NVD Vulnerability Information: Top

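You can search the list of vulnerabilities managed in the NVD (National Vulnerability Database).
Because vulnerability information is often updated in the NVD before JVN (Japan Vulnerability Note), the list may contain updated vulnerabilities that are not yet listed in JVN.

If a vulnerability has related JVN (Japan Vulnerability Note) information, that information is shown on the detail screen.

When searching by CWE, refer to the CWE overview to confirm the CWE number.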

Last updated: April 21, 2026, 4:10

No. CVSS Level
Attack vector
Vendor Product Title CWE CVE Updated Published Impact view Exploit/PoC search
101 8.5 HIGH
Network
b3log siyuan SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and prior, the /api/av/removeUnusedAttributeView endpoint constructs a filesystem path using the user-controlled id pa… Update CWE-24
Path Traversal: '../filedir'
CVE-2026-40318 2026-04-21 01:50 2026-04-17 View GitHub Exploit DB Packet Storm
102 8.1 HIGH
Network
b3log siyuan SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, the /api/av/removeUnusedAttributeView endpoint is protected only by generic authentication that accepts pub… Update CWE-285
Improper Authorization
CVE-2026-40259 2026-04-21 01:49 2026-04-17 View GitHub Exploit DB Packet Storm
103 8.4 HIGH
Local
microsoft windows_10_1809
windows_10_21h2
windows_10_22h2
windows_11_23h2
windows_11_24h2
windows_11_25h2
windows_11_26h1
windows_server_2019
windows_server_2022
windows_server_2022_…
Acceptance of extraneous untrusted data with trusted data in Windows COM allows an unauthorized attacker to elevate privileges locally. Update CWE-349
Acceptance of Extraneous Untrusted Data With Trusted Data
CVE-2026-32162 2026-04-21 01:48 2026-04-15 View GitHub Exploit DB Packet Storm
104 7.5 HIGH
Network
apache skywalking The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL. This issue affects Apache SkyWalking: from 9.7.0 through 10.3.0. Users are recom… Update CWE-202
Exposure of Sensitive Information Through Data Queries
CVE-2026-30778 2026-04-21 01:46 2026-04-15 View GitHub Exploit DB Packet Storm
105 8.8 HIGH
Network
dataease dataease DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below ship the legacy velocity-1.7.jar, which pulls in commons-collections-3.2.1.jar containing the InvokerT… Update CWE-502
Deserialization of Untrusted Data
CVE-2026-40901 2026-04-21 01:46 2026-04-17 View GitHub Exploit DB Packet Storm
106 8.8 HIGH
Network
dataease dataease DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /de2api/datasetData/previewSql endpoint. The user-supplie… Update CWE-89
SQL Injection
CVE-2026-40900 2026-04-21 01:46 2026-04-17 View GitHub Exploit DB Packet Storm
107 7.1 HIGH
Network
apache skywalking_mcp Server-Side Request Forgery via SW-URL Header vulnerability in Apache SkyWalking MCP. This issue affects Apache SkyWalking MCP: 0.1.0. Users are recommended to upgrade to version 0.2.0, which fixes… Update CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-34476 2026-04-21 01:45 2026-04-13 View GitHub Exploit DB Packet Storm
108 7.8 HIGH
Local
microsoft windows_10_1809
windows_10_21h2
windows_10_22h2
windows_11_23h2
windows_11_24h2
windows_11_25h2
windows_11_26h1
windows_server_2019
windows_server_2022
windows_server_2022_…
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows User Interface Core allows an authorized attacker to elevate privileges locally. Update CWE-362
CWE-416
Race Condition
Use After Free
CVE-2026-32163 2026-04-21 01:44 2026-04-15 View GitHub Exploit DB Packet Storm
109 7.8 HIGH
Local
microsoft windows_10_1607
windows_10_1809
windows_10_21h2
windows_10_22h2
windows_11_23h2
windows_11_24h2
windows_11_25h2
windows_11_26h1
windows_server_2016
windows_server_2019
w…
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows User Interface Core allows an authorized attacker to elevate privileges locally. Update CWE-362
Race Condition
CVE-2026-32164 2026-04-21 01:43 2026-04-15 View GitHub Exploit DB Packet Storm
110 6.5 MEDIUM
Network
dataease dataease DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a JDBC parameter blocklist bypass vulnerability in the MySQL datasource configuration. The Mys… Update CWE-183
Permissive List of Allowed Inputs
CVE-2026-40899 2026-04-21 01:42 2026-04-17 View GitHub Exploit DB Packet Storm
111 7.8 HIGH
Local
microsoft windows_10_1809
windows_10_21h2
windows_10_22h2
windows_11_23h2
windows_11_24h2
windows_11_25h2
windows_11_26h1
windows_server_2019
windows_server_2022
windows_server_2022_…
Use after free in Windows User Interface Core allows an authorized attacker to elevate privileges locally. Update CWE-362
CWE-416
Race Condition
Use After Free
CVE-2026-32165 2026-04-21 01:42 2026-04-15 View GitHub Exploit DB Packet Storm
112 8.8 HIGH
Network
dataease dataease DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /datasource/getTableField endpoint. The getTableFiledSql … Update CWE-89
SQL Injection
CVE-2026-33207 2026-04-21 01:41 2026-04-17 View GitHub Exploit DB Packet Storm
113 5.5 MEDIUM
Local
microsoft windows_10_21h2
windows_10_22h2
windows_11_23h2
windows_11_24h2
windows_11_25h2
windows_11_26h1
windows_server_2022
windows_server_2022_23h2
windows_server_2025
Improper privilege management in Microsoft Windows allows an authorized attacker to deny service locally. Update CWE-269
Improper Privilege Management
CVE-2026-32181 2026-04-21 01:40 2026-04-15 View GitHub Exploit DB Packet Storm
114 9.8 CRITICAL
Network
dataease dataease DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource update process. When a new table definitio… Update CWE-89
SQL Injection
CVE-2026-33122 2026-04-21 01:40 2026-04-17 View GitHub Exploit DB Packet Storm
115 7.8 HIGH
Local
microsoft windows_10_1607
windows_10_1809
windows_10_21h2
windows_10_22h2
windows_11_23h2
windows_11_24h2
windows_11_25h2
windows_11_26h1
windows_server_2012
windows_server_2016
w…
Improper neutralization of special elements used in a command ('command injection') in Windows Snipping Tool allows an unauthorized attacker to execute code locally. Update CWE-77
Command Injection
CVE-2026-32183 2026-04-21 01:40 2026-04-15 View GitHub Exploit DB Packet Storm
116 7.8 HIGH
Local
microsoft defender_antimalware_platform Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to elevate privileges locally. Update CWE-1220
Insufficient Granularity of Access Control
CVE-2026-33825 2026-04-21 01:37 2026-04-15 View GitHub Exploit DB Packet Storm
117 8.8 HIGH
Network
dataease dataease DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource saving process. The deTableName field from… Update CWE-89
SQL Injection
CVE-2026-33121 2026-04-21 01:37 2026-04-17 View GitHub Exploit DB Packet Storm
118 7.0 HIGH
Local
microsoft windows_11_26h1 Stack-based buffer overflow in Windows Kernel allows an authorized attacker to elevate privileges locally. Update CWE-121
Stack-based Buffer Overflow
CVE-2026-32195 2026-04-21 01:37 2026-04-15 View GitHub Exploit DB Packet Storm
119 8.8 HIGH
Network
dataease dataease DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the sort parameter of the /de2api/datasetData/enumValueObj en… Update CWE-89
SQL Injection
CVE-2026-33084 2026-04-21 01:36 2026-04-17 View GitHub Exploit DB Packet Storm
120 8.8 HIGH
Network
dataease dataease DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the orderDirection parameter used in dataset-related endpoint… Update CWE-89
SQL Injection
CVE-2026-33083 2026-04-21 01:35 2026-04-17 View GitHub Exploit DB Packet Storm
121 9.8 CRITICAL
Network
dataease dataease DataEase is an open source data visualization analysis tool. Versions 2.10.20 and below contain a SQL injection vulnerability in the dataset export functionality. The expressionTree parameter in POST… Update CWE-89
SQL Injection
CVE-2026-33082 2026-04-21 01:34 2026-04-17 View GitHub Exploit DB Packet Storm
122 4.7 MEDIUM
Network
- - A weakness has been identified in Pagekit CMS up to 1.0.18. This issue affects the function evaluate of the file app/modules/view/src/PhpEngine.php of the component StringStorage Template Handler. Th… New CWE-94
CWE-95
Code Injection
Eval Injection
CVE-2026-6652 2026-04-21 01:16 2026-04-21 View GitHub Exploit DB Packet Storm
123 2.4 LOW
Network
- - A security flaw has been discovered in erponline.xyz ERP Online up to 4.0.0. This vulnerability affects unknown code of the component Inventory Edit Item Page. The manipulation of the argument Item N… New CWE-79
CWE-94
Cross-Site Scripting (XSS)
Code Injection
CVE-2026-6651 2026-04-21 01:16 2026-04-21 View GitHub Exploit DB Packet Storm
124 4.7 MEDIUM
Network
- - A vulnerability was identified in Z-BlogPHP 1.7.5. This affects the function App::UnPack of the file /zb_users/plugin/AppCentre/app_upload.php of the component ZBA File Handler. The manipulation lead… New CWE-284
CWE-434
Improper Access Control
Unrestricted Upload of File with Dangerous Type
CVE-2026-6650 2026-04-21 01:16 2026-04-21 View GitHub Exploit DB Packet Storm
125 9.1 CRITICAL
Network
- - An attacker with network access to the PLC is able to brute force discover passwords to gain unauthorized access to systems and services. The limited password complexity and no password input limiter… Update CWE-521
Weak Password Requirements
CVE-2026-6284 2026-04-21 01:16 2026-04-18 View GitHub Exploit DB Packet Storm
126 7.1 HIGH
Network
- - ConnectWise has released a security update for ConnectWise Automate™ that addresses a behavior in the ConnectWise Automate Solution Center where certain client-to-server communications could occur wi… New CWE-319
Cleartext Transmission of Sensitive Information
CVE-2026-6066 2026-04-21 01:16 2026-04-21 View GitHub Exploit DB Packet Storm
127 9.8 CRITICAL
Network
- - SGLang's reranking endpoint (/v1/rerank) achieves Remote Code Execution (RCE) when a model file containing a malicious tokenizer.chat_template is loaded, as the Jinja2 chat templates are rendered usin… New CWE-94
Code Injection
CVE-2026-5760 2026-04-21 01:16 2026-04-20 View GitHub Exploit DB Packet Storm
128 4.0 MEDIUM
Network
- - ProjectDiscovery Nuclei 3 before 3.8.0 allows DSL expression injection. This affects use of -env-vars for multi-step templates against untrusted targets (not the default configuration). New CWE-94
Code Injection
CVE-2026-41282 2026-04-21 01:16 2026-04-20 View GitHub Exploit DB Packet Storm
129 5.9 MEDIUM
Network
- - Junrar is an open source java RAR archive library. Prior to version 7.5.10, a path traversal vulnerability in `LocalFolderExtractor` allows an attacker to write arbitrary files with attacker-controll… New CWE-22
Path Traversal
CVE-2026-41245 2026-04-21 01:16 2026-04-21 View GitHub Exploit DB Packet Storm
130 5.8 MEDIUM
Local
- - In JetBrains Junie before 252.549.29 command execution was possible via malicious project file Update CWE-77
Command Injection
CVE-2026-41153 2026-04-21 01:16 2026-04-18 View GitHub Exploit DB Packet Storm
131 5.4 MEDIUM
Network
b3log siyuan SiYuan is an open-source personal knowledge management system. In versions 3.6.1 through 3.6.3, a prior fix for XSS in bazaar README rendering (incomplete fix for CVE-2026-33066) enabled the Lute HTM… Update CWE-79
Cross-Site Scripting (XSS)
CVE-2026-40922 2026-04-21 01:16 2026-04-17 View GitHub Exploit DB Packet Storm
132 - -
- - radare2 prior to version 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by embedding a newline byte in… Update CWE-78
OS Command Injection
CVE-2026-40499 2026-04-21 01:16 2026-04-15 View GitHub Exploit DB Packet Storm
133 8.9 HIGH
Network
- - Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file upload validation bypass allows any authenticated user to upload arbitrary HTML, SVG, or other executable file types to t… Update CWE-79
CWE-345
CWE-434
Cross-Site Scripting (XSS)
Insufficient Verification of Data Authenticity
Unrestricted Upload of File with Dangerous Type
CVE-2026-40487 2026-04-21 01:16 2026-04-18 View GitHub Exploit DB Packet Storm
134 9.3 CRITICAL
Local
- - NovumOS is a custom 32-bit operating system written in Zig and x86 Assembly. In versions prior to 0.24, Syscall 12 (JumpToUser) accepts an arbitrary entry point address from user-space registers with… Update CWE-20
CWE-269
Improper Input Validation
Improper Privilege Management
CVE-2026-40317 2026-04-21 01:16 2026-04-18 View GitHub Exploit DB Packet Storm
135 - -
- - free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the handler for creating or updating Traffic Influence Subscriptions checks whether th… Update CWE-285
CWE-636
Improper Authorization
Not Failing Securely ('Failing Open')
CVE-2026-40248 2026-04-21 01:16 2026-04-17 View GitHub Exploit DB Packet Storm
136 7.5 HIGH
Network
- - ngtcp2 is a C implementation of the IETF QUIC protocol. In versions prior to 1.22.1, ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte stack bu… Update CWE-121
Stack-based Buffer Overflow
CVE-2026-40170 2026-04-21 01:16 2026-04-17 View GitHub Exploit DB Packet Storm
137 5.3 MEDIUM
Network
- - Information exposure vulnerability has been identified in Apache Kafka. The NetworkClient component will output entire requests and responses information in the DEBUG log level in the logs. By defau… New CWE-533
CVE-2026-33558 2026-04-21 01:16 2026-04-20 View GitHub Exploit DB Packet Storm
138 9.1 CRITICAL
Network
- - A possible security vulnerability has been identified in Apache Kafka. By default, the broker property `sasl.oauthbearer.jwt.validator.class` is set to `org.apache.kafka.common.security.oauthbearer.… New CWE-1285
Improper Validation of Specified Index, Position, or Offset in Input
CVE-2026-33557 2026-04-21 01:16 2026-04-20 View GitHub Exploit DB Packet Storm
139 4.8 MEDIUM
Network
- - Cryptomator is an open-source client-side encryption application for cloud storage. Version 1.19.1 contains a logic flaw in CheckHostTrustController.getAuthority() that allows an attacker to bypass t… Update CWE-305
CWE-319
Authentication Bypass by Primary Weakness
Cleartext Transmission of Sensitive Information
CVE-2026-33472 2026-04-21 01:16 2026-04-17 View GitHub Exploit DB Packet Storm
140 7.5 HIGH
Network
- - UI / API User with asset materialize permission could trigger dags they had no access to. Users are advised to migrate to Airflow version 3.2.0 that fixes the issue. Update CWE-863
Incorrect Authorization
CVE-2026-32228 2026-04-21 01:16 2026-04-18 View GitHub Exploit DB Packet Storm
141 7.5 HIGH
Network
- - Craftql v1.3.7 and before is vulnerable to Server-Side Request Forgery (SSRF) which allows an attacker to execute arbitrary code via the vendor/markhuot/craftql/src/Listeners/GetAssetsFieldSchema.php… Update CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-31317 2026-04-21 01:16 2026-04-17 View GitHub Exploit DB Packet Storm
142 8.8 HIGH
Network
- - An example of BashOperator in Airflow documentation suggested a way of passing dag_run.conf in the way that could cause unsanitized user input to be used to escalate privileges of UI user to allow ex… Update CWE-77
Command Injection
CVE-2026-30898 2026-04-21 01:16 2026-04-18 View GitHub Exploit DB Packet Storm
143 8.8 HIGH
Network
- - Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain a missing authentication for… New CWE-306
Missing Authentication for Critical Function
CVE-2026-26944 2026-04-21 01:16 2026-04-21 View GitHub Exploit DB Packet Storm
144 9.8 CRITICAL
Network
- - Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly tr… Update CWE-502
Deserialization of Untrusted Data
CVE-2026-25917 2026-04-21 01:16 2026-04-18 View GitHub Exploit DB Packet Storm
145 5.8 MEDIUM
Network
- - Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa webhook feature allows authenticated users to configure an arbitrary URL tha… New CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-25883 2026-04-21 01:16 2026-04-21 View GitHub Exploit DB Packet Storm
146 9.0 CRITICAL
Network
- - OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests. Starting in version 1.0.0 and prior to version 2.0.13, OpenAEV's… New CWE-640
Weak Password Recovery Mechanism for Forgotten Password
CVE-2026-24467 2026-04-21 01:16 2026-04-21 View GitHub Exploit DB Packet Storm
147 7.2 HIGH
Network
- - Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.10, LTS2024 release versions 7.1… New CWE-78
OS Command Injection
CVE-2026-23774 2026-04-21 01:16 2026-04-21 View GitHub Exploit DB Packet Storm
148 6.7 MEDIUM
Local
- - A vulnerability allowing a local attacker with administrator privileges to bypass Windows Driver Signature Enforcement. Update CWE-77
Command Injection
CVE-2026-21709 2026-04-21 01:16 2026-04-18 View GitHub Exploit DB Packet Storm
149 5.3 MEDIUM
Network
- - Apache Doris MCP Server versions earlier than 0.6.1 are affected by an improper neutralization flaw in query context handling that may allow execution of unintended SQL statements and bypass of inten… New CWE-89
SQL Injection
CVE-2025-66335 2026-04-21 01:16 2026-04-20 View GitHub Exploit DB Packet Storm
150 4.3 MEDIUM
Network
microsoft windows_10_1607
windows_10_1809
windows_10_21h2
windows_10_22h2
windows_11_23h2
windows_11_24h2
windows_11_25h2
windows_11_26h1
windows_server_2012
windows_server_2016
w…
Protection mechanism failure in Windows Shell allows an unauthorized attacker to perform spoofing over a network. Update CWE-693
Protection Mechanism Failure
CVE-2026-32202 2026-04-21 00:32 2026-04-15 View GitHub Exploit DB Packet Storm