NVD Vulnerability Information

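You can search the list of vulnerabilities managed in the NVD (National Vulnerability Database).
Because vulnerability information is often updated in the NVD before it appears in JVN (Japan Vulnerability Notes), the list may include updates for vulnerabilities that are not yet listed in JVN.

If a vulnerability has a related JVN (Japan Vulnerability Notes) entry, that information is shown on the detail page.

To search by CWE, refer to the CWE overview to confirm the CWE number.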


Last updated: April 26, 2026, 4:08

No. CVSS Level
Attack vector
Vendor Product Title CWE CVE Updated Published Impact view Exploit/PoC search
451 4.2 MEDIUM
Network
- - FreeRDP is a free implementation of the Remote Desktop Protocol. Versions prior to 3.25.0 have an off-by-one in the path traversal filter in `channels/drive/client/drive_file.c`. The `contains_dotdot… New CWE-193
Off-by-one Error
CVE-2026-40254 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
452 - -
- - Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, Kirby's user permissions control which user role is allowed to perform specific actions to content models in the … New CWE-1336
Improper Neutralization of Special Elements Used in a Template Engine
CVE-2026-34587 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
453 - -
- - Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined … New CWE-863
Incorrect Authorization
CVE-2026-40099 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
454 - -
- - Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined … New CWE-863
Incorrect Authorization
CVE-2026-41325 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
455 8.7 HIGH
Local
- - OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm Cortex-A cores using the TrustZone technology. In versions 3.13.0 through 4.10.0, mi… New CWE-125
CWE-787
Out-of-bounds Read
Out-of-bounds Write
CVE-2026-33317 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
456 - -
- - Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). `press.api.account.create_api_secret` is prone to CSRF-like expl… New CWE-352
Same-origin policy violation
CVE-2026-41317 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
457 8.2 HIGH
Network
- - Open Source Social Network (OSSN) is open-source social networking software developed in PHP. Versions prior to 9.0 are vulnerable to resource exhaustion. An attacker can upload a specially crafted i… New CWE-400
CWE-770
Resource Exhaustion
Allocation of Resources Without Limits or Throttling
CVE-2026-41309 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
458 8.1 HIGH
Network
- - ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an `@_init` instance variable guard in `ERB#result` and `ERB#run` to prevent code execution… New CWE-693
Protection Mechanism Failure
CVE-2026-41316 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
459 5.4 MEDIUM
Network
- - AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, AnythingLLM's in-chat markdown renderer has an uns… New CWE-79
CWE-116
CWE-1336
Cross-site Scripting (XSS)
Improper Encoding or Escaping of Output
Improper Neutralization of Special Elements Used in a Template Engine
CVE-2026-41318 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
460 8.1 HIGH
Network
- - Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4, Kyverno's apiCall feature in ClusterPolicy automatically attache… New CWE-200
CWE-918
Information Exposure
Server-Side Request Forgery (SSRF)
CVE-2026-41323 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
461 7.5 HIGH
Network
- - basic-ftp is an FTP client for Node.js. Versions prior to 5.3.0 are vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A mal… New CWE-400
CWE-770
Resource Exhaustion
Allocation of Resources Without Limits or Throttling
CVE-2026-41324 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
462 - -
- - Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). Redirect parameter on login page is vulnerable to reflected XSS… New CWE-79
Cross-site Scripting (XSS)
CVE-2026-41430 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
463 7.7 HIGH
Network
- - Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.17.2 and 1.16.4, an unchecked type assertion in the `forEach` mutation handler allows any user wit… New CWE-617
Reachable Assertion
CVE-2026-41485 2026-04-24 23:50 2026-04-24 View GitHub Exploit DB Packet Storm
464 7.6 HIGH
Network
wger wger wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the GymConfigUpdateView declares permission_required = 'config.change_gymconfig' but inherits WgerFormMixin instead… Update CWE-284
CWE-862
Improper Access Control
Missing Authorization
CVE-2026-40474 2026-04-24 23:46 2026-04-18 View GitHub Exploit DB Packet Storm
465 5.4 MEDIUM
Network
wger wger wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the attribution_link property in AbstractLicenseModel constructs HTML by directly interpolating user-controlled lic… Update CWE-79
Cross-site Scripting (XSS)
CVE-2026-40353 2026-04-24 23:46 2026-04-18 View GitHub Exploit DB Packet Storm
466 - -
- - Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, the `RestoreController.PostRestoreJob` endpoint allows an administrator to supply an … Update CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-41170 2026-04-24 23:45 2026-04-23 View GitHub Exploit DB Packet Storm
467 - -
- - Squidex is an open source headless content management system and content management hub. Versions prior to 7.23.0 have a Server-Side Request Forgery (SSRF) vulnerability due to missing SSRF protectio… Update CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-41171 2026-04-24 23:45 2026-04-23 View GitHub Exploit DB Packet Storm
468 - -
- - Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, an SSRF vulnerability allows a user with asset upload permission to force the server … Update CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-41172 2026-04-24 23:45 2026-04-23 View GitHub Exploit DB Packet Storm
469 5.5 MEDIUM
Network
- - Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, the Squidex Restore API is vulnerable to Blind Server-Side Request Forgery (SSRF). Th… Update CWE-73
CWE-918
External Control of File Name or Path
Server-Side Request Forgery (SSRF)
CVE-2026-41177 2026-04-24 23:45 2026-04-23 View GitHub Exploit DB Packet Storm
470 7.8 HIGH
Local
- - A flaw was found in the X.Org X server. This integer underflow vulnerability, specifically in the XKB compatibility map handling, allows an attacker with local or remote X11 server access to trigger … New CWE-191
Integer Underflow
CVE-2026-33999 2026-04-24 23:41 2026-04-24 View GitHub Exploit DB Packet Storm
471 7.8 HIGH
Local
- - A flaw was found in the X.Org X server. This use-after-free vulnerability occurs in the XSYNC fence triggering logic, specifically within the miSyncTriggerFence() function. An attacker with access to… New CWE-825
Expired Pointer Dereference
CVE-2026-34001 2026-04-24 23:41 2026-04-24 View GitHub Exploit DB Packet Storm
472 7.8 HIGH
Local
- - A flaw was found in the X.Org X server's XKB key types request validation. A local attacker could send a specially crafted request to the X server, leading to an out-of-bounds memory access vulnerabi… New CWE-125
Out-of-bounds Read
CVE-2026-34003 2026-04-24 23:41 2026-04-24 View GitHub Exploit DB Packet Storm
473 9.8 CRITICAL
Network
- - An issue in Ntfy ntfy.sh before v.2.21 allows a remote attacker to execute arbitrary code via the parseActions function New CWE-94
Code Injection
CVE-2026-39087 2026-04-24 23:41 2026-04-24 View GitHub Exploit DB Packet Storm
474 9.9 CRITICAL
Network
- - A critical XSS vulnerability affected hackage-server and hackage.haskell.org. HTML and JavaScript files provided in source packages or via the documentation upload facility were served as-is on the … New CWE-79
Cross-site Scripting (XSS)
CVE-2026-40470 2026-04-24 23:41 2026-04-24 View GitHub Exploit DB Packet Storm
475 9.6 CRITICAL
Network
- - hackage-server lacked Cross-Site Request Forgery (CSRF) protection across its endpoints. Scripts on foreign sites could trigger requests to hackage server, possibly abusing latent credentials to uplo… New CWE-352
Same-origin policy violation
CVE-2026-40471 2026-04-24 23:41 2026-04-24 View GitHub Exploit DB Packet Storm
476 9.9 CRITICAL
Network
- - In hackage-server, user-controlled metadata from .cabal files are rendered into HTML href attributes without proper sanitization, enabling stored Cross-Site Scripting (XSS) attacks. New CWE-79
Cross-site Scripting (XSS)
CVE-2026-40472 2026-04-24 23:41 2026-04-24 View GitHub Exploit DB Packet Storm
477 - -
- - DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions prior to 3.4.0 have an inconsistency between FORBID_TAGS and FORBID_ATTR handling when function-based ADD_TA… New CWE-79
CWE-183
Cross-site Scripting (XSS)
Permissive List of Allowed Inputs
CVE-2026-41240 2026-04-24 23:41 2026-04-24 View GitHub Exploit DB Packet Storm
478 9.8 CRITICAL
Network
- - An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunMinAlive parameter to /cgi-bin/cstecgi.cgi. New CWE-78
OS Command Injection
CVE-2026-31177 2026-04-24 23:41 2026-04-24 View GitHub Exploit DB Packet Storm
479 9.8 CRITICAL
Network
- - An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunMaxAlive parameter to /cgi-bin/cstecgi.cgi. New CWE-78
OS Command Injection
CVE-2026-31178 2026-04-24 23:41 2026-04-24 View GitHub Exploit DB Packet Storm
480 6.5 MEDIUM
Network
- - An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunPort parameter to /cgi-bin/cstecgi.cgi. New CWE-77
Command Injection
CVE-2026-31179 2026-04-24 23:41 2026-04-24 View GitHub Exploit DB Packet Storm
481 9.8 CRITICAL
Network
- - An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunServerAddr parameter to /cgi-bin/cstecgi.cgi. New CWE-78
OS Command Injection
CVE-2026-31181 2026-04-24 23:41 2026-04-24 View GitHub Exploit DB Packet Storm
482 5.3 MEDIUM
Adjacent
- - OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry over gRPC using the OpenTelemetry Protocol (OTLP), the exporter may parse a server-provide… New CWE-789
Memory Allocation with Excessive Size Value
CVE-2026-40891 2026-04-24 23:41 2026-04-24 View GitHub Exploit DB Packet Storm
483 4.3 MEDIUM
Network
- - OpenClaw before 2026.4.20 contains a scope enforcement bypass vulnerability in the assistant-media route that allows trusted-proxy callers without operator.read scope to access protected assistant-me… New CWE-863
Incorrect Authorization
CVE-2026-41908 2026-04-24 23:41 2026-04-24 View GitHub Exploit DB Packet Storm
484 5.3 MEDIUM
Adjacent
- - OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry to a back-end/collector over gRPC or HTTP using OpenTelemetry Protocol format (OTLP), if t… New CWE-789
Memory Allocation with Excessive Size Value
CVE-2026-40182 2026-04-24 23:41 2026-04-24 View GitHub Exploit DB Packet Storm
485 5.4 MEDIUM
Network
- - OpenClaw before 2026.4.20 contains an improper authorization vulnerability in paired-device pairing management that allows limited-scope sessions to enumerate and act on pairing requests. Attackers w… New CWE-863
Incorrect Authorization
CVE-2026-41909 2026-04-24 23:41 2026-04-24 View GitHub Exploit DB Packet Storm
486 - -
- - TP-Link TL-WR841N v13 uses DES-CBC encryption in the TDDPv2 debug protocol with a cryptographic key derived from default web management credentials, making the key predictable if device is left in de… New CWE-1394
Use of Default Cryptographic Key
CVE-2026-5039 2026-04-24 23:41 2026-04-24 View GitHub Exploit DB Packet Storm
487 6.5 MEDIUM
Network
- - An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the ttlWay parameter to /cgi-bin/cstecgi.cgi. New CWE-77
Command Injection
CVE-2026-31162 2026-04-24 23:41 2026-04-24 View GitHub Exploit DB Packet Storm
488 6.5 MEDIUM
Network
- - An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the dhcpMtu parameter to /cgi-bin/cstecgi.cgi. New CWE-77
Command Injection
CVE-2026-31163 2026-04-24 23:41 2026-04-24 View GitHub Exploit DB Packet Storm
489 6.5 MEDIUM
Network
- - An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the hour parameter to /cgi-bin/cstecgi.cgi. New CWE-77
Command Injection
CVE-2026-31166 2026-04-24 23:41 2026-04-24 View GitHub Exploit DB Packet Storm
490 6.5 MEDIUM
Network
- - An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the mode parameter to /cgi-bin/cstecgi.cgi. New CWE-77
Command Injection
CVE-2026-31167 2026-04-24 23:41 2026-04-24 View GitHub Exploit DB Packet Storm
491 6.5 MEDIUM
Network
- - An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the recHour parameter to /cgi-bin/cstecgi.cgi. New CWE-77
Command Injection
CVE-2026-31168 2026-04-24 23:41 2026-04-24 View GitHub Exploit DB Packet Storm
492 6.5 MEDIUM
Network
- - An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the week parameter to /cgi-bin/cstecgi.cgi. New CWE-77
Command Injection
CVE-2026-31169 2026-04-24 23:41 2026-04-24 View GitHub Exploit DB Packet Storm
493 6.5 MEDIUM
Network
- - An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the interval parameter to /cgi-bin/cstecgi.cgi. New CWE-77
Command Injection
CVE-2026-31173 2026-04-24 23:41 2026-04-24 View GitHub Exploit DB Packet Storm
494 8.0 HIGH
Network
dnnsoftware dotnetnuke DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.2.2, a user could upload a specially crafted SVG file that could incl… Update CWE-87
Improper Neutralization of Alternate XSS Syntax
CVE-2026-40321 2026-04-24 23:41 2026-04-18 View GitHub Exploit DB Packet Storm
495 9.6 CRITICAL
Network
- - Improper access control in Microsoft Partner Center allows an authorized attacker to elevate privileges over a network. New CWE-284
Improper Access Control
CVE-2026-24303 2026-04-24 23:41 2026-04-24 View GitHub Exploit DB Packet Storm
496 8.6 HIGH
Network
- - Server-side request forgery (ssrf) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network. New CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-26150 2026-04-24 23:41 2026-04-24 View GitHub Exploit DB Packet Storm
497 3.7 LOW
Network
- - A request smuggling vulnerability exists in libsoup's HTTP/1 header parsing logic. The soup_message_headers_append_common() function in libsoup/soup-message-headers.c unconditionally appends each hea… New CWE-444
HTTP Request Smuggling
CVE-2026-2708 2026-04-24 23:41 2026-04-24 View GitHub Exploit DB Packet Storm
498 8.0 HIGH
Network
- - Uncontrolled search path element in Microsoft Power Apps allows an unauthorized attacker to execute code over a network. New CWE-427
Uncontrolled Search Path Element
CVE-2026-32172 2026-04-24 23:41 2026-04-24 View GitHub Exploit DB Packet Storm
499 9.3 CRITICAL
Network
- - Server-side request forgery (ssrf) in Microsoft Dynamics 365 (Online) allows an unauthorized attacker to perform spoofing over a network. New CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-32210 2026-04-24 23:41 2026-04-24 View GitHub Exploit DB Packet Storm
500 9.3 CRITICAL
Network
- - Url redirection to untrusted site ('open redirect') in M365 Copilot allows an unauthorized attacker to elevate privileges over a network. New CWE-601
Open Redirect
CVE-2026-33102 2026-04-24 23:41 2026-04-24 View GitHub Exploit DB Packet Storm