NVD Vulnerability Information Top
Show Search Menu
Vendor Name
プロダクト・サービス名
Title
CVE
CRITICAL
HIGH
MEDIUM
LOW
CWE
In descending order of publication date
In descending order of update date
Number of items displayed

You can search the list of vulnerabilities managed by the NVD (National Vulnerability Database).
Since vulnerability information is often updated before JVN (Japan Vulnerability Note), vulnerabilities that are not listed in JVN may be updated.

If there is a vulnerability related to JVN (Japan Vulnerability Note), the information will be displayed on the detail page.

To search by CWE, please refer to the CWE Overview and check the CWE number.

  • CRITICAL
  • HIGH
  • MEDIUM
  • LOW

Update Date:July 1, 2026, 4:27 a.m.

No CVSS Level
Attach Vector
Vendor Name Project Name Title CWE CVE Update Date Publication Date Show Affected Exploit
PoC
Search
7551 - -
- - RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the admin router explicitly whitelists /profile/cpu and /profile/memory from the authentication layer, allowing any… CWE-306
Missing Authentication for Critical Function
CVE-2026-45044 2026-05-30 00:11 2026-05-29 Show GitHub Exploit DB Packet Storm
7552 - -
- - RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, when RUSTFS_CORS_ALLOWED_ORIGINS is unset, the RustFS S3 listener's ConditionalCorsLayer reflects any request Origi… CWE-306
CWE-346
CWE-942
Missing Authentication for Critical Function
 Origin Validation Error
 Permissive Cross-domain Policy with Untrusted Domains
CVE-2026-46685 2026-05-30 00:11 2026-05-29 Show GitHub Exploit DB Packet Storm
7553 - -
- - RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the RustFS console endpoint GET /rustfs/console/license returns parsed license metadata without requiring authentic… CWE-200
CWE-306
Information Exposure
Missing Authentication for Critical Function
CVE-2026-47136 2026-05-30 00:11 2026-05-29 Show GitHub Exploit DB Packet Storm
7554 - -
- - Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 1.0.0 to 2.28.1, lack of validation of filter_target parameter on return_dynamic_filters.php (normally used as an AJAX in View Issu… CWE-79
Cross-site Scripting
CVE-2026-41897 2026-05-30 00:11 2026-05-29 Show GitHub Exploit DB Packet Storm
7555 - -
- - Mantis Bug Tracker (MantisBT) is an open source issue tracker. Prior to 2.28.2, the mc_issue_update() function in MantisBT allows users having update_bug_threshold access (UPDATER, with default setti… CWE-863
 Incorrect Authorization
CVE-2026-42070 2026-05-30 00:11 2026-05-29 Show GitHub Exploit DB Packet Storm
7556 - -
- - Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 2.23.0 to 2.28.1, a missing authorization check in MantisBT's file visibility function allows any authenticated user (REPORTER+) to… CWE-862
 Missing Authorization
CVE-2026-42071 2026-05-30 00:11 2026-05-29 Show GitHub Exploit DB Packet Storm
7557 - -
- - Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 1.3.0 to 2.28.1, unescaped Project Name allows an attacker that can set it (which typically requires manager or administrator acces… CWE-79
Cross-site Scripting
CVE-2026-44655 2026-05-30 00:11 2026-05-29 Show GitHub Exploit DB Packet Storm
7558 - -
- - Mantis Bug Tracker (MantisBT) is an open source issue tracker. Prior to 2.28.2, using show_inline=1 parameter and a valid file_show_inline_token CSRF token on file_download.php, an attacker can execu… CWE-79
Cross-site Scripting
CVE-2026-44657 2026-05-30 00:11 2026-05-29 Show GitHub Exploit DB Packet Storm
7559 6.5 MEDIUM
Network
- - Service Center developed by BankPro E-Service Technology has an Insecure Direct Object Reference vulnerability, allowing authenticated remote attackers to modify the parameter of a specific query fun… CWE-639
 Authorization Bypass Through User-Controlled Key
CVE-2026-9493 2026-05-30 00:11 2026-05-29 Show GitHub Exploit DB Packet Storm
7560 4.8 MEDIUM
Network
- - ITS Intelligent SCADA System developed by ITP Technology has a Stored Cross-Site Scripting vulnerability, allowing privileged remote attackers to inject persistent JavaScript codes that are executed … CWE-79
Cross-site Scripting
CVE-2026-10057 2026-05-30 00:11 2026-05-29 Show GitHub Exploit DB Packet Storm
7561 4.8 MEDIUM
Network
- - ITS Intelligent SCADA System developed by ITP Technology has a Stored Cross-Site Scripting vulnerability, allowing privileged remote attackers to inject persistent JavaScript codes that are executed … CWE-79
Cross-site Scripting
CVE-2026-10058 2026-05-30 00:11 2026-05-29 Show GitHub Exploit DB Packet Storm
7562 9.8 CRITICAL
Network
- - DreamMaker developed by Interinfo has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code exec… CWE-434
 Unrestricted Upload of File with Dangerous Type 
CVE-2026-10071 2026-05-30 00:11 2026-05-29 Show GitHub Exploit DB Packet Storm
7563 7.2 HIGH
Network
- - DreamMaker developed by Interinfo has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution… CWE-434
 Unrestricted Upload of File with Dangerous Type 
CVE-2026-10072 2026-05-30 00:11 2026-05-29 Show GitHub Exploit DB Packet Storm
7564 7.5 HIGH
Network
- - DreamMaker developed by Interinfo has an Arbitrary File Read vulnerability, allowing unauthenticated local attackers to exploit Relative Path Traversal to download arbitrary system files. CWE-23
 Relative Path Traversal
CVE-2026-10073 2026-05-30 00:11 2026-05-29 Show GitHub Exploit DB Packet Storm
7565 4.9 MEDIUM
Network
- - DreamMaker developed by Interinfo has an Arbitrary File Read vulnerability, allowing privileged local attackers to exploit Relative Path Traversal to download arbitrary system files. CWE-23
 Relative Path Traversal
CVE-2026-10074 2026-05-30 00:11 2026-05-29 Show GitHub Exploit DB Packet Storm
7566 5.3 MEDIUM
Network
- - DreamMaker developed by Interinfo has a Path Traversal vulnerability, allowing unauthenticated remote attackers to read file names under arbitrary path by exploiting an Absolute Path Traversal vulner… CWE-36
 Absolute Path Traversal
CVE-2026-10075 2026-05-30 00:11 2026-05-29 Show GitHub Exploit DB Packet Storm
7567 4.6 MEDIUM
Physics
- - Expected behavior violation in the in-vehicle network of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the motorcycle's anti-theft shutdown b… CWE-440
CWE-693
CWE-754
 Expected Behavior Violation
 Protection Mechanism Failure
 Improper Check for Unusual or Exceptional Conditions
CVE-2026-49316 2026-05-30 00:11 2026-05-29 Show GitHub Exploit DB Packet Storm
7568 2.4 LOW
Physics
- - Incorrect behavior order in the Infotainment / Digital Round display of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the PIN entry screen. T… CWE-636
CWE-696
CWE-754
 Not Failing Securely ('Failing Open')
 Incorrect Behavior Order
 Improper Check for Unusual or Exceptional Conditions
CVE-2026-49317 2026-05-30 00:11 2026-05-29 Show GitHub Exploit DB Packet Storm
7569 2.4 LOW
Physics
- - Incorrect behavior order in the Infotainment / Digital Round display of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the PIN entry screen. T… CWE-636
CWE-696
CWE-754
 Not Failing Securely ('Failing Open')
 Incorrect Behavior Order
 Improper Check for Unusual or Exceptional Conditions
CVE-2026-49318 2026-05-30 00:11 2026-05-29 Show GitHub Exploit DB Packet Storm
7570 4.6 MEDIUM
Physics
- - Improper handling of physical conditions in the bike-shutdown control of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows a physical attacker with access to the Wireless Control Modul… CWE-693
CWE-754
CWE-1384
 Protection Mechanism Failure
 Improper Check for Unusual or Exceptional Conditions
CVE-2026-49325 2026-05-30 00:11 2026-05-29 Show GitHub Exploit DB Packet Storm
7571 - -
- - RabbitMQ is a messaging and streaming broker. From 4.2.0 to before 4.2.4, RabbitMQ's MQTT plugin allows for topic-level authorization using regular expressions with variable substitution. Administrat… CWE-863
 Incorrect Authorization
CVE-2026-44838 2026-05-30 00:06 2026-05-28 Show GitHub Exploit DB Packet Storm
7572 - -
- - RabbitMQ is a messaging and streaming broker. From 3.7.0 to before 4.1.2 and 4.0.13, This vulnerability is fixed in 4.1.2 and 4.0.13. CWE-80
Basic XSS
CVE-2026-44839 2026-05-30 00:06 2026-05-28 Show GitHub Exploit DB Packet Storm
7573 - -
- - Insecure default settings of Portainer CE grant regular (non-admin) users privileges that allow host filesystem access and host-level code execution. An authenticated non-administrative user with end… CWE-276
Incorrect Default Permissions 
CVE-2026-33590 2026-05-30 00:06 2026-05-29 Show GitHub Exploit DB Packet Storm
7574 - -
- - A stored cross-site scripting (XSS) vulnerability exists in the notification panel of CTI Transmute in versions prior to the patched release. Notification messages containing user-controlled convert … CWE-79
Cross-site Scripting
CVE-2026-9806 2026-05-29 23:46 2026-05-28 Show GitHub Exploit DB Packet Storm
7575 4.6 MEDIUM
Network
- - A path traversal vulnerability was identified in Kibana's dashboard management functionality. An authenticated user with limited permissions could create a dashboard with a specially crafted identifi… CWE-22
Path Traversal
CVE-2026-33462 2026-05-29 23:46 2026-05-29 Show GitHub Exploit DB Packet Storm
7576 5.3 MEDIUM
Network
- - Operation on a Resource after Expiration or Termination (CWE-672) in Kibana can lead to unauthorized information disclosure. A logic error in how expiration timestamps were validated allowed a time-b… CWE-672
 Operation on a Resource after Expiration or Release
CVE-2026-33463 2026-05-29 23:46 2026-05-29 Show GitHub Exploit DB Packet Storm
7577 6.5 MEDIUM
Network
- - Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user holding a low-privileged role can submit a specially … CWE-400
 Uncontrolled Resource Consumption
CVE-2026-33464 2026-05-29 23:46 2026-05-29 Show GitHub Exploit DB Packet Storm
7578 4.1 MEDIUM
Network
- - Improper Neutralization of Input During Web Page Generation (CWE-79) in Kibana can lead to stored HTML injection. A user with write access to an Elasticsearch index could persist crafted markup which… CWE-79
Cross-site Scripting
CVE-2026-42401 2026-05-29 23:46 2026-05-29 Show GitHub Exploit DB Packet Storm
7579 5.0 MEDIUM
Local
- - Improper handling of symbolic links in the installer of My Image Garden for macOS Version 3.6.8 or earlier may allow a local attacker with login privileges to exploit a specially crafted symbolic lin… CWE-59
Link Following
CVE-2026-6891 2026-05-29 23:46 2026-05-29 Show GitHub Exploit DB Packet Storm
7580 5.0 MEDIUM
Local
- - Improper handling of symbolic links in the installer of CUPS Printer Driver for macOS(*) may allow a local attacker with login privileges to exploit a specially crafted symbolic link during installat… CWE-59
Link Following
CVE-2026-6892 2026-05-29 23:46 2026-05-29 Show GitHub Exploit DB Packet Storm
7581 - -
- - An Incorrect Permission Assignment for Critical Resource vulnerability in ASUS System Control Interface allows a local user to elevate privileges to SYSTEM and execute arbitrary code via a crafted RP… CWE-732
 Incorrect Permission Assignment for Critical Resource
CVE-2026-7480 2026-05-29 23:46 2026-05-29 Show GitHub Exploit DB Packet Storm
7582 - -
- - Incorrect permission assignment for a critical resource in Armoury Crate allows a local user to bypass the driver’s validation mechanism, resulting in unauthorized read and write access to physical m… CWE-732
 Incorrect Permission Assignment for Critical Resource
CVE-2026-8070 2026-05-29 23:46 2026-05-29 Show GitHub Exploit DB Packet Storm
7583 - -
- - Unauthenticated Debug Service. The /sbin/mtk_dut binary is exposed on TCP port 9000 without authentication, allowing any LAN-based attacker to execute arbitrary UCC commands. CWE-306
Missing Authentication for Critical Function
CVE-2026-49195 2026-05-29 23:46 2026-05-29 Show GitHub Exploit DB Packet Storm
7584 - -
- - The Wi-Fi device blocking feature fails to sanitize MAC address input, allowing injection and execution of arbitrary shell commands. CWE-77
Command Injection
CVE-2026-49196 2026-05-29 23:46 2026-05-29 Show GitHub Exploit DB Packet Storm
7585 - -
- - Web endpoints intended for the Acer Connect app improperly validate the HTTP Authorization header, failing to block requests when Base64 decoding fails. CWE-287
Improper Authentication
CVE-2026-49197 2026-05-29 23:46 2026-05-29 Show GitHub Exploit DB Packet Storm
7586 - -
- - Improper access control in the MQTT broker allows wildcard topic subscriptions, exposing all MQTT traffic to unauthorized actors. CWE-284
Improper Access Control
CVE-2026-49198 2026-05-29 23:46 2026-05-29 Show GitHub Exploit DB Packet Storm
7587 - -
- - The acer_cgi.log file in the device firmware is accessible without authentication via the web interface. This file contains cleartext login credentials (for web and Telnet), leading to unauthorized s… CWE-532
 Inclusion of Sensitive Information in Log Files
CVE-2026-49200 2026-05-29 23:46 2026-05-29 Show GitHub Exploit DB Packet Storm
7588 - -
- - The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key. This allows an attacker to decrypt, modify, and re-encrypt system backups, facilitating pers… CWE-798
 Use of Hard-coded Credentials
CVE-2026-49201 2026-05-29 23:46 2026-05-29 Show GitHub Exploit DB Packet Storm
7589 7.5 HIGH
Network
- - Music Player Daemon (MPD) before version 0.24.11 contains a path traversal vulnerability in LocalStorage::MapFSOrThrow and LocalStorage::MapUTF8 within the local storage plugin, where the on-disk pat… CWE-22
Path Traversal
CVE-2026-49128 2026-05-29 23:16 2026-05-29 Show GitHub Exploit DB Packet Storm
7590 8.2 HIGH
Network
- - phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that allows unauthenticated attackers to reset any user account password without token verificatio… CWE-307
mproper Restriction of Excessive Authentication Attempts
CVE-2026-35675 2026-05-29 23:16 2026-05-29 Show GitHub Exploit DB Packet Storm
7591 6.5 MEDIUM
Network
apache ignite Relative Path Traversal vulnerability in Apache Ignite REST API. Authenticated REST API users can read any file on the server with "cmd=log" command and a log path crafted in a certain way. This iss… CWE-23
 Relative Path Traversal
CVE-2025-48977 2026-05-29 23:11 2026-05-28 Show GitHub Exploit DB Packet Storm
7592 9.8 CRITICAL
Network
inhandnetworks ir315_firmware
ir302_firmware
ir615_firmware
ir305_firmware
A command injection vulnerability exists in the Admin Access feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier… CWE-77
Command Injection
CVE-2026-38702 2026-05-29 23:09 2026-05-29 Show GitHub Exploit DB Packet Storm
7593 9.8 CRITICAL
Network
inhandnetworks ir315_firmware
ir302_firmware
ir615_firmware
ir305_firmware
A command injection vulnerability exists in the ZeroTier VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier… CWE-77
Command Injection
CVE-2026-38703 2026-05-29 23:09 2026-05-29 Show GitHub Exploit DB Packet Storm
7594 9.8 CRITICAL
Network
inhandnetworks ir315_firmware
ir302_firmware
ir615_firmware
ir305_firmware
A command injection vulnerability exists in the IPSec VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier ve… CWE-77
Command Injection
CVE-2026-38707 2026-05-29 23:08 2026-05-29 Show GitHub Exploit DB Packet Storm
7595 9.8 CRITICAL
Network
inhandnetworks ir315_firmware
ir302_firmware
ir615_firmware
ir305_firmware
A command injection vulnerability exists in the WireGuard VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlie… CWE-77
Command Injection
CVE-2026-38704 2026-05-29 23:08 2026-05-29 Show GitHub Exploit DB Packet Storm
7596 8.6 HIGH
Network
- - Music Player Daemon (MPD) before version 0.24.11 contains a stack buffer overflow vulnerability in the pcm_unpack_24be function in src/pcm/Pack.cxx that allows unauthenticated attackers to corrupt st… CWE-193
 Off-by-one Error
CVE-2026-49127 2026-05-29 23:07 2026-05-29 Show GitHub Exploit DB Packet Storm
7597 5.3 MEDIUM
Network
- - Music Player Daemon (MPD) before version 0.24.11 contains a CRLF injection vulnerability in the xspf_char_data function within the XSPF playlist plugin that allows attackers to embed literal CR/LF by… CWE-93
CRLF Injection
CVE-2026-49130 2026-05-29 23:07 2026-05-29 Show GitHub Exploit DB Packet Storm
7598 5.8 MEDIUM
Network
- - Music Player Daemon (MPD) before version 0.24.11 contains a server-side request forgery vulnerability in CurlInputPlugin where CURLOPT_FOLLOWLOCATION is set without CURLOPT_REDIR_PROTOCOLS_STR, allow… CWE-918
Server-Side Request Forgery (SSRF) 
CVE-2026-49129 2026-05-29 23:07 2026-05-29 Show GitHub Exploit DB Packet Storm
7599 4.1 MEDIUM
Network
- - A flaw was found in the Quay config-tool's LDAP and SMTP validation functions. An attacker with config editor access can exploit these functions, which make outbound connections to user-supplied endp… CWE-918
Server-Side Request Forgery (SSRF) 
CVE-2026-10052 2026-05-29 23:06 2026-05-29 Show GitHub Exploit DB Packet Storm
7600 2.7 LOW
Network
- - A flaw was found in the Quay config-tool's GitLab OAuth validator. This vulnerability causes sensitive credentials, specifically client_id and client_secret, to be transmitted as plaintext in URL que… CWE-598
Information Exposure Through Query Strings in GET Request 
CVE-2026-10078 2026-05-29 23:06 2026-05-29 Show GitHub Exploit DB Packet Storm