The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries CVSS Severity
  • CVE-2026-20253 - In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.3 and 10.2.2510.14, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. Th... read CVE-2026-20253
    Published: June 10, 2026; 2:16:40 PM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2026-47928 - ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interacti... read CVE-2026-47928
    Published: June 09, 2026; 5:17:22 PM -0400

  • CVE-2026-47929 - ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attacker could exploit this vulnerability ... read CVE-2026-47929
    Published: June 09, 2026; 5:17:22 PM -0400

    V3.1: 9.1 CRITICAL

  • CVE-2026-47930 - ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and ... read CVE-2026-47930
    Published: June 09, 2026; 5:17:22 PM -0400

    V3.1: 8.1 HIGH

  • CVE-2026-47931 - ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interacti... read CVE-2026-47931
    Published: June 09, 2026; 5:17:23 PM -0400

    V3.1: 9.9 CRITICAL

  • CVE-2026-47932 - ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnera... read CVE-2026-47932
    Published: June 09, 2026; 5:17:23 PM -0400

    V3.1: 9.6 CRITICAL

  • CVE-2026-47933 - ColdFusion versions 2023.19, 2025.8 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may b... read CVE-2026-47933
    Published: June 09, 2026; 5:17:23 PM -0400

    V3.1: 5.4 MEDIUM

  • CVE-2026-47960 - ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access se... read CVE-2026-47960
    Published: June 09, 2026; 5:17:24 PM -0400

    V3.1: 7.4 HIGH

  • CVE-2026-34657 - CAI Content Credentials versions [email protected], c2pa-v0.80.1 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in an arbitrary file system write. An attac... read CVE-2026-34657
    Published: June 09, 2026; 6:16:22 PM -0400

    V3.1: 5.5 MEDIUM

  • CVE-2026-34711 - CAI Content Credentials versions [email protected], c2pa-v0.80.1 and earlier are affected by an Integer Overflow or Wraparound vulnerability. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condit... read CVE-2026-34711
    Published: June 09, 2026; 6:16:24 PM -0400

    V3.1: 7.5 HIGH

  • CVE-2026-20254 - In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the 'admin' or 'power' Splunk rol... read CVE-2026-20254
    Published: June 10, 2026; 2:16:40 PM -0400

    V3.1: 5.7 MEDIUM

  • CVE-2026-20255 - In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk rol... read CVE-2026-20255
    Published: June 10, 2026; 2:16:41 PM -0400

    V3.1: 5.7 MEDIUM

  • CVE-2026-48998 - guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Versions prior to 2.10.2 contain improper Host header validation when parsing raw HTTP request messages and when deriving a server request URI from server variables. An attacke... read CVE-2026-48998
    Published: June 11, 2026; 9:16:33 AM -0400

  • CVE-2026-49214 - guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Versions prior to 2.10.2 did not reject ASCII control characters, whitespace, or DEL in first-party URI host components. A vulnerable flow is: First, an application accepts a u... read CVE-2026-49214
    Published: June 11, 2026; 9:16:33 AM -0400

  • CVE-2026-20256 - In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the 'admin' or 'power' Splunk rol... read CVE-2026-20256
    Published: June 10, 2026; 2:16:41 PM -0400

    V3.1: 5.7 MEDIUM

  • CVE-2025-24165 - A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. An app may be able to cause unexpected system termination.
    Published: June 11, 2026; 3:16:26 PM -0400

  • CVE-2025-43278 - This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sequoia 15.4. An app may be able to access protected user data.
    Published: June 11, 2026; 3:16:33 PM -0400

  • CVE-2025-46313 - A logging issue was addressed with improved data redaction. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data.
    Published: June 11, 2026; 3:16:34 PM -0400

  • CVE-2026-47631 - Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
    Published: June 09, 2026; 1:17:35 PM -0400

    V3.1: 5.4 MEDIUM

  • CVE-2026-47292 - Inclusion of functionality from untrusted control sphere in Visual Studio Code allows an unauthorized attacker to elevate privileges locally.
    Published: June 09, 2026; 1:17:34 PM -0400

    V3.1: 7.8 HIGH

Created September 20, 2022, Updated August 27, 2024