The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries, with CVSS Severity
  • CVE-2026-47162 - Vim is an open source, command line text editor. Prior to version 9.2.0495, a Vimscript code injection vulnerability exists in s:NetrwBookHistSave() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when serializing browsed dire...
    Published: June 11, 2026; 3:16:44 PM -0400

    V3.1: 8.8 HIGH

  • CVE-2026-50645 - There is no restriction on the amount of attachment headers that a message can contain when being deserialized by Apache CXF, which can lead to uncontrolled resource consumption or a denial of service attack. Users are recommended to upgrade to ve...
    Published: June 12, 2026; 6:16:23 AM -0400

    V3.1: 7.5 HIGH

  • CVE-2026-12014 - Use after free in Cast in Google Chrome prior to 149.0.7827.115 allowed an attacker on the local network segment to potentially perform a sandbox escape via malicious network traffic. (Chromium security severity: High)
    Published: June 11, 2026; 6:16:53 PM -0400

  • CVE-2026-12015 - Use after free in Autofill in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security seve...
    Published: June 11, 2026; 6:16:54 PM -0400

  • CVE-2026-12016 - Inappropriate implementation in DevTools in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
    Published: June 11, 2026; 6:16:54 PM -0400

  • CVE-2026-12017 - Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
    Published: June 11, 2026; 6:16:54 PM -0400

  • CVE-2026-12019 - Heap buffer overflow in Codecs in Google Chrome on Linux and ChromeOS prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security se...
    Published: June 11, 2026; 6:16:54 PM -0400

  • CVE-2026-12020 - Use after free in Autofill in Google Chrome on Mac prior to 149.0.7827.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
    Published: June 11, 2026; 6:16:54 PM -0400

  • CVE-2026-12022 - Race in Safe Browsing in Google Chrome on Mac prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High)
    Published: June 11, 2026; 6:16:54 PM -0400

  • CVE-2026-12024 - Insufficient policy enforcement in DevTools in Google Chrome prior to 149.0.7827.115 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)
    Published: June 11, 2026; 6:16:54 PM -0400

  • CVE-2026-12027 - Inappropriate implementation in Headless in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
    Published: June 11, 2026; 6:16:55 PM -0400

  • CVE-2026-12018 - Inappropriate implementation in Mojo in Google Chrome on Windows prior to 149.0.7827.115 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: High)
    Published: June 11, 2026; 6:16:54 PM -0400

  • CVE-2026-9751 - The ldapQueryPassword parameter, when set through the runtime setParameter command, will log the new password to the mongod.log file in plain text.
    Published: June 09, 2026; 7:17:04 PM -0400

  • CVE-2026-40988 - An application using spring-security-saml2-service-provider and the REDIRECT binding for SAML 2.0 Login or Logout may be vulnerable to a denial of service by way of an unbounded writer that inflates the compressed SAML payload into memory. Affect...
    Published: June 09, 2026; 8:16:49 PM -0400

  • CVE-2026-41003 - An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6....
    Published: June 09, 2026; 8:16:50 PM -0400

    V3.1: 5.4 MEDIUM

  • CVE-2026-41694 - Since Spring Security SAML decrypts SAML Responses as well as elements of SAML LogoutRequests and LogoutResponses without requiring a valid signature, attackers may be able to craft these SAML payloads and use the Service Provider as a decryption ...
    Published: June 09, 2026; 8:16:50 PM -0400

    V3.1: 5.3 MEDIUM

  • CVE-2025-66276 - QuTS hero is not affected. We have already fixed the vulnerability in the following version: QTS 5.2.7.3256 build 20250913 and later
    Published: June 09, 2026; 11:16:24 PM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2026-24717 - A path traversal vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data...
    Published: June 10, 2026; 12:17:16 AM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2026-53819 - OpenClaw before 2026.5.27 contains an arbitrary code execution vulnerability in skill install flows where workspace .env files can override the Homebrew executable selection. Attackers with access to trusted operator workspaces can execute uninten...
    Published: June 11, 2026; 5:16:24 PM -0400

    V3.1: 7.8 HIGH

  • CVE-2026-53816 - OpenClaw before 2026.5.18 contains an insufficient provenance validation vulnerability in node event handling that allows paired nodes to forge exec lifecycle events without system.run authorization. A malicious or compromised paired node can send...
    Published: June 11, 2026; 5:16:23 PM -0400

    V3.1: 7.2 HIGH

Created September 20, 2022, Updated August 27, 2024