The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
- CVE-2026-32945 - PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a Heap-based Buffer Overflow vulnerability in the DNS parser's name length handler. This impacts applications using PJSIP's built-in DNS reso...
  Published: March 20, 2026; 12:16:49 AM -0400 | V3.1: 9.8 CRITICAL
- CVE-2026-32942 - PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below contain a heap use-after-free vulnerability in the ICE session that occurs when there are race conditions between session destruction and the c...
  Published: March 20, 2026; 12:16:49 AM -0400 | V3.1: 8.1 HIGH
- CVE-2026-33143 - OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the WhatsApp POST webhook handler (/notification/whatsapp/webhook) processes incoming status update events without verifying the Meta/WhatsApp X-Hub-Sig...
  Published: March 20, 2026; 5:17:14 PM -0400 | V3.1: 7.5 HIGH
- CVE-2026-33142 - OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the fix for CVE-2026-32306 (ClickHouse SQL injection via aggregate query parameters) added column name validation to the _aggregateBy method but did not...
  Published: March 20, 2026; 5:17:14 PM -0400
- CVE-2026-27935 - Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a vulnerability in an API endpoint that discloses private topic metadata of admin users to moderator users even if the moderators do ...
  Published: March 19, 2026; 6:16:30 PM -0400 | V3.1: 6.5 MEDIUM
- CVE-2026-27936 - Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a restriction bypass allows restricted post action counts to be disclosed to non-privileged users through a carefully crafted request. Ve...
  Published: March 19, 2026; 6:16:31 PM -0400 | V3.1: 5.3 MEDIUM
- CVE-2026-28282 - Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a security flaw in the discourse-policy plugin which allowed a user with policy creation permission to gain membership access to any ...
  Published: March 19, 2026; 6:16:31 PM -0400 | V3.1: 6.5 MEDIUM
- CVE-2026-29072 - Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, users who do not belong to the allowed policy creation groups can create functional policy acceptance widgets in posts under the right co...
  Published: March 19, 2026; 6:16:31 PM -0400 | V3.1: 7.5 HIGH
- CVE-2026-33165 - libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a crafted HEVC bitstream causes an out-of-bounds heap write confirmed by AddressSanitizer. The trigger is a stale ctb_info.log2unitSize after an SPS chang...
  Published: March 20, 2026; 5:17:16 PM -0400 | V3.1: 5.0 MEDIUM
- CVE-2026-33164 - libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a malformed H.265 PPS NAL unit causes a segmentation fault in pic_parameter_set::set_derived_values(). This issue has been patched in version 1.0.17.
  Published: March 20, 2026; 5:17:16 PM -0400 | V3.1: 7.5 HIGH
- CVE-2026-33550 - SOGo before 5.12.5 does not renew the OTP if a user disables/enables it, and has a too short length (only 12 digits instead of the 20 recommended).
  Published: March 21, 2026; 11:16:01 PM -0400 | V3.1: 2.6 LOW
- CVE-2019-25596 - SpotAuditor 5.2.6 contains a denial of service vulnerability in the registration dialog that allows local attackers to crash the application by supplying an excessively long string in the Name field. Attackers can paste a buffer of 300 repeated ch...
  Published: March 22, 2026; 10:16:26 AM -0400 | V3.1: 6.2 MEDIUM
- CVE-2025-71276 - SOGo before 5.12.5 is prone to an XSS vulnerability with events, tasks, and contacts categories.
  Published: March 21, 2026; 11:16:00 PM -0400 | V3.1: 6.1 MEDIUM
- CVE-2026-32895 - OpenClaw versions prior to 2026.2.26 fail to enforce sender authorization in member and message subtype system event handlers, allowing unauthorized events to be enqueued. Attackers can bypass Slack DM allowlists and per-channel user allowlists by...
  Published: March 20, 2026; 9:17:10 PM -0400 | V3.1: 5.4 MEDIUM
- CVE-2026-32896 - In OpenClaw versions prior to 2026.2.21, the BlueBubbles webhook handler contains a passwordless fallback authentication path that allows unauthenticated webhook events in certain reverse-proxy or local routing configurations. Attackers can bypass webhook...
  Published: March 20, 2026; 9:17:10 PM -0400 | V3.1: 6.5 MEDIUM
- CVE-2019-25614 - Free Float FTP 1.0 contains a buffer overflow vulnerability in the STOR command handler that allows remote attackers to execute arbitrary code by sending a crafted STOR request with an oversized payload. Attackers can authenticate with anonymous c...
  Published: March 22, 2026; 10:16:29 AM -0400 | V3.1: 9.8 CRITICAL
- CVE-2026-32954 - ERP is a free and open source Enterprise Resource Planning tool. In versions prior to 16.8.0 and 15.100.0, certain endpoints were vulnerable to time-based and boolean-based blind SQL injection due to insufficient parameter validation, allowing att...
  Published: March 20, 2026; 1:16:14 AM -0400 | V3.1: 7.5 HIGH
- CVE-2026-33237 - WWBN AVideo is an open source video platform. Prior to version 26.0, the Scheduler plugin's `run()` function in `plugin/Scheduler/Scheduler.php` calls `url_get_contents()` with an admin-configurable `callbackURL` that is validated only by `isValid...
  Published: March 20, 2026; 8:16:26 PM -0400
- CVE-2026-32752 - FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. In versions 1.8.208 and below, the ThreadPolicy::edit() method contains a broken access control vulnerability that allows any authenticated user (regardless of role...
  Published: March 19, 2026; 6:16:41 PM -0400 | V3.1: 8.1 HIGH
- CVE-2026-33238 - WWBN AVideo is an open source video platform. Prior to version 26.0, the `listFiles.json.php` endpoint accepts a `path` POST parameter and passes it directly to `glob()` without restricting the path to an allowed base directory. An authenticated u...
  Published: March 20, 2026; 8:16:26 PM -0400