The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.

Last 20 Scored Vulnerability IDs & Summaries, with CVSS Severity
  • CVE-2021-32999 - Improper handling of exceptional conditions in SuiteLink server while processing command 0x01
    Published: September 23, 2021; 10:15:07 AM -0400

    V3.1: 7.5 HIGH
    V2.0: 5.0 MEDIUM

  • CVE-2021-24741 - The Support Board WordPress plugin before 3.3.4 does not escape multiple POST parameters (such as status_code, department, user_id, conversation_id, conversation_status_code, and recipient_id) before using them in SQL statements, leading to SQL in...
    Published: September 20, 2021; 6:15:09 AM -0400

    V3.1: 9.8 CRITICAL
    V2.0: 7.5 HIGH

  • CVE-2021-24663 - The Simple Schools Staff Directory WordPress plugin through 1.1 does not validate uploaded logo pictures to ensure that they are indeed images, allowing high privilege users such as admin to upload arbitrary files like PHP, leading to RCE
    Published: September 20, 2021; 6:15:09 AM -0400

    V3.1: 7.2 HIGH
    V2.0: 6.5 MEDIUM

  • CVE-2021-24657 - The Limit Login Attempts WordPress plugin before 4.0.50 does not escape the IP addresses (which can be controlled by an attacker via headers such as X-Forwarded-For) of attempted logins before outputting them in the reports table, leading to an Unaut...
    Published: September 20, 2021; 6:15:09 AM -0400

    V3.1: 6.1 MEDIUM
    V2.0: 4.3 MEDIUM

  • CVE-2021-24636 - The Print My Blog WordPress Plugin before 3.4.2 does not enforce nonce (CSRF) checks, which allows attackers to make logged-in administrators deactivate the Print My Blog plugin and delete all saved data for that plugin by tricking them to open a ...
    Published: September 20, 2021; 6:15:09 AM -0400

    V3.1: 8.1 HIGH
    V2.0: 5.8 MEDIUM

  • CVE-2021-24640 - The WordPress Slider Block Gutenslider plugin before 5.2.0 does not escape the minWidth attribute of a Gutenberg block, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks
    Published: September 20, 2021; 6:15:09 AM -0400

    V3.1: 5.4 MEDIUM
    V2.0: 3.5 LOW

  • CVE-2021-32959 - Heap-based buffer overflow in SuiteLink server while processing commands 0x05/0x06
    Published: September 23, 2021; 10:15:07 AM -0400

    V3.1: 9.8 CRITICAL
    V2.0: 7.5 HIGH

  • CVE-2021-41088 - Elvish is a programming language and interactive shell, combined into one package. In versions prior to 0.14.0 Elvish's web UI backend (started by `elvish -web`) hosts an endpoint that allows executing the code sent from the web UI. The backend do...
    Published: September 23, 2021; 4:15:07 PM -0400

    V3.1: 8.8 HIGH
    V2.0: 9.3 HIGH

  • CVE-2021-24637 - The Google Fonts Typography WordPress plugin before 3.0.3 does not escape and sanitise some of its block settings, allowing users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks via blockType (combined with conten...
    Published: September 20, 2021; 6:15:09 AM -0400

    V3.1: 5.4 MEDIUM
    V2.0: 3.5 LOW

  • CVE-2021-24639 - The OMGF WordPress plugin before 4.5.4 does not enforce path validation, authorisation and CSRF checks in the omgf_ajax_empty_dir AJAX action, which allows any authenticated user to delete arbitrary files or folders on the server.
    Published: September 20, 2021; 6:15:09 AM -0400

    V3.1: 8.1 HIGH
    V2.0: 5.5 MEDIUM

  • CVE-2021-41073 - loop_rw_iter in fs/io_uring.c in the Linux kernel 5.10 through 5.14.6 allows local users to gain privileges by using IORING_OP_PROVIDE_BUFFERS to trigger a free of a kernel buffer, as demonstrated by using /proc/<pid>/maps for exploitation.
    Published: September 19, 2021; 1:15:07 PM -0400

    V3.1: 7.8 HIGH
    V2.0: 7.2 HIGH

  • CVE-2021-41083 - Dada Mail is a web-based e-mail list management system. In affected versions a bad actor could give someone a carefully crafted web page via email, SMS, etc, that - when visited, allows them control of the list control panel as if the bad actor wa...
    Published: September 20, 2021; 6:15:07 PM -0400

    V3.1: 8.8 HIGH
    V2.0: 6.8 MEDIUM

  • CVE-2021-24609 - The WP Mapa Politico Espana WordPress plugin before 3.7.0 does not sanitise or escape some of its settings before outputting them in attributes, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is...
    Published: September 20, 2021; 6:15:08 AM -0400

    V3.1: 4.8 MEDIUM
    V2.0: 3.5 LOW

  • CVE-2021-39218 - Wasmtime is an open source runtime for WebAssembly & WASI. Wasmtime from version 0.26.0 and before version 0.30.0 is affected by a memory unsoundness vulnerability. There was an invalid free and out-of-bounds read and write bug when running Was...
    Published: September 17, 2021; 5:15:07 PM -0400

    V3.1: 6.3 MEDIUM
    V2.0: 3.3 LOW

  • CVE-2016-6556 - OpenNMS version 18.0.1 and prior are vulnerable to a stored XSS issue due to insufficient filtering of SNMP agent supplied data. By creating a malicious SNMP 'sysName' or 'sysContact' response, an attacker can store an XSS payload which will trigg...
    Published: September 24, 2021; 5:15:07 PM -0400

    V3.1: 6.1 MEDIUM
    V2.0: 4.3 MEDIUM

  • CVE-2016-6555 - OpenNMS version 18.0.1 and prior are vulnerable to a stored XSS issue due to insufficient filtering of SNMP trap supplied data. By creating a malicious SNMP trap, an attacker can store an XSS payload which will trigger when a user of the web UI vi...
    Published: September 24, 2021; 5:15:07 PM -0400

    V3.1: 6.1 MEDIUM
    V2.0: 4.3 MEDIUM

  • CVE-2020-19551 - Blacklist bypass issue exists in WUZHI CMS up to and including 4.1.0 in common.func.php, which when uploaded can cause remote code execution.
    Published: September 21, 2021; 3:15:07 PM -0400

    V3.1: 8.8 HIGH
    V2.0: 6.5 MEDIUM

  • CVE-2021-24618 - The Donate With QRCode WordPress plugin before 1.4.5 does not sanitise or escape its QRCode Image setting, which results in Stored Cross-Site Scripting (XSS). Furthermore, the plugin also does not have any CSRF and capability checks in place wh...
    Published: September 20, 2021; 6:15:09 AM -0400

    V3.1: 5.4 MEDIUM
    V2.0: 3.5 LOW

  • CVE-2021-24635 - The Visual Link Preview WordPress plugin before 2.2.3 does not enforce authorisation on several AJAX actions and has the CSRF nonce displayed for all authenticated users, allowing any authenticated user (such as subscriber) to call them and 1) Get...
    Published: September 20, 2021; 6:15:09 AM -0400

    V3.1: 5.4 MEDIUM
    V2.0: 5.5 MEDIUM

  • CVE-2021-24596 - The youForms for WordPress plugin through 1.0.5 does not sanitise or escape the Button Text field of its Templates, allowing high privilege users (editors and admins) to perform Cross-Site Scripting attacks even when the unfiltered_html capability is...
    Published: September 20, 2021; 6:15:08 AM -0400

    V3.1: 4.8 MEDIUM
    V2.0: 3.5 LOW