NVD Vulnerability Information: Top

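This page lets you search the list of vulnerabilities managed in the NVD (National Vulnerability Database).
Because the NVD is often updated before JVN (Japan Vulnerability Notes), it may contain updates for vulnerabilities that are not yet listed in JVN.

If a related vulnerability exists in JVN, its information is shown on the detail screen.

When searching by CWE, refer to the CWE overview to confirm the CWE number.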

Updated: April 26, 2026, 4:08

| No. | CVSS | Level | Attack vector | Vendor | Product | Title | Status | CWE | CVE | Updated | Published |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 401 | 3.2 | LOW | Local | - | - | uuid before 14.0.0 can make unexpected writes when external output buffers are used, and the UUID version is 3, 5, or 6. In particular, UUID version 4, which is very commonly used, is unaffected by t… | New | CWE-670: Always-Incorrect Control Flow Implementation | CVE-2026-41988 | 2026-04-24 23:50 | 2026-04-23 |
| 402 | 6.7 | MEDIUM | Local | - | - | Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt. | New | CWE-787: Out-of-bounds Write | CVE-2026-41989 | 2026-04-24 23:50 | 2026-04-23 |
| 403 | 4.0 | MEDIUM | Local | - | - | Libgcrypt before 1.12.2 mishandles Dilithium signing. Writes to a static array lack a bounds check but do not use attacker-controlled data. | New | CWE-787: Out-of-bounds Write | CVE-2026-41990 | 2026-04-24 23:50 | 2026-04-23 |
| 404 | 5.1 | MEDIUM | Local | - | - | EfficientLab Controlio before v1.3.95 contains a DLL hijacking vulnerability caused by weak folder permissions in the installation directory. A local attacker can place a specially crafted DLL in thi… | New | CWE-427: Uncontrolled Search Path Element | CVE-2025-10549 | 2026-04-24 23:50 | 2026-04-23 |
| 405 | 7.3 | HIGH | Local | - | - | IP Setting Software contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code may be executed with administrative privileges. | New | CWE-427: Uncontrolled Search Path Element | CVE-2026-34488 | 2026-04-24 23:50 | 2026-04-23 |
| 406 | 7.5 | HIGH | Network | - | - | GROWI provided by GROWI, Inc. is vulnerable to a regular expression denial of service (ReDoS) via a crafted input string. | New | CWE-1333: Inefficient Regular Expression Complexity | CVE-2026-41040 | 2026-04-24 23:50 | 2026-04-23 |
| 407 | 7.5 | HIGH | Network | - | - | CryptX versions before 0.088 for Perl do not reseed the Crypt::PK PRNG state after forking. The Crypt::PK::RSA, Crypt::PK::DSA, Crypt::PK::DH, Crypt::PK::ECC, Crypt::PK::Ed25519 and Crypt::PK::X2551… | New | CWE-335: Incorrect Usage of Seeds in PRNG; CWE-338: Use of Cryptographically Weak PRNG | CVE-2026-41564 | 2026-04-24 23:50 | 2026-04-23 |
| 408 | - | - | - | - | - | A Generation of Error Message Containing Sensitive Information vulnerability in the Materialized View Refresh mechanism in Google BigQuery on Google Cloud Platform allows an authenticated user to pot… | New | CWE-209: Information Exposure Through an Error Message | CVE-2026-3259 | 2026-04-24 23:50 | 2026-04-23 |
| 409 | 5.9 | MEDIUM | Network | - | - | A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to insufficient sec… | New | CWE-94: Code Injection | CVE-2026-3960 | 2026-04-24 23:50 | 2026-04-23 |
| 410 | 9.8 | CRITICAL | Network | - | - | Borg SPM 2007 (Sales Ended in 2008) developed by BorG Technology Corporation has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell back… | New | CWE-434: Unrestricted Upload of File with Dangerous Type | CVE-2026-6885 | 2026-04-24 23:50 | 2026-04-23 |
| 411 | 9.8 | CRITICAL | Network | - | - | Borg SPM 2007 (Sales Ended in 2008) developed by BorG Technology Corporation has an Authentication Bypass vulnerability, allowing unauthenticated remote attackers to log into the system as any user. | New | CWE-1390: Weak Authentication | CVE-2026-6886 | 2026-04-24 23:50 | 2026-04-23 |
| 412 | 9.8 | CRITICAL | Network | - | - | Borg SPM 2007 (Sales Ended in 2008) developed by BorG Technology Corporation has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, mod… | New | CWE-89: SQL Injection | CVE-2026-6887 | 2026-04-24 23:50 | 2026-04-23 |
| 413 | 5.7 | MEDIUM | Physical | - | - | Multiple uses of uninitialized variables were found in libopensc that may lead to information disclosure or application crash. An attack requires a crafted USB device or smart card that would present… | New | CWE-457: Use of Uninitialized Variable | CVE-2025-13763 | 2026-04-24 23:50 | 2026-04-23 |
| 414 | 4.7 | MEDIUM | Network | - | - | An API design flaw in WebKitGTK and WPE WebKit allows untrusted web content to unexpectedly perform IP connections, DNS lookups, and HTTP requests. Applications expect to use the WebPage::send-reques… | New | CWE-639: Authentication Bypass Through User-Controlled Key | CVE-2025-66286 | 2026-04-24 23:50 | 2026-04-23 |
| 415 | 7.5 | HIGH | Network | - | - | The LabOne Web Server, backing the LabOne User Interface, contains insufficient input validation in its file access functionality. An unauthenticated attacker could exploit this vulnerability to read… | New | CWE-22: Path Traversal; CWE-346: Same-Origin Policy Violation | CVE-2026-6903 | 2026-04-24 23:50 | 2026-04-23 |
| 416 | 7.3 | HIGH | Adjacent | - | - | Yadea T5 Electric Bicycles (models manufactured in/after 2024) have a weak authentication mechanism in their keyless entry system. The system utilizes the EV1527 fixed-code RF protocol without implem… | New | CWE-1390: Weak Authentication | CVE-2025-70994 | 2026-04-24 23:50 | 2026-04-24 |
| 417 | - | - | - | - | - | An unauthenticated remote attacker is able to exhaust all available TCP connections in the CODESYS EtherNet/IP adapter stack, preventing legitimate clients from establishing new connections. | New | CWE-754: Improper Check for Unusual or Exceptional Conditions | CVE-2026-35225 | 2026-04-24 23:50 | 2026-04-24 |
| 418 | 9.8 | CRITICAL | Network | - | - | SocialEngine versions 7.8.0 and prior contain a SQL injection vulnerability in the /activity/index/get-memberall endpoint where user-supplied input passed via the text parameter is not sanitized befo… | New | CWE-89: SQL Injection | CVE-2026-41460 | 2026-04-24 23:50 | 2026-04-24 |
| 419 | 8.5 | HIGH | Network | - | - | SocialEngine versions 7.8.0 and prior contain a blind server-side request forgery vulnerability in the /core/link/preview endpoint where user-supplied input passed via the uri request parameter is no… | New | CWE-918: Server-Side Request Forgery | CVE-2026-41461 | 2026-04-24 23:50 | 2026-04-24 |
| 420 | - | - | - | - | - | Jizhicms v2.5.4 is vulnerable to SQL injection in the product editing module. | New | - | CVE-2025-50229 | 2026-04-24 23:50 | 2026-04-24 |
| 421 | 9.8 | CRITICAL | Network | - | - | Pipecat is an open-source Python framework for building real-time voice and multimodal conversational agents. Versions 0.0.41 through 0.0.93 have a vulnerability in `LivekitFrameSerializer` – an opti… | New | CWE-502: Deserialization of Untrusted Data | CVE-2025-62373 | 2026-04-24 23:50 | 2026-04-24 |
| 422 | 9.8 | CRITICAL | Network | - | - | Kofax Capture, now referred to as Tungsten Capture, version 6.0.0.0 (other versions may be affected) exposes a deprecated .NET Remoting HTTP channel on port 2424 via the Ascent Capture Service that i… | New | CWE-306: Missing Authentication for Critical Function; CWE-441: Filtering Bypass | CVE-2026-23751 | 2026-04-24 23:50 | 2026-04-24 |
| 423 | - | - | - | - | - | This vulnerability allows an attacker to create a junction, enabling the deletion of arbitrary files with SYSTEM privileges. As a result, this condition potentially facilitates arbitrary code executi… | New | CWE-59: Link Following | CVE-2026-33694 | 2026-04-24 23:50 | 2026-04-24 |
| 424 | 5.3 | MEDIUM | Network | - | - | OpenTelemetry dotnet is a dotnet telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, the implementation details of the baggage, … | New | CWE-789: Memory Allocation with Excessive Size Value | CVE-2026-40894 | 2026-04-24 23:50 | 2026-04-24 |
| 425 | 5.9 | MEDIUM | Network | - | - | OpenTelemetry dotnet is a dotnet telemetry framework. In 1.6.0-rc.1 and earlier, OpenTelemetry.Exporter.Jaeger may allow sustained memory pressure when the internal pooled-list sizing grows based on … | New | CWE-770: Allocation of Resources Without Limits or Throttling | CVE-2026-41078 | 2026-04-24 23:50 | 2026-04-24 |
| 426 | 5.9 | MEDIUM | Network | - | - | The AWS X-Ray Remote Sampler package provides a sampler which can get sampling configurations from AWS X-Ray. Prior to 0.1.0-alpha.8, OpenTelemetry.Sampler.AWS reads unbounded HTTP response bodies fr… | New | CWE-770: Allocation of Resources Without Limits or Throttling | CVE-2026-41173 | 2026-04-24 23:50 | 2026-04-24 |
| 427 | - | - | - | - | - | Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is… | New | CWE-22: Path Traversal | CVE-2026-41205 | 2026-04-24 23:50 | 2026-04-24 |
| 428 | 8.7 | HIGH | Network | - | - | pretalx is a conference planning tool. Prior to 2026.1.0, the organiser search in the pretalx backend rendered submission titles, speaker display names, and user names/emails into the result dropdown… | New | CWE-79: Cross-Site Scripting (XSS) | CVE-2026-41241 | 2026-04-24 23:50 | 2026-04-24 |
| 429 | 8.1 | HIGH | Network | - | - | Contour is a Kubernetes ingress controller using Envoy proxy. From v1.19.0 to before v1.33.4, v1.32.5, and v1.31.6, Contour's Cookie Rewriting feature is vulnerable to Lua code injection. An attacker… | New | CWE-94: Code Injection | CVE-2026-41246 | 2026-04-24 23:50 | 2026-04-24 |
| 430 | - | - | - | - | - | elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg (background … | New | CWE-78: OS Command Injection | CVE-2026-41247 | 2026-04-24 23:50 | 2026-04-24 |
| 431 | - | - | - | - | - | Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and perfo… | New | CWE-841: Improper Enforcement of Behavioral Workflow | CVE-2026-41259 | 2026-04-24 23:50 | 2026-04-24 |
| 432 | - | - | - | - | - | A path traversal condition in Intrado 911 Emergency Gateway could allow an attacker with existing network access the ability to access the EGW management interface without authentication. Successful … | New | CWE-35: Path Traversal | CVE-2026-6074 | 2026-04-24 23:50 | 2026-04-24 |
| 433 | - | - | - | - | - | LeRobot through 0.5.1 contains an unsafe deserialization vulnerability in the async inference pipeline where pickle.loads() is used to deserialize data received over unauthenticated gRPC channels wit… | New | CWE-502: Deserialization of Untrusted Data | CVE-2026-25874 | 2026-04-24 23:50 | 2026-04-24 |
| 434 | 6.8 | MEDIUM | Network | - | - | SWUpdate contains an integer underflow vulnerability in the multipart upload parser in mongoose_multipart.c that allows unauthenticated attackers to cause a denial of service by sending a crafted HTT… | New | CWE-125: Out-of-bounds Read; CWE-191: Integer Underflow | CVE-2026-28525 | 2026-04-24 23:50 | 2026-04-24 |
| 435 | - | - | - | - | - | A vulnerability in SpiceJet’s booking API allows unauthenticated users to query passenger name records (PNRs) without any access controls. Because PNR identifiers follow a predictable pattern, an att… | New | CWE-639: Authentication Bypass Through User-Controlled Key | CVE-2026-6375 | 2026-04-24 23:50 | 2026-04-24 |
| 436 | - | - | - | - | - | A weakness in SpiceJet’s public booking retrieval page permits full passenger booking details to be accessed using only a PNR and last name, with no authentication or verification mechanisms. This re… | New | CWE-306: Missing Authentication for Critical Function | CVE-2026-6376 | 2026-04-24 23:50 | 2026-04-24 |
| 437 | 7.1 | HIGH | Local | - | - | radare2 prior to 6.1.4 contains a path traversal vulnerability in project deletion that allows local attackers to recursively delete arbitrary directories by supplying absolute paths that escape the … | New | CWE-22: Path Traversal | CVE-2026-6940 | 2026-04-24 23:50 | 2026-04-24 |
| 438 | 6.6 | MEDIUM | Local | - | - | radare2 prior to 6.1.4 contains a path traversal vulnerability in its project notes handling that allows attackers to read or write files outside the configured project directory by importing a malic… | New | CWE-59: Link Following | CVE-2026-6941 | 2026-04-24 23:50 | 2026-04-24 |
| 439 | 9.8 | CRITICAL | Network | - | - | KTransformers through 0.5.3 contains an unsafe deserialization vulnerability in the balance_serve backend mode where the scheduler RPC server binds a ZMQ ROUTER socket to all interfaces with no authe… | New | CWE-502: Deserialization of Untrusted Data | CVE-2026-26210 | 2026-04-24 23:50 | 2026-04-24 |
| 440 | - | - | - | - | - | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GraphCypherQAChain node forwards user-provided input directly into the Cypher query execut… | New | CWE-943: Improper Neutralization of Special Elements in Data Query Logic | CVE-2026-41274 | 2026-04-24 23:50 | 2026-04-24 |
| 441 | 6.1 | MEDIUM | Local | - | - | melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, an attacker who can influence a melange configuration file — for exampl… | New | CWE-22: Path Traversal | CVE-2026-29050 | 2026-04-24 23:50 | 2026-04-24 |
| 442 | 4.4 | MEDIUM | Local | - | - | melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, `melange lint --persist-lint-results` (opt-in flag, also usable via `me… | New | CWE-22: Path Traversal | CVE-2026-29051 | 2026-04-24 23:50 | 2026-04-24 |
| 443 | 7.6 | HIGH | Network | - | - | Xibo is an open source digital signage platform with a web content management system and Windows display player software. Versions 1.7 through 4.4.0 have an SQL injection vulnerability in the API rou… | New | CWE-89: SQL Injection; CWE-184: Incomplete Blacklist | CVE-2026-31952 | 2026-04-24 23:50 | 2026-04-24 |
| 444 | 5.3 | MEDIUM | Network | - | - | go-ntlmssp is a Go package that provides NTLM/Negotiate authentication over HTTP. Prior to version 0.1.1, a malicious NTLM challenge message can cause a slice out of bounds panic, which can crash a… | New | CWE-190: Integer Overflow or Wraparound | CVE-2026-32952 | 2026-04-24 23:50 | 2026-04-24 |
| 445 | - | - | - | - | - | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the haproxy_section_save interface presents a vulnerability that could lead to remote … | New | CWE-22: Path Traversal | CVE-2026-33076 | 2026-04-24 23:50 | 2026-04-24 |
| 446 | - | - | - | - | - | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 8.2.6.4 have a SQL injection vulnerability in the haproxy_section_save function in app/routes/… | New | CWE-89: SQL Injection | CVE-2026-33078 | 2026-04-24 23:50 | 2026-04-24 |
| 447 | 6.4 | MEDIUM | Network | - | - | Xibo is an open source digital signage platform with a web content management system and Windows display player software. A stored Cross-Site Scripting (XSS) vulnerability in versions prior to 4.4.1 … | New | CWE-79: Cross-Site Scripting (XSS) | CVE-2026-31953 | 2026-04-24 23:50 | 2026-04-24 |
| 448 | 4.9 | MEDIUM | Network | - | - | Xibo is an open source digital signage platform with a web content management system and Windows display player software. An authenticated Server-Side Request Forgery (SSRF) vulnerability in versions… | New | CWE-918: Server-Side Request Forgery | CVE-2026-31955 | 2026-04-24 23:50 | 2026-04-24 |
| 449 | 4.3 | MEDIUM | Network | - | - | Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to version 4.4.1, any authenticated user can manually construct a URL t… | New | CWE-639: Authentication Bypass Through User-Controlled Key | CVE-2026-31956 | 2026-04-24 23:50 | 2026-04-24 |
| 450 | - | - | - | - | - | Kirby is an open-source content management system. Kirby's `Xml::value()` method has special handling for `<![CDATA[ ]]>` blocks. If the input value is already valid `CDATA`, it is not escaped a seco… | New | CWE-91: Blind XPath Injection | CVE-2026-32870 | 2026-04-24 23:50 | 2026-04-24 |