NVD Vulnerability Information

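You can search the list of vulnerabilities managed in the NVD (National Vulnerability Database).
Because the NVD is often updated with vulnerability information before JVN (Japan Vulnerability Notes), it may contain vulnerabilities that are not yet listed in JVN.

When a vulnerability has related JVN (Japan Vulnerability Notes) information, that information is shown on the detail page.

To search by CWE, refer to the CWE overview and confirm the CWE number.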

  • CRITICAL
  • HIGH
  • MEDIUM
  • LOW

Updated: April 22, 2026, 4:00

No. CVSS Level
Attack vector
Vendor Product Title CWE CVE Updated Published Impact view Exploit/PoC search
301 8.8 HIGH
Local
- - Emissary is a P2P based data-driven workflow engine. In versions 8.42.0 and below, Executrix.getCommand() is vulnerable to OS command injection because it interpolates temporary file paths into a /b… CWE-78
CWE-116
OS Command Injection
Improper Encoding or Escaping of Output
CVE-2026-35582 2026-04-18 11:16 2026-04-18 View GitHub Exploit DB Packet Storm
302 6.1 MEDIUM
Network
- - The Hostel plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode_id' parameter in all versions up to, and including, 1.1.6 due to insufficient input sanitization and… CWE-79
Cross-site Scripting (XSS)
CVE-2026-1838 2026-04-18 11:16 2026-04-18 View GitHub Exploit DB Packet Storm
303 6.4 MEDIUM
Network
- - The Youzify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'checkin_place_id' parameter in all versions up to, and including, 1.3.6 due to insufficient input sanitization a… CWE-79
Cross-site Scripting (XSS)
CVE-2026-1559 2026-04-18 11:16 2026-04-18 View GitHub Exploit DB Packet Storm
304 9.0 CRITICAL
Local
- - NovumOS is a custom 32-bit operating system written in Zig and x86 Assembly. In versions prior to 0.24, Syscall 15 (MemoryMapRange) allows Ring 3 user-mode processes to map arbitrary virtual address … CWE-269
Improper Privilege Management
CVE-2026-40572 2026-04-18 10:16 2026-04-18 View GitHub Exploit DB Packet Storm
305 8.8 HIGH
Network
- - Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can access the user-management endpoints `/settings/users` and use t… CWE-863
Incorrect Authorization
CVE-2026-40350 2026-04-18 10:16 2026-04-18 View GitHub Exploit DB Packet Storm
306 7.5 HIGH
Network
- - SecureDrop Client is a desktop app for journalists to securely communicate with sources and handle submissions on the SecureDrop Workstation. In versions 0.17.4 and below, a compromised SecureDrop Se… CWE-36
CWE-73
Absolute Path Traversal
External Control of File Name or Path
CVE-2026-35465 2026-04-18 10:16 2026-04-18 View GitHub Exploit DB Packet Storm
307 8.8 HIGH
Network
- - Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can escalate their own account to administrator by sending `isAdmin=… CWE-862
Missing Authorization
CVE-2026-40349 2026-04-18 09:16 2026-04-18 View GitHub Exploit DB Packet Storm
308 5.3 MEDIUM
Network
- - Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.26 have a denial of service vulnerability when parsing crafted `multipart/form-data` requests with large preamble or… CWE-400
CWE-834
Uncontrolled Resource Consumption
Excessive Iteration
CVE-2026-40347 2026-04-18 09:16 2026-04-18 View GitHub Exploit DB Packet Storm
309 - -
- - NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.37, NocoBase's workflow HTTP request plugin and custom request ac… CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-40346 2026-04-18 09:16 2026-04-18 View GitHub Exploit DB Packet Storm
310 3.5 LOW
Physical
- - libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, an out of bound read in ptp_unpack_EOS_FocusInfoEx could be used to crash libgphoto2 when processing input f… CWE-126
Buffer Over-read
CVE-2026-40341 2026-04-18 09:16 2026-04-18 View GitHub Exploit DB Packet Storm
311 6.1 MEDIUM
Physical
- - libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read vulnerability in `ptp_unpack_OI()` in `camlibs/ptp2/ptp-pack.c` (lines 530–563). The … CWE-125
Out-of-bounds Read
CVE-2026-40340 2026-04-18 09:16 2026-04-18 View GitHub Exploit DB Packet Storm
312 5.2 MEDIUM
Physical
- - libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read in `ptp_unpack_Sony_DPD()` in `camlibs/ptp2/ptp-pack.c` (line 842). The function read… CWE-125
Out-of-bounds Read
CVE-2026-40339 2026-04-18 09:16 2026-04-18 View GitHub Exploit DB Packet Storm
313 5.2 MEDIUM
Physical
- - libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read in the PTP_DPFF_Enumeration case of `ptp_unpack_Sony_DPD()` in `camlibs/ptp2/ptp-pack… CWE-125
Out-of-bounds Read
CVE-2026-40338 2026-04-18 09:16 2026-04-18 View GitHub Exploit DB Packet Storm
314 5.1 MEDIUM
Local
- - The Sentry kernel is a high security level micro-kernel implementation made for high security embedded systems. A given task with one of the DEV or IO capability is able to interact with another task… CWE-283
Unverified Ownership
CVE-2026-40337 2026-04-18 09:16 2026-04-18 View GitHub Exploit DB Packet Storm
315 2.4 LOW
Physical
- - libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have a memory leak in `ptp_unpack_Sony_DPD()` in `camlibs/ptp2/ptp-pack.c` (lines 884–885). When processing a se… CWE-401
Missing Release of Memory after Effective Lifetime
CVE-2026-40336 2026-04-18 09:16 2026-04-18 View GitHub Exploit DB Packet Storm
316 5.2 MEDIUM
Physical
- - libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read in `ptp_unpack_DPV()` in `camlibs/ptp2/ptp-pack.c` (lines 622–629). The UINT128 and I… CWE-125
Out-of-bounds Read
CVE-2026-40335 2026-04-18 09:16 2026-04-18 View GitHub Exploit DB Packet Storm
317 3.5 LOW
Physical
- - libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, a missing null terminator exists in ptp_unpack_Canon_FE() in camlibs/ptp2/ptp-pack.c (line 1377). The functi… CWE-170
Improper Null Termination
CVE-2026-40334 2026-04-18 09:16 2026-04-18 View GitHub Exploit DB Packet Storm
318 6.1 MEDIUM
Physical
- - libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, two functions in camlibs/ptp2/ptp-pack.c accept a data pointer but no length parameter, performing unbounded… CWE-125
Out-of-bounds Read
CVE-2026-40333 2026-04-18 09:16 2026-04-18 View GitHub Exploit DB Packet Storm
319 9.1 CRITICAL
Network
- - Hot Chocolate is an open-source GraphQL server. Prior to versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14, Hot Chocolate's recursive descent parser `Utf8GraphQLParser` has no recursion depth limit. A c… CWE-674
Uncontrolled Recursion
CVE-2026-40324 2026-04-18 09:16 2026-04-18 View GitHub Exploit DB Packet Storm
320 - -
- - SP1 is a zero‑knowledge virtual machine that proves the correct execution of programs compiled for the RISC-V architecture. In versions 6.0.0 through 6.0.2, a soundness vulnerability in the SP1 V6 re… CWE-345
CWE-354
Insufficient Verification of Data Authenticity
Improper Validation of Integrity Check Value
CVE-2026-40323 2026-04-18 09:16 2026-04-18 View GitHub Exploit DB Packet Storm
321 7.5 HIGH
Network
- - The Easy Appointments plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.12.21 via the `/wp-json/wp/v2/eablocks/ea_appointments/` REST API en… CWE-200
Information Exposure
CVE-2026-2262 2026-04-18 09:16 2026-04-18 View GitHub Exploit DB Packet Storm
322 - -
- - Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. - CVE-2026-5250 2026-04-18 08:16 2026-04-18 View GitHub Exploit DB Packet Storm
323 4.3 MEDIUM
Network
- - Kimai is an open-source time tracking application. In versions 2.52.0 and below, the User Preferences API endpoint (PATCH /api/users/{id}/preferences) applies submitted preference values without chec… CWE-915
Improperly Controlled Modification of Dynamically-Determined Object Attributes
CVE-2026-40486 2026-04-18 08:16 2026-04-18 View GitHub Exploit DB Packet Storm
324 - -
- - monetr is a budgeting application for recurring expenses. In versions 1.12.3 and below, the public Stripe webhook endpoint buffers the entire request body into memory before validating the Stripe sig… CWE-400
Uncontrolled Resource Consumption
CVE-2026-40481 2026-04-18 08:16 2026-04-18 View GitHub Exploit DB Packet Storm
325 5.4 MEDIUM
Network
- - Kimai is an open-source time tracking application. In versions 1.16.3 through 2.52.0, the escapeForHtml() function in KimaiEscape.js does not escape double quote or single quote characters. When a us… CWE-79
Cross-site Scripting (XSS)
CVE-2026-40479 2026-04-18 08:16 2026-04-18 View GitHub Exploit DB Packet Storm
326 6.4 MEDIUM
Network
- - The Pz-LinkCard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blogcard' shortcode attributes in all versions up to, and including, 2.5.8.1 due to insufficient input sanit… CWE-79
Cross-site Scripting (XSS)
CVE-2026-2434 2026-04-18 08:16 2026-04-18 View GitHub Exploit DB Packet Storm
327 9.0 CRITICAL
Network
- - Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanism… CWE-917
CWE-1336
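Improper Neutralization of Special Elements used in an Expression Language Statement (Expression Language Injection)
Improper Neutralization of Special Elements Used in a Template Engine
CVE-2026-40478 2026-04-18 07:16 2026-04-18 View GitHub Exploit DB Packet Storm
328 9.0 CRITICAL
Network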
- - Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. A… CWE-917
CWE-1336
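Improper Neutralization of Special Elements used in an Expression Language Statement (Expression Language Injection)
Improper Neutralization of Special Elements Used in a Template Engine
CVE-2026-40477 2026-04-18 07:16 2026-04-18 View GitHub Exploit DB Packet Storm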
329 - -
- - graphql-go is a Go implementation of GraphQL. In versions 15.31.4 and below, the OverlappingFieldsCanBeMerged validation rule performs O(n²) pairwise comparisons of fields sharing the same response n… CWE-407
Inefficient Algorithmic Complexity
CVE-2026-40476 2026-04-18 07:16 2026-04-18 View GitHub Exploit DB Packet Storm
330 7.6 HIGH
Network
- - wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the GymConfigUpdateView declares permission_required = 'config.change_gymconfig' but inherits WgerFormMixin instead… CWE-284
CWE-862
Improper Access Control
Missing Authorization
CVE-2026-40474 2026-04-18 07:16 2026-04-18 View GitHub Exploit DB Packet Storm
331 8.8 HIGH
Network
- - FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password change endpoint is vulnerable to NoSQL injection. An authenticated attacker can bypass the "old password" verific… CWE-943
Improper Neutralization of Special Elements in Data Query Logic
CVE-2026-40352 2026-04-18 07:16 2026-04-18 View GitHub Exploit DB Packet Storm
332 9.8 CRITICAL
Network
- - FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password-based login endpoint uses TypeScript type assertion without runtime validation, allowing an unauthenticated attac… CWE-943
Improper Neutralization of Special Elements in Data Query Logic
CVE-2026-40351 2026-04-18 07:16 2026-04-18 View GitHub Exploit DB Packet Storm
333 8.0 HIGH
Network
- - DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.2.2, a user could upload a specially crafted SVG file that could incl… CWE-87
Improper Neutralization of Alternate XSS Syntax
CVE-2026-40321 2026-04-18 07:16 2026-04-18 View GitHub Exploit DB Packet Storm
334 - -
- - DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. All new installations of DNN 10.x.x - 10.2.1 have the same Host GUID. This does not affec… CWE-330
Use of Insufficiently Random Values
CVE-2026-40306 2026-04-18 07:16 2026-04-18 View GitHub Exploit DB Packet Storm
335 4.3 MEDIUM
Network
- - DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 6.0.0 and prior to version 10.2.2, in the friends feature, a user cou… CWE-285
Improper Authorization
CVE-2026-40305 2026-04-18 07:16 2026-04-18 View GitHub Exploit DB Packet Storm
336 5.3 MEDIUM
Network
- - zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the unaccess handler (controller/unaccess.go) contains a logical error in its ownership guard: when a … CWE-284
CWE-863
Improper Access Control
Incorrect Authorization
CVE-2026-40304 2026-04-18 07:16 2026-04-18 View GitHub Exploit DB Packet Storm
337 9.1 CRITICAL
Network
- - The Gramps Web API is a Python REST API for the genealogical research software Gramps. Versions 1.6.0 through 3.11.0 have a path traversal vulnerability (Zip Slip) in the media archive import feature… CWE-22
Path Traversal
CVE-2026-40258 2026-04-18 07:16 2026-04-18 View GitHub Exploit DB Packet Storm
338 8.8 HIGH
Network
chamilo chamilo_lms Chamilo LMS is a learning management system. Prior to .0.0-RC.3, the PlatformConfigurationController::decodeSettingArray() method uses PHP's eval() to parse platform settings from the database. An at… CWE-95
Eval Injection
CVE-2026-33618 2026-04-18 07:03 2026-04-11 View GitHub Exploit DB Packet Storm
339 7.8 HIGH
Local
- - radare2 prior to commit bc5a890 contains a command injection vulnerability in the afsv/afsvj command path where crafted ELF binaries can embed malicious r2 command sequences as DWARF DW_TAG_formal_pa… CWE-78
OS Command Injection
CVE-2026-40527 2026-04-18 06:16 2026-04-18 View GitHub Exploit DB Packet Storm
340 7.5 HIGH
Network
- - zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, endpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, cou… CWE-400
CWE-789
Uncontrolled Resource Consumption
Memory Allocation with Excessive Size Value
CVE-2026-40303 2026-04-18 06:16 2026-04-18 View GitHub Exploit DB Packet Storm
341 6.1 MEDIUM
Network
- - zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the proxyUi template engine uses Go's text/template (which performs no HTML escaping) instead of html/… CWE-79
CWE-116
Cross-site Scripting (XSS)
Improper Encoding or Escaping of Output
CVE-2026-40302 2026-04-18 06:16 2026-04-18 View GitHub Exploit DB Packet Storm
342 4.7 MEDIUM
Network
- - DOMSanitizer is a DOM/SVG/MathML Sanitizer for PHP 7.3+. Prior to version 1.0.10, DOMSanitizer::sanitize() allows <style> elements in SVG content but never inspects their text content. CSS url() refe… CWE-79
Cross-site Scripting (XSS)
CVE-2026-40301 2026-04-18 06:16 2026-04-18 View GitHub Exploit DB Packet Storm
343 - -
- - next-intl provides internationalization for Next.js. Applications using the `next-intl` middleware prior to version 4.9.1 with `localePrefix: 'as-needed'` could construct URLs where path handling and … CWE-601
Open Redirect
CVE-2026-40299 2026-04-18 06:16 2026-04-18 View GitHub Exploit DB Packet Storm
344 6.5 MEDIUM
Network
- - OpenFGA is an authorization/permission engine built for developers. In versions 0.1.4 through 1.13.1, when OpenFGA is configured to use preshared-key authentication with the built-in playground enabl… CWE-200
Information Exposure
CVE-2026-40293 2026-04-18 06:16 2026-04-18 View GitHub Exploit DB Packet Storm
345 7.5 HIGH
Network
- - WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the 'Member Registration' (Cadastrar Sócio) functi… CWE-79
Cross-site Scripting (XSS)
CVE-2026-40286 2026-04-18 06:16 2026-04-18 View GitHub Exploit DB Packet Storm
346 6.8 MEDIUM
Network
- - WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript via the … CWE-79
Cross-site Scripting (XSS)
CVE-2026-40284 2026-04-18 06:16 2026-04-18 View GitHub Exploit DB Packet Storm
347 - -
- - WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript into the… CWE-79
Cross-site Scripting (XSS)
CVE-2026-40282 2026-04-18 06:16 2026-04-18 View GitHub Exploit DB Packet Storm
348 8.1 HIGH
Network
- - HomeBox is a home inventory and organization system. Versions prior to 0.25.0 contain a vulnerability where the defaultGroup ID remained permanently assigned to a user after being invited to a group,… CWE-708
Incorrect Ownership Assignment
CVE-2026-40196 2026-04-18 06:16 2026-04-18 View GitHub Exploit DB Packet Storm
349 5.4 MEDIUM
Network
- - The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In versions 4.12.0 through 4.17.1, simultaneous requests that trigger a nonce retry may cause the prox… CWE-362
CWE-863
Race Condition
Incorrect Authorization
CVE-2026-40155 2026-04-18 06:16 2026-04-18 View GitHub Exploit DB Packet Storm
350 - -
- - Claude Code is an agentic coding tool. In versions prior to 2.1.75 on Windows, Claude Code loaded the system-wide default configuration from C:\ProgramData\ClaudeCode\managed-settings.json without va… CWE-426
Untrusted Search Path
CVE-2026-35603 2026-04-18 06:16 2026-04-18 View GitHub Exploit DB Packet Storm