NVD Vulnerability Information: Top

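You can search the list of vulnerabilities managed in the NVD (National Vulnerability Database).
Because the NVD is often updated before JVN (Japan Vulnerability Notes), it may contain vulnerabilities that are not yet listed in JVN.

When a vulnerability has related information in JVN (Japan Vulnerability Notes), that information is shown on the detail screen.

To search by CWE, refer to the CWE overview and confirm the CWE number.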


Updated: April 22, 2026, 4:00

No. CVSS Level
Attack vector
Vendor Product Title CWE
CWE name
CVE Updated Published
451 6.1 MEDIUM
Network
lollms lollms A Cross-site Scripting (XSS) vulnerability was identified in the `from_dict` method of the `AppLollmsMessage` class in parisneo/lollms prior to version 2.2.0. The vulnerability arises from the lack o… CWE-79
Cross-site Scripting (XSS)
CVE-2026-1116 2026-04-18 01:18 2026-04-12
452 6.3 MEDIUM
Network
- - A vulnerability was determined in prasathmani TinyFileManager up to 2.6. Affected by this vulnerability is an unknown functionality of the file /filemanager.php?p= ajax=true&type=upload of the compon… CWE-918
Server-Side Request Forgery
CVE-2026-6497 2026-04-18 01:17 2026-04-18
453 9.8 CRITICAL
Network
- - A SQL injection vulnerability in CodeAstro Simple Attendance Management System v1.0 allows remote unauthenticated attackers to bypass authentication via the username parameter in index.php. CWE-89
SQL Injection
CVE-2026-37749 2026-04-18 01:17 2026-04-18
454 6.5 MEDIUM
Network
phoca maps Various stored XSS vulnerabilities in the maps- and icon rendering logic in Phoca Maps component 5.0.0-6.0.2 have been discovered. CWE-79
Cross-site Scripting (XSS)
CVE-2026-23900 2026-04-18 01:15 2026-04-11
455 7.5 HIGH
Network
fastify fastify Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still … CWE-1287
Improper Validation of Specified Type of Input
CVE-2026-33806 2026-04-18 00:49 2026-04-15
456 9.6 CRITICAL
Network
google chrome Heap buffer overflow in ANGLE in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) CWE-122
Heap-based Buffer Overflow
CVE-2026-6296 2026-04-18 00:42 2026-04-16
457 8.3 HIGH
Network
google chrome Use after free in Proxy in Google Chrome prior to 147.0.7727.101 allowed an attacker in a privileged network position to potentially perform a sandbox escape via a crafted HTML page. (Chromium securi… CWE-416
Use After Free
CVE-2026-6297 2026-04-18 00:42 2026-04-16
458 4.3 MEDIUM
Network
google chrome Heap buffer overflow in Skia in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium secu… CWE-122
Heap-based Buffer Overflow
CVE-2026-6298 2026-04-18 00:41 2026-04-16
459 8.8 HIGH
Network
google chrome Use after free in Prerender in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical) CWE-416
Use After Free
CVE-2026-6299 2026-04-18 00:41 2026-04-16
460 8.8 HIGH
Network
google chrome Use after free in CSS in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) CWE-416
Use After Free
CVE-2026-6300 2026-04-18 00:41 2026-04-16
461 8.8 HIGH
Network
google chrome Type Confusion in Turbofan in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) CWE-843
Type Confusion
CVE-2026-6301 2026-04-18 00:41 2026-04-16
462 8.8 HIGH
Network
google chrome Heap buffer overflow in PDFium in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High) CWE-122
Heap-based Buffer Overflow
CVE-2026-6306 2026-04-18 00:40 2026-04-16
463 7.5 HIGH
Network
- - A heap buffer overflow in the av_bprint_finalize() function of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input. CWE-122
Heap-based Buffer Overflow
CVE-2026-30999 2026-04-18 00:38 2026-04-14
464 5.4 MEDIUM
Network
- - Cross-Site Scripting vulnerability in the Snipe-IT web-based asset management system v8.3.0 to up and including v8.3.1 allows authenticated attacker with lowest privileges sufficient only to log in, … CWE-79
Cross-site Scripting (XSS)
CVE-2025-63743 2026-04-18 00:38 2026-04-14
465 7.5 HIGH
Network
- - A NULL pointer dereference in Nitro PDF Pro for Windows v14.41.1.4 allows attackers to cause a Denial of Service (DoS) via a crafted XFA packet. CWE-476
NULL Pointer Dereference
CVE-2025-66769 2026-04-18 00:38 2026-04-14
466 8.4 HIGH
Local
- - Nitro PDF Pro for Windows 14.41.1.4 contains a heap use-after-free vulnerability in the implementation of the JavaScript method this.mailDoc(). During execution, an internal XID object is allocated a… CWE-416
Use After Free
CVE-2025-69627 2026-04-18 00:38 2026-04-14
467 - -
- - Unrestricted Upload of File with Dangerous Type vulnerability allows Remote Code Execution via file upload. This issue affects Pandora FMS: from 777 through 800 CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2026-30804 2026-04-18 00:38 2026-04-14
468 - -
- - Improper Neutralization of Special Elements used in an OS Command vulnerability allows OS Command Injection via Network Report. This issue affects Pandora FMS: from 777 through 800 CWE-78
OS Command Injection
CVE-2026-30806 2026-04-18 00:38 2026-04-14
469 - -
- - Improper Neutralization of Special Elements used in an OS Command vulnerability allows OS Command Injection via WebServerModuleDebug. This issue affects Pandora FMS: from 777 through 800 CWE-78
OS Command Injection
CVE-2026-30809 2026-04-18 00:38 2026-04-14
470 - -
- - Missing Authorization vulnerability allows Exposure of Sensitive Information via configuration endpoint. This issue affects Pandora FMS: from 777 through 800 CWE-276
Incorrect Default Permissions
CVE-2026-30811 2026-04-18 00:38 2026-04-14
471 - -
- - Improper Neutralization of Input During Web Page Generation vulnerability allows Stored Cross-Site Scripting via event comments. This issue affects Pandora FMS: from 777 through 800 CWE-79
Cross-site Scripting (XSS)
CVE-2026-30812 2026-04-18 00:38 2026-04-14
472 7.5 HIGH
Network
- - Nitro PDF Pro for Windows 14.41.1.4 contains a NULL pointer dereference vulnerability in the JavaScript implementation of app.alert(). When app.alert() is called with more than one argument and the f… CWE-476
NULL Pointer Dereference
CVE-2025-69624 2026-04-18 00:38 2026-04-14
473 - -
- - Improper Neutralization of Special Elements used in an SQL Command vulnerability allows SQL Injection via module search. This issue affects Pandora FMS: from 777 through 800 CWE-89
SQL Injection
CVE-2026-30813 2026-04-18 00:38 2026-04-14
474 - -
- - Improper Neutralization of Special Elements used in an SQL Command vulnerability allows SQL Injection via custom fields. This issue affects Pandora FMS: from 777 through 800 CWE-89
SQL Injection
CVE-2026-34186 2026-04-18 00:38 2026-04-14
475 - -
- - Improper Neutralization of Special Elements used in an OS Command vulnerability allows OS Command Injection via Event Response execution. This issue affects Pandora FMS: from 777 through 800 CWE-78
OS Command Injection
CVE-2026-34188 2026-04-18 00:38 2026-04-14
476 - -
- - Decidim is a participatory democracy framework. In versions below 0.30.5 and 0.31.0.rc1 through 0.31.0, a stored code execution vulnerability in the user name field allows a low-privileged attacker t… CWE-79
Cross-site Scripting (XSS)
CVE-2026-23891 2026-04-18 00:38 2026-04-14
477 4.0 MEDIUM
Network
- - An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame wit… CWE-130
Improper Handling of Length Parameter Inconsistency
CVE-2026-33555 2026-04-18 00:38 2026-04-14
478 8.8 HIGH
Network
- - The `/registercrd` endpoint in KubePlus 4.14 in the kubeconfiggenerator component is vulnerable to command injection. The component uses `subprocess.Popen()` with `shell=True` parameter to execute sh… CWE-94
Code Injection
CVE-2026-29955 2026-04-18 00:38 2026-04-14
479 8.1 HIGH
Network
- - simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow execution of arbitrary commands through Git option manipulation, bypassing safety checks mean… CWE-78
OS Command Injection
CVE-2026-28291 2026-04-18 00:38 2026-04-14
480 8.2 HIGH
Network
- - jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and jvp_string_copy_replace_bad functions, where concatenating strin… CWE-122
CWE-190
Heap-based Buffer Overflow
Integer Overflow or Wraparound
CVE-2026-32316 2026-04-18 00:38 2026-04-14
481 9.8 CRITICAL
Network
- - An issue in the `pickle` protocol of Pyro v3.x allows attackers to execute arbitrary code via supplying a crafted pickled string message. CWE-94
Code Injection
CVE-2026-31048 2026-04-18 00:38 2026-04-14
482 7.5 HIGH
Network
- - nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, an untrusted peer could crash a validator by … CWE-125
CWE-193
Out-of-bounds Read
Off-by-one Error
CVE-2026-32605 2026-04-18 00:38 2026-04-14
483 4.3 MEDIUM
Network
- - EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have an authenticated Server-Side Request Forgery (SSRF) vulnerability that allows bypassing the inter… CWE-918
Server-Side Request Forgery
CVE-2026-33534 2026-04-18 00:38 2026-04-14
484 4.6 MEDIUM
Network
- - EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have a stored HTML injection vulnerability that allows any authenticated user with standard (non-admin… CWE-80
CWE-116
Cross-site Scripting (Basic XSS)
Improper Encoding or Escaping of Output
CVE-2026-33657 2026-04-18 00:38 2026-04-14
485 8.8 HIGH
Network
- - A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a fu… CWE-269
CWE-639
Improper Privilege Management
Authorization Bypass Through User-Controlled Key
CVE-2026-38529 2026-04-18 00:38 2026-04-15
486 8.1 HIGH
Network
- - A Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently… CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-38530 2026-04-18 00:38 2026-04-15
487 8.1 HIGH
Network
- - A Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanentl… CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-38532 2026-04-18 00:38 2026-04-15
488 6.5 MEDIUM
Network
- - An improper authorization vulnerability in the /api/v1/users/{id} endpoint of Snipe-IT v8.4.0 allows authenticated attackers with the users.edit permission to modify sensitive authentication and acco… CWE-285
Improper Authorization
CVE-2026-38533 2026-04-18 00:38 2026-04-15
489 4.9 MEDIUM
Network
- - October is a Content Management System (CMS) and web platform. Versions prior to 3.7.13 and versions 4.0.0 through 4.1.4 contain a sandbox bypass vulnerability in the optional Twig safe mode feature … CWE-284
CWE-693
Improper Access Control
Protection Mechanism Failure
CVE-2026-22692 2026-04-18 00:38 2026-04-15
490 9.8 CRITICAL
Network
- - An issue pertaining to CWE-843: Access of Resource Using Incompatible Type was discovered in transloadit uppy v0.25.6. CWE-843
Type Confusion
CVE-2025-70023 2026-04-18 00:38 2026-04-15
491 - -
- - A vulnerability exists in FlashBlade whereby sensitive information may be logged under specific conditions. CWE-532
Information Exposure Through Log Files
CVE-2026-0207 2026-04-18 00:38 2026-04-15
492 - -
- - Under certain administrative conditions, FlashArray Purity may apply snapshot retention policies earlier or later than configured. CWE-783
Operator Precedence Logic Error
CVE-2026-0209 2026-04-18 00:38 2026-04-15
493 - -
- - October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a Stored Cross-Site Scripting (XSS) vulnerability in the Backend Editor Settings. The Markup… CWE-79
Cross-site Scripting (XSS)
CVE-2026-24906 2026-04-18 00:38 2026-04-15
494 - -
- - October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the Event Log mail preview feature. Whe… CWE-79
Cross-site Scripting (XSS)
CVE-2026-24907 2026-04-18 00:38 2026-04-15
495 - -
- - Chamilo is an open-source learning management system (LMS). Version 2.0.0-RC.2 contains a SQL Injection vulnerability in the statistics AJAX endpoint, which is an incomplete fix for CVE-2026-30881. W… CWE-89
SQL Injection
CVE-2026-33714 2026-04-18 00:38 2026-04-15
496 4.3 MEDIUM
Network
- - Docmost is open-source collaborative wiki and documentation software. An authorization bypass vulnerability in versions 0.70.0 through 0.70.2 exposes restricted child page titles and text snippets th… CWE-285
Improper Authorization
CVE-2026-33146 2026-04-18 00:38 2026-04-15
497 7.7 HIGH
Network
- - In OpenStack Keystone before 28.0.1, the LDAP identity backend does not convert the user enabled attribute to a boolean when the user_enabled_invert configuration option is False (the default). The _… CWE-843
Type Confusion
CVE-2026-40683 2026-04-18 00:38 2026-04-15
498 8.8 HIGH
Network
- - openITCOCKPIT is an open source monitoring tool built for different monitoring engines. openITCOCKPIT Community Edition prior to version 5.5.2 contains a command injection vulnerability that allows a… CWE-20
CWE-78
Improper Input Validation
OS Command Injection
CVE-2026-24893 2026-04-18 00:38 2026-04-15
499 4.9 MEDIUM
Network
- - October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a server-side information disclosure vulnerability in the INI settings parser. Because PHP's… CWE-94
CWE-200
Code Injection
Information Exposure
CVE-2026-25125 2026-04-18 00:38 2026-04-15
500 - -
- - October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the SVG sanitization logic. The regex p… CWE-79
Cross-site Scripting (XSS)
CVE-2026-25133 2026-04-18 00:38 2026-04-15