U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database
Icon for New NVD Communications and Status Updates Page
New Communications Page
The NVD now supports CVSS version 4.0!
CVSS v4.0 Support
The letters N V D typed out in binary
2.0 APIs

The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries CVSS Severity

  • CVE-2024-3188 - The WP Shortcodes Plugin — Shortcodes Ultimate WordPress plugin before 7.1.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the co... read CVE-2024-3188
    Published: April 26, 2024; 1:15:50 AM -0400

  • CVE-2023-5971 - The Save as PDF Plugin by Pdfcrowd WordPress plugin before 3.2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html c... read CVE-2023-5971
    Published: May 14, 2024; 10:31:08 AM -0400

  • CVE-2024-3239 - The Post Grid Gutenberg Blocks and WordPress Blog Plugin WordPress plugin before 4.0.2 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the co... read CVE-2024-3239
    Published: May 14, 2024; 11:40:31 AM -0400

  • CVE-2024-3582 - The UnGallery WordPress plugin through 2.2.4 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack
    Published: May 14, 2024; 11:41:54 AM -0400

  • CVE-2024-3590 - The LetterPress WordPress plugin through 1.2.2 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks, such as delete arbitrary subscribers
    Published: May 14, 2024; 11:41:54 AM -0400

  • CVE-2024-3903 - The Add Custom CSS and JS WordPress plugin through 1.20 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in as author and above add Stored XSS payloads via a CSRF ... read CVE-2024-3903
    Published: May 14, 2024; 11:42:33 AM -0400

  • CVE-2025-22222 - VMware Aria Operations contains an information disclosure vulnerability. A malicious user with non-administrative privileges may exploit this vulnerability to retrieve credentials for an outbound plugin if a valid service credential ID is known.
    Published: January 30, 2025; 11:15:31 AM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2024-3241 - The Ultimate Blocks WordPress plugin before 3.1.7 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform S... read CVE-2024-3241
    Published: May 14, 2024; 12:17:31 PM -0400

  • CVE-2025-22221 - VMware Aria Operation for Logs contains a stored cross-site scripting vulnerability. A malicious actor with admin privileges to VMware Aria Operations for Logs may be able to inject a malicious script that could be executed in a victim's browser w... read CVE-2025-22221
    Published: January 30, 2025; 11:15:31 AM -0500

    V3.1: 4.8 MEDIUM

  • CVE-2025-22220 - VMware Aria Operations for Logs contains a privilege escalation vulnerability. A malicious actor with non-administrative privileges and network access to Aria Operations for Logs API may be able to perform certain operations in the context of an a... read CVE-2025-22220
    Published: January 30, 2025; 11:15:31 AM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2025-22219 - VMware Aria Operations for Logs contains a stored cross-site scripting vulnerability. A malicious actor with non-administrative privileges may be able to inject a malicious script that (can perform stored cross-site scripting) may lead to arbitra... read CVE-2025-22219
    Published: January 30, 2025; 11:15:31 AM -0500

    V3.1: 9.0 CRITICAL

  • CVE-2025-22218 - VMware Aria Operations for Logs contains an information disclosure vulnerability. A malicious actor with View Only Admin permissions may be able to read the credentials of a VMware product integrated with VMware Aria Operations for Logs
    Published: January 30, 2025; 10:15:18 AM -0500

    V3.1: 7.7 HIGH

  • CVE-2024-38830 - VMware Aria Operations contains a local privilege escalation vulnerability. A malicious actor with local administrative privileges may trigger this vulnerability to escalate privileges to root user on the appliance running VMware Aria Operations.
    Published: November 26, 2024; 7:15:18 AM -0500

    V3.1: 7.8 HIGH

  • CVE-2024-38831 - VMware Aria Operations contains a local privilege escalation vulnerability.  A malicious actor with local administrative privileges can insert malicious commands into the properties file to escalate privileges to  a root user on the appliance runn... read CVE-2024-38831
    Published: November 26, 2024; 7:15:18 AM -0500

    V3.1: 7.8 HIGH

  • CVE-2024-10555 - The WordPress Button Plugin MaxButtons WordPress plugin before 9.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_ht... read CVE-2024-10555
    Published: December 20, 2024; 1:15:22 AM -0500

  • CVE-2025-2673 - A vulnerability classified as problematic has been found in code-projects Payroll Management System 1.0. Affected is an unknown function of the file /home_employee.php. The manipulation of the argument division leads to cross site scripting. It is... read CVE-2025-2673
    Published: March 23, 2025; 8:15:12 PM -0400

    V3.1: 5.4 MEDIUM

  • CVE-2024-38832 - VMware Aria Operations contains a stored cross-site scripting vulnerability. A malicious actor with editing access to views may be able to inject malicious script leading to stored cross-site scripting in the product VMware Aria Operations.
    Published: November 26, 2024; 7:15:18 AM -0500

    V3.1: 6.4 MEDIUM

  • CVE-2024-38833 - VMware Aria Operations contains a stored cross-site scripting vulnerability. A malicious actor with editing access to email templates might inject malicious script leading to stored cross-site scripting in the product VMware Aria Operations.
    Published: November 26, 2024; 7:15:18 AM -0500

    V3.1: 5.4 MEDIUM

  • CVE-2024-38834 - VMware Aria Operations contains a stored cross-site scripting vulnerability. A malicious actor with editing access to cloud provider might be able to inject malicious script leading to stored cross-site scripting in the product VMware Aria Operati... read CVE-2024-38834
    Published: November 26, 2024; 7:15:18 AM -0500

    V3.1: 4.8 MEDIUM

  • CVE-2025-2672 - A vulnerability was found in code-projects Payroll Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /add_deductions.php. The manipulation of the argument bir leads to sql injection. The a... read CVE-2025-2672
    Published: March 23, 2025; 7:15:13 PM -0400

    V3.1: 7.5 HIGH

Created September 20, 2022 , Updated August 27, 2024