NVD Vulnerability Information: Top

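You can search the list of vulnerabilities managed in the NVD (National Vulnerability Database).
Because vulnerability information is often updated here before it appears in JVN (Japan Vulnerability Notes), this list may include updates for vulnerabilities not yet listed in JVN.

When a vulnerability has a related JVN (Japan Vulnerability Notes) entry, that information is shown on the detail screen.

To search by CWE, refer to the CWE overview to confirm the CWE number.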

Updated: April 21, 2026, 4:10

No. CVSS Level
Attack vector
Vendor Product Title CWE CVE Updated Published Impact view Exploit
PoC
Search
1 - -
- - ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/{personId} endpoint loads and returns person records without performing object-level authorizatio… Update CWE-639
CWE-862
Authentication bypass through user-controlled key
Missing authentication
CVE-2026-40480 2026-04-21 03:59 2026-04-18 View GitHub Exploit DB Packet Storm
2 - -
- - ChurchCRM is an open-source church management system. Versions prior to 7.2.0 have SQL injection in FinancialService::getMemberByScanString() via unsanitized $routeAndAccount concatenated into raw SQ… Update CWE-89
SQL injection
CVE-2026-40482 2026-04-21 03:59 2026-04-18 View GitHub Exploit DB Packet Storm
3 5.4 MEDIUM
Network
- - ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the Pledge Editor renders donation comment values directly into HTML input value attributes without escaping via html… Update CWE-79
CWE-116
Cross-site scripting (XSS)
Improper encoding or escaping of output
CVE-2026-40483 2026-04-21 03:59 2026-04-18 View GitHub Exploit DB Packet Storm
4 5.3 MEDIUM
Network
- - ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the public API login endpoint (/api/public/user/login) returns distinguishable HTTP response codes based on whether a… Update CWE-204
CWE-307
Information disclosure caused by differences in response content to requests
Improper restriction of excessive authentication attempts
CVE-2026-40485 2026-04-21 03:59 2026-04-18 View GitHub Exploit DB Packet Storm
5 9.1 CRITICAL
Network
- - ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the database backup restore functionality extracts uploaded archive contents and copies files from the Images/ direct… Update CWE-269
CWE-434
CWE-552
Improper privilege management
Unrestricted upload of file with dangerous type
Files or directories accessible to external parties
CVE-2026-40484 2026-04-21 03:59 2026-04-18 View GitHub Exploit DB Packet Storm
6 8.1 HIGH
Network
- - ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the family record deletion endpoint (SelectDelete.php) performs permanent, irreversible deletion of family records an… Update CWE-352
CWE-862
Same-origin policy violation
Missing authentication
CVE-2026-40581 2026-04-21 03:59 2026-04-18 View GitHub Exploit DB Packet Storm
7 - -
- - ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the username and password before returning the user's API key, byp… Update CWE-288
CWE-305
Authentication bypass using an alternate path or channel
Authentication bypass by primary weakness
CVE-2026-40582 2026-04-21 03:59 2026-04-18 View GitHub Exploit DB Packet Storm
8 4.8 MEDIUM
Network
- - ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the User Editor (UserEditor.php) renders stored usernames directly into an HTML input value attribute without applyin… Update CWE-79
CWE-116
Cross-site scripting (XSS)
Improper encoding or escaping of output
CVE-2026-40593 2026-04-21 03:59 2026-04-18 View GitHub Exploit DB Packet Storm
9 - -
- - editorconfig-core-c is an EditorConfig core library for use by plugins supporting EditorConfig parsing. Versions up to and including 0.12.10 have a stack-based buffer overflow in ec_glob() that allo… Update CWE-121
CWE-787
Stack overflow
Out-of-bounds write
CVE-2026-40489 2026-04-21 03:59 2026-04-18 View GitHub Exploit DB Packet Storm
10 6.8 MEDIUM
Network
- - The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When redirect following is enabled (followRedirect(true)), versio… Update CWE-200
Information disclosure
CVE-2026-40490 2026-04-21 03:59 2026-04-18 View GitHub Exploit DB Packet Storm
11 5.3 MEDIUM
Network
- - OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests. Starting in version 1.11.0 and prior to version 2.0.13, the /api… New CWE-204
Information disclosure caused by differences in response content to requests
CVE-2026-24468 2026-04-21 03:59 2026-04-21 View GitHub Exploit DB Packet Storm
12 9.8 CRITICAL
Network
- - SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302, the TGA codec's RLE de… Update CWE-787
Out-of-bounds write
CVE-2026-40494 2026-04-21 03:55 2026-04-18 View GitHub Exploit DB Packet Storm
13 9.8 CRITICAL
Network
- - SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02, the XWD codec resolves… Update CWE-787
Out-of-bounds write
CVE-2026-40492 2026-04-21 03:55 2026-04-18 View GitHub Exploit DB Packet Storm
14 9.8 CRITICAL
Network
- - SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit c930284445ea3ff94451ccd7a57c999eca3bc979, the PSD codec computes… Update CWE-787
Out-of-bounds write
CVE-2026-40493 2026-04-21 03:55 2026-04-18 View GitHub Exploit DB Packet Storm
15 8.8 HIGH
Network
- - Vvveb prior to 1.0.8.1 contains a privilege escalation vulnerability in the admin user profile save endpoint that allows authenticated users to modify privileged fields on their own profile. Attacker… New CWE-915
Improperly controlled modification of dynamically determined object attributes
CVE-2026-34427 2026-04-21 03:54 2026-04-21 View GitHub Exploit DB Packet Storm
16 7.7 HIGH
Network
- - Vvveb prior to 1.0.8.1 contains a server-side request forgery vulnerability in the oEmbedProxy action of the editor/editor module where the url parameter is passed directly to getUrl() via curl witho… New CWE-918
Server-side request forgery
CVE-2026-34428 2026-04-21 03:54 2026-04-21 View GitHub Exploit DB Packet Storm
17 5.4 MEDIUM
Network
- - Vvveb prior to 1.0.8.1 contains a stored cross-site scripting vulnerability that allows authenticated users with media upload and rename permissions to execute arbitrary JavaScript by bypassing MIME … New CWE-79
Cross-site scripting (XSS)
CVE-2026-34429 2026-04-21 03:54 2026-04-21 View GitHub Exploit DB Packet Storm
18 9.8 CRITICAL
Network
- - Vvveb prior to 1.0.8.1 contains a code injection vulnerability in the installation endpoint where the subdir POST parameter is written unsanitized into the env.php configuration file without escaping… New CWE-94
Code injection
CVE-2026-39918 2026-04-21 03:54 2026-04-21 View GitHub Exploit DB Packet Storm
19 - -
- - SQL Injection vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 within the username parameter of the login page (index.php). This allows an unauthenticat… New - CVE-2026-39109 2026-04-21 03:51 2026-04-21 View GitHub Exploit DB Packet Storm
20 - -
- - SQL Injection vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 in the contactno parameter of the forgot password page (forgot-password.php). This allows… New - CVE-2026-39110 2026-04-21 03:51 2026-04-21 View GitHub Exploit DB Packet Storm
21 7.5 HIGH
Network
- - SQL Injection vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 in the email parameter of the forgot password page (forgot-password.php). This allows an … New CWE-89
SQL injection
CVE-2026-39111 2026-04-21 03:51 2026-04-21 View GitHub Exploit DB Packet Storm
22 5.4 MEDIUM
Network
- - Cross Site Scripting vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 in the visname parameter of visitors-form.php. An authenticated attacker can injec… New CWE-79
Cross-site scripting (XSS)
CVE-2026-39112 2026-04-21 03:51 2026-04-21 View GitHub Exploit DB Packet Storm
23 7.0 HIGH
Local
microsoft windows_10_1607
windows_10_1809
windows_10_21h2
windows_10_22h2
windows_11_23h2
windows_11_24h2
windows_11_25h2
windows_11_26h1
windows_server_2012
windows_server_2016
w…
Concurrent execution using shared resource with improper synchronization ('race condition') in Function Discovery Service (fdwsd.dll) allows an authorized attacker to elevate privileges locally. Update CWE-122
CWE-362
CWE-367
Heap overflow
Race condition
Time-of-check time-of-use (TOCTOU) race condition
CVE-2026-32093 2026-04-21 03:27 2026-04-15 View GitHub Exploit DB Packet Storm
24 7.3 HIGH
Local
microsoft windows_10_1607
windows_10_1809
windows_10_21h2
windows_10_22h2
windows_11_23h2
windows_11_24h2
windows_11_25h2
windows_11_26h1
windows_server_2016
windows_server_2019
w…
Improper input validation in Windows Hyper-V allows an authorized attacker to execute code locally. Update CWE-20
CWE-122
CWE-191
Improper input validation
Heap overflow
Integer underflow
CVE-2026-32149 2026-04-21 03:26 2026-04-15 View GitHub Exploit DB Packet Storm
25 7.0 HIGH
Local
microsoft windows_10_1607
windows_10_1809
windows_10_21h2
windows_10_22h2
windows_11_23h2
windows_11_24h2
windows_11_25h2
windows_11_26h1
windows_server_2012
windows_server_2016
w…
Concurrent execution using shared resource with improper synchronization ('race condition') in Function Discovery Service (fdwsd.dll) allows an authorized attacker to elevate privileges locally. Update CWE-362
Race condition
CVE-2026-32150 2026-04-21 03:24 2026-04-15 View GitHub Exploit DB Packet Storm
26 6.5 MEDIUM
Network
microsoft windows_10_1607
windows_10_1809
windows_10_21h2
windows_10_22h2
windows_11_23h2
windows_11_24h2
windows_11_25h2
windows_11_26h1
windows_server_2012
windows_server_2016
w…
Exposure of sensitive information to an unauthorized actor in Windows Shell allows an authorized attacker to disclose information over a network. Update CWE-200
Information disclosure
CVE-2026-32151 2026-04-21 03:23 2026-04-15 View GitHub Exploit DB Packet Storm
27 7.8 HIGH
Local
microsoft windows_10_1809
windows_10_21h2
windows_10_22h2
windows_11_23h2
windows_11_24h2
windows_11_25h2
windows_11_26h1
Use after free in Microsoft Windows Speech allows an authorized attacker to elevate privileges locally. Update CWE-362
CWE-416
Race condition
Use after free
CVE-2026-32153 2026-04-21 03:22 2026-04-15 View GitHub Exploit DB Packet Storm
28 7.8 HIGH
Local
microsoft windows_10_1809
windows_10_21h2
windows_10_22h2
windows_11_23h2
windows_11_24h2
windows_11_25h2
windows_11_26h1
windows_server_2019
windows_server_2022
windows_server_2022_…
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally. Update CWE-362
CWE-416
Race condition
Use after free
CVE-2026-32158 2026-04-21 03:21 2026-04-15 View GitHub Exploit DB Packet Storm
29 7.8 HIGH
Local
microsoft windows_10_1809
windows_10_21h2
windows_10_22h2
windows_11_23h2
windows_11_24h2
windows_11_25h2
windows_11_26h1
windows_server_2019
windows_server_2022
windows_server_2022_…
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally. Update CWE-362
CWE-416
Race condition
Use after free
CVE-2026-32159 2026-04-21 03:19 2026-04-15 View GitHub Exploit DB Packet Storm
30 6.7 MEDIUM
Local
dell powerprotect_dp_series_appliance
data_domain_operating_system
Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.1… Update CWE-77
Command injection
CVE-2026-23779 2026-04-21 03:18 2026-04-17 View GitHub Exploit DB Packet Storm
31 8.8 HIGH
Network
dell powerprotect_dp_series_appliance
data_domain_operating_system
Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.1… Update CWE-295
Improper certificate validation
CVE-2026-23776 2026-04-21 03:17 2026-04-17 View GitHub Exploit DB Packet Storm
32 7.2 HIGH
Network
dell powerprotect_dp_series_appliance
data_domain_operating_system
Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.1… Update CWE-77
Command injection
CVE-2026-23778 2026-04-21 03:17 2026-04-17 View GitHub Exploit DB Packet Storm
33 5.8 MEDIUM
Network
- - OpenClaw versions 2026.4.7 before 2026.4.15 fail to enforce local-root containment on tool-result media paths, allowing arbitrary local and UNC file access. Attackers can craft malicious tool-result … New CWE-73
External control of file name or path
CVE-2026-41389 2026-04-21 03:16 2026-04-21 View GitHub Exploit DB Packet Storm
34 7.8 HIGH
Local
- - Insecure Permissions vulnerability in DeepCool DeepCreative v.1.2.7 and before allows a local attacker to execute arbitrary code via a crafted file New CWE-277
Insecure inherited permissions
CVE-2026-30266 2026-04-21 03:16 2026-04-21 View GitHub Exploit DB Packet Storm
35 6.6 MEDIUM
Local
- - python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to version 1.2.2, `set_key()` and `unset_key()` in python-dotenv follow symbolic links when rewri… New CWE-59
CWE-61
Link resolution issue
UNIX symbolic link following
CVE-2026-28684 2026-04-21 03:16 2026-04-21 View GitHub Exploit DB Packet Storm
36 - -
- - A stack-use-after-return issue exists in the Arduino_Core_STM32 library prior to version 1.7.0. The pwm_start() function allocates a TIM_HandleTypeDef structure on the stack and passes its address to… New - CVE-2026-26399 2026-04-21 03:16 2026-04-21 View GitHub Exploit DB Packet Storm
37 - -
- - GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the ticket subject field that allows authenticated staff members to inject malicious JavaScript by manipulating the … New CWE-79
Cross-site scripting (XSS)
CVE-2026-23758 2026-04-21 03:16 2026-04-21 View GitHub Exploit DB Packet Storm
38 5.4 MEDIUM
Network
- - GFI HelpDesk before 4.99.10 contains a stored cross-site scripting vulnerability in the Reports module where the title parameter is passed directly to SWIFT_Report::Create() without HTML sanitization… New CWE-79
Cross-site scripting (XSS)
CVE-2026-23757 2026-04-21 03:16 2026-04-21 View GitHub Exploit DB Packet Storm
39 5.4 MEDIUM
Network
- - GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the Troubleshooter module where the subject POST parameter is not sanitized in Controller_Step.InsertSubmit() and Ed… New CWE-79
Cross-site scripting (XSS)
CVE-2026-23756 2026-04-21 03:16 2026-04-21 View GitHub Exploit DB Packet Storm
40 4.8 MEDIUM
Network
- - GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the language management functionality where the charset POST parameter is passed directly to SWIFT_Language::Create(… New CWE-79
Cross-site scripting (XSS)
CVE-2026-23753 2026-04-21 03:16 2026-04-21 View GitHub Exploit DB Packet Storm
41 4.8 MEDIUM
Network
- - GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the template group creation and editing functionality that allows authenticated administrators to inject arbitrary J… New CWE-79
Cross-site scripting (XSS)
CVE-2026-23752 2026-04-21 03:16 2026-04-21 View GitHub Exploit DB Packet Storm
42 7.8 HIGH
Local
microsoft windows_10_1809
windows_10_21h2
windows_10_22h2
windows_11_23h2
windows_11_24h2
windows_11_25h2
windows_11_26h1
windows_server_2019
windows_server_2022
windows_server_2022_…
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally. Update CWE-362
Race condition
CVE-2026-32160 2026-04-21 03:15 2026-04-15 View GitHub Exploit DB Packet Storm
43 5.7 MEDIUM
Network
dell data_domain_operating_system Dell PowerProtect Data Domain appliances with Data Domain Operating System (DD OS) of Feature Release versions 8.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.10 contain an insertion o… Update CWE-532
Information disclosure through log files
CVE-2026-23775 2026-04-21 03:11 2026-04-17 View GitHub Exploit DB Packet Storm
44 7.8 HIGH
Local
dell data_domain_operating_system Dell PowerProtect Data Domain BoostFS for client of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.50… Update CWE-522
Insufficiently protected credentials
CVE-2025-36568 2026-04-21 03:10 2026-04-17 View GitHub Exploit DB Packet Storm
45 7.2 HIGH
Network
fortinet fortiweb An out-of-bounds write vulnerability [CWE-787] vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.0 through 7.4.11 may allow a remote privileged attack… Update CWE-787
Out-of-bounds write
CVE-2026-40688 2026-04-21 03:07 2026-04-15 View GitHub Exploit DB Packet Storm
46 8.8 HIGH
Network
fortinet fortiddos-f A improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiDDoS-F 7.2.1 through 7.2.2 may allow attacker to execute unauthorized code or com… Update CWE-89
SQL injection
CVE-2026-39815 2026-04-21 03:06 2026-04-15 View GitHub Exploit DB Packet Storm
47 4.8 MEDIUM
Network
fortinet fortinac-f An URL Redirection to Untrusted Site ('Open Redirect') vulnerability [CWE-601] vulnerability in Fortinet FortiNAC-F 7.6.0 through 7.6.5, FortiNAC-F 7.4 all versions, FortiNAC-F 7.2 all versions may a… Update CWE-601
Open redirect
CVE-2026-21741 2026-04-21 03:06 2026-04-15 View GitHub Exploit DB Packet Storm
48 7.2 HIGH
Network
fortinet fortianalyzer
fortianalyzer_cloud
fortimanager
fortimanager_cloud
An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.8, FortiAnalyzer 7… Update CWE-89
SQL injection
CVE-2025-61848 2026-04-21 03:05 2026-04-15 View GitHub Exploit DB Packet Storm
49 8.8 HIGH
Adjacent
fortinet fortios A missing authentication for critical function vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiOS … Update CWE-306
Missing authentication for critical function (explanation)
CVE-2025-53847 2026-04-21 03:04 2026-04-15 View GitHub Exploit DB Packet Storm
50 4.3 MEDIUM
Network
fortinet fortivoice
fortindr
An exposure of sensitive information to an unauthorized actor vulnerability in Fortinet FortiNDR 7.6.0, FortiNDR 7.4.0 through 7.4.8, FortiNDR 7.2 all versions, FortiNDR 7.1 all versions, FortiNDR 7.… Update CWE-200
Information disclosure
CVE-2024-23104 2026-04-21 03:03 2026-04-15 View GitHub Exploit DB Packet Storm