The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries CVSS Severity
  • CVE-2023-20008 - A vulnerability in the CLI of Cisco TelePresence CE and RoomOS Software could allow an authenticated, local attacker to overwrite arbitrary files on the local system of an affected device. This vulnerability is due to improper access controls on f...
    Published: January 20, 2023; 2:15:13 AM -0500

    V3.1: 7.1 HIGH

  • CVE-2021-27782 - HCL BigFix Mobile / Modern Client Management Admin and Config UI passwords can be brute-forced. User should be locked out for multiple invalid attempts.
    Published: January 20, 2023; 2:15:10 AM -0500

    V3.1: 7.5 HIGH

  • CVE-2022-45926 - An issue was discovered in OpenText Content Suite Platform 22.1 (16.2.19.1803). The endpoint notify.localizeEmailTemplate allows a low-privilege user to evaluate webreports.
    Published: January 18, 2023; 4:15:10 PM -0500

    V3.1: 8.8 HIGH

  • CVE-2022-38112 - In DPA 2022.4 and older releases, generated heap memory dumps contain sensitive information in cleartext.
    Published: January 20, 2023; 1:15:10 PM -0500

    V3.1: 7.5 HIGH

  • CVE-2023-22910 - An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. There is XSS in Wikibase date formatting via wikibase-time-precision-* fields. This allows JavaScript execution by staff/admin users...
    Published: January 20, 2023; 1:15:10 PM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2022-45925 - An issue was discovered in OpenText Content Suite Platform 22.1 (16.2.19.1803). The action xmlexport accepts the parameter requestContext. If this parameter is present, the response includes most of the HTTP headers sent to the server and some of ...
    Published: January 18, 2023; 4:15:10 PM -0500

    V3.1: 7.5 HIGH

  • CVE-2022-45924 - An issue was discovered in OpenText Content Suite Platform 22.1 (16.2.19.1803). The endpoint itemtemplate.createtemplate2 allows a low-privilege user to delete arbitrary files on the server's local filesystem.
    Published: January 18, 2023; 4:15:10 PM -0500

    V3.1: 8.1 HIGH

  • CVE-2023-23024 - Book Store Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in /bsms_ci/index.php/book. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the...
    Published: January 20, 2023; 2:15:18 PM -0500

    V3.1: 6.1 MEDIUM

  • CVE-2023-22912 - An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. CheckUser TokenManager insecurely uses AES-CTR encryption with a repeated (aka re-used) nonce, allowing an adversary to decrypt.
    Published: January 20, 2023; 1:15:10 PM -0500

    V3.1: 5.3 MEDIUM

  • CVE-2023-23015 - Cross Site Scripting (XSS) vulnerability in Kalkun 0.8.0 via username input in file User_model.php.
    Published: January 20, 2023; 2:15:18 PM -0500

    V3.1: 6.1 MEDIUM

  • CVE-2023-23490 - The Survey Maker WordPress Plugin, version < 3.1.2, is affected by an authenticated SQL injection vulnerability in the 'surveys_ids' parameter of its 'ays_surveys_export_json' action.
    Published: January 20, 2023; 2:15:18 PM -0500

    V3.1: 8.8 HIGH

  • CVE-2015-1465 - The IPv4 implementation in the Linux kernel before 3.18.8 does not properly consider the length of the Read-Copy Update (RCU) grace period for redirecting lookups in the absence of caching, which allows remote attackers to cause a denial of servic...
    Published: April 05, 2015; 5:59:01 PM -0400

    V2.0: 7.8 HIGH

  • CVE-2023-0126 - Pre-authentication path traversal vulnerability in SMA1000 firmware version 12.4.2, which allows an unauthenticated attacker to access arbitrary files and directories stored outside the web root directory.
    Published: January 19, 2023; 3:15:10 PM -0500

    V3.1: 7.5 HIGH

  • CVE-2023-23488 - The Paid Memberships Pro WordPress Plugin, version < 2.9.8, is affected by an unauthenticated SQL injection vulnerability in the 'code' parameter of the '/pmpro/v1/order' REST route.
    Published: January 20, 2023; 1:15:10 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2023-23489 - The Easy Digital Downloads WordPress Plugin, version < 3.1.0.4, is affected by an unauthenticated SQL injection vulnerability in the 's' parameter of its 'edd_download_search' action.
    Published: January 20, 2023; 1:15:10 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2022-45922 - An issue was discovered in OpenText Content Suite Platform 22.1 (16.2.19.1803). The request handler for ll.KeepAliveSession sets a valid AdminPwd cookie even when the Web Admin password was not entered. This allows access to endpoints, which requi...
    Published: January 18, 2023; 4:15:10 PM -0500

    V3.1: 8.8 HIGH

  • CVE-2020-21152 - SQL Injection vulnerability in inxedu 2.0.6 allows attackers to execute arbitrary commands via the functionIds parameter to /saverolefunction.
    Published: January 20, 2023; 2:15:12 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2020-29297 - Multiple SQL Injection vulnerabilities in tourist5 Online-food-ordering-system 1.0.
    Published: January 20, 2023; 2:15:13 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2022-41733 - IBM InfoSphere Information Server 11.7 could allow a remote attacker to cause some of the components to be unusable until the process is restarted. IBM X-Force ID: 237583.
    Published: January 20, 2023; 2:15:15 PM -0500

    V3.1: 5.3 MEDIUM

  • CVE-2016-4232 - Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0.0.209 on Windows and OS X and before 11.2.202.632 on Linux allows attackers to obtain sensitive information from process memory via unspecified vectors.
    Published: July 12, 2016; 10:00:39 PM -0400

    V3.1: 7.5 HIGH
    V2.0: 5.0 MEDIUM