NVD Vulnerability Information: Top

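You can search the list of vulnerabilities managed in the NVD (National Vulnerability Database).
Because vulnerability information is often updated here before it appears in JVN (Japan Vulnerability Notes), vulnerabilities not yet listed in JVN may already have been updated.

If a vulnerability has a related JVN (Japan Vulnerability Notes) entry, that information is shown on the detail screen.

When searching by CWE, refer to the CWE overview to confirm the CWE number.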

Updated: April 25, 2026, 4:08

No. CVSS Level
Attack vector
Vendor Product Title CWE CVE Updated Published
201 9.6 CRITICAL
Network
nimiq nimiq_proof-of-stake nimiq-block contains block primitives to be used in Nimiq's Rust implementation. `SkipBlockProof::verify` computes its quorum check using `BitSet.len()`, then iterates `BitSet` indices and casts each… New CWE-20
CWE-190
CWE-345
CWE-1284
Improper Input Validation
Integer Overflow or Wraparound
Insufficient Verification of Data Authenticity
Improper Validation of Specified Quantity in Input
CVE-2026-33471 2026-04-25 02:11 2026-04-23
202 6.8 MEDIUM
Network
nimiq nimiq_proof-of-stake nimiq-transaction provides the transaction primitive to be used in Nimiq's Rust implementation. Prior to version 1.3.0, the staking contract accepts `UpdateValidator` transactions that set `new_votin… New CWE-347
Improper Verification of Digital Signature
CVE-2026-34068 2026-04-25 02:10 2026-04-23
203 9.0 CRITICAL
Network
thymeleaf thymeleaf Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. A… Update CWE-917
CWE-1336
Improper Neutralization of Special Elements Used in an Expression Language Statement
Improper Neutralization of Special Elements Used in a Template Engine
CVE-2026-40477 2026-04-25 01:58 2026-04-18
204 9.0 CRITICAL
Network
thymeleaf thymeleaf Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanism… Update CWE-917
CWE-1336
Improper Neutralization of Special Elements Used in an Expression Language Statement
Improper Neutralization of Special Elements Used in a Template Engine
CVE-2026-40478 2026-04-25 01:58 2026-04-18
205 7.5 HIGH
Network
monetr monetr monetr is a budgeting application for recurring expenses. In versions 1.12.3 and below, the public Stripe webhook endpoint buffers the entire request body into memory before validating the Stripe sig… Update CWE-400
Resource Exhaustion
CVE-2026-40481 2026-04-25 01:57 2026-04-18
206 5.3 MEDIUM
Network
fastapiexpert python-multipart Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.26 have a denial of service vulnerability when parsing crafted `multipart/form-data` requests with large preamble or… Update CWE-400
CWE-834
Resource Exhaustion
Excessive Iteration
CVE-2026-40347 2026-04-25 01:51 2026-04-18
207 7.5 HIGH
Network
powerdns dnsdist A client can trigger excessive memory allocation by generating a lot of queries that are routed to an overloaded DoH backend, causing queries to accumulate into a buffer that will not be released unt… Update CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-33594 2026-04-25 01:48 2026-04-22
208 8.8 HIGH
Local
nsa emissary Emissary is a P2P based data-driven workflow engine. In versions 8.42.0 and below, Executrix.getCommand() is vulnerable to OS command injection because it interpolates temporary file paths into a /b… Update CWE-78
CWE-116
OS Command Injection
Improper Encoding or Escaping of Output
CVE-2026-35582 2026-04-25 01:48 2026-04-18
209 8.3 HIGH
Network
wwbn avideo WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/configurationUpdate.json.php` (also routed via `/updateConfig`) persists dozens of global site settings from `$_POST… Update CWE-352
Same-Origin Policy Violation
CVE-2026-40925 2026-04-25 01:46 2026-04-22
210 5.7 MEDIUM
Network
oracle peoplesoft_enterprise_cs_student_records Vulnerability in the PeopleSoft Enterprise CS Student Records product of Oracle PeopleSoft (component: Research Tracking). The supported version that is affected is 9.2. Easily exploitable vulnerab… Update CWE-284
Improper Access Control
CVE-2026-35241 2026-04-25 01:44 2026-04-22
211 7.8 HIGH
Local
oracle application_development_framework Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. E… Update CWE-284
Improper Access Control
CVE-2026-35243 2026-04-25 01:43 2026-04-22
212 9.1 CRITICAL
Network
oracle enterprise_manager_base_platform Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Event Management). Supported versions that are affected are 13.5 and 24.1. Easily explo… Update CWE-306
Missing Authentication for Critical Function
CVE-2026-34279 2026-04-25 01:43 2026-04-22
213 6.0 MEDIUM
Local
oracle graalvm
jdk
jre
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u481 and 8u481-b50; … Update CWE-400
Resource Exhaustion
CVE-2026-22003 2026-04-25 01:42 2026-04-22
214 9.6 CRITICAL
Network
google chrome Use after free in DevTools in Google Chrome prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.… New CWE-416
Use After Free
CVE-2026-6919 2026-04-25 01:39 2026-04-24
215 9.6 CRITICAL
Network
google chrome Out of bounds read in GPU in Google Chrome on Android prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted … New CWE-125
Out-of-bounds Read
CVE-2026-6920 2026-04-25 01:39 2026-04-24
216 8.3 HIGH
Network
google chrome Race in GPU in Google Chrome on Windows prior to 147.0.7727.117 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: Medium) New CWE-362
Race Condition
CVE-2026-6921 2026-04-25 01:39 2026-04-24
217 8.8 HIGH
Network
flowiseai flowise Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the Chatflow configuration file upload settings can be modified to allow the application/javas… New CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2026-41269 2026-04-25 01:39 2026-04-24
218 8.3 HIGH
Network
flowiseai flowise Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) protection bypass vulnerability exists in the Custom Func… New CWE-284
CWE-918
Improper Access Control
Server-Side Request Forgery
CVE-2026-41270 2026-04-25 01:38 2026-04-24
219 8.3 HIGH
Network
flowiseai flowise Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) vulnerability exists in FlowiseAI's POST/GET API Chain co… New CWE-918
Server-Side Request Forgery
CVE-2026-41271 2026-04-25 01:37 2026-04-24
220 7.1 HIGH
Network
flowiseai flowise Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the core security wrappers (secureAxiosRequest and secureFetch) intended to prevent Server-Sid… New CWE-918
Server-Side Request Forgery
CVE-2026-41272 2026-04-25 01:37 2026-04-24
221 8.2 HIGH
Network
flowiseai flowise Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise contains an authentication bypass vulnerability that allows an unauthenticated attacke… New CWE-306
Missing Authentication for Critical Function
CVE-2026-41273 2026-04-25 01:35 2026-04-24
222 7.5 HIGH
Network
flowiseai flowise Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the password reset functionality on cloud.flowiseai.com sends a reset password link over the u… New CWE-319
Cleartext Transmission of Sensitive Information
CVE-2026-41275 2026-04-25 01:34 2026-04-24
223 9.8 CRITICAL
Network
flowiseai flowise Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, this vulnerability allows remote attackers to bypass authentication on affected installations … New CWE-287
Improper Authentication
CVE-2026-41276 2026-04-25 01:32 2026-04-24
224 7.5 HIGH
Network
flowiseai flowise Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GET /api/v1/public-chatflows/:id endpoint returns the full chatflow object without sanitiz… New CWE-200
Information Disclosure
CVE-2026-41278 2026-04-25 01:31 2026-04-24
225 7.5 HIGH
Network
flowiseai flowise Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the text-to-speech generation endpoint (POST /api/v1/text-to-speech/generate) is whitelisted (… New CWE-639
Authentication Bypass Through User-Controlled Key
CVE-2026-41279 2026-04-25 01:31 2026-04-24
226 9.8 CRITICAL
Network
- - radare2-mcp version 1.6.0 and earlier contains an OS command injection vulnerability that allows remote attackers to execute arbitrary commands by bypassing the command filter through shell metachara… New - CVE-2026-6942 2026-04-25 01:16 2026-04-24
227 - -
- - Rejected reason: This CVE is a duplicate of another CVE. New - CVE-2026-40609 2026-04-25 01:16 2026-04-25
228 8.8 HIGH
Network
mozilla firefox
thunderbird
Privilege escalation in the Graphics: WebRender component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. Update CWE-269
Improper Privilege Management
CVE-2026-6750 2026-04-25 00:16 2026-04-21
229 7.1 HIGH
Local
- - A vulnerability in uutils coreutils mkfifo allows for the unauthorized modification of permissions on existing files. When mkfifo fails to create a FIFO because a file already exists at the target pa… New CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2026-35341 2026-04-25 00:16 2026-04-23
230 4.3 MEDIUM
Network
- - In versions <8.4.0, <8.3.2, <8.2.2, <8.1.3, <8.0.4, <7.13.6, <7.12.7, <7.11.7, and <7.10.10, the endpoints /api/apps/logs and /api/apps/:id/logs have a typo in the required permission check, allowing… New CWE-284
Improper Access Control
CVE-2026-29197 2026-04-25 00:16 2026-04-24
231 8.8 HIGH
Network
flowiseai flowise Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an a… New CWE-94
Code Injection
CVE-2026-41137 2026-04-25 00:15 2026-04-24
232 8.8 HIGH
Network
flowiseai flowise Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, there is a remote code execution vulnerability in AirtableAgent.ts caused by lack of input ver… New CWE-94
Code Injection
CVE-2026-41138 2026-04-25 00:15 2026-04-24
233 9.8 CRITICAL
Network
flowiseai flowise Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the CSV_Agents class. The issue results from… New CWE-184
Incomplete Blacklist
CVE-2026-41264 2026-04-25 00:15 2026-04-24
234 9.8 CRITICAL
Network
flowiseai flowise Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the Airtable_Agents class. The issue results… New CWE-77
Command Injection
CVE-2026-41265 2026-04-25 00:15 2026-04-24
235 7.5 HIGH
Network
flowiseai flowise Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, /api/v1/public-chatbotConfig/:id ep exposes sensitive data including API keys, HTTP authorizat… New CWE-200
CWE-522
CWE-862
Information Disclosure
Insufficiently Protected Credentials
Missing Authentication
CVE-2026-41266 2026-04-25 00:15 2026-04-24
236 9.8 CRITICAL
Network
flowiseai flowise Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, an improper mass assignment (JSON injection) vulnerability in the account registration endpoin… New CWE-639
CWE-915
Authentication Bypass Through User-Controlled Key
Improperly Controlled Modification of Dynamically-Determined Object Attributes
CVE-2026-41267 2026-04-25 00:14 2026-04-24
237 9.8 CRITICAL
Network
flowiseai flowise Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise is vulnerable to a critical unauthenticated remote command execution (RCE) vulnerabili… New CWE-20
Improper Input Validation
CVE-2026-41268 2026-04-25 00:14 2026-04-24
238 8.8 HIGH
Network
flowiseai flowise Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Mass Assignment vulnerability in the DocumentStore creation endpoint allows authenticated us… New CWE-284
CWE-639
CWE-915
Improper Access Control
Authentication Bypass Through User-Controlled Key
Improperly Controlled Modification of Dynamically-Determined Object Attributes
CVE-2026-41277 2026-04-25 00:14 2026-04-24
239 6.5 MEDIUM
Network
totolink a3300r_firmware An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the password parameter to /cgi-bin/cstecgi.cgi. New CWE-77
Command Injection
CVE-2026-31159 2026-04-25 00:13 2026-04-24
240 6.5 MEDIUM
Network
totolink a3300r_firmware An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the provider parameter to /cgi-bin/cstecgi.cgi. New CWE-77
Command Injection
CVE-2026-31160 2026-04-25 00:13 2026-04-24
241 6.5 MEDIUM
Network
totolink a3300r_firmware An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the pppoeMtu parameter to /cgi-bin/cstecgi.cgi. New CWE-77
Command Injection
CVE-2026-31164 2026-04-25 00:13 2026-04-24
242 6.5 MEDIUM
Network
totolink a3300r_firmware An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the pppoeServiceName parameter to /cgi-bin/cstecgi.cgi. New CWE-77
Command Injection
CVE-2026-31165 2026-04-25 00:12 2026-04-24
243 6.5 MEDIUM
Network
totolink a3300r_firmware An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the url parameter to /cgi-bin/cstecgi.cgi. New CWE-77
Command Injection
CVE-2026-31171 2026-04-25 00:12 2026-04-24
244 6.5 MEDIUM
Network
totolink a3300r_firmware An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the user parameter to /cgi-bin/cstecgi.cgi. New CWE-77
Command Injection
CVE-2026-31172 2026-04-25 00:12 2026-04-24
245 6.5 MEDIUM
Network
totolink a3300r_firmware An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the informEnable parameter to /cgi-bin/cstecgi.cgi. New CWE-77
Command Injection
CVE-2026-31174 2026-04-25 00:12 2026-04-24
246 9.8 CRITICAL
Network
totolink a3300r_firmware An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunEnable parameter to /cgi-bin/cstecgi.cgi. New CWE-77
Command Injection
CVE-2026-31175 2026-04-25 00:12 2026-04-24
247 6.5 MEDIUM
Network
totolink a3300r_firmware An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stun_user parameter to /cgi-bin/cstecgi.cgi. New CWE-77
Command Injection
CVE-2026-31176 2026-04-25 00:12 2026-04-24
248 9.8 CRITICAL
Network
wwbn avideo WWBN AVideo is an open source video platform. In versions 29.0 and below, the `cloneServer.json.php` endpoint in the CloneSite plugin constructs shell commands using user-controlled input (`url` para… Update CWE-77
Command Injection
CVE-2026-41304 2026-04-25 00:11 2026-04-22
249 9.3 CRITICAL
Network
wwbn avideo WWBN AVideo is an open source video platform. In versions up to and including 29.0, an incomplete fix for AVideo's `test.php` adds `escapeshellarg` for wget but leaves the `file_get_contents` and `cu… Update CWE-78
OS Command Injection
CVE-2026-41064 2026-04-25 00:10 2026-04-22
250 5.4 MEDIUM
Network
wwbn avideo WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete XSS fix in AVideo's `ParsedownSafeWithLinks` class overrides `inlineMarkup` for raw HTML but does not override … Update CWE-79
Cross-Site Scripting (XSS)
CVE-2026-41063 2026-04-25 00:08 2026-04-22