NVD Vulnerability Information Top

Show Search Menu

Vendor Name
プロダクト・サービス名
Title
CVE
CRITICAL
HIGH
MEDIUM
LOW
CWE
In descending order of publication date
In descending order of update date
Number of items displayed

NVD Vulnerability Information Top

You can search the list of vulnerabilities managed by the NVD (National Vulnerability Database).
Since vulnerability information is often updated before JVN (Japan Vulnerability Note), vulnerabilities that are not listed in JVN may be updated.

If there is a vulnerability related to JVN (Japan Vulnerability Note), the information will be displayed on the detail page.

To search by CWE, please refer to the CWE Overview and check the CWE number.

CRITICAL
HIGH
MEDIUM
LOW

Update Date:June 16, 2026, 4:13 a.m.

No	CVSS	Level Attach Vector	Vendor Name	Project Name	Title	CWE	CVE	Update Date	Publication Date	Show Affected	Exploit PoC Search
1251	9.6	CRITICAL Network	-	-	A flaw was found in migration-planner. The agent-API middleware processes JSON Web Tokens (JWTs) for authentication, but its UpdateSourceInventory and UpdateAgentStatus handlers fail to validate the …	CWE-639 Authorization Bypass Through User-Controlled Key	CVE-2026-53471	2026-06-11 01:17	2026-06-11	Show	GitHub Exploit DB Packet Storm

1252	4.3	MEDIUM Network	google	chrome	Uninitialized Use in Codecs in Google Chrome on Linux, ChromeOS prior to 149.0.7827.103 allowed a remote attacker to leak cross-origin data via a crafted video file. (Chromium security severity: High)	CWE-457 Use of Uninitialized Variable	CVE-2026-11668	2026-06-11 01:17	2026-06-9	Show	GitHub Exploit DB Packet Storm

1253	-	-	-	-	Crawlee is a web scraping and browser automation library. From version 1.0.0 to before version 1.7.0, Crawlee is vulnerable to SSRF via sitemap-derived URLs. This issue has been patched in version 1.…	CWE-918 Server-Side Request Forgery (SSRF)	CVE-2026-46497	2026-06-11 01:17	2026-06-11	Show	GitHub Exploit DB Packet Storm

1254	8.1	HIGH Network	-	-	Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, EscapedString (app/modules/roxywi/class_models.py:16-30) is the centralised Pydan…	CWE-20 CWE-22 CWE-117 Improper Input Validation Path Traversal Improper Output Neutralization for Logs	CVE-2026-45565	2026-06-11 01:17	2026-06-11	Show	GitHub Exploit DB Packet Storm

1255	8.8	HIGH Network	-	-	Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, POST /config/versions/<service>/<server_ip>/<configver>/save interpolates the URL…	CWE-78 OS Command	CVE-2026-45564	2026-06-11 01:17	2026-06-11	Show	GitHub Exploit DB Packet Storm

1256	4.3	MEDIUM Network	-	-	Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, GET /history/<service>/<server_ip> re-uses the server_ip path parameter as a user…	CWE-639 CWE-863 Authorization Bypass Through User-Controlled Key Incorrect Authorization	CVE-2026-45563	2026-06-11 01:17	2026-06-11	Show	GitHub Exploit DB Packet Storm

1257	4.9	MEDIUM Network	-	-	Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, get_ldap_email (app/modules/roxywi/user.py:120-157) builds the LDAP search filter…	CWE-90 LDAP Injection	CVE-2026-45559	2026-06-11 01:17	2026-06-11	Show	GitHub Exploit DB Packet Storm

1258	9.9	CRITICAL Network	-	-	Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the HAProxy section-save endpoints (POST /api/service/haproxy/<server_id>/section…	CWE-20 CWE-77 CWE-78 CWE-94 Improper Input Validation Command Injection OS Command Code Injection	CVE-2026-45558	2026-06-11 01:17	2026-06-11	Show	GitHub Exploit DB Packet Storm

1259	9.9	CRITICAL Network	-	-	Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, POST /waf/<service>/<server_ip>/rule/<rule_id>/save accepts a config_file_name fo…	CWE-20 CWE-22 CWE-73 CWE-78 Improper Input Validation Path Traversal External Control of File Name or Path OS Command	CVE-2026-45556	2026-06-11 01:17	2026-06-11	Show	GitHub Exploit DB Packet Storm

1260	7.5	HIGH Network	-	-	UXSS in Focus for iOS / Klar Webkit navigation. This vulnerability was fixed in Focus for iOS 151.3.1 and Klar for iOS 151.3.1.	CWE-79 Cross-site Scripting	CVE-2026-11799	2026-06-11 01:16	2026-06-10	Show	GitHub Exploit DB Packet Storm

1261	-	-	-	-	Insufficient input validation vulnerability in the listed NETGEAR devices allows authenticated administrators connected to the local network to tamper with the router's integrity.	CWE-20 Improper Input Validation	CVE-2026-0417	2026-06-11 01:16	2026-06-10	Show	GitHub Exploit DB Packet Storm

1262	-	-	-	-	Insufficient input validation vulnerability in NETGEAR JR6150 (AC750 WiFi Router 802.11ac Dual Band Gigabit released in 2014) allows administrators connected to the local network to make unauthorized…	CWE-20 Improper Input Validation	CVE-2026-0412	2026-06-11 01:16	2026-06-10	Show	GitHub Exploit DB Packet Storm

1263	-	-	-	-	Authenticated administrators connected to the local network can gain elevated access to the router and make unauthorized changes to router software and functionality.	CWE-20 Improper Input Validation	CVE-2026-0410	2026-06-11 01:16	2026-06-10	Show	GitHub Exploit DB Packet Storm

1264	5.3	MEDIUM Network	google	chrome	Out of bounds read in Media in Google Chrome on ChromeOS prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from pr…	CWE-472 External Control of Assumed-Immutable Web Parameter	CVE-2026-11669	2026-06-11 01:16	2026-06-9	Show	GitHub Exploit DB Packet Storm

1265	8.3	HIGH Network	google	chrome	Heap buffer overflow in GPU in Google Chrome on Android prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafte…	CWE-787 Out-of-bounds Write	CVE-2026-11672	2026-06-11 01:15	2026-06-9	Show	GitHub Exploit DB Packet Storm

1266	5.4	MEDIUM Network	microsoft	sharepoint_server	Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.	CWE-79 Cross-site Scripting	CVE-2026-47637	2026-06-11 01:14	2026-06-10	Show	GitHub Exploit DB Packet Storm

1267	5.4	MEDIUM Network	microsoft	sharepoint_server	Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.	CWE-79 Cross-site Scripting	CVE-2026-47638	2026-06-11 01:07	2026-06-10	Show	GitHub Exploit DB Packet Storm

1268	5.4	MEDIUM Network	microsoft	sharepoint_server	Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.	CWE-79 Cross-site Scripting	CVE-2026-47639	2026-06-11 01:06	2026-06-10	Show	GitHub Exploit DB Packet Storm

1269	5.4	MEDIUM Network	microsoft	sharepoint_server	Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.	CWE-79 Cross-site Scripting	CVE-2026-47640	2026-06-11 01:01	2026-06-10	Show	GitHub Exploit DB Packet Storm

1270	5.4	MEDIUM Network	microsoft	sharepoint_server	Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.	CWE-20 NVD-CWE-noinfo Improper Input Validation	CVE-2026-47641	2026-06-11 00:59	2026-06-10	Show	GitHub Exploit DB Packet Storm

1271	8.3	HIGH Network	google	chrome	Insufficient validation of untrusted input in Dawn in Google Chrome on Linux and ChromeOS prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially per…	CWE-20 NVD-CWE-noinfo Improper Input Validation	CVE-2026-11676	2026-06-11 00:32	2026-06-9	Show	GitHub Exploit DB Packet Storm

1272	8.8	HIGH Network	google	chrome	Use after free in Ozone in Google Chrome on Linux prior to 149.0.7827.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)	CWE-416 Use After Free	CVE-2026-11681	2026-06-11 00:32	2026-06-9	Show	GitHub Exploit DB Packet Storm

1273	7.8	HIGH Local	microsoft	windows_10_1607 windows_10_1809 windows_10_21h2 windows_10_22h2 windows_11_23h2 windows_11_24h2 windows_11_25h2 windows_11_26h1 windows_server_2012 windows_server_2016 w…	Heap-based buffer overflow in Windows Media allows an unauthorized attacker to execute code locally.	CWE-122 Heap-based Buffer Overflow	CVE-2026-48574	2026-06-11 00:32	2026-06-10	Show	GitHub Exploit DB Packet Storm

1274	8.3	HIGH Network	google	chrome	Inappropriate implementation in Views in Google Chrome on Linux prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via …	CWE-20 NVD-CWE-noinfo Improper Input Validation	CVE-2026-11682	2026-06-11 00:27	2026-06-9	Show	GitHub Exploit DB Packet Storm

1275	7.8	HIGH Local	-	-	During an internal security assessment, a potential vulnerability was discovered in Lenovo Accessories and Display Manager for Enterprise for Windows that could allow a local authenticated user to ex…	CWE-306 Missing Authentication for Critical Function	CVE-2026-9045	2026-06-11 00:16	2026-06-11	Show	GitHub Exploit DB Packet Storm

1276	7.8	HIGH Local	-	-	A potential uncontrolled search path vulnerability was reported in the LanSchool Classic client application that could allow a local authenticated user to execute arbitrary code with elevated privile…	CWE-427 Uncontrolled Search Path Element	CVE-2026-8637	2026-06-11 00:16	2026-06-11	Show	GitHub Exploit DB Packet Storm

1277	-	-	-	-	A missing authentication check on the Aix‑DB "/llm/process_llm_out" endpoint allows unauthenticated clients to execute arbitrary "SELECT" SQL queries and retrieve database data, as the endpoint lacks…	CWE-306 Missing Authentication for Critical Function	CVE-2026-8335	2026-06-11 00:16	2026-06-11	Show	GitHub Exploit DB Packet Storm

1278	4.3	MEDIUM Network	-	-	A vulnerability was identified in the Lenovo Android Application, distributed exclusively on tablets in the Chinese market, that could allow a website visited by the built-in browser to overwrite sys…	CWE-749 Exposed Dangerous Method or Function	CVE-2026-7516	2026-06-11 00:16	2026-06-11	Show	GitHub Exploit DB Packet Storm

1279	7.0	HIGH Local	-	-	A potential authentication bypass was reported in Lenovo Smart Connect for Windows that could allow a local authenticated user to execute arbitrary code with elevated privileges.	CWE-290 Authentication Bypass by Spoofing	CVE-2026-6090	2026-06-11 00:16	2026-06-11	Show	GitHub Exploit DB Packet Storm

1280	7.1	HIGH Network	-	-	libnfs through 6.0.2 before 55c18ea does not validate a string size, leading to an integer overflow during a connection to a crafted NFS server. This occurs in libnfs_zdr_string in lib/libnfs-zdr.c.	CWE-1284 Improper Validation of Specified Quantity in Input	CVE-2026-53689	2026-06-11 00:16	2026-06-11	Show	GitHub Exploit DB Packet Storm

1281	9.6	CRITICAL Adjacent	-	-	A flaw was found in assisted-migration-agent. An unauthenticated attacker, located on the same local area network (LAN), can exploit a path traversal vulnerability. By crafting a specially designed g…	CWE-59 Link Following	CVE-2026-53476	2026-06-11 00:16	2026-06-11	Show	GitHub Exploit DB Packet Storm

1282	9.3	CRITICAL Adjacent	-	-	A flaw was found in assisted-migration-agent. The application hardcodes insecure Transport Layer Security (TLS) connections when communicating with vCenter. This vulnerability allows a Man-in-the-Mid…	CWE-295 Improper Certificate Validation	CVE-2026-53475	2026-06-11 00:16	2026-06-11	Show	GitHub Exploit DB Packet Storm

1283	9.6	CRITICAL Network	-	-	A flaw was found in migration-planner. A remote authenticated attacker could exploit this vulnerability by uploading a specially crafted RVTools .xlsx file. Due to improper input sanitization, malici…	CWE-89 SQL Injection	CVE-2026-53474	2026-06-11 00:16	2026-06-11	Show	GitHub Exploit DB Packet Storm

1284	7.3	HIGH Network	-	-	A flaw was found in migration-planner-ui-app. An attacker can register a malicious discovery agent with a specially crafted credentialUrl containing JavaScript code. When an organizational user click…	CWE-79 Cross-site Scripting	CVE-2026-53473	2026-06-11 00:16	2026-06-11	Show	GitHub Exploit DB Packet Storm

1285	9.6	CRITICAL Network	-	-	A flaw was found in migration-planner. An authenticated attacker could exploit an improper access control vulnerability in the `/api/v1/sources/{id}/image-url` endpoint. This flaw allows the attacker…	CWE-639 Authorization Bypass Through User-Controlled Key	CVE-2026-53470	2026-06-11 00:16	2026-06-11	Show	GitHub Exploit DB Packet Storm

1286	9.1	CRITICAL Network	-	-	A flaw was found in migration-planner. An authenticated user can exploit this vulnerability by sending a DELETE request to the /api/v1/sources route, which lacks proper authorization and filtering. T…	CWE-306 Missing Authentication for Critical Function	CVE-2026-53469	2026-06-11 00:16	2026-06-11	Show	GitHub Exploit DB Packet Storm

1287	9.9	CRITICAL Network	-	-	Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the install blueprint declares only bp.before_request → @jwt_required() (app/rout…	CWE-639 CWE-862 CWE-863 Authorization Bypass Through User-Controlled Key Missing Authorization Incorrect Authorization	CVE-2026-45552	2026-06-11 00:16	2026-06-11	Show	GitHub Exploit DB Packet Storm

1288	8.8	HIGH Network	-	-	Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification. Impact summary: A use-after-free may result in process crashes…	CWE-416 Use After Free	CVE-2026-45447	2026-06-11 00:16	2026-06-10	Show	GitHub Exploit DB Packet Storm

1289	9.8	CRITICAL Network	-	-	DedeCMS V5.7.118 is vulnerable to Command Execution in file_manage_control.php.	CWE-78 OS Command	CVE-2026-38615	2026-06-11 00:16	2026-06-10	Show	GitHub Exploit DB Packet Storm

1290	9.8	CRITICAL Network	-	-	A lack of cryptographic signature verification in the validateAccessToken function of bookcars v8.3 allows attackers to bypass authentication via a forged JWT token.	CWE-347 Improper Verification of Cryptographic Signature	CVE-2026-36721	2026-06-11 00:16	2026-06-10	Show	GitHub Exploit DB Packet Storm

1291	7.5	HIGH Network	-	-	An information disclosure vulnerability in the /api/v1/user/info endpoint of AgentChat v2.3.0 allows unauthenticated attackers to obtain sensitive information, including SHA256 password hashes, via e…	CWE-200 Information Exposure	CVE-2026-36719	2026-06-11 00:16	2026-06-10	Show	GitHub Exploit DB Packet Storm

1292	8.4	HIGH Local	-	-	Slate Digital Connect 1.37.0 for macOS installs a privileged helper tool, com.slatedigital.connect.privileged.helper.tool, which exposes the XPC service com.slatedigital.connect.privileged.helper.too…	CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition	CVE-2026-24067	2026-06-11 00:16	2026-06-10	Show	GitHub Exploit DB Packet Storm

1293	8.4	HIGH Local	-	-	Slate Digital Connect 1.37.0 for macOS installs a privileged helper tool, com.slatedigital.connect.privileged.helper.tool, which exposes the XPC service com.slatedigital.connect.privileged.helper.too…	CWE-296 Improper Following of a Certificate's Chain of Trust	CVE-2026-24066	2026-06-11 00:16	2026-06-10	Show	GitHub Exploit DB Packet Storm

1294	7.8	HIGH Local	-	-	Waves Central for macOS versions 13.0.9 through 16.5.5 contain a local privilege escalation vulnerability. A trusted XPC client component included with the product is signed with hardened runtime ent…	CWE-426 Untrusted Search Path	CVE-2026-24064	2026-06-11 00:16	2026-06-10	Show	GitHub Exploit DB Packet Storm

1295	6.5	MEDIUM Network	-	-	A heap buffer overflow flaw was found in 389 Directory Server. When serializing objectclass definitions, the oc_superior (SUP) field length is omitted from buffer size calculations in read_schema_dse…	CWE-122 Heap-based Buffer Overflow	CVE-2026-11884	2026-06-11 00:16	2026-06-11	Show	GitHub Exploit DB Packet Storm

1296	8.3	HIGH Network	google	chrome	Insufficient validation of untrusted input in Drag and Drop in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perfor…	CWE-20 Improper Input Validation	CVE-2026-11029	2026-06-11 00:16	2026-06-5	Show	GitHub Exploit DB Packet Storm

1297	6.7	MEDIUM Local	-	-	During an internal security assessment, a potential out-of-bounds write vulnerability was discovered in the BIOS of some ThinkPad products could allow a privileged local user to execute code in Syste…	CWE-787 Out-of-bounds Write	CVE-2025-10238	2026-06-11 00:16	2026-06-11	Show	GitHub Exploit DB Packet Storm

1298	6.7	MEDIUM Local	-	-	During an internal security assessment, a potential vulnerability was discovered in some ThinkPad embedded controller firmware that could allow a privileged local user to perform arbitrary reads or w…	CWE-327 Use of a Broken or Risky Cryptographic Algorithm	CVE-2025-10237	2026-06-11 00:16	2026-06-11	Show	GitHub Exploit DB Packet Storm

1299	7.9	HIGH Local	microsoft	windows_10_1607 windows_10_1809 windows_10_21h2 windows_10_22h2 windows_11_23h2 windows_11_24h2 windows_11_25h2 windows_11_26h1 windows_server_2012 windows_server_2016 w…	Protection mechanism failure in Windows Secure Boot allows an authorized attacker to bypass a security feature locally.	CWE-693 Protection Mechanism Failure	CVE-2026-48575	2026-06-11 00:15	2026-06-10	Show	GitHub Exploit DB Packet Storm

1300	7.9	HIGH Local	microsoft	windows_10_1607 windows_10_1809 windows_10_21h2 windows_10_22h2 windows_11_23h2 windows_11_24h2 windows_11_25h2 windows_11_26h1 windows_server_2012 windows_server_2016 w…	Protection mechanism failure in Windows Secure Boot allows an authorized attacker to bypass a security feature locally.	CWE-1329 Reliance on Component That is Not Updateable	CVE-2026-48576	2026-06-11 00:14	2026-06-10	Show	GitHub Exploit DB Packet Storm