5625 matches found
JVN#30900552: EC-CUBE plugin "Product Image Bulk Upload Plugin" vulnerable to insufficient verification in uploading files
EC-CUBE plugin "Product Image Bulk Upload Plugin", a plugin that enables to upload image files, provided by EC-CUBE CO.,LTD. contains an insufficient verification vulnerability when uploading files CWE-20. Exploiting this vulnerability allows a remote unauthenticated attacker to upload arbitrary...
JVN#87683137: Norton Security for Mac improperly processes ICMP packets
Norton Security for Mac provided by NortonLifeLock Inc. is antivirus software. Norton Security for Mac improperly processes ICMP packets, which may result in OS to crash CWE-20. Impact An unprivileged user may cause a denial-of-service DoS condition on the OS. Solution Update the Software Update...
The installer of Digital Paper App may insecurely load Dynamic Link Libraries
Overview Digital Paper App provided by Sony Corporation is document management software exclusively for Sony Digital Paper. The installer of Digital Paper App contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Yuji Tounai of NTT...
JVN#49408248: OneThird CMS vulnerable to cross-site scripting
OneThird CMS provided by SpiQe Software contains a cross-site scripting vulnerability CWE-79 due to an issue in processing the language selection screen. Impact An arbitrary script may be executed on the user's web browser. Solution For the users who have installed OneThird CMS already: Update th...
H2O use-after-free vulnerability
Overview H2O is an open source web server software. H2O contains a use-after-free vulnerability CWE-416 due to a flaw in the process of upgrading from HTTP/1 to HTTP/2. Kazuho Oku reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and Kazuho Oku coordinated...
JVN#88559134: SYNCK GRAPHICA Download Log CGI vulnerable to directory traversal
Download Log CGI provided by SYNCK GRAPHICA contains an issue in processing file names, which may result in a directory traversal vulnerability. Impact A remote attacker may obtain arbitrary files on the server. Solution Update the Software Update to the latest version according to the informatio...
JVN#27531188: Cakifo vulnerable to cross-site scripting
Cakifo is a theme for WordPress. Cakifo contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the theme Update to the latest version according to the information provided by the developer. Products Affected Cakifo 1.0 ...
JVN#22670349: AndExplorer vulnerable to directory traversal
AndExplorer provided by LYSESOFT contains an issue in processing file names, which may result in a directory traversal CWE-22 vulnerability. Impact A remote, unauthenticated attacker may create an arbitrary file or overwrite an existing file in a directory that the application has privileges to...
JVN#88313872: ZIP with Pass vulnerable to directory traversal
ZIP with Pass provided by aokitaka contains an issue in processing file names, which may result in a directory traversal CWE-22 vulnerability. Impact A remote, unauthenticated attacker may create an arbitrary file or overwrite an existing file in a directory that the application has privileges to...
JVN#52264310: MosP kintai kanri vulnerable to authentication bypass
MosP kintai kanri is an open source attendance management software. MosP kintai kanri contains an authentication bypass vulnerability. Impact An attacker with a MosP kintai kanri account may impersonate another user. As a result, information may be obtained and settings may be altered with the...
JVN#18397171: FeedDemon vulnerable to arbitrary script execution
FeedDemon is an RSS/Atom feed reader. FeedDemon is vulnerable to arbitrary script execution due to the improper processing during HTML page output based on feed information when using the "feed preview" option. Impact An arbitrary script embedded in an RSS/Atom feed may be executed on the user's...
JVN#38216398: osCommerce vulnerable to directory traversal
osCommerce is an open source system for creating shopping websites. osCommerce contains a directory traversal vulnerability. Impact A remote attacker may access arbitrary files on the server. Solution Update the software Update to the latest version according to the information provided by the...
JVN#92854093 Movable Type vulnerable to cross-site scripting
Movable Type, a web log system from Six Apart KK, contains a cross-site scripting vulnerability. This vulnerability is different than the previous vulnerabilities disclosed on JVN. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the...
JVN#38687002 Compiere vulnerable to cross-site scripting
Compiere provided by Almas Inc. is an Enterprise Resource Planning ERP and Customer Relationship Management CRM software. Compiere contains a cross-site scripting vulnerability. This vulnerability is different from JVN57963254. Impact An arbitrary script may be executed on the user's web browser...
JVN#74747784 XOOPS Cube Legacy cross-site scripting vulnerability
XOOPS Cube Legacy from XOOPS Cube Project is an open source contents management system. XOOPS Cube Legacy contains a cross-site scripting vulnerability. According to the developers, a XOOPS Cube Legacy distribution "Hodajuku distribution" and "additional modules" are not affected by this...
JVN#91591874 PEAK XOOPS piCal cross-site scripting vulnerability
piCal from PEAK XOOPS is a calendar module with a scheduler for XOOPS. piCal contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest version according to the information provided by the...
JVN#84125369 Blogn vulnerable to cross-site request forgery
Blogn from R-ONE Computer is software for creating blogs. Blogn contains a cross-site request forgery vulnerability. Impact Contents created by Blogn may be editted or modified if the logged in user views a malicious web page. Solution Update the Software Apply the latest update provided by the...
JVN#05088443 CGI RESCUE WebFORM vulnerable to HTTP header injection
Impact Falsified information may be displayed or an arbitrary script may be executed on the user's web browser. Solution Products Affected WebFORM 4.3 and earlier According to the vendor's website, "Web Mailer" released from CGI RESCUE also contains a similar vulnerability...
Multiple vulnerabilities in Trend Micro Endpoint security products for enterprises (February 2026)
Overview Trend Micro Incorporated has released security updates for Endpoint security products for enterprises. Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of its solution through JVN. Impact Remote code execution due to a directory traversal vulnerability...
Multiple vulnerabilities in multiple Keyence products
Overview Multiple products provided by KEYENCE CORPORATION contain multiple vulnerabilities listed below. Stack-based buffer overflow CWE-121 - CVE-2025-58775, CVE-2025-58776 Access of uninitialized pointer CWE-824 - CVE-2025-58777 Buffer underflow CWE-124 - CVE-2025-61690 Out-of-bounds read...
JVN#61054671: Phormer vulnerable to cross-site scripting
Phormer contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user. Solution Update the Software Update the software to the latest version according to the information provided by the developer. Phormer version 3.35 was released...
SonicDICOM Media Viewer may insecurely load Dynamic Link Libraries
Overview SonicDICOM Media Viewer provided by Fujidenolo Solutions Co., Ltd. contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Taihei Shimamine of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to the developer and...
JVN#35897618: GBrowse vulnerable to unrestricted upload of files with dangerous types
GBrowse provided by Generic Model Organism Database Project is a web-based genome browser. GBrowse allows the users to upload their own data in several file formats see "GBrowse User Uploads". The affected versions of GBrowse accept files with any formats uploaded CWE-434, and place them in the...
JVN#78862034: BookStack vulnerable to cross-site scripting
BookStack contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who is accessing the site using the API of the product. Solution Update the Software Update the software to the latest version according to the information...
JVN#29428319: WordPress Plugin "OG Tags" vulnerable to cross-site request forgery
WordPress Plugin "OG Tags" provided by Mário Valney contains a cross-site request forgery vulnerability CWE-352. Impact If a user with an administrative privilege views a malicious page while logged in, unintended operations may be performed. Solution Update the plugin Update the plugin according...
Multiple vulnerabilities in I-O DATA WN-AX1167GR
Overview WN-AX1167GR provided by I-O DATA DEVICE, INC. is a wireless LAN router. WN-AX1167GR contains multiple vulnerabilities listed below. Hard-coded credentials CWE-798 - CVE-2017-2280 OS command injection CWE-78 - CVE-2017-2281 Buffer overflow CWE-119 - CVE-2017-2282 Taizoh Tsukamoto of Mitsu...
JVN#78482127: EC-CUBE plugin "Social-button Plugin Premium" and "Social-button Plugin" vulnerable to cross-site scripting
EC-CUBE plugin "Social-button Plugin Premium" and "Social-button Plugin" provided by Cyber-Will Inc. contain a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest version according to th...
JVN#55801246: baserCMS plugin "Casebook Plugin" multiple vulnerabilities
baserCMS plugin "Casebook Plugin" contains multiple vulnerabilities: Cross-site scripting CWE-79 - CVE-2016-1169 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N| Base Score: 6.1 CVSS v2| AV:N/AC:L/Au:S/C:N/I:P/A:N| Base Score: 4.0 Cross-site request forger...
JVN#02671769: phpRechnung vulnerable to SQL injection
phpRechnung is a web-based accounting software. list.php of phpRechnung contains an SQL injection CWE-89 vulnerability. Impact An authenticated attacker may obtain or alter information stored in the database. Solution Update the Software Update to the latest version according to the information...
JVN#75720314: Tiki Wiki CMS Groupware vulnerable to SQL injection
Tiki Wiki CMS Groupware Tiki is a content management system CMS. Tiki contains a SQL injection vulnerability. Impact An arbitrary SQL command may be executed in the database the product is referencing. Solution Apply an Update Apply the appropriate update for the version of the software being use...
JVN#69589791: Boat Browser / Boat Browser Mini vulnerable in the WebView class
Boat Browser and Boat Browser Mini are web browsers for Android devices. Boat Browser and Boat Browser Mini contain a vulnerability in the WebView class. Impact If a user of the affected product uses other malicious Android application, information managed by the affected product may be disclosed...
JVN#74829345: Multiple Android devices vulnerable to denial-of-service (DoS)
Multiple Android devices contain an issue when referencing specific system area, which may lead to a denial-of-service DoS. Impact The device may crash as a result of accessing a specific file. Solution Update the software Update to the latest version according to the information provided by the...
cforms II vulnerable to cross-site scripting
Overview cforms II contains a cross-site scripting vulnerability. cforms II provided by delicious days is a plugin for WordPress. cforms II contains a cross-site scripting vulnerability. Kousuke Ebihara and Yuya Watanabe of Tejimaya.inc reported this vulnerability to IPA. JPCERT/CC coordinated wi...
JVN#16901583: ChaSen vulnerable to buffer overflow
ChaSen provided by Nara Institute of Science and Technology is a software for morphologically analyzing Japanese. ChaSen contains an issue when reading in strings, which may lead to a buffer overflow. ChaSen legacy project has inherited development of ChaSen since 11/8/2011. Impact An arbitrary...
JVN#36673836: Movable Type vulnerable to cross-site scripting
Movable Type, a web log system from Six Apart KK, contains a cross-site scripting vulnerability. This vulnerability is different than the previous vulnerabilities disclosed on JVN. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the...
JVN#67060882 sISAPILocation vulnerability bypasses HTTP header rewrite function
sISAPILocation, developed by an individual developer, is an ISAPI filter for IIS Internet Information Services. sISAPILocation contains a vulnerability that allows the HTTP header rewrite function to be bypassed. Impact When sISAPILocation is used to configure settings, such as to specify charact...
JVN#89292430 Cross-site scripting in Sun Java System Web Server and Sun Java System Web Proxy Server
Sun Java System Web Server and Sun Java System Web Proxy Server, which are both web servers, provide a function for a user to view access logs and other records in a web browser. This function is vulnerable to cross-site scripting. Impact An arbitrary script can be executed on the user's web...
JVN#92832583 Advance-Flow cross-site scripting vulnerability
Advance-Flow provided by OSK Co. LTD contains a cross-site scripting vulnerability, as it does not properly handle output data. Some application forms are not affected by this vulnerability and some are, depending on the contents of the application forms. Impact An arbitrary script may be execute...
JVN#62399483 Overlay Weaver cross-site scripting vulnerability
Impact An arbitrary script may be executed on the user's web browser. Solution Products Affected Overlay Weaver 0.5.9 - 0.5.11 For more information, refer to the vendor's website...
JVN#64227086 NewsGlue and Ikinari Jijyoutsuu arbitrary script execution vulnerability
Impact An arbitrary script could be executed in NewsGlue or Ikinari Jijyoutsuu. Arbitrary files on client PCs could be accessed by an attacker. Solution Products Affected NewsGlue 1.3.3 and earlier Ikinari Jijyoutsuu version 1.0.0 and 1.0.1...
JVN#32985115 Movable Type cross-site scripting vulnerability
Impact An arbitrary script could be executed on the user's web browser or the display of a web page could be falsified. In addition, an attacker may be able to access a user's cookie allowing them to view sensitive information or hijack an authenticated user's session. Solution Products Affected...
JVN#60776919 tDiary cross-site request forgery vulnerability
Impact If a user loads a malicious web page, an attacker could alter or delete the diary text or alter tDiary configurations. In addition, a remote attacker could execute an arbitrary script or command on the web server running tDiary with privileges of the tDiary user. Solution Products Affected...
Multiple vulnerabilities in ELECOM wireless LAN routers and access points (May 2026)
Overview Multiple wireless LAN routers and access points provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below. Use of Hard-coded Cryptographic Key in creating backup of configuration files CWE-321 - CVE-2026-25107 OS command injection in processing of pingipaddr parameter...
Multiple vulnerabilities in V-SFT
Overview V-SFT provided by FUJI ELECTRIC CO., LTD. contains multiple vulnerabilities listed below. Free of Pointer not at Start of Buffer in VS6EditData.dll!CWinFontInf::WinFontMsgCheck function CWE-761 CVE-2025-47749 Out-of-bounds Write in VS6MemInIF!settemptypedefault function CWE-787...
JVN#65724976: WordPress Plugin "Forminator" vulnerable to cross-site scripting
WordPress Plugin "Forminator" provided by WPMU DEV assists building web forms. When accessing the page including the web form created with Forminator, some information from the URL may be embedded to the web form. This feature processes the embedded information improperly, leading to cross-site...
JVN#56648919: "Rakuten Ichiba App" fails to restrict custom URL schemes properly
"Rakuten Ichiba App" provided by Rakuten Group, Inc. provides the function to access a requested URL using Custom URL Scheme. The App does not restrict access to the function properly CWE-939 which may be exploited to direct the App to access any sites. Impact A remote attacker may lead a user to...
JVN#26225832: EC-CUBE plugin (for EC-CUBE 4 series) "EC-CUBE Web API Plugin" vulnerable to stored cross-site scripting
EC-CUBE plugin for EC-CUBE 4 series "EC-CUBE Web API Plugin" provided by EC-CUBE CO.,LTD. contains a stored cross-site scripting vulnerability CWE-79 in OAuth Management feature. Impact When there are multiple users using OAuth Management feature and one of them inputs some crafted value on the...
JVN#74825766: Cybozu Garoon vulnerable to cross-site scripting
Cybozu Garoon provided by Cybozu, Inc. contains a cross-site scripting vulnerability in PDF preview CWE-79. Impact An arbitrary script may be executed on a logged-in user's web browser. Solution Update the Software Update the software to the latest version according to the information provided by...
JVN#29471697: Android App "TP-Link Tether" and "TP-Link Tapo" vulnerable to improper server certificate verification
Android App "TP-Link Tether" and "TP-Link Tapo" provided by TP-LINK GLOBAL INC. are vulnerable to improper server certificate verification CWE-295. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the application Update the...
JVN#69107517: TvRock vulnerable to cross-site scripting
TvRock provided by TvRock according to the original report submitted by the reporter is a tool to set a timer recording for a TV program. TvRock contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user accessing the website th...