The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries, with CVSS Severity
  • CVE-2026-40248 - free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the handler for creating or updating Traffic Influence Subscriptions checks whether the influenceId path segment equals subs-to-notify...
    Published: April 16, 2026; 6:16:38 PM -0400

    V3.1: 7.5 HIGH

  • CVE-2026-40907 - WWBN AVideo is an open source video platform. In versions 29.0 and prior, the endpoint `plugin/Live/view/Live_restreams/list.json.php` contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user with stream...
    Published: April 21, 2026; 4:17:03 PM -0400

  • CVE-2026-40908 - WWBN AVideo is an open source video platform. In versions 29.0 and prior, the file `git.json.php` at the web root executes `git log -1` and returns the full output as JSON to any unauthenticated user. This exposes the exact deployed commit hash (e...
    Published: April 21, 2026; 4:17:03 PM -0400

  • CVE-2026-26174 - Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Server Update Service allows an authorized attacker to elevate privileges locally.
    Published: April 14, 2026; 2:16:52 PM -0400

  • CVE-2026-26175 - Use of uninitialized resource in Windows Boot Manager allows an unauthorized attacker to bypass a security feature with a physical attack.
    Published: April 14, 2026; 2:16:52 PM -0400

  • CVE-2026-26176 - Heap-based buffer overflow in Windows Client Side Caching driver (csc.sys) allows an authorized attacker to elevate privileges locally.
    Published: April 14, 2026; 2:16:53 PM -0400

  • CVE-2026-40909 - WWBN AVideo is an open source video platform. In versions 29.0 and prior, the locale save endpoint (`locale/save.php`) constructs a file path by directly concatenating `$_POST['flag']` into the path at line 30 without any sanitization. The `$_POST...
    Published: April 21, 2026; 4:17:03 PM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2026-34283 - Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware (component: Identity Console). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker ...
    Published: April 21, 2026; 5:16:32 PM -0400

  • CVE-2026-34284 - Vulnerability in the Oracle Business Process Management Suite product of Oracle Fusion Middleware (component: Human workflow 11g+). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unaut...
    Published: April 21, 2026; 5:16:32 PM -0400

  • CVE-2026-34291 - Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network ac...
    Published: April 21, 2026; 5:16:33 PM -0400

  • CVE-2026-34292 - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows high privileged attacker with network ...
    Published: April 21, 2026; 5:16:34 PM -0400

  • CVE-2026-26177 - Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
    Published: April 14, 2026; 2:16:53 PM -0400

  • CVE-2026-26178 - Integer size truncation in Windows Advanced Rasterization Platform (WARP) allows an unauthorized attacker to elevate privileges locally.
    Published: April 14, 2026; 2:16:53 PM -0400

  • CVE-2026-26179 - Double free in Windows Kernel allows an authorized attacker to elevate privileges locally.
    Published: April 14, 2026; 2:16:54 PM -0400

  • CVE-2026-35587 - Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, a Server-Side Request Forgery (SSRF) vulnerability exists in the Glances IP plugin due to improper validation of the public_api configuration parameter. The v...
    Published: April 20, 2026; 8:16:29 PM -0400

    V3.1: 8.8 HIGH

  • CVE-2026-32311 - Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Flowsint allows a user to create investigations, which are used to manage sketches and analyses. Sketches have contro...
    Published: April 20, 2026; 4:16:48 PM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2026-26180 - Heap-based buffer overflow in Windows Kernel allows an authorized attacker to elevate privileges locally.
    Published: April 14, 2026; 2:16:54 PM -0400

  • CVE-2026-35570 - OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Versions prior to 0.5.1 have a logic flaw in `bashToolHasPermission()` inside `src/tools/BashTool/bashPermissions.ts`. When the sandbox auto-allo...
    Published: April 20, 2026; 8:16:28 PM -0400

  • CVE-2026-39861 - Claude Code is an agentic coding tool. Prior to version 2.1.64, Claude Code's sandbox did not prevent sandboxed processes from creating symlinks pointing to locations outside the workspace. When Claude Code subsequently wrote to a path within such...
    Published: April 20, 2026; 9:16:06 PM -0400

  • CVE-2026-30924 - qui is a web interface for managing qBittorrent instances. Versions 1.14.1 and below use a permissive CORS policy that reflects arbitrary origins while also returning Access-Control-Allow-Credentials: true, effectively allowing any external webpag...
    Published: March 19, 2026; 5:17:09 PM -0400

    V3.1: 9.6 CRITICAL

Created September 20, 2022, Updated August 27, 2024