVE-2025-1928 - Improper Restriction of Excessive Authentication Attempts vulnerability in Restajet Information Technologies Inc. Online Food Delivery System allows Password Recovery Exploitation. This issue affects Online Food Delivery System: through 19122025.
    Published: December 19, 2025; 8:16:03 AM -0500

    V3.1: 9.1 CRITICAL

  • CVE-2025-14910 - A vulnerability was detected in Edimax BR-6208AC 1.02. This impacts the function handle_retr of the component FTP Daemon Service. The manipulation results in path traversal. The attack may be launched remotely. The exploit is now public and may be...
    Published: December 18, 2025; 9:16:04 PM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2026-21885 - Miniflux 2 is an open source feed reader. Prior to version 2.2.16, Miniflux's media proxy endpoint (`GET /proxy/{encodedDigest}/{encodedURL}`) can be abused to perform Server-Side Request Forgery (SSRF). An authenticated user can cause Miniflux to...
    Published: January 08, 2026; 9:15:57 AM -0500

  • CVE-2025-35010 - Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue in the AT+MNPINGTM command that can lead to privilege escalation. This is an instance of CWE-88, "Improper Neutra...
    Published: June 08, 2025; 5:15:32 PM -0400

  • CVE-2025-35009 - Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue in the AT+MNNETSP command that can lead to privilege escalation. This is an instance of CWE-88, "Improper Neutral...
    Published: June 08, 2025; 5:15:32 PM -0400

  • CVE-2025-35008 - Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue in the AT+MMNAME command that can lead to privilege escalation. This is an instance of CWE-88, "Improper Neutrali...
    Published: June 08, 2025; 5:15:32 PM -0400

  • CVE-2025-35007 - Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue in the AT+MFRULE command that can lead to privilege escalation. This is an instance of CWE-88, "Improper Neutrali...
    Published: June 08, 2025; 5:15:32 PM -0400

Created September 20, 2022, Updated August 27, 2024