NVD Vulnerability Information

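You can search the list of vulnerabilities managed in the NVD (National Vulnerability Database).
Because the NVD is often updated before JVN (Japan Vulnerability Notes), it may contain updated vulnerabilities that are not yet listed in JVN.

When a related vulnerability exists in JVN, that information is shown on the detail screen.

To search by CWE, refer to the CWE overview and confirm the CWE number.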

Updated: April 25, 2026, 4:08

No. CVSS Level
Attack vector
Vendor Product Title CWE CVE Updated Published Impact Exploit/PoC search
1 4.3 MEDIUM
Adjacent
openbsd openbsd In OpenBSD through 7.8, the slaacd and rad daemons have an infinite loop when they receive a crafted ICMPv6 Neighbor Discovery (ND) option (over a local network) with length zero, because of an "nd_o… Update CWE-1284
CWE-835
Improper validation of specified quantity in input
Infinite loop
CVE-2026-41285 2026-04-25 03:59 2026-04-21 View GitHub Exploit DB Packet Storm
2 5.5 MEDIUM
Local
uutils coreutils The sort utility in uutils coreutils is vulnerable to a process panic when using the --files0-from option with inputs containing non-UTF-8 filenames. The implementation enforces UTF-8 encoding and ut… New CWE-248
Uncaught exception
CVE-2026-35348 2026-04-25 03:57 2026-04-23 View GitHub Exploit DB Packet Storm
3 7.5 HIGH
Network
powerdns authoritative A rogue primary server may cause file descriptor exhaustion and eventually a denial of service, when a PowerDNS secondary server forwards a DNS update request to it. Update CWE-400
Resource exhaustion
CVE-2026-33610 2026-04-25 03:53 2026-04-22 View GitHub Exploit DB Packet Storm
4 6.5 MEDIUM
Network
powerdns authoritative Incomplete escaping of LDAP queries when running with 8bit-dns enabled allows users to perform queries of internal domain subtrees. Update CWE-90
LDAP injection
CVE-2026-33609 2026-04-25 03:52 2026-04-22 View GitHub Exploit DB Packet Storm
5 9.8 CRITICAL
Network
powerdns authoritative An attacker can send a notify request that causes a new secondary domain to be added to the bind backend, but causes said backend to update its configuration to an invalid one, leading to the backend… Update CWE-94
Code injection
CVE-2026-33608 2026-04-25 03:52 2026-04-22 View GitHub Exploit DB Packet Storm
6 8.2 HIGH
Network
powerdns dnsdist A rogue backend can send a crafted UDP response with a query ID off by one related to the maximum configured value, triggering an out-of-bounds write leading to a denial of service. Update CWE-122
Heap overflow
CVE-2026-33602 2026-04-25 03:52 2026-04-22 View GitHub Exploit DB Packet Storm
7 8.1 HIGH
Adjacent
powerdns dnsdist A rogue backend can send a crafted SVCB response to a Discovery of Designated Resolvers request, when requested via either the autoUpgrade (Lua) option to newServer or auto_upgrade (YAML) settings. D… Update CWE-125
Out-of-bounds read
CVE-2026-33599 2026-04-25 03:52 2026-04-22 View GitHub Exploit DB Packet Storm
8 9.1 CRITICAL
Network
powerdns dnsdist A cached crafted response can cause an out-of-bounds read if custom Lua code calls getDomainListByAddress() or getAddressListByDomain() on a packet cache. Update CWE-125
Out-of-bounds read
CVE-2026-33598 2026-04-25 03:51 2026-04-22 View GitHub Exploit DB Packet Storm
9 7.5 HIGH
Network
powerdns dnsdist PRSD detection denial of service Update CWE-116
Improper encoding or escaping of output
CVE-2026-33597 2026-04-25 03:51 2026-04-22 View GitHub Exploit DB Packet Storm
10 6.5 MEDIUM
Adjacent
powerdns dnsdist A client might theoretically be able to cause a mismatch between queries sent to a backend and the received responses by sending a flood of perfectly timed queries that are routed to a TCP-only or DN… Update CWE-190
Integer overflow or wraparound
CVE-2026-33596 2026-04-25 03:50 2026-04-22 View GitHub Exploit DB Packet Storm
11 7.5 HIGH
Network
powerdns dnsdist A client can trigger excessive memory allocation by generating a lot of errors responses over a single DoQ and DoH3 connection, as some resources were not properly released until the end of the conne… Update CWE-770
Allocation of resources without limits or throttling
CVE-2026-33595 2026-04-25 03:49 2026-04-22 View GitHub Exploit DB Packet Storm
12 7.5 HIGH
Network
powerdns dnsdist A client can trigger a divide by zero error leading to crash by sending a crafted DNSCrypt query. Update CWE-369
Divide by zero
CVE-2026-33593 2026-04-25 03:49 2026-04-22 View GitHub Exploit DB Packet Storm
13 6.5 MEDIUM
Network
- - Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype… New CWE-915
CWE-1321
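Improperly controlled modification of dynamically-determined object attributes
Improperly controlled modification of object prototype attributes (prototype pollution)
CVE-2026-42044 2026-04-25 03:16 2026-04-25 View GitHub Exploit DB Packet Storm
14 7.2 HIGH
Network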
- - Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 r… New CWE-183
CWE-441
CWE-918
Permissive list of allowed inputs
Filter bypass
Server-side request forgery
CVE-2026-42043 2026-04-25 03:16 2026-04-25 View GitHub Exploit DB Packet Storm
15 5.4 MEDIUM
Network
- - Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library's XSRF token protection logic uses JavaScript truthy/falsy semantics instead of strict … New CWE-183
CWE-201
Permissive list of allowed inputs
Insertion of sensitive information into sent data
CVE-2026-42042 2026-04-25 03:16 2026-04-25 View GitHub Exploit DB Packet Storm
16 4.8 MEDIUM
Network
- - Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype… New CWE-287
CWE-1321
Improper authentication
Improperly controlled modification of object prototype attributes (prototype pollution)
CVE-2026-42041 2026-04-25 03:16 2026-04-25 View GitHub Exploit DB Packet Storm
17 3.7 LOW
Network
- - Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode() function in lib/helpers/AxiosURLSearchParams.js contains a character mapping (charMap) at li… New CWE-116
CWE-626
Improper encoding or escaping of output
CVE-2026-42040 2026-04-25 03:16 2026-04-25 View GitHub Exploit DB Packet Storm
18 - -
- - Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as reque… New CWE-674
Uncontrolled recursion
CVE-2026-42039 2026-04-25 03:16 2026-04-25 View GitHub Exploit DB Packet Storm
19 6.8 MEDIUM
Network
- - Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the fix for no_proxy hostname normalization bypass is incomplete. When no_proxy=localhost is set, requests… New CWE-918
Server-side request forgery
CVE-2026-42038 2026-04-25 03:16 2026-04-25 View GitHub Exploit DB Packet Storm
20 5.3 MEDIUM
Network
- - Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.1, the FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into th… New CWE-93
CRLF injection
CVE-2026-42037 2026-04-25 03:16 2026-04-25 View GitHub Exploit DB Packet Storm
21 5.3 MEDIUM
Network
- - Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when responseType: 'stream' is used, Axios returns the response stream without enforcing maxContentLength… New CWE-770
Allocation of resources without limits or throttling
CVE-2026-42036 2026-04-25 03:16 2026-04-25 View GitHub Exploit DB Packet Storm
22 7.4 HIGH
Network
- - Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter (lib/adapters/http.js) that allows an attac… New CWE-113
CWE-1321
HTTP response splitting
Improperly controlled modification of object prototype attributes (prototype pollution)
CVE-2026-42035 2026-04-25 03:16 2026-04-25 View GitHub Exploit DB Packet Storm
23 5.3 MEDIUM
Network
- - Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, for stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 (native http/https tra… New CWE-770
Allocation of resources without limits or throttling
CVE-2026-42034 2026-04-25 03:16 2026-04-25 View GitHub Exploit DB Packet Storm
24 7.4 HIGH
Network
- - Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when Object.prototype has been polluted by any co-dependency with keys that axios reads without a hasOwnP… New CWE-1321
Improperly controlled modification of object prototype attributes (prototype pollution)
CVE-2026-42033 2026-04-25 03:16 2026-04-25 View GitHub Exploit DB Packet Storm
25 - -
- - rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.24 to before 0.10.78, the FFI trampolines behind SslContextBuilder::set_psk_client_callback, set_psk_server_callbac… New CWE-126
CWE-130
Buffer over-read
Improper handling of length parameter inconsistency
CVE-2026-41898 2026-04-25 03:16 2026-04-25 View GitHub Exploit DB Packet Storm
26 - -
- - rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.10.39 to before 0.10.78, EVP_DigestFinal() always writes EVP_MD_CTX_size(ctx) to the out buffer. If out is smaller th… New CWE-121
Stack overflow
CVE-2026-41681 2026-04-25 03:16 2026-04-25 View GitHub Exploit DB Packet Storm
27 - -
- - Marked is a markdown parser and compiler. From 18.0.0 to 18.0.1, a critical Denial of Service (DoS) vulnerability exists in marked. By providing a specific 3-byte input sequence a tab, a vertical tab… New CWE-400
CWE-674
CWE-835
Resource exhaustion
Uncontrolled recursion
Infinite loop
CVE-2026-41680 2026-04-25 03:16 2026-04-25 View GitHub Exploit DB Packet Storm
28 - -
- - rust-openssl provides OpenSSL bindings for the Rust programming language. From to before 0.10.78, aes::unwrap_key() contains an incorrect assertion: it checks that out.len() + 8 <= in_.len(), but t… New CWE-787
Out-of-bounds write
CVE-2026-41678 2026-04-25 03:16 2026-04-25 View GitHub Exploit DB Packet Storm
29 - -
- - rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.0 to before 0.10.78, the *_from_pem_callback APIs did not validate the length returned by the user's callback. A pa… New CWE-125
CWE-1284
Out-of-bounds read
Improper validation of specified quantity in input
CVE-2026-41677 2026-04-25 03:16 2026-04-25 View GitHub Exploit DB Packet Storm
30 - -
- - rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.27 to before 0.10.78, Deriver::derive (and PkeyCtxRef::derive) sets len = buf.len() and passes it as the in/out len… New CWE-131
CWE-787
Incorrect calculation of buffer size
Out-of-bounds write
CVE-2026-41676 2026-04-25 03:16 2026-04-25 View GitHub Exploit DB Packet Storm
31 5.3 MEDIUM
Network
- - @astrojs/node allows Astro to deploy your SSR site to Node targets. Prior to 10.0.5, requesting a static js/css resources from _astro path with an incorrect/malformed if-match header returns a 500 er… New CWE-525
Use of web browser cache containing sensitive information
CVE-2026-41322 2026-04-25 03:16 2026-04-25 View GitHub Exploit DB Packet Storm
32 2.2 LOW
Network
- - @astrojs/cloudflare is an SSR adapter for use with Cloudflare Workers targets. Prior to 13.1.10, the fetch() call for remote images in packages/integrations/cloudflare/src/utils/image-binding-transfo… New CWE-918
Server-side request forgery
CVE-2026-41321 2026-04-25 03:16 2026-04-25 View GitHub Exploit DB Packet Storm
33 - -
- - Poetry is a dependency manager for Python. Prior to 2.3.4, the extractall() function in src/poetry/utils/helpers.py:410-426 extracts sdist tarballs without path traversal protection on Python version… New CWE-22
Path traversal
CVE-2026-41140 2026-04-25 03:16 2026-04-25 View GitHub Exploit DB Packet Storm
34 6.5 MEDIUM
Network
- - A Broken Access Control vulnerability exists in ClassroomIO v0.1.13 where an authenticated low-privileged "student" user can access unauthorized course-level information by modifying intercepted API … New CWE-284
CWE-285
Improper access control
Improper authorization
CVE-2025-67259 2026-04-25 03:16 2026-04-25 View GitHub Exploit DB Packet Storm
35 8.8 HIGH
Network
- - Math.js is an extensive math library for JavaScript and Node.js. From 13.1.1 to before 15.2.0, a vulnerability allowed executing arbitrary JavaScript via the expression parser of mathjs. You can be a… New CWE-915
Improperly controlled modification of dynamically-determined object attributes
CVE-2026-40897 2026-04-25 02:56 2026-04-25 View GitHub Exploit DB Packet Storm
36 7.5 HIGH
Network
- - lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML in… New CWE-611
Improper restriction of XML external entity reference
CVE-2026-41066 2026-04-25 02:56 2026-04-25 View GitHub Exploit DB Packet Storm
37 6.1 MEDIUM
Network
- - Astro is a web framework. Prior to 6.1.6, the defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex /<\/script>/g to sanitize values injected into inline <sc… New CWE-79
Cross-site scripting (XSS)
CVE-2026-41067 2026-04-25 02:56 2026-04-25 View GitHub Exploit DB Packet Storm
38 4.3 MEDIUM
Adjacent
- - OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. Prior to 2.4.17, a network-adjacent attacker can send a crafted SNMP response to the CUPS SNMP bac… New CWE-125
CWE-200
Out-of-bounds read
Information exposure
CVE-2026-41079 2026-04-25 02:56 2026-04-25 View GitHub Exploit DB Packet Storm
39 6.6 MEDIUM
Local
- - Vim is an open source, command line text editor. Prior to 9.2.0357, A command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file … New CWE-78
OS command injection
CVE-2026-41411 2026-04-25 02:56 2026-04-25 View GitHub Exploit DB Packet Storm
40 9.8 CRITICAL
Network
- - Missing JWT signature verification in AWS Ops Wheel allows unauthenticated attackers to forge JWT tokens and gain unintended administrative access to the application, including the ability to read, m… New CWE-347
Improper verification of digital signature
CVE-2026-6911 2026-04-25 02:56 2026-04-25 View GitHub Exploit DB Packet Storm
41 8.8 HIGH
Network
- - Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel before PR #165 allows remote authenticated users to escalate to … New CWE-915
Improperly controlled modification of dynamically-determined object attributes
CVE-2026-6912 2026-04-25 02:56 2026-04-25 View GitHub Exploit DB Packet Storm
42 4.9 MEDIUM
Network
- - Cross Site Scripting vulnerability in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to execute arbitrary code New CWE-79
Cross-site scripting (XSS)
CVE-2026-31050 2026-04-25 02:55 2026-04-25 View GitHub Exploit DB Packet Storm
43 3.8 LOW
Network
- - An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to cause a denial of service via the Client Balance component New CWE-400
Resource exhaustion
CVE-2026-31051 2026-04-25 02:55 2026-04-25 View GitHub Exploit DB Packet Storm
44 5.3 MEDIUM
Network
- - An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to cause a denial of service via the Checkout Authentication Flow component New CWE-400
Resource exhaustion
CVE-2026-31052 2026-04-25 02:55 2026-04-25 View GitHub Exploit DB Packet Storm
45 4.0 MEDIUM
Local
- - bookserver in KDE Arianna before 26.04.1 allows attackers to read files over a socket connection by guessing a URL. New CWE-306
Missing authentication for critical function
CVE-2026-42095 2026-04-25 02:55 2026-04-25 View GitHub Exploit DB Packet Storm
46 9.8 CRITICAL
Network
- - BridgeHead FileStore versions prior to 24A (released in early 2024) expose the Apache Axis2 administration module on network-accessible endpoints with default credentials that allows unauthenticated … New CWE-1188
CWE-1391
Initialization of a resource with an insecure default
Use of weak credentials
CVE-2026-39920 2026-04-25 02:55 2026-04-25 View GitHub Exploit DB Packet Storm
47 6.1 MEDIUM
Network
- - Mahara before 25.04.2 and 24.04.11 are vulnerable to displaying results that can trigger XSS via a malicious search query string. This occurs in the 'search site' feature when using the Elasticsearch… New CWE-79
Cross-site scripting (XSS)
CVE-2025-61872 2026-04-25 02:54 2026-04-25 View GitHub Exploit DB Packet Storm
48 4.7 MEDIUM
Network
- - In Mahara before 24.04.10 and 25 before 25.04.1, an institution administrator or institution support administrator on a multi-tenanted site can masquerade as an institution member in an institution f… New CWE-284
Improper access control
CVE-2025-59308 2026-04-25 02:54 2026-04-25 View GitHub Exploit DB Packet Storm
49 - -
- - A client-side authorization flaw in Lightspeed Classroom v5.1.2.1763770643 allows unauthenticated attackers to impersonate users by bypassing integrity checks and abusing client-generated authorizati… New - CVE-2026-30368 2026-04-25 02:53 2026-04-25 View GitHub Exploit DB Packet Storm
50 - -
- - In the Linux kernel, the following vulnerability has been resolved: smb: client: let send_done handle a completion without IB_SEND_SIGNALED With smbdirect_send_batch processing we likely have reque… New - CVE-2026-31534 2026-04-25 02:51 2026-04-25 View GitHub Exploit DB Packet Storm