The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
Legal Disclaimer:
Here is where you can read the NVD legal disclaimer.
- CVE-2026-26170 - Improper input validation in Microsoft PowerShell allows an authorized attacker to elevate privileges locally.
  Published: April 14, 2026; 2:16:51 PM -0400
- CVE-2026-26172 - Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.
  Published: April 14, 2026; 2:16:51 PM -0400
- CVE-2026-26173 - Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
  Published: April 14, 2026; 2:16:52 PM -0400
- CVE-2026-34067 - nimiq-transaction provides the transaction primitive to be used in Nimiq's Rust implementation. Prior to version 1.3.0, `HistoryTreeProof::verify` panics on a malformed proof where `history.len() != positions.len()` due to `assert_eq!(history.len(...
  Published: April 22, 2026; 5:17:07 PM -0400
  V3.1: 6.5 MEDIUM
- CVE-2026-34066 - nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. Prior to version 1.3.0, `HistoryStore::put_historic_txns` uses an `assert!` to enforce invariants about `HistoricTransaction.block_number` (must be within the macr...
  Published: April 22, 2026; 4:16:41 PM -0400
- CVE-2026-34065 - nimiq-primitives contains primitives (e.g., block, account, transaction) to be used in Nimiq's Rust implementation. Prior to version 1.3.0, an untrusted p2p peer can cause a node to panic by announcing an election macro block whose `validators` se...
  Published: April 22, 2026; 4:16:41 PM -0400
- CVE-2026-34064 - nimiq-account contains account primitives to be used in Nimiq's Rust implementation. Prior to version 1.3.0, `VestingContract::can_change_balance` returns `AccountError::InsufficientFunds` when `new_balance < min_cap`, but it constructs the error ...
  Published: April 22, 2026; 4:16:40 PM -0400
  V3.1: 8.2 HIGH
- CVE-2026-34063 - Nimiq's network-libp2p is a Nimiq network implementation based on libp2p. Prior to version 1.3.0, `network-libp2p` discovery uses a libp2p `ConnectionHandler` state machine. The handler assumes there is at most one inbound and one outbound discove...
  Published: April 22, 2026; 4:16:40 PM -0400
- CVE-2026-34062 - nimiq-libp2p is a Nimiq network implementation based on libp2p. Prior to version 1.3.0, `MessageCodec::read_request` and `read_response` call `read_to_end()` on inbound substreams, so a remote peer can send only a partial frame and keep the substr...
  Published: April 22, 2026; 4:16:40 PM -0400
- CVE-2026-33471 - nimiq-block contains block primitives to be used in Nimiq's Rust implementation. `SkipBlockProof::verify` computes its quorum check using `BitSet.len()`, then iterates `BitSet` indices and casts each `usize` index to `u16` (`slot as u16`) for slot...
  Published: April 22, 2026; 4:16:40 PM -0400
- CVE-2026-32605 - nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, an untrusted peer could crash a validator by publishing a signed tendermint proposal message ...
  Published: April 13, 2026; 4:16:33 PM -0400
- CVE-2026-40093 - nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. In 1.3.0 and earlier, block timestamp validation enforces that timestamp >= parent.timestamp for non-skip blocks and timestamp == parent.timestamp + MIN_PRODUCER_T...
  Published: April 09, 2026; 5:16:11 PM -0400
- CVE-2026-34069 - nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. In versions 1.2.2 and below, an unauthenticated p2p peer can cause the RequestMacroChain message handler task to pani...
  Published: April 13, 2026; 8:16:07 PM -0400
- CVE-2026-34068 - nimiq-transaction provides the transaction primitive to be used in Nimiq's Rust implementation. Prior to version 1.3.0, the staking contract accepts `UpdateValidator` transactions that set `new_voting_key=Some(...)` while omitting `new_proof_of_kn...
  Published: April 22, 2026; 5:17:08 PM -0400
- CVE-2026-40070 - BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.3.1 to before 0.8.2, BSV::Wallet::WalletClient#acquire_certificate persists certificate records to storage without verifying the certifier's signature over the certificate contents. In ac...
  Published: April 09, 2026; 2:17:03 PM -0400
- CVE-2026-40477 - Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to preve...
  Published: April 17, 2026; 6:16:33 PM -0400
- CVE-2026-40478 - Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to p...
  Published: April 17, 2026; 6:16:33 PM -0400
- CVE-2026-40481 - monetr is a budgeting application for recurring expenses. In versions 1.12.3 and below, the public Stripe webhook endpoint buffers the entire request body into memory before validating the Stripe signature. A remote unauthenticated attacker can se...
  Published: April 17, 2026; 7:16:12 PM -0400
  V3.1: 7.5 HIGH
- CVE-2026-40347 - Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.26 have a denial of service vulnerability when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections. Upgrade to version 0.0.26 or...
  Published: April 17, 2026; 8:16:38 PM -0400
- CVE-2026-22683 - Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented a...
  Published: April 07, 2026; 1:16:27 PM -0400
  V3.1: 8.8 HIGH