
The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries (CVSS Severity)
  • CVE-2025-13185 - A security flaw has been discovered in Bdtask/CodeCanyon News365 up to 7.0.3. This affects an unknown function of the file /admin/dashboard/profile. The manipulation of the argument profile_image/banner_image results in unrestricted upload. The at...
    Published: November 14, 2025; 4:15:44 PM -0500

    V3.1: 7.2 HIGH

  • CVE-2025-13186 - A weakness has been identified in Bdtask/CodeCanyon Isshue Multi Store eCommerce Shopping Cart Solution up to 4.0. This impacts an unknown function of the file /dashboard/Ccustomer/manage_customer. This manipulation of the argument Search causes c...
    Published: November 14, 2025; 5:15:45 PM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2025-13238 - A weakness has been identified in Bdtask Flight Booking Software 4. Affected by this vulnerability is an unknown functionality of the file /agent/profile/edit of the component Edit Profile Page. This manipulation causes unrestricted upload. The at...
    Published: November 16, 2025; 1:15:42 AM -0500

    V3.1: 8.8 HIGH

  • CVE-2025-12223 - A vulnerability was detected in Bdtask Flight Booking Software up to 3.1. This affects an unknown part of the file /b2c/package-information of the component Package Information Module. The manipulation results in unrestricted upload. The attack ca...
    Published: October 27, 2025; 1:15:38 AM -0400

    V3.1: 8.8 HIGH

  • CVE-2025-12222 - A security vulnerability has been detected in Bdtask Flight Booking Software up to 3.1. Affected by this issue is some unknown functionality of the file /admin/transaction/deposit of the component Deposit Handler. The manipulation leads to unrestr...
    Published: October 27, 2025; 1:15:37 AM -0400

    V3.1: 8.8 HIGH

  • CVE-2025-9804 - An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized ...
    Published: October 16, 2025; 9:15:42 AM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2025-10611 - Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certain REST APIs can be bypassed, allowing them to be invoked without proper validation. Successful exploitation of this ...
    Published: October 16, 2025; 9:15:40 AM -0400

  • CVE-2025-5717 - An authenticated remote code execution (RCE) vulnerability exists in multiple WSO2 products due to improper input validation in the event processor admin service. A user with administrative access to the SOAP admin services can exploit this flaw b...
    Published: September 23, 2025; 12:15:33 PM -0400

    V3.1: 7.2 HIGH

  • CVE-2025-4760 - An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper validation of user-supplied input during API document upload in the Publisher portal. A user with publisher privileges can upload a c...
    Published: September 23, 2025; 11:15:31 AM -0400

  • CVE-2025-31987 - HCL Connections Docs may mishandle validation of certain uploaded documents leading to denial of service due to resource exhaustion.
    Published: August 14, 2025; 7:15:33 PM -0400

    V3.1: 7.5 HIGH

  • CVE-2019-9674 - Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.
    Published: February 04, 2020; 10:15:11 AM -0500

    V3.1: 7.5 HIGH
    V2.0: 5.0 MEDIUM

  • CVE-2025-12905 - Inappropriate implementation in Downloads in Google Chrome on Windows prior to 140.0.7339.80 allowed a remote attacker to bypass Mark of the Web via a crafted HTML page. (Chromium security severity: Low)
    Published: November 07, 2025; 7:15:35 PM -0500

  • CVE-2025-12906 - Inappropriate implementation in Permissions in Google Chrome prior to 140.0.7339.80 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
    Published: November 07, 2025; 7:15:35 PM -0500

  • CVE-2025-12907 - Insufficient validation of untrusted input in Devtools in Google Chrome prior to 140.0.7339.80 allowed a remote attacker to execute arbitrary code via user action in Devtools. (Chromium security severity: Low)
    Published: November 07, 2025; 7:15:35 PM -0500

  • CVE-2025-12908 - Insufficient validation of untrusted input in Downloads in Google Chrome on Android prior to 140.0.7339.80 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium security severity: Low)
    Published: November 07, 2025; 7:15:35 PM -0500

  • CVE-2025-12909 - Insufficient policy enforcement in Devtools in Google Chrome prior to 140.0.7339.80 allowed a remote attacker to leak cross-origin data via Devtools. (Chromium security severity: Low)
    Published: November 07, 2025; 7:15:35 PM -0500

  • CVE-2025-12910 - Inappropriate implementation in Passkeys in Google Chrome prior to 140.0.7339.80 allowed a local attacker to obtain potentially sensitive information via debug logs. (Chromium security severity: Low)
    Published: November 07, 2025; 7:15:35 PM -0500

  • CVE-2025-12911 - Inappropriate implementation in Permissions in Google Chrome prior to 140.0.7339.80 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
    Published: November 07, 2025; 7:15:35 PM -0500

  • CVE-2025-41001 - Cross Site Scripting (XSS) vulnerability stored in SOPlanning v1.53.02, which consists of a stored XSS due to a lack of proper validation of user input by sending a POST request using the 'LOGOUT_REDIRECT' parameter in '/soplanning/www/process/opti...
    Published: November 10, 2025; 5:15:35 AM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2025-47286 - Combodo iTop is a web based IT service management tool. In versions prior to 2.7.13 and 3.2.2, an administrator can, by editing the configuration of the iTop instance, execute code on the server. Versions 2.7.13 and 3.2.2 escape and check the conf...
    Published: November 10, 2025; 2:15:57 PM -0500

    V3.1: 7.2 HIGH

Created September 20, 2022, Updated August 27, 2024