NVD Vulnerability Information: Top

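You can search the list of vulnerabilities managed in the NVD (National Vulnerability Database).
Because vulnerability information is often updated in the NVD before JVN (Japan Vulnerability Notes), the list may include updates for vulnerabilities that JVN does not yet cover.

When a vulnerability has related information in JVN (Japan Vulnerability Notes), that information is shown on the detail screen.

To search by CWE, refer to the CWE overview and confirm the CWE number.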


Updated: April 22, 2026, 4:00

No. CVSS Level
Attack vector
Vendor Product Title CWE CVE Updated Published Impact Exploit/PoC search
351 - -
- - xrdp is an open source RDP server. Versions through 0.10.5 have a heap-based buffer overflow in the EGFX (graphics dynamic virtual channel) implementation due to insufficient validation of client-con… CWE-122
Heap overflow
CVE-2026-35512 2026-04-18 06:16 2026-04-18 Show GitHub Exploit DB Packet Storm
352 - -
- - mcp-neo4j-cypher is an MCP server for executing Cypher queries against Neo4j databases. In versions prior to 0.6.0, the read_only mode enforcement can be bypassed using APOC CALL procedures, potentia… CWE-284
Improper access control
CVE-2026-35402 2026-04-18 06:16 2026-04-18 Show GitHub Exploit DB Packet Storm
353 - -
- - xrdp is an open source RDP server. Versions through 0.10.5 have an out-of-bounds read vulnerability in the pre-authentication RDP message parsing logic. A remote, unauthenticated attacker can trigger… CWE-125
Out-of-bounds read
CVE-2026-33689 2026-04-18 06:16 2026-04-18 Show GitHub Exploit DB Packet Storm
354 6.3 MEDIUM
Network
- - xrdp is an open source RDP server. Versions through 0.10.5 allow an authenticated remote user to execute arbitrary commands on the server due to unsafe handling of the AlternateShell parameter in xrd… CWE-78
OS command injection
CVE-2026-33145 2026-04-18 06:16 2026-04-18 Show GitHub Exploit DB Packet Storm
355 - -
- - Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions prior to 23.0.0, the ODT to PDF conversion process in odf.php concatenates … CWE-78
OS command injection
CVE-2026-23500 2026-04-18 06:16 2026-04-18 Show GitHub Exploit DB Packet Storm
356 7.5 HIGH
Network
- - Anviz CX2 Lite and CX7 are vulnerable to unauthenticated POST requests that modify debug settings (e.g., enabling SSH), allowing unauthorized state changes that can facilitate later compromise. CWE-306
Missing authentication for critical function (explanation)
CVE-2026-40461 2026-04-18 05:16 2026-04-18 Show GitHub Exploit DB Packet Storm
357 8.1 HIGH
Adjacent
- - Anviz CrossChex Standard lacks source verification in the client/server channel, enabling TCP packet injection by an attacker on the same network to alter or disrupt application traffic. CWE-940
Improper verification of the source of a communication channel
CVE-2026-40434 2026-04-18 05:16 2026-04-18 Show GitHub Exploit DB Packet Storm
358 9.9 CRITICAL
Network
- - Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the external engine plugin loader concatenates a user-supplied engine name into a files… CWE-22
CWE-73
CWE-94
CWE-427
Path traversal
External control of file name or path
Code injection
Uncontrolled search path element
CVE-2026-40342 2026-04-18 05:16 2026-04-18 Show GitHub Exploit DB Packet Storm
359 6.8 MEDIUM
Network
- - WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript via the … CWE-79
Cross-site scripting (XSS)
CVE-2026-40283 2026-04-18 05:16 2026-04-18 Show GitHub Exploit DB Packet Storm
360 8.8 HIGH
Network
- - Anviz CX2 Lite and CX7 are vulnerable to unverified update packages that can be uploaded. The device unpacks and executes a script resulting in unauthenticated remote code execution. CWE-494
Insufficient integrity verification of downloaded code
CVE-2026-40066 2026-04-18 05:16 2026-04-18 Show GitHub Exploit DB Packet Storm
361 8.8 HIGH
Network
- - Anviz CX2 Lite is vulnerable to an authenticated command injection via a filename parameter that enables arbitrary command execution (e.g., starting telnetd), resulting in root‑level access. CWE-77
Command injection
CVE-2026-35682 2026-04-18 05:16 2026-04-18 Show GitHub Exploit DB Packet Storm
362 9.8 CRITICAL
Network
- - Anviz CX2 Lite and CX7 are vulnerable to unauthenticated firmware uploads. This causes crafted archives to be accepted, enabling attackers to plant and execute code and obtain a reverse shell. CWE-306
Missing authentication for critical function (explanation)
CVE-2026-35546 2026-04-18 05:16 2026-04-18 Show GitHub Exploit DB Packet Storm
363 7.5 HIGH
Network
- - Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the sdl_desc() function does not validate the length of a decoded SDL descriptor from a… CWE-369
Divide by zero
CVE-2026-35215 2026-04-18 05:16 2026-04-18 Show GitHub Exploit DB Packet Storm
364 5.3 MEDIUM
Network
- - Anviz CX7 Firmware is vulnerable to the most recently captured test photo that can be retrieved without authentication, revealing sensitive operational imagery. CWE-862
Missing authentication
CVE-2026-35061 2026-04-18 05:16 2026-04-18 Show GitHub Exploit DB Packet Storm
365 7.5 HIGH
Network
- - Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the xdr_status_vector() function does not handle the isc_arg_cstring type when decoding… CWE-228
Improper handling of syntactically invalid structure
CVE-2026-34232 2026-04-18 05:16 2026-04-18 Show GitHub Exploit DB Packet Storm
366 6.5 MEDIUM
Network
- - Anviz CX2 Lite and CX7 administrative sessions occur over HTTP, enabling on‑path attackers to sniff credentials and session data, which can be used to compromise the device. CWE-319
Cleartext transmission of sensitive information
CVE-2026-33569 2026-04-18 05:16 2026-04-18 Show GitHub Exploit DB Packet Storm
367 - -
- - xrdp is an open source RDP server. Versions through 0.10.5 contain an out-of-bounds read vulnerability during the RDP capability exchange phase. The issue occurs when memory is accessed before valida… CWE-125
Out-of-bounds read
CVE-2026-33516 2026-04-18 05:16 2026-04-18 Show GitHub Exploit DB Packet Storm
368 5.3 MEDIUM
Network
- - Anviz CX7 Firmware is vulnerable to an unauthenticated POST to the device that captures a photo with the front facing camera, exposing visual information about the deployment environment. CWE-862
Missing authentication
CVE-2026-33093 2026-04-18 05:16 2026-04-18 Show GitHub Exploit DB Packet Storm
369 7.5 HIGH
Network
- - Anviz CrossChex Standard is vulnerable when an attacker manipulates the TDS7 PreLogin to disable encryption, causing database credentials to be sent in plaintext and enabling unauthorized database … CWE-757
Algorithm downgrade
CVE-2026-32650 2026-04-18 05:16 2026-04-18 Show GitHub Exploit DB Packet Storm
370 5.3 MEDIUM
Network
- - Anviz CX2 Lite and CX7 are vulnerable to unauthenticated access that discloses debug configuration details (e.g., SSH/RTTY status), assisting attackers in reconnaissance against the device. CWE-862
Missing authentication
CVE-2026-32648 2026-04-18 05:16 2026-04-18 Show GitHub Exploit DB Packet Storm
371 - -
- - xrdp is an open source RDP server. Versions through 0.10.5 contain a heap-based buffer overflow vulnerability in its logon processing. In environments where domain_user_separator is configured in xrd… CWE-122
Heap overflow
CVE-2026-32624 2026-04-18 05:16 2026-04-18 Show GitHub Exploit DB Packet Storm
372 - -
- - xrdp is an open source RDP server. Versions through 0.10.5 contain a heap-based buffer overflow vulnerability in the NeutrinoRDP module. When proxying RDP sessions from xrdp to another server, the mo… CWE-122
Heap overflow
CVE-2026-32623 2026-04-18 05:16 2026-04-18 Show GitHub Exploit DB Packet Storm
373 7.7 HIGH
Local
- - Anviz CX7 Firmware is vulnerable because the application embeds reusable certificate/key material, enabling decryption of MQTT traffic and potential interaction with device messaging channels at s… CWE-321
Use of hard-coded cryptographic key
CVE-2026-32324 2026-04-18 05:16 2026-04-18 Show GitHub Exploit DB Packet Storm
374 8.8 HIGH
Local
- - xrdp is an open source RDP server. In versions through 0.10.5, the session execution component did not properly handle an error during the privilege drop process. This improper privilege management c… CWE-273
Improper check for dropped privileges
CVE-2026-32107 2026-04-18 05:16 2026-04-18 Show GitHub Exploit DB Packet Storm
375 - -
- - xrdp is an open source RDP server. In versions through 0.10.5, xrdp does not implement verification for the Message Authentication Code (MAC) signature of encrypted RDP packets when using the "Classi… CWE-354
Insufficient verification of data integrity
CVE-2026-32105 2026-04-18 05:16 2026-04-18 Show GitHub Exploit DB Packet Storm
376 4.9 MEDIUM
Network
- - Anviz CX7 Firmware is vulnerable to an authenticated CSV upload which allows path traversal to overwrite arbitrary files (e.g., /etc/shadow), enabling unauthorized SSH access when combined with deb… CWE-23
Relative path traversal
CVE-2026-31927 2026-04-18 05:16 2026-04-18 Show GitHub Exploit DB Packet Storm
377 8.2 HIGH
Network
- - Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when the server receives an op_crypt_key_callback packet without prior authentication, … CWE-476
NULL pointer dereference
CVE-2026-28224 2026-04-18 05:16 2026-04-18 Show GitHub Exploit DB Packet Storm
378 5.1 MEDIUM
Local
huawei harmonyos Out-of-bounds write vulnerability in the WEB module. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality. CWE-120
Classic buffer overflow
CVE-2026-34866 2026-04-18 04:26 2026-04-13 Show GitHub Exploit DB Packet Storm
379 9.1 CRITICAL
Network
huawei harmonyos Out-of-bounds write vulnerability in the WEB module. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality. CWE-122
Heap overflow
CVE-2026-34865 2026-04-18 04:25 2026-04-13 Show GitHub Exploit DB Packet Storm
380 5.7 MEDIUM
Local
huawei harmonyos
emui
Out-of-bounds write vulnerability in the kernel module. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality. CWE-20
Improper input validation
CVE-2026-34855 2026-04-18 04:25 2026-04-13 Show GitHub Exploit DB Packet Storm
381 5.6 MEDIUM
Local
huawei harmonyos Double free vulnerability in the multi-mode input system. Impact: Successful exploitation of this vulnerability may affect availability. CWE-415
Double free
CVE-2026-34867 2026-04-18 04:24 2026-04-13 Show GitHub Exploit DB Packet Storm
382 3.5 LOW
Network
heatmiser wifi_thermostat Heatmiser Wifi Thermostat 1.7 contains a cross-site request forgery vulnerability that allows attackers to change administrator credentials by tricking authenticated users into submitting malicious r… CWE-352
Same-origin policy violation
CVE-2019-25708 2026-04-18 04:17 2026-04-12 Show GitHub Exploit DB Packet Storm
383 7.1 HIGH
Network
ebrigade ebrigade eBrigade ERP 4.5 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can sen… CWE-89
SQL injection
CVE-2019-25707 2026-04-18 04:17 2026-04-12 Show GitHub Exploit DB Packet Storm
384 7.8 HIGH
Local
interference-security echo_mirage Echo Mirage 3.1 contains a stack buffer overflow vulnerability that allows local attackers to crash the application or execute arbitrary code by supplying an oversized string in the Rules action fiel… CWE-787
Out-of-bounds write
CVE-2019-25705 2026-04-18 04:16 2026-04-12 Show GitHub Exploit DB Packet Storm
385 6.5 MEDIUM
Network
- - Improper neutralization of argument delimiters in the volume handling component in AWS EFS CSI Driver (aws-efs-csi-driver) before v3.0.1 allows remote authenticated users with PersistentVolume creati… CWE-88
Argument injection or modification
CVE-2026-6437 2026-04-18 04:16 2026-04-18 Show GitHub Exploit DB Packet Storm
386 9.1 CRITICAL
Network
- - OpenViking prior to commit c7bb167 contains an authentication bypass vulnerability in the VikingBot OpenAPI HTTP route surface where the authentication check fails open when the api_key configuration… CWE-636
Insecure failure handling
CVE-2026-40525 2026-04-18 04:16 2026-04-18 Show GitHub Exploit DB Packet Storm
387 7.5 HIGH
Network
- - Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when deserializing a slice packet, the xdr_datum() function does not validate that a cs… CWE-120
CWE-502
Classic buffer overflow
Deserialization of untrusted data
CVE-2026-33337 2026-04-18 04:16 2026-04-18 Show GitHub Exploit DB Packet Storm
388 - -
- - Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the ClumpletReader::getClumpletSize() function can overflow the totalLength value when … CWE-190
CWE-835
Integer overflow or wraparound
Infinite loop
CVE-2026-28214 2026-04-18 04:16 2026-04-18 Show GitHub Exploit DB Packet Storm
389 7.5 HIGH
Network
- - Firebird is an open-source relational database management system. In versions prior to 6.0.0, 5.0.4, 4.0.7 and 3.0.14, when processing an op_slice network packet, the server passes an unprepared stru… CWE-476
NULL pointer dereference
CVE-2026-28212 2026-04-18 04:16 2026-04-18 Show GitHub Exploit DB Packet Storm
390 8.2 HIGH
Network
- - Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when processing CNCT_specific_data segments during authentication, the server assumes s… CWE-119
CWE-787
Buffer errors
Out-of-bounds write
CVE-2026-27890 2026-04-18 04:16 2026-04-18 Show GitHub Exploit DB Packet Storm
391 7.5 HIGH
Network
apache airflow Before Airflow 3.2.0, it was unclear that secure Airflow deployments require the Deployment Manager to take appropriate actions and pay attention to security details and security model of Airflow. So… CWE-532
Information exposure through log files
CVE-2025-66236 2026-04-18 03:41 2026-04-14 Show GitHub Exploit DB Packet Storm
392 8.8 HIGH
Network
apache airflow Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly tr… CWE-502
Deserialization of untrusted data
CVE-2026-33858 2026-04-18 03:40 2026-04-14 Show GitHub Exploit DB Packet Storm
393 9.1 CRITICAL
Network
apache apisix Header injection vulnerability in Apache APISIX. The attacker can take advantage of certain configuration in forward-auth plugin to inject malicious headers. This issue affects Apache APISIX: from 2… CWE-75
Improper sanitization of special elements
CVE-2026-31908 2026-04-18 03:40 2026-04-14 Show GitHub Exploit DB Packet Storm
394 7.5 HIGH
Network
apache apisix Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. This can occur due to `ssl_verify` in openid-connect plugin configuration being set to false by default. This issue af… CWE-319
Cleartext transmission of sensitive information
CVE-2026-31923 2026-04-18 03:39 2026-04-14 Show GitHub Exploit DB Packet Storm
395 5.3 MEDIUM
Network
apache apisix Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. tencent-cloud-cls log export uses plaintext HTTP. This issue affects Apache APISIX: from 2.99.0 through 3.15.0. Users … CWE-319
Cleartext transmission of sensitive information
CVE-2026-31924 2026-04-18 03:38 2026-04-14 Show GitHub Exploit DB Packet Storm
396 8.1 HIGH
Network
apache airflow The example example_xcom that was included in airflow documentation implemented unsafe pattern of reading value from xcom in the way that could be exploited to allow UI user who had access to modify … CWE-94
Code injection
CVE-2025-54550 2026-04-18 03:38 2026-04-15 Show GitHub Exploit DB Packet Storm
397 6.5 MEDIUM
Network
apache airflow The `access_key` and `connection_string` connection properties were not marked as sensitive names in secrets masker. This means that user with read permission could see the values in Connection UI, a… CWE-200
Information exposure
CVE-2026-25219 2026-04-18 03:37 2026-04-15 Show GitHub Exploit DB Packet Storm
398 10.0 CRITICAL
Network
praison praisonai PraisonAI is a multi-agent teams system. Prior to 4.5.128, the /api/v1/runs endpoint accepts an arbitrary webhook_url in the request body with no URL validation. When a submitted job completes (succe… CWE-918
Server-side request forgery
CVE-2026-40114 2026-04-18 03:36 2026-04-10 Show GitHub Exploit DB Packet Storm
399 7.5 HIGH
Network
praison praisonai PraisonAI is a multi-agent teams system. Prior to 4.5.128, the WSGI-based recipe registry server (server.py) reads the entire HTTP request body into memory based on the client-supplied Content-Length… CWE-770
Allocation of resources without limits or throttling
CVE-2026-40115 2026-04-18 03:34 2026-04-10 Show GitHub Exploit DB Packet Storm
400 7.5 HIGH
Network
praison praisonai PraisonAI is a multi-agent teams system. Prior to 4.5.128, the /media-stream WebSocket endpoint in PraisonAI's call module accepts connections from any client without authentication or Twilio signatu… CWE-770
Allocation of resources without limits or throttling
CVE-2026-40116 2026-04-18 03:33 2026-04-10 Show GitHub Exploit DB Packet Storm