The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries (with CVSS Severity)
  • CVE-2022-26486 - An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firef... read CVE-2022-26486
    Published: December 22, 2022; 3:15:22 PM -0500

    V3.1: 9.6 CRITICAL

  • CVE-2017-5638 - The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands vi... read CVE-2017-5638
    Published: March 10, 2017; 9:59:00 PM -0500

    V3.1: 9.8 CRITICAL
    V2.0: 10.0 HIGH

  • CVE-2019-0193 - In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH ... read CVE-2019-0193
    Published: August 01, 2019; 10:15:13 AM -0400

    V3.1: 7.2 HIGH
    V2.0: 9.0 HIGH

  • CVE-2021-41773 - A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directo... read CVE-2021-41773
    Published: October 05, 2021; 5:15:07 AM -0400

    V3.1: 7.5 HIGH
    V2.0: 4.3 MEDIUM

  • CVE-2021-42013 - It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these d... read CVE-2021-42013
    Published: October 07, 2021; 12:15:09 PM -0400

    V3.1: 9.8 CRITICAL
    V2.0: 7.5 HIGH

  • CVE-2021-40438 - A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.
    Published: September 16, 2021; 11:15:07 AM -0400

    V3.1: 9.0 CRITICAL
    V2.0: 6.8 MEDIUM

  • CVE-2025-24085 - A use after free issue was addressed with improved memory management. This issue is fixed in visionOS 2.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, tvOS 18.3. A malicious application may be able to elevate privileges. Apple is a... read CVE-2025-24085
    Published: January 27, 2025; 5:15:14 PM -0500

    V3.1: 7.8 HIGH

  • CVE-2017-6627 - A vulnerability in the UDP processing code of Cisco IOS 15.1, 15.2, and 15.4 and IOS XE 3.14 through 3.18 could allow an unauthenticated, remote attacker to cause the input queue of an affected system to hold UDP packets, causing an interface queu... read CVE-2017-6627
    Published: September 07, 2017; 5:29:00 PM -0400

    V3.1: 7.5 HIGH
    V2.0: 5.0 MEDIUM

  • CVE-2024-4577 - In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line gi... read CVE-2024-4577
    Published: June 09, 2024; 4:15:09 PM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2019-11708 - Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional v... read CVE-2019-11708
    Published: July 23, 2019; 10:15:15 AM -0400

    V3.1: 10.0 CRITICAL
    V2.0: 10.0 HIGH

  • CVE-2020-6819 - Under certain conditions, when running the nsDocShell destructor, a race condition can cause a use-after-free. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Thunderbird < 68.7.0, Firefox < 74.0.1, and F... read CVE-2020-6819
    Published: April 24, 2020; 12:15:13 PM -0400

    V3.1: 8.1 HIGH
    V2.0: 6.8 MEDIUM

  • CVE-2020-6820 - Under certain conditions, when handling a ReadableStream, a race condition can cause a use-after-free. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Thunderbird < 68.7.0, Firefox < 74.0.1, and Firefox E... read CVE-2020-6820
    Published: April 24, 2020; 12:15:13 PM -0400

    V3.1: 8.1 HIGH
    V2.0: 6.8 MEDIUM

  • CVE-2017-6327 - The Symantec Messaging Gateway before 10.6.3-267 can encounter an issue of remote code execution, which describes a situation whereby an individual may obtain the ability to execute commands remotely on a target machine or in a target process. In ... read CVE-2017-6327
    Published: August 11, 2017; 4:29:00 PM -0400

    V3.1: 8.8 HIGH
    V2.0: 6.5 MEDIUM

  • CVE-2020-9054 - Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. ... read CVE-2020-9054
    Published: March 04, 2020; 3:15:10 PM -0500

    V3.1: 9.8 CRITICAL
    V2.0: 10.0 HIGH

  • CVE-2019-18426 - A vulnerability in WhatsApp Desktop versions prior to 0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10 allows cross-site scripting and local file reading. Exploiting the vulnerability requires the victim to click a link prev... read CVE-2019-18426
    Published: January 21, 2020; 4:15:16 PM -0500

    V3.1: 8.2 HIGH
    V2.0: 5.8 MEDIUM

  • CVE-2019-3568 - A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number. The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Andro... read CVE-2019-3568
    Published: May 14, 2019; 4:29:03 PM -0400

    V3.1: 9.8 CRITICAL
    V2.0: 7.5 HIGH

  • CVE-2024-5091 - The SKT Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Age Gate and Creative Slider widgets in all versions up to, and including, 2.0 due to insufficient input sanitization and output escapi... read CVE-2024-5091
    Published: June 08, 2024; 3:15:08 AM -0400

    V3.1: 5.4 MEDIUM

  • CVE-2024-39662 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Modernaweb Studio Black Widgets For Elementor allows Stored XSS. This issue affects Black Widgets For Elementor: from n/a through 1.3.5.
    Published: August 01, 2024; 6:15:27 PM -0400

    V3.1: 5.4 MEDIUM

  • CVE-2021-22893 - Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to... read CVE-2021-22893
    Published: April 23, 2021; 1:15:08 PM -0400

    V3.1: 10.0 CRITICAL
    V2.0: 7.5 HIGH

  • CVE-2021-22900 - A vulnerability allowed multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4 that could lead to an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface.
    Published: May 27, 2021; 8:15:07 AM -0400

    V3.1: 7.2 HIGH
    V2.0: 6.5 MEDIUM

Created September 20, 2022, Updated August 27, 2024