U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.

Https

We are building a provable archive!
A lock (Dot gov) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)

National Vulnerability Database

National Vulnerability Database

NVD

Icon for CISA Known Exploited Vulnerabilities Catalog Announcement
New Parameters
Icon for CVMAP
Changes to Data Feeds and API
Icon for CVSS
Retirement of CVSS v2

The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.

For information on how to the cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries CVSS Severity

  • CVE-2022-36378 - Authenticated (author or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in PluginlySpeaking Floating Div plugin <= 3.0 at WordPress.
    Published: July 29, 2022; 3:15:08 PM -0400

    V3.1: 4.8 MEDIUM

  • CVE-2016-4991 - Input passed to the Pdf() function is shell escaped and passed to child_process.exec() during PDF rendering. However, the shell escape does not properly encode all special characters, namely, semicolon and curly braces. This can be abused to achie... read CVE-2016-4991
    Published: July 28, 2022; 1:15:08 PM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2022-35632 - The Velociraptor GUI contains an editor suggestion feature that can display the description field of a VQL function, plugin or artifact. This field was not properly sanitized and can lead to cross-site scripting (XSS). This issue was resolved in V... read CVE-2022-35632
    Published: July 29, 2022; 1:15:09 PM -0400

    V3.1: 4.8 MEDIUM

  • CVE-2022-35631 - On MacOS and Linux, it may be possible to perform a symlink attack by replacing this predictable file name with a symlink to another file and have the Velociraptor client overwrite the other file. This issue was resolved in Velociraptor 0.6.5-2.
    Published: July 29, 2022; 1:15:09 PM -0400

    V3.1: 5.5 MEDIUM

  • CVE-2021-42535 - VISAM VBASE version 11.6.0.6 does not neutralize or incorrectly neutralizes user-controllable input before the data is placed in output used as a public-facing webpage.
    Published: July 27, 2022; 5:15:08 PM -0400

    V3.1: 6.1 MEDIUM

  • CVE-2022-36752 - png2webp v1.0.4 was discovered to contain an out-of-bounds write via the function w2p. This vulnerability is exploitable via a crafted png file.
    Published: July 28, 2022; 7:15:07 PM -0400

    V3.1: 5.5 MEDIUM

  • CVE-2022-35630 - A cross-site scripting (XSS) issue in generating a collection report made it possible for malicious clients to inject JavaScript code into the static HTML file. This issue was resolved in Velociraptor 0.6.5-2.
    Published: July 29, 2022; 1:15:09 PM -0400

    V3.1: 6.1 MEDIUM

  • CVE-2022-36914 - Jenkins Files Found Trigger Plugin 1.5 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the J... read CVE-2022-36914
    Published: July 27, 2022; 11:15:11 AM -0400

    V3.1: 4.3 MEDIUM

  • CVE-2022-34578 - Open Source Point of Sale v3.3.7 was discovered to contain an arbitrary file upload vulnerability via the Update Branding Settings page.
    Published: July 28, 2022; 4:15:11 PM -0400

    V3.1: 7.2 HIGH

  • CVE-2022-34593 - DPTech VPN v8.1.28.0 was discovered to contain an arbitrary file read vulnerability.
    Published: July 28, 2022; 4:15:11 PM -0400

    V3.1: 7.5 HIGH

  • CVE-2022-2564 - Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6.
    Published: July 28, 2022; 4:15:11 PM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2021-38410 - AVEVA Software Platform Common Services (PCS) Portal versions 4.5.2, 4.5.1, 4.5.0, and 4.4.6 are vulnerable to DLL hijacking through an uncontrolled search path element, which may allow an attacker control to one or more locations in the search path.
    Published: July 27, 2022; 5:15:08 PM -0400

    V3.1: 7.8 HIGH

  • CVE-2020-6998 - The connection establishment algorithm found in Rockwell Automation CompactLogix 5370 and ControlLogix 5570 versions 33 and prior does not sufficiently manage its control flow during execution, creating an infinite loop. This may allow an attacker... read CVE-2020-6998
    Published: July 27, 2022; 5:15:08 PM -0400

    V3.1: 8.6 HIGH

  • CVE-2022-35911 - On Patlite NH-FB series devices through 1.46, remote attackers can cause a denial of service by omitting the query string.
    Published: July 27, 2022; 5:15:08 PM -0400

    V3.1: 7.5 HIGH

  • CVE-2022-36948 - In Veritas NetBackup OpsCenter, a DOM XSS attack can occur. This affects 8.x through 8.3.0.2, 9.x through 9.0.0.1, 9.1.x through 9.1.0.1, and 10.
    Published: July 27, 2022; 5:15:08 PM -0400

    V3.1: 5.4 MEDIUM

  • CVE-2022-36899 - Jenkins Compuware ISPW Operations Plugin 1.0.8 and earlier does not restrict execution of a controller/agent message to agents, allowing attackers able to control agent processes to retrieve Java system properties.
    Published: July 27, 2022; 11:15:09 AM -0400

    V3.1: 8.2 HIGH

  • CVE-2022-36900 - Jenkins Compuware zAdviser API Plugin 1.0.3 and earlier does not restrict execution of a controller/agent message to agents, allowing attackers able to control agent processes to retrieve Java system properties.
    Published: July 27, 2022; 11:15:09 AM -0400

    V3.1: 8.2 HIGH

  • CVE-2022-27615 - Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in cgi component in Synology DNS Server before 2.2.2-5027 allows remote authenticated users to delete arbitrary files via unspecified vectors.
    Published: July 28, 2022; 12:15:09 AM -0400

    V3.1: 8.1 HIGH

  • CVE-2022-31627 - In PHP versions 8.1.x below 8.1.8, when fileinfo functions, such as finfo_buffer, due to incorrect patch applied to the third party code from libmagic, incorrect function may be used to free allocated memory, which may lead to heap corruption.
    Published: July 28, 2022; 2:15:07 AM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2022-22683 - Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in cgi component in Synology Media Server before 1.8.1-2876 allows remote attackers to execute arbitrary code via unspecified vectors.
    Published: July 28, 2022; 3:15:07 AM -0400

    V3.1: 9.8 CRITICAL