5625 matches found
JVN#84125369 Blogn vulnerable to cross-site request forgery
Blogn from R-ONE Computer is software for creating blogs. Blogn contains a cross-site request forgery vulnerability. Impact Contents created by Blogn may be editted or modified if the logged in user views a malicious web page. Solution Update the Software Apply the latest update provided by the...
JVN#05088443 CGI RESCUE WebFORM vulnerable to HTTP header injection
Impact Falsified information may be displayed or an arbitrary script may be executed on the user's web browser. Solution Products Affected WebFORM 4.3 and earlier According to the vendor's website, "Web Mailer" released from CGI RESCUE also contains a similar vulnerability...
WordPress plugin "Welcart e-Commerce" vulnerable to untrusted data deserialization
Overview WordPress plugin "Welcart e-Commerce" provided by Welcart Inc. contains an untrusted data deserialization vulnerability CWE-502. Hiroshi Sawada of CrowdStrike Holdings, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early...
JVN#12824024: BUFFALO wireless LAN routers and wireless LAN repeaters vulnerable to OS command injection
Wireless LAN routers and wireless LAN repeaters provided by BUFFALO INC. contain an OS command injection vulnerability CWE-78. Impact If a user logs in to the management page and sends a specially crafted request to the affected product from the product's specific management page, an arbitrary OS...
JVN#61054671: Phormer vulnerable to cross-site scripting
Phormer contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user. Solution Update the Software Update the software to the latest version according to the information provided by the developer. Phormer version 3.35 was released...
JVN#35897618: GBrowse vulnerable to unrestricted upload of files with dangerous types
GBrowse provided by Generic Model Organism Database Project is a web-based genome browser. GBrowse allows the users to upload their own data in several file formats see "GBrowse User Uploads". The affected versions of GBrowse accept files with any formats uploaded CWE-434, and place them in the...
JVN#79149117: Multiple vulnerabilities in JustSystems products
Multiple products provided by JustSystems Corporation contain multiple vulnerabilities listed below. Use After Free CWE-416 - CVE-2022-43664 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H| Base Score: 7.8 CVSS v2| AV:N/AC:M/Au:N/C:P/I:P/A:P| Base Score:...
JVN#78862034: BookStack vulnerable to cross-site scripting
BookStack contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who is accessing the site using the API of the product. Solution Update the Software Update the software to the latest version according to the information...
JVN#29428319: WordPress Plugin "OG Tags" vulnerable to cross-site request forgery
WordPress Plugin "OG Tags" provided by Mário Valney contains a cross-site request forgery vulnerability CWE-352. Impact If a user with an administrative privilege views a malicious page while logged in, unintended operations may be performed. Solution Update the plugin Update the plugin according...
The installer of Digital Paper App may insecurely load Dynamic Link Libraries
Overview Digital Paper App provided by Sony Corporation is document management software exclusively for Sony Digital Paper. The installer of Digital Paper App contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Yuji Tounai of NTT...
JVN#78482127: EC-CUBE plugin "Social-button Plugin Premium" and "Social-button Plugin" vulnerable to cross-site scripting
EC-CUBE plugin "Social-button Plugin Premium" and "Social-button Plugin" provided by Cyber-Will Inc. contain a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest version according to th...
JVN#55801246: baserCMS plugin "Casebook Plugin" multiple vulnerabilities
baserCMS plugin "Casebook Plugin" contains multiple vulnerabilities: Cross-site scripting CWE-79 - CVE-2016-1169 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N| Base Score: 6.1 CVSS v2| AV:N/AC:L/Au:S/C:N/I:P/A:N| Base Score: 4.0 Cross-site request forger...
JVN#02671769: phpRechnung vulnerable to SQL injection
phpRechnung is a web-based accounting software. list.php of phpRechnung contains an SQL injection CWE-89 vulnerability. Impact An authenticated attacker may obtain or alter information stored in the database. Solution Update the Software Update to the latest version according to the information...
JVN#75720314: Tiki Wiki CMS Groupware vulnerable to SQL injection
Tiki Wiki CMS Groupware Tiki is a content management system CMS. Tiki contains a SQL injection vulnerability. Impact An arbitrary SQL command may be executed in the database the product is referencing. Solution Apply an Update Apply the appropriate update for the version of the software being use...
JVN#69589791: Boat Browser / Boat Browser Mini vulnerable in the WebView class
Boat Browser and Boat Browser Mini are web browsers for Android devices. Boat Browser and Boat Browser Mini contain a vulnerability in the WebView class. Impact If a user of the affected product uses other malicious Android application, information managed by the affected product may be disclosed...
JVN#16901583: ChaSen vulnerable to buffer overflow
ChaSen provided by Nara Institute of Science and Technology is a software for morphologically analyzing Japanese. ChaSen contains an issue when reading in strings, which may lead to a buffer overflow. ChaSen legacy project has inherited development of ChaSen since 11/8/2011. Impact An arbitrary...
JVN#92854093 Movable Type vulnerable to cross-site scripting
Movable Type, a web log system from Six Apart KK, contains a cross-site scripting vulnerability. This vulnerability is different than the previous vulnerabilities disclosed on JVN. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the...
JVN#91591874 PEAK XOOPS piCal cross-site scripting vulnerability
piCal from PEAK XOOPS is a calendar module with a scheduler for XOOPS. piCal contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest version according to the information provided by the...
JVN#67060882 sISAPILocation vulnerability bypasses HTTP header rewrite function
sISAPILocation, developed by an individual developer, is an ISAPI filter for IIS Internet Information Services. sISAPILocation contains a vulnerability that allows the HTTP header rewrite function to be bypassed. Impact When sISAPILocation is used to configure settings, such as to specify charact...
JVN#62399483 Overlay Weaver cross-site scripting vulnerability
Impact An arbitrary script may be executed on the user's web browser. Solution Products Affected Overlay Weaver 0.5.9 - 0.5.11 For more information, refer to the vendor's website...
JVN#64227086 NewsGlue and Ikinari Jijyoutsuu arbitrary script execution vulnerability
Impact An arbitrary script could be executed in NewsGlue or Ikinari Jijyoutsuu. Arbitrary files on client PCs could be accessed by an attacker. Solution Products Affected NewsGlue 1.3.3 and earlier Ikinari Jijyoutsuu version 1.0.0 and 1.0.1...
JVN#32985115 Movable Type cross-site scripting vulnerability
Impact An arbitrary script could be executed on the user's web browser or the display of a web page could be falsified. In addition, an attacker may be able to access a user's cookie allowing them to view sensitive information or hijack an authenticated user's session. Solution Products Affected...
JVN#60776919 tDiary cross-site request forgery vulnerability
Impact If a user loads a malicious web page, an attacker could alter or delete the diary text or alter tDiary configurations. In addition, a remote attacker could execute an arbitrary script or command on the web server running tDiary with privileges of the tDiary user. Solution Products Affected...
Multiple vulnerabilities in ELECOM wireless LAN routers and access points (May 2026)
Overview Multiple wireless LAN routers and access points provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below. Use of Hard-coded Cryptographic Key in creating backup of configuration files CWE-321 - CVE-2026-25107 OS command injection in processing of pingipaddr parameter...
Multiple vulnerabilities in Trend Micro Endpoint security products for enterprises (February 2026)
Overview Trend Micro Incorporated has released security updates for Endpoint security products for enterprises. Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of its solution through JVN. Impact Remote code execution due to a directory traversal vulnerability...
JVN#65724976: WordPress Plugin "Forminator" vulnerable to cross-site scripting
WordPress Plugin "Forminator" provided by WPMU DEV assists building web forms. When accessing the page including the web form created with Forminator, some information from the URL may be embedded to the web form. This feature processes the embedded information improperly, leading to cross-site...
JVN#56648919: "Rakuten Ichiba App" fails to restrict custom URL schemes properly
"Rakuten Ichiba App" provided by Rakuten Group, Inc. provides the function to access a requested URL using Custom URL Scheme. The App does not restrict access to the function properly CWE-939 which may be exploited to direct the App to access any sites. Impact A remote attacker may lead a user to...
JVN#74825766: Cybozu Garoon vulnerable to cross-site scripting
Cybozu Garoon provided by Cybozu, Inc. contains a cross-site scripting vulnerability in PDF preview CWE-79. Impact An arbitrary script may be executed on a logged-in user's web browser. Solution Update the Software Update the software to the latest version according to the information provided by...
JVN#29471697: Android App "TP-Link Tether" and "TP-Link Tapo" vulnerable to improper server certificate verification
Android App "TP-Link Tether" and "TP-Link Tapo" provided by TP-LINK GLOBAL INC. are vulnerable to improper server certificate verification CWE-295. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the application Update the...
SonicDICOM Media Viewer may insecurely load Dynamic Link Libraries
Overview SonicDICOM Media Viewer provided by Fujidenolo Solutions Co., Ltd. contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Taihei Shimamine of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to the developer and...
JVN#69107517: TvRock vulnerable to cross-site scripting
TvRock provided by TvRock according to the original report submitted by the reporter is a tool to set a timer recording for a TV program. TvRock contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user accessing the website th...
JVN#41129639: Payment EX vulnerable to information disclosure
Payment EX provided by Simplesite contains an information disclosure vulnerability CWE-200. Impact A remote unauthenticated attacker may obtain the information of the user who purchases merchandise using Payment EX. Solution Update the Software Update the software to the latest version according ...
JVN#53880182: TVer App for Android fails to verify SSL server certificates
TVer App for Android provided by PRESENTCAST INC. fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Application Update to the latest version according to the information provided by the...
JVN#20355129: niconico App for iOS fails to verify SSL server certificates
niconico App for iOS provided by DWANGO Co., Ltd. fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Software Update to the latest version according to the information provided by the...
JVN#74829345: Multiple Android devices vulnerable to denial-of-service (DoS)
Multiple Android devices contain an issue when referencing specific system area, which may lead to a denial-of-service DoS. Impact The device may crash as a result of accessing a specific file. Solution Update the software Update to the latest version according to the information provided by the...
JVN#36673836: Movable Type vulnerable to cross-site scripting
Movable Type, a web log system from Six Apart KK, contains a cross-site scripting vulnerability. This vulnerability is different than the previous vulnerabilities disclosed on JVN. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the...
JVN#31723154 LacoodaST from SpaceTag, Inc. session fixation vulnerability
LacoodaST from SpaceTag, Inc. is groupware providing schedule and task managements, etc. LacoodaST contains a session fixation vulnerability. Impact A remote attacker impersonating a logged in user could manipulate the operation with the user's privilege. As a result, disclosure or alteration of...
JVN#72065744 K's CGI Access Log Kaiseki (Jcode.pm) vulnerable to cross-site scripting
K's CGI Access Log Kaiseki is a program to analyze access to a web page. analysis.cgi included in Access Log Kaiseki Jcode.pm contains a cross-site scripting vulnerability. Impact An arbitrary script could be executed on the user's web browser. Solution Update the Software Apply the latest update...
JVN#89292430 Cross-site scripting in Sun Java System Web Server and Sun Java System Web Proxy Server
Sun Java System Web Server and Sun Java System Web Proxy Server, which are both web servers, provide a function for a user to view access logs and other records in a web browser. This function is vulnerable to cross-site scripting. Impact An arbitrary script can be executed on the user's web...
JVN#99453765 Cross-site scripting vulnerability in updir.php in UPDIR.NET
updir.php from UPDIR.NET is software for publishing and managing image files, etc. on web servers. By installing updir.php on a web server, users are able to upload image files, etc. on the web server and publish and manage the uploaded files. updir.php contains a cross-site scripting vulnerabili...
JVN#50495547 Ichitaro series buffer overflow vulnerability
The "Ichitaro" series word processing software, from JustSystems Corporation, contains a buffer overflow vulnerability. If a user opens a specially crafted jtd file or views it on a web browser, an attacker could execute arbitrary code with the privileges of the user. Impact An attacker could...
JVN#90438169 RaidenHTTPD cross-site scripting vulnerability
RaidenHTTPD is a multipurpose web server for Windows provided by TEAM JOHNLONG. RaidenHTTPD contains a cross-site scripting vulnerability. Impact Arbitrary code could be executed on the user's web browser. Solution Update the Software Apply the update provided by the vendor. For more information,...
JVN#47272891 Hanako buffer overflow vulnerability
Impact An arbitrary code could be executed on the PCs of Hanako user, if the user opens a specially crafted Hanako file sent by a remote attacker. Solution Products Affected Hanako 2004 Hanako 2005 Hanako 2006 Hanako Viewer 1.0 For more information, refer to the vendor's website...
JVN#63999575 NEC MultiWriter 1700C web server authentication bypass vulnerability
Impact A remote attacker could change the system configuration of the printer's built-in web server. Solution Products Affected NEC MultiWriter 1700C model number: PR-L1700C Network Expansion Card PR-L1700C-MC For more information, refer to the vendor's website...
JVN#35274905 FreeStyleWiki cross-site scripting vulnerability
Impact An rbitrary script may be executed on the user's web browser. In addition, if session information from a cookie is leaked, an attacker could possibly conduct session hijacking. Solution Products Affected FreeStyleWiki 3.5.10 and earlier...
JVN#15243167 Problem with referer header handling on mobile phone web browsers
Impact Referer information may be unintendedly sent to a server under certain operating conditions. Solution Products Affected For more information, refer to the vendors' websites...
JVN#29273468 QRcode Perl CGI & PHP script vulnerable to denial of service attack
Impact A remote attacker may cause a denial of service DoS attack. Solution Products Affected QRcode Perl/CGI & PHP script ver. 0.50f and earlier including both Perl versions and PHP versions...
Security information for Hitachi Disk Array Systems
Overview CVE-2026-23667 | Broadcast DVR Elevation of Privilege Vulnerability CVE-2026-23668 | Windows Graphics Component Elevation of Privilege Vulnerability CVE-2026-23669 | Windows Print Spooler Remote Code Execution Vulnerability CVE-2026-23671 | Windows Bluetooth RFCOM Protocol Driver Elevati...
GROWI vulnerable to path traversal
Overview GROWI provided by GROWI, Inc. contains the following vulnerability. Path traversal CWE-22 - CVE-2026-41951 GROWI, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and GROWI, Inc. coordinated under the Information Security Early Warning...
Multiple vulnerabilities in multiple Keyence products
Overview Multiple products provided by KEYENCE CORPORATION contain multiple vulnerabilities listed below. Stack-based buffer overflow CWE-121 - CVE-2025-58775, CVE-2025-58776 Access of uninitialized pointer CWE-824 - CVE-2025-58777 Buffer underflow CWE-124 - CVE-2025-61690 Out-of-bounds read...