Tag: nvd
-
Änderungen an der NVD – NIST reagiert auf Schwachstellen-Flut
First seen on security-insider.de Jump to article: www.security-insider.de/nist-priorisiert-cves-nvd-risikobasiertes-modell-a-b62bfc43745006c9f34e3a70de0332f2/
-
Critical Cursor bug could turn routine Git into RCE
Tags: ai, attack, cvss, flaw, malicious, nvd, penetration-testing, phishing, rce, remote-code-executionExpanded attack surface with agentic IDEs: Novee warned that while traditional IDEs are passive, doing what developers explicitly tell them to do, Cursor’s AI agent interprets intent and autonomously decides which commands to run, which includes Git operations. And that’s where the problem lies.”In traditional pentesting, ‘client-side’ attacks targeting developer machines have always been a…
-
As the NVD scales back CVE enrichment, here’s what Tenable customers need to know
Tags: access, ai, cisa, cloud, cve, cvss, data, data-breach, exploit, infrastructure, intelligence, kev, metric, mitre, nist, nvd, ransomware, risk, software, strategy, technology, threat, vulnerability, vulnerability-management, zero-dayNIST’s shift toward selective CVE enrichment creates significant visibility gaps for teams relying solely on the National Vulnerability Database. As AI accelerates vulnerability disclosure rates, organizations need independent, high-fidelity intelligence to prioritize risks that the NVD may now overlook. Key takeaways NIST is pivoting to a prioritized enrichment model, focusing only on specific criteria like…
-
NIST Scales Back Vulnerability Scoring in 2026 as CVE Volume Surges
NIST is scaling back NVD enrichment as CVE volumes surge, shifting more risk prioritization to organizations. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/nist-scales-back-vulnerability-scoring-in-2026-as-cve-volume-surges/
-
NIST Adopts Risk-Based NVD Model as CVE Submissions Jump 263% Since 2020
According to a recent announcement from the National Institute of Standards and Technology (NIST), the agency is fundamentally restructuring how it manages the National Vulnerability Database (NVD). Driven by a massive 263% increase in Common Vulnerabilities and Exposures (CVE) submissions between 2020 and 2025, NIST is shifting from a comprehensive analysis approach to a targeted,…
-
National Vulnerability Database (NVD) Shifts to Selective Enrichment as CVE Volume Surges
Under a new model announced by the National Institute of Standards and Technology, NVD will no longer enrich every CVE. Instead, enrichment efforts will focus on a defined subset, including vulnerabilities in the CISA KEV catalog, software used by the federal government, and software designated as critical. First seen on securityboulevard.com Jump to article: securityboulevard.com/2026/04/national-vulnerability-database-nvd-shifts-to-selective-enrichment-as-cve-volume-surges/
-
NIST Limits CVE Enrichment After 263% Surge in Vulnerability Submissions
The National Institute of Standards and Technology (NIST) has announced changes to the way it handles cybersecurity vulnerabilities and exposures (CVEs) listed in its National Vulnerability Database (NVD), stating it will only enrich those that fulfil certain conditions owing to an explosion in CVE submissions.”CVEs that do not meet those criteria will still be listed…
-
NIST admits defeat on NVD backlog, will enrich only highest-risk CVEs going forward
NIST is overhauling how it manages the National Vulnerability Database (NVD) and switching to a risk-based model that prioritizes >>enrichment<< of only the most … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2026/04/16/nist-national-vulnerability-database-nvd-enrichment/
-
Attackers exploit critical Langflow RCE within hours as CISA sounds alarm
Tags: access, advisory, ai, api, attack, cisa, cloud, credentials, cve, cvss, data, data-breach, detection, endpoint, exploit, flaw, framework, github, infrastructure, injection, kev, malicious, monitoring, nvd, open-source, rce, remote-code-execution, software, supply-chain, threat, update, vulnerability, windowscredentials, was weaponized within 20 hours of the open-source AI-pipeline tool disclosing it.According to a Sysdig report, crooks started hitting a fleet of honeypot nodes with vulnerable instances across multiple cloud providers and regions right after they went live. Sysdig observed four such attempts within hours of deployment, with one attacker progressing to environment variable exfiltration.”This is…
-
Attackers exploit critical Langflow RCE within hours as CISA sounds alarm
Tags: access, advisory, ai, api, attack, cisa, cloud, credentials, cve, cvss, data, data-breach, detection, endpoint, exploit, flaw, framework, github, infrastructure, injection, kev, malicious, monitoring, nvd, open-source, rce, remote-code-execution, software, supply-chain, threat, update, vulnerability, windowscredentials, was weaponized within 20 hours of the open-source AI-pipeline tool disclosing it.According to a Sysdig report, crooks started hitting a fleet of honeypot nodes with vulnerable instances across multiple cloud providers and regions right after they went live. Sysdig observed four such attempts within hours of deployment, with one attacker progressing to environment variable exfiltration.”This is…
-
CVE-2026-3630: Critical Buffer Overflow in Delta Electronics COMMGR2 Enables Remote Code Execution
Key Takeaways CVSS v3.1 base score of 9.8 (Critical) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, according to the CNA Delta Electronics COMMGR2 contains an out-of-bounds write vulnerability (CWE-787) enabling unauthenticated remote code execution NVD lists the vulnerability as analyzed; vendor advisory Delta-PCSA-2026-00005 is available addressing multiple COMMGR2 vulnerabilities No evidence of active exploitation in the wild; specific affected……
-
CVE-2026-3630: Critical Buffer Overflow in Delta Electronics COMMGR2 Enables Remote Code Execution
Key Takeaways CVSS v3.1 base score of 9.8 (Critical) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, according to the CNA Delta Electronics COMMGR2 contains an out-of-bounds write vulnerability (CWE-787) enabling unauthenticated remote code execution NVD lists the vulnerability as analyzed; vendor advisory Delta-PCSA-2026-00005 is available addressing multiple COMMGR2 vulnerabilities No evidence of active exploitation in the wild; specific affected……
-
CVE-2026-3342: Critical OutBounds Write Vulnerability in WatchGuard Fireware OS
Key Takeaways CVSS v3.1 base score of 7.2 (High) according to NVD analysis Affects WatchGuard Fireware OS versions 11.9-11.12.4_Update1, 12.0-12.11.7, and 2025.1-2026.1.1 Authenticated privileged administrators can execute arbitrary code with root permissions via management interface NVD published March 3, 2026; vendor patch status pending official advisory publication CVE-2026-3342: What Happened? CVE-2026-3342 is an out-of-bounds write……
-
EU’s answer to CVE solves dependency issue, adds fragmentation risks
Tags: access, ai, china, cisco, cve, cyber, cybersecurity, data, dos, exploit, finance, governance, grc, infrastructure, intelligence, international, nvd, open-source, risk, service, software, threat, tool, vulnerability, vulnerability-managementCoordinated disclosure: Nik Kale, principal engineer and product architect at Cisco Systems, says GCVE’s main challenge comes from building a platform that the security community can rely on for coordinated disclosure and remediation.”Viability depends far more on governance than on the data itself,” Kale says. “That includes clear attribution rules, transparent CNA processes, predictable decision-making,…
-
Open WebUI bug turns the ‘free model’ into an enterprise backdoor
Tags: access, api, authentication, backdoor, data, exploit, flaw, malicious, mitigation, network, nvd, remote-code-execution, risk, tool, updateEscalating to Remote Code Execution: The risk doesn’t stop at account takeover. If the compromised account has workspace.tools permissions, attackers can leverage that session token to push authenticated Python code through Open WebUI’s Tools API, which executes without sandboxing or validation.This turns a browser-level compromise into full remote code execution on the backend server. Once…
-
The nexus of risk and intelligence: How vulnerability-informed hunting uncovers what everything else misses
Tags: access, attack, authentication, business, cisa, compliance, cve, cvss, dark-web, data, defense, detection, dns, edr, endpoint, exploit, framework, intelligence, kev, linux, malicious, mitigation, mitre, monitoring, ntlm, nvd, open-source, password, powershell, remote-code-execution, risk, risk-management, siem, soc, strategy, tactics, technology, threat, update, vulnerability, vulnerability-managementTurning vulnerability data into intelligence: Once vulnerabilities are contextualized, they can be turned into actionable intelligence. Every significant CVE tells a story, known exploit activity, actor interest, proof-of-concept code or links to MITRE ATT&CK techniques. This external intelligence gives us the who and how behind potential exploitation.For example, when a privilege escalation vulnerability in Linux…
-
Stop waiting on NVD, get real-time vulnerability alerts now
Vulnerabilities are discovered daily”, but not every alert matters. SecAlerts pulls from 100+ sources for faster, real-time vuln alerts, filtering the noise so teams can patch quicker and stay secure. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/stop-waiting-on-nvd-get-real-time-vulnerability-alerts-now/
-
Ransomware up 179%, credential theft up 800%: 2025’s cyber onslaught intensifies
Exploits multiply as defenders play catch-up: Vulnerability disclosure rose by 246%, and publicly available exploits increased by 179%, with over 20000 vulnerabilities disclosed in the first half of 202535% of which already have exploit code.A backlog of 42000 vulnerabilities awaiting NVD analysis and delays in CVE enrichment leave organizations blind to many critical flaws, the…
-
Auf der Suche nach Alternativen zum CVE-Programm
Tags: advisory, ceo, cisa, cve, cvss, cyber, cyersecurity, exploit, github, google, group, infrastructure, intelligence, kev, microsoft, nist, nvd, open-source, oracle, ransomware, resilience, risk, siem, soar, software, supply-chain, threat, tool, update, vulnerability, vulnerability-management, zero-daySollte das CVE-Programm eingestellt werden, wäre die Bewertung und Behebung von Sicherheitslücken schwieriger.Der jüngste kurze Panikausbruch wegen der möglichen Einstellung des Common Vulnerabilities and Exposures (CVE)-Programms hat die starke Abhängigkeit der Sicherheitsbranche von diesem Programm deutlich gemacht. Er führte zu Diskussionen über Notfallstrategien , falls das standardisierte System zur Identifizierung und Katalogisierung von Schwachstellen nicht…
-
Critical RCE flaw in Anthropic’s MCP inspector exposes developer machines to remote attacks
Chained with a legacy flaw for RCE : Oligo demonstrated that the attack vector combines two independent flaws. Attackers could chain the legacy “0.0.0.0-day” browser flaw, which lets web pages send requests to 0.0.0.0 address that browsers treat like localhost, to a CSRF-style attack leveraging the Inspector proxy’s vulnerable “/sse” endpoint that accepts commands via query…
-
Beyond CVE: The hunt for other sources of vulnerability intel
Tags: advisory, application-security, china, cisa, cve, cyber, cybersecurity, data, exploit, flaw, github, government, guide, infrastructure, intelligence, kev, microsoft, nvd, oracle, ransomware, risk, siem, soar, software, threat, tool, update, vulnerability, zero-dayCurrent alternatives include diverse vendor sources: Independent providers of aggregated vulnerability information such as Flashpoint, VulnCheck, Tenable, BitSight and others are another option. Many of these vendors offer curated datasets that capture vulnerabilities often missed or delayed by CVE, Lefkowitz points out. They also offer critical context such as exploitability, ransomware risk, and social risk.”To…
-
Dems want watchdog study of two troubled federally-funded vulnerability tracking initiatives
The CVE program publishes standardized information about known cyber vulnerabilities, while the NVD is a storehouse for vulnerability management data. First seen on cyberscoop.com Jump to article: cyberscoop.com/gao-vulnerability-management-letter-cve-nvd-bennie-thompson-zoe-lofgren/
-
US Government Launches Audit of NIST’s National Vulnerability Database
The audit of the NVD will be conducted by the US Department of Commerce’s Office of Inspector General First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/us-government-launches-audit-nist/
-
Hackers target Apple users in an ‘extremely sophisticated attack’
Flaws patched across the board: According to the NVD description, Apple issued a fix for all impacted operating systems. Patched Apple OS rollouts include tvOS 18.4.1, visionOS 2.4.1, iOS 18.4.1, iPadOS 18.4.1, and macOS Sequoia 15.4.1.Specific iPhones and iPads that shall be receiving the patch include iPhone XS and later, iPad Pro 13-inch, iPad Pro…
-
Frequently Asked Questions About the MITRE CVE Program Expiration and Renewal
Tags: advisory, attack, cisa, computer, cve, cybersecurity, data, exploit, government, incident response, infrastructure, mitre, nvd, open-source, risk, tactics, update, vulnerability, vulnerability-managementConcerns about the future of the MITRE CVE Program continue to circulate. The Tenable Security Response Team has created this FAQ to help provide clarity and context around this developing situation. Background The Tenable Security Response Team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding changes around the MITRE CVE Program. As…
-
CVE program averts swift end after CISA executes 11-month contract extension
Tags: china, cisa, computer, cve, cyber, cybersecurity, data, defense, detection, endpoint, flaw, framework, government, infrastructure, intelligence, linkedin, mitre, nist, nvd, russia, service, software, technology, threat, update, vulnerability, vulnerability-managementImportant update April 16, 2025: Since this story was first published, CISA signed a contract extension that averts a shutdown of the MITRE CVE program.A CISA spokesperson sent CSO a statement saying, “The CVE Program is invaluable to cyber community and a priority of CISA. Last night, CISA executed the option period on the contract to ensure…
-
CVE program faces swift end after DHS fails to renew contract, leaving security flaw tracking in limbo
Tags: china, cisa, cve, cyber, cybersecurity, data, detection, endpoint, flaw, government, infrastructure, intelligence, linkedin, mitre, nist, nvd, russia, service, technology, threat, vulnerability, vulnerability-managementMITRE’s CVE program foundational to cybersecurity: MITRE’s CVE program is a foundational pillar of the global cybersecurity ecosystem and is the de facto standard for identifying vulnerabilities and guiding defenders’ vulnerability management programs. It provides foundational data to vendor products across vulnerability management, cyber threat intelligence, security information, event management, and endpoint detection and response.Although…
-
NIST Defers Pre-2018 CVEs to Tackle Growing Vulnerability Backlog
NIST marks CVEs pre-2018 as “Deferred” in the NVD as agency focus shifts to managing emerging threats First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/nist-defers-pre-2018-cves/