NVD Vulnerability Information: Top

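You can search the list of vulnerabilities managed in the NVD (National Vulnerability Database).
Because vulnerability information is often updated in NVD before it is updated in JVN (Japan Vulnerability Note), this list may contain updated vulnerabilities that are not yet listed in JVN.

When a vulnerability has a related JVN (Japan Vulnerability Note) entry, that information is shown on the detail page.

To search by CWE, refer to the CWE overview and confirm the CWE number.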

Last updated: April 21, 2026, 4:10

Columns: No, CVSS, Level, Attack vector, Vendor, Product, Title, CWE, CVE, Updated, Published, Impact view, Exploit/PoC search
51 8.4 HIGH
Local
praison praisonai
praisonaiagents
PraisonAI is a multi-agent teams system. Versions 4.5.138 and below are vulnerable to arbitrary code execution through automatic, unsanitized import of a tools.py file from the current working direct… Update CWE-94
CWE-426
Code Injection
Untrusted Search Path
CVE-2026-40287 2026-04-21 02:47 2026-04-14 View GitHub Exploit DB Packet Storm
52 9.8 CRITICAL
Network
praison praisonai
praisonaiagents
PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the workflow engine is vulnerable to arbitrary command and code execution through untru… Update CWE-78
CWE-94
OS Command Injection
Code Injection
CVE-2026-40288 2026-04-21 02:47 2026-04-14 View GitHub Exploit DB Packet Storm
53 9.1 CRITICAL
Network
praison praisonai
praisonaiagents
PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the browser bridge (praisonai browser start) is vulnerable to unauthenticated remote se… Update CWE-306
Missing Authentication for Critical Function
CVE-2026-40289 2026-04-21 02:46 2026-04-14 View GitHub Exploit DB Packet Storm
54 9.1 CRITICAL
Network
praison praisonai PraisonAI is a multi-agent teams system. In versions 4.5.139 and below, the GitHub Actions workflows are vulnerable to ArtiPACKED attack, a known credential leakage vector caused by using actions/che… Update CWE-829
Inclusion of Functionality from Untrusted Control Sphere
CVE-2026-40313 2026-04-21 02:39 2026-04-14 View GitHub Exploit DB Packet Storm
55 9.8 CRITICAL
Network
praison praisonai PraisonAI is a multi-agent teams system. Prior to 4.5.133, there is an SQL identifier injection vulnerability in SQLiteConversationStore where the table_prefix configuration value is directly concate… Update CWE-89
SQL Injection
CVE-2026-40315 2026-04-21 02:38 2026-04-14 View GitHub Exploit DB Packet Storm
56 5.5 MEDIUM
Network
maxkb maxkb MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain an incomplete fix for CVE-2025-53928, where a Remote Code Execution vulnerability still exists in the MCP node of… Update CWE-20
CWE-78
Improper Input Validation
OS Command Injection
CVE-2026-39417 2026-04-21 02:36 2026-04-14 View GitHub Exploit DB Packet Storm
57 7.4 HIGH
Network
maxkb maxkb MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, sandbox network protection can be bypassed by using socket.sendto() with the MSG_FASTOPEN flag. This allows authentic… Update CWE-918
Server-Side Request Forgery
CVE-2026-39418 2026-04-21 02:36 2026-04-14 View GitHub Exploit DB Packet Storm
58 7.4 HIGH
Network
maxkb maxkb MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, an incomplete sandbox protection mechanism allows an authenticated user with tool execution privileges to escape the … Update CWE-78
CWE-693
OS Command Injection
Protection Mechanism Failure
CVE-2026-39420 2026-04-21 02:35 2026-04-14 View GitHub Exploit DB Packet Storm
59 7.4 HIGH
Network
maxkb maxkb MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a sandbox escape vulnerability in the ToolExecutor component. By leveraging Python's ctypes library to execute ra… Update CWE-94
CWE-693
Code Injection
Protection Mechanism Failure
CVE-2026-39421 2026-04-21 02:35 2026-04-14 View GitHub Exploit DB Packet Storm
60 5.4 MEDIUM
Network
maxkb maxkb MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting (XSS) vulnerability through the application name or icon fields when creating an ap… Update CWE-79
Cross-Site Scripting (XSS)
CVE-2026-39422 2026-04-21 02:34 2026-04-14 View GitHub Exploit DB Packet Storm
61 5.4 MEDIUM
Network
maxkb maxkb MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain an Eval Injection vulnerability in the Markdown rendering engine that allows any user capable of interacting with… Update CWE-79
CWE-95
Cross-Site Scripting (XSS)
Eval Injection
CVE-2026-39423 2026-04-21 02:34 2026-04-14 View GitHub Exploit DB Packet Storm
62 4.7 MEDIUM
Network
maxkb maxkb MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, the chat export feature is vulnerable to Improper Neutralization of Formula Elements in a CSV File. When an administr… Update CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2026-39424 2026-04-21 02:34 2026-04-14 View GitHub Exploit DB Packet Storm
63 3.1 LOW
Network
maxkb maxkb MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, an authenticated user can bypass sandbox result validation and spoof tool execution results by exploiting Python fram… Update CWE-74
CWE-290
CWE-693
Injection
Authentication Bypass by Spoofing
Protection Mechanism Failure
CVE-2026-39419 2026-04-21 02:32 2026-04-14 View GitHub Exploit DB Packet Storm
64 5.4 MEDIUM
Network
maxkb maxkb MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting (XSS) vulnerability that allows authenticated users to inject arbitrary HTML and Ja… Update CWE-80
Cross-Site Scripting (Basic XSS)
CVE-2026-39425 2026-04-21 02:31 2026-04-14 View GitHub Exploit DB Packet Storm
65 5.4 MEDIUM
Network
maxkb maxkb MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting (XSS) vulnerability where the frontend's MdRenderer.vue component parses custom <if… Update CWE-79
Cross-Site Scripting (XSS)
CVE-2026-39426 2026-04-21 02:31 2026-04-14 View GitHub Exploit DB Packet Storm
66 7.3 HIGH
Network
- - A vulnerability was found in ericc-ch copilot-api up to 0.7.0. The impacted element is the function cors of the file src/server.ts of the component Token Endpoint. Performing a manipulation results i… New CWE-346
CWE-942
Same-Origin Policy Violation
Overly Permissive Cross-domain Whitelist
CVE-2026-6662 2026-04-21 02:16 2026-04-21 View GitHub Exploit DB Packet Storm
67 - -
- - miniupnpd contains an integer underflow vulnerability in SOAPAction header parsing that allows remote attackers to cause a denial of service or information disclosure by sending a malformed SOAPActio… Update CWE-125
CWE-191
Out-of-bounds Read
Integer Underflow
CVE-2026-5720 2026-04-21 02:16 2026-04-18 View GitHub Exploit DB Packet Storm
68 8.8 HIGH
Network
- - KissFFT before commit 8a8e66e contains an integer overflow vulnerability in the kiss_fftndr_alloc() function in kiss_fftndr.c where the allocation size calculation dimOther*(dimReal+2)*sizeof(kiss_ff… New CWE-122
CWE-190
Heap Overflow
Integer Overflow or Wraparound
CVE-2026-41445 2026-04-21 02:16 2026-04-21 View GitHub Exploit DB Packet Storm
69 5.4 MEDIUM
Network
- - The Keycloak authentication manager in `apache-airflow-providers-keycloak` did not generate or validate the OAuth 2.0 `state` parameter on the login / login-callback flow, and did not use PKCE. An at… Update CWE-352
Same-Origin Policy Violation
CVE-2026-40948 2026-04-21 02:16 2026-04-18 View GitHub Exploit DB Packet Storm
70 6.5 MEDIUM
Network
- - OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with `manage_agendas` permission in any project can inject agenda items into meetings belonging to a… New CWE-367
CWE-639
Time-of-check Time-of-use (TOCTOU) Race Condition
Authorization Bypass Through User-Controlled Key
CVE-2026-40896 2026-04-21 02:16 2026-04-21 View GitHub Exploit DB Packet Storm
71 - -
- - Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Pr… New CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2026-40488 2026-04-21 02:16 2026-04-21 View GitHub Exploit DB Packet Storm
72 - -
- - wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the attribution_link property in AbstractLicenseModel constructs HTML by directly interpolating user-controlled lic… Update CWE-79
Cross-Site Scripting (XSS)
CVE-2026-40353 2026-04-21 02:16 2026-04-18 View GitHub Exploit DB Packet Storm
73 7.7 HIGH
Network
- - Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can trigger server-side requests to arbitrary internal targets throu… Update CWE-918
Server-Side Request Forgery
CVE-2026-40348 2026-04-21 02:16 2026-04-18 View GitHub Exploit DB Packet Storm
74 8.8 HIGH
Network
- - WeGIA is a web manager for charitable institutions. Versions prior to 3.6.10 contain a SQL injection vulnerability in dao/memorando/UsuarioDAO.php. The cpf_usuario POST parameter overwrites the sessi… Update CWE-89
CWE-302
CWE-473
SQL Injection
Authentication Bypass Vulnerability
PHP External Variable Modification
CVE-2026-40285 2026-04-21 02:16 2026-04-18 View GitHub Exploit DB Packet Storm
75 - -
- - Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Pr… New CWE-862
Missing Authorization
CVE-2026-40098 2026-04-21 02:16 2026-04-21 View GitHub Exploit DB Packet Storm
76 - -
- - pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as ins… New CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2026-3219 2026-04-21 02:16 2026-04-21 View GitHub Exploit DB Packet Storm
77 6.3 MEDIUM
Local
- - Dell PowerProtect Data Domain appliances, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper … New CWE-269
Improper Privilege Management
CVE-2026-35154 2026-04-21 02:16 2026-04-21 View GitHub Exploit DB Packet Storm
78 3.1 LOW
Network
- - Stirling-PDF is a locally hosted web application that facilitates various operations on PDF files. In versions prior to 2.0.0, file upload endpoints render user-supplied filenames directly into HTML … Update CWE-20
CWE-79
CWE-116
Improper Input Validation
Cross-Site Scripting (XSS)
Improper Encoding or Escaping of Output
CVE-2026-33436 2026-04-21 02:16 2026-04-18 View GitHub Exploit DB Packet Storm
79 3.7 LOW
Network
- - Secrets in Variables saved as JSON dictionaries were not properly redacted - in case these variables were retrieved by the user the secrets stored as nested fields were not masked. If you do not stor… Update CWE-668
Exposure of Resource to Wrong Sphere
CVE-2026-32690 2026-04-21 02:16 2026-04-18 View GitHub Exploit DB Packet Storm
80 7.5 HIGH
Network
- - In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/expose_stack_traces" was set to false. That could lead to exposing additional information to potential attacker.… Update CWE-668
Exposure of Resource to Wrong Sphere
CVE-2026-30912 2026-04-21 02:16 2026-04-18 View GitHub Exploit DB Packet Storm
81 - -
- - Improper access control in Doorman v0.1.0 and v1.0.2 allows any authenticated user to update their own account role to a non-admin privileged role via /platform/user/{username}. The `role` field is a… New - CVE-2026-30269 2026-04-21 02:16 2026-04-21 View GitHub Exploit DB Packet Storm
82 - -
- - libcoap contains out-of-bounds read vulnerabilities in OSCORE Appendix B.2 CBOR unwrap handling where get_byte_inc() in src/oscore/oscore_cbor.c relies solely on assert() for bounds checking, which i… Update CWE-125
Out-of-bounds Read
CVE-2026-29013 2026-04-21 02:16 2026-04-18 View GitHub Exploit DB Packet Storm
83 6.7 MEDIUM
Local
- - Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain a stack-based buffer overflo… New CWE-121
Stack Overflow
CVE-2026-26951 2026-04-21 02:16 2026-04-21 View GitHub Exploit DB Packet Storm
84 7.2 HIGH
Network
- - Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an OS command injection vuln… New CWE-78
OS Command Injection
CVE-2026-26943 2026-04-21 02:16 2026-04-21 View GitHub Exploit DB Packet Storm
85 6.7 MEDIUM
Local
- - Dell PowerProtect Data Domain, versions 8.5 through 8.6 contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS command injection vulnerability. A high privileged attacke… New CWE-78
OS Command Injection
CVE-2026-26942 2026-04-21 02:16 2026-04-21 View GitHub Exploit DB Packet Storm
86 4.9 MEDIUM
Network
- - Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Pr… New CWE-22
CWE-184
Path Traversal
Incomplete Blacklist
CVE-2026-25525 2026-04-21 02:16 2026-04-21 View GitHub Exploit DB Packet Storm
87 8.1 HIGH
Network
- - Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Pr… New CWE-502
Deserialization of Untrusted Data
CVE-2026-25524 2026-04-21 02:16 2026-04-21 View GitHub Exploit DB Packet Storm
88 7.5 HIGH
Network
- - Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa transcription-collector service exposes an internal endpoint `GET /internal/… New CWE-306
CWE-862
Missing Authentication for Critical Function
Missing Authorization
CVE-2026-25058 2026-04-21 02:16 2026-04-21 View GitHub Exploit DB Packet Storm
89 7.2 HIGH
Network
- - Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an OS command injection vuln… New CWE-78
OS Command Injection
CVE-2026-24506 2026-04-21 02:16 2026-04-21 View GitHub Exploit DB Packet Storm
90 7.2 HIGH
Network
- - Dell PowerProtect Data Domain, versions 8.5 through 8.6 contain an improper input validation vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability,… New CWE-20
Improper Input Validation
CVE-2026-24505 2026-04-21 02:16 2026-04-21 View GitHub Exploit DB Packet Storm
91 7.2 HIGH
Network
- - Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper input validation… New CWE-20
Improper Input Validation
CVE-2026-24504 2026-04-21 02:16 2026-04-21 View GitHub Exploit DB Packet Storm
92 6.7 MEDIUM
Local
- - Dell PowerProtect Data Domain, versions 8.5 through 8.6 contain a command injection vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading … New CWE-78
OS Command Injection
CVE-2026-22761 2026-04-21 02:16 2026-04-21 View GitHub Exploit DB Packet Storm
93 6.5 MEDIUM
Network
- - A vulnerability exists in the Buffalo Link Station version 1.85-0.01 that allows unauthenticated or guest-level users to enumerate valid usernames and their associated privilege roles. The issue is t… New CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2025-66954 2026-04-21 02:16 2026-04-21 View GitHub Exploit DB Packet Storm
94 3.7 LOW
Network
apostrophecms apostrophecms ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a timing side-channel vulnerability in the password reset endpoint (/api/v1/@apostrophecms/login/r… Update CWE-208
Information Exposure Through Timing Discrepancy
CVE-2026-33877 2026-04-21 02:05 2026-04-16 View GitHub Exploit DB Packet Storm
95 5.3 MEDIUM
Network
apostrophecms apostrophecms ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the getRestQuery method of the @apostrophecms/piece-type … Update CWE-200
CWE-863
Information Exposure
Incorrect Authorization
CVE-2026-33888 2026-04-21 02:04 2026-04-16 View GitHub Exploit DB Packet Storm
96 5.4 MEDIUM
Network
apostrophecms apostrophecms ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in the @apostrophecms/color-field module, where color … Update CWE-79
Cross-Site Scripting (XSS)
CVE-2026-33889 2026-04-21 02:03 2026-04-16 View GitHub Exploit DB Packet Storm
97 5.3 MEDIUM
Network
apostrophecms apostrophecms ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the choices and counts query parameters of the REST API, … Update CWE-200
Information Exposure
CVE-2026-39857 2026-04-21 02:03 2026-04-16 View GitHub Exploit DB Packet Storm
98 4.3 MEDIUM
Network
apache pdfbox Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache PDFBox Examples. This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.… Update CWE-22
Path Traversal
CVE-2026-33929 2026-04-21 01:58 2026-04-14 View GitHub Exploit DB Packet Storm
99 6.1 MEDIUM
Network
leafletjs leaflet Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting (XSS) via the bindPopup() method. This method renders user-supplied input as raw HTML without sanitization, allowing … Update CWE-79
Cross-Site Scripting (XSS)
CVE-2025-69993 2026-04-21 01:55 2026-04-15 View GitHub Exploit DB Packet Storm
100 7.5 HIGH
Network
apache airflow JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. Users are advised to upgrade to Airflow version that contains fix. Users are recommended to upgrade t… Update CWE-532
Information Exposure Through Log Files
CVE-2026-31987 2026-04-21 01:54 2026-04-16 View GitHub Exploit DB Packet Storm