
NOTICE UPDATED - April 25th, 2024

NIST has updated the NVD program announcement page with additional information regarding recent concerns and the temporary delays in enrichment efforts.


The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries, with CVSS Severity
  • CVE-2023-6837 - Multiple WSO2 products have been identified as vulnerable to perform user impersonation using JIT provisioning. In order for this vulnerability to have any impact on your deployment, following conditions must be met: * An IDP configured for fe... read CVE-2023-6837
    Published: December 15, 2023; 5:15:09 AM -0500

    V3.1: 8.2 HIGH

  • CVE-2022-48656 - In the Linux kernel, the following vulnerability has been resolved: dmaengine: ti: k3-udma-private: Fix refcount leak bug in of_xudma_dev_get() We should call of_node_put() for the reference returned by of_parse_phandle() in fail path or when it... read CVE-2022-48656
    Published: April 28, 2024; 9:15:07 AM -0400

    V3.1: 5.5 MEDIUM

  • CVE-2022-48657 - In the Linux kernel, the following vulnerability has been resolved: arm64: topology: fix possible overflow in amu_fie_setup() cpufreq_get_hw_max_freq() returns max frequency in kHz as *unsigned int*, while freq_inv_set_max_ratio() gets passed th... read CVE-2022-48657
    Published: April 28, 2024; 9:15:07 AM -0400

    V3.1: 7.8 HIGH

  • CVE-2024-4671 - Use after free in Visuals in Google Chrome prior to 124.0.6367.201 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
    Published: May 14, 2024; 11:44:15 AM -0400

    V3.1: 9.6 CRITICAL

  • CVE-2024-4040 - A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gai... read CVE-2024-4040
    Published: April 22, 2024; 4:15:07 PM -0400

  • CVE-2024-3400 - A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to ... read CVE-2024-3400
    Published: April 12, 2024; 4:15:06 AM -0400

  • CVE-2024-3167 - The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘twitter_username’ parameter in versions up to, and including, 2.2.6 due to insufficient input sanitization and output escaping. This makes it possible for a... read CVE-2024-3167
    Published: April 09, 2024; 3:15:39 PM -0400

    V3.1: 6.4 MEDIUM

  • CVE-2024-3159 - Out of bounds memory access in V8 in Google Chrome prior to 123.0.6312.105 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)
    Published: April 06, 2024; 11:15:26 AM -0400

    V3.1: 8.8 HIGH

  • CVE-2024-3158 - Use after free in Bookmarks in Google Chrome prior to 123.0.6312.105 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
    Published: April 06, 2024; 11:15:26 AM -0400

    V3.1: 8.8 HIGH

  • CVE-2024-3156 - Inappropriate implementation in V8 in Google Chrome prior to 123.0.6312.105 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
    Published: April 06, 2024; 11:15:26 AM -0400

    V3.1: 8.8 HIGH

  • CVE-2024-31497 - In PuTTY 0.68 through 0.80 before 0.81, biased ECDSA nonce generation allows an attacker to recover a user's NIST P-521 secret key via a quick attack in approximately 60 signatures. This is especially important in a scenario where an adversary is ... read CVE-2024-31497
    Published: April 15, 2024; 4:15:11 PM -0400

    V3.1: 5.9 MEDIUM

  • CVE-2024-31353 - Insertion of Sensitive Information into Log File vulnerability in Tribulant Slideshow Gallery. This issue affects Slideshow Gallery: from n/a through 1.7.8.
    Published: April 10, 2024; 12:15:14 PM -0400

    V3.1: 5.3 MEDIUM

  • CVE-2024-31302 - Exposure of Sensitive Information to an Unauthorized Actor vulnerability in CodePeople Contact Form Email. This issue affects Contact Form Email: from n/a through 1.3.44.
    Published: April 10, 2024; 12:15:14 PM -0400

    V3.1: 5.3 MEDIUM

  • CVE-2024-31138 - In JetBrains TeamCity before 2024.03 XSS was possible via Agent Distribution settings
    Published: March 28, 2024; 11:15:47 AM -0400

    V3.1: 5.4 MEDIUM

  • CVE-2024-31137 - In JetBrains TeamCity before 2024.03 reflected XSS was possible via Space connection configuration
    Published: March 28, 2024; 11:15:47 AM -0400

    V3.1: 6.1 MEDIUM

  • CVE-2024-31135 - In JetBrains TeamCity before 2024.03 open redirect was possible on the login page
    Published: March 28, 2024; 11:15:47 AM -0400

    V3.1: 6.1 MEDIUM

  • CVE-2024-3097 - The WordPress Gallery Plugin – NextGEN Gallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_item function in versions up to, and including, 3.59. This makes it possible for unauthen... read CVE-2024-3097
    Published: April 09, 2024; 3:15:39 PM -0400

    V3.1: 5.3 MEDIUM

  • CVE-2024-30621 - Tenda AX1803 v1.0.0.1 contains a stack overflow via the serverName parameter in the function fromAdvSetMacMtuWan.
    Published: April 02, 2024; 10:15:08 AM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2024-30620 - Tenda AX1803 v1.0.0.1 contains a stack overflow via the serviceName parameter in the function fromAdvSetMacMtuWan.
    Published: April 02, 2024; 10:15:08 AM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2024-30051 - Windows DWM Core Library Elevation of Privilege Vulnerability
    Published: May 14, 2024; 1:17:21 PM -0400

    V3.1: 7.8 HIGH

Created September 20, 2022, Updated April 25, 2024