The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries (with CVSS Severity)
  • CVE-2023-21597 - Adobe InCopy versions 18.0 (and earlier), 17.4 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interactio...
    Published: January 13, 2023; 4:15:15 PM -0500

    V3.1: 7.3 HIGH

  • CVE-2023-21587 - Adobe InDesign version 18.0 (and earlier), 17.4 (and earlier) are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user int...
    Published: January 13, 2023; 3:15:13 PM -0500

    V3.1: 7.8 HIGH

  • CVE-2022-39182 - H C Mingham-Smith Ltd - Tardis 2000 Privilege escalation. Version 1.6 is vulnerable to privilege escalation which may allow a malicious actor to gain system privileges.
    Published: January 12, 2023; 11:15:09 AM -0500

    V3.1: 8.8 HIGH

  • CVE-2022-39183 - Moodle Plugin - SAML Auth may allow Open Redirect through unspecified vectors.
    Published: January 12, 2023; 11:15:09 AM -0500

    V3.1: 6.1 MEDIUM

  • CVE-2023-21588 - Adobe InDesign version 18.0 (and earlier), 17.4 (and earlier) are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user int...
    Published: January 13, 2023; 3:15:13 PM -0500

    V3.1: 7.8 HIGH

  • CVE-2023-21589 - Adobe InDesign version 18.0 (and earlier), 17.4 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interacti...
    Published: January 13, 2023; 3:15:13 PM -0500

    V3.1: 7.8 HIGH

  • CVE-2020-15953 - LibEtPan through 1.9.4, as used in MailCore 2 through 0.6.3 and other products, has a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a "begin TLS" response, the client reads additional data (e.g., from a meddler-in...
    Published: July 27, 2020; 3:15:10 AM -0400

    V3.1: 7.4 HIGH
    V2.0: 5.8 MEDIUM

  • CVE-2020-16145 - Roundcube Webmail before 1.3.15 and 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document. This issue has been fixed in 1.4.8 and 1.3.15.
    Published: August 12, 2020; 9:15:10 AM -0400

    V3.1: 6.1 MEDIUM
    V2.0: 4.3 MEDIUM

  • CVE-2022-48090 - Tramyardg hotel-mgmt-system version 2022.4 is vulnerable to SQL Injection via /app/dao/CustomerDAO.php.
    Published: January 13, 2023; 2:15:11 PM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2019-20208 - dimC_Read in isomedia/box_code_3gpp.c in GPAC 0.8.0 has a stack-based buffer overflow.
    Published: January 02, 2020; 9:16:36 AM -0500

    V3.1: 5.5 MEDIUM
    V2.0: 4.3 MEDIUM

  • CVE-2022-48091 - Tramyardg hotel-mgmt-system version 2022.4 is vulnerable to Cross Site Scripting (XSS) via process_update_profile.php.
    Published: January 13, 2023; 2:15:11 PM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2020-12781 - Combodo iTop contains a cross-site request forgery (CSRF) vulnerability, attackers can execute specific commands via malicious site request forgery.
    Published: August 09, 2020; 11:15:12 PM -0400

    V3.1: 8.8 HIGH
    V2.0: 6.8 MEDIUM

  • CVE-2020-12777 - A function in Combodo iTop contains a Broken Access Control vulnerability, which allows an unauthorized attacker to inject commands and disclose system information.
    Published: August 09, 2020; 11:15:12 PM -0400

    V3.1: 7.5 HIGH
    V2.0: 5.0 MEDIUM

  • CVE-2023-0256 - A vulnerability was found in SourceCodester Online Food Ordering System 2.0. It has been classified as critical. Affected is an unknown function of the file /fos/admin/ajax.php?action=login of the component Login Page. The manipulation of the argu...
    Published: January 12, 2023; 5:15:09 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2020-12778 - Combodo iTop does not validate input parameters; attackers can inject malicious commands and launch an XSS attack.
    Published: August 09, 2020; 11:15:12 PM -0400

    V3.1: 6.1 MEDIUM
    V2.0: 4.3 MEDIUM

  • CVE-2019-20204 - The Postie plugin 1.9.40 for WordPress allows XSS, as demonstrated by a certain payload with jaVasCript:/* at the beginning and a crafted SVG element.
    Published: January 02, 2020; 9:16:36 AM -0500

    V3.1: 5.4 MEDIUM
    V2.0: 3.5 LOW

  • CVE-2020-15860 - Parallels Remote Application Server (RAS) 17.1.1 has a Business Logic Error causing remote code execution. It allows an authenticated user to execute any application in the backend operating system through the web application, despite the affected...
    Published: July 24, 2020; 12:15:11 PM -0400

    V3.1: 9.9 CRITICAL
    V2.0: 6.5 MEDIUM

  • CVE-2020-15920 - There is an OS Command Injection in Mida eFramework through 2.9.0 that allows an attacker to achieve Remote Code Execution (RCE) with administrative (root) privileges. No authentication is required.
    Published: July 23, 2020; 9:15:11 PM -0400

    V3.1: 9.8 CRITICAL
    V2.0: 10.0 HIGH

  • CVE-2019-20176 - In Pure-FTPd 1.0.49, a stack exhaustion issue was discovered in the listdir function in ls.c.
    Published: December 31, 2019; 10:15:11 AM -0500

    V3.1: 7.5 HIGH
    V2.0: 5.0 MEDIUM

  • CVE-2019-17621 - The UPnP endpoint URL /gena.cgi in the D-Link DIR-859 Wi-Fi router 1.05 and 1.06B01 Beta01 allows an Unauthenticated remote attacker to execute system commands as root, by sending a specially crafted HTTP SUBSCRIBE request to the UPnP service when...
    Published: December 30, 2019; 12:15:19 PM -0500

    V3.1: 9.8 CRITICAL
    V2.0: 10.0 HIGH