5627 matches found
JVN#86206017: WordPress Plugin "easy-popup-show" vulnerable to cross-site request forgery
WordPress Plugin "easy-popup-show" provided by Ari Susanto contains a cross-site request forgery vulnerability CWE-352. Impact If a user with an administrative privilege views a malicious page while logged in, unintended operations may be performed. Solution Stop using the plugin The developer...
JVN#13113728: "EasyRange" may insecurely load executable files
"EasyRange" provided by sira.jp according to the original report submitted by the reporter is a tool to extract compressed files. "EasyRange" contains an issue with the executable file search path when displaying an extracted file on Explorer, which may lead to loading an executable file resides ...
Multiple vulnerabilities in PowerCMS
Overview PowerCMS provided by Alfasado Inc. contains multiple vulnerabilities listed below. Stored cross-site scripting vulnerability in the management screen CWE-79 - CVE-2023-49117 Open redirect vulnerability in the members' site CWE-601 - CVE-2023-50297 Alfasado Inc. reported these...
JVN#73178249: Improper restriction of XML external entity references (XXE) in Shinseiyo Sogo Soft
Shinseiyo Sogo Soft provided by The Ministry of Justice improperly restricts XML external entity references XXE CWE-611. Impact By processing a specially crafted XML file, arbitrary files on the PC may be accessed by an attacker. Solution Update the Software Update the software to the latest...
JVN#36340790: JB Inquiry form vulnerable to exposure of private personal information to an unauthorized actor
JB Inquiry form provided by Jubei Inc. contains an exposure of private personal information to an unauthorized actor vulnerability CWE-359 . Impact A remote attacker may obtain information entered from forms created using the affected product. Solution Update the Software Update to the latest...
Installers of Sony PaSoRi related software may insecurely load Dynamic Link Libraries
Overview PaSoRi provided by Sony Corporation is contactless IC card reader/writer. Installers of PaSoRi driver and other related software for Windows contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Eili Masami of Tachibana Lab...
WordPress plugin "Multi Feed Reader" vulnerable to SQL injection
Overview The WordPress plugin "Multi Feed Reader" contains an SQL injection vulnerability CWE-89. Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An attacker who...
JVN#26026353: WordPress plugin "Markdown on Save Improved" vulnerable to cross-site scripting
The WordPress plugin "Markdown on Save Improved" contains a stored cross-site scripting CWE-79 vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the plugin Update the plugin according to the information provided by the developer. While the...
JVN#65668004: Dotclear vulnerable to cross-site scripting
Dotclear is a weblog software. Dotclear contains a cross-site scripting vulnerability. Impact If a user views a specially crafted page while logged in, an arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest version according to the...
JVN#81094176: Android OS may behave as an open resolver
A device that runs as a DNS cache server, which responds to any recursive DNS queries that are received is referred to as an open resolver. Android OS contains an issue where it may behave as an open resolver when the tethering function is enabled. Impact The Android device may be used in a DNS...
JVN#54775800: FAST/TOOLS vulnerable to improper restriction of XML external entity references
FAST/TOOLS provided by Yokogawa Electric Corporation contains a vulnerability where XML external entity XXE references are not properly restricted CWE-611. Impact When opening a project with a specially crafted XML file, information managed by the product may be disclosed or may become a victim o...
JVN#64764004: Clipboard contents alteration vulnerability in Sleipnir
Sleipnir, a web browser provided by Fenrir, contains a vulnerability in which the contents of the clipboard may be altered. As a result, when Sleipnir is being used under certain settings, the contents of the clipboard may be read or written from a website. Impact Contents contained in the...
JVN#80436657 Webservice-DIC yoyaku_v41 vulnerable to command injection
yoyakuv41 from Webservice-DIC is a software to manage conference room reservations. yoyakuv41 contains a command injection vulnerability. Impact An arbitrary command could be executed with the privilege of the server where yoyakuv41 runs. Solution Update the Software Update to the latest version...
lv Arbitrary Command Execution Vulnerability
Overview lv contains a vulnerability of reading and running a .lv file in the current directry. Impact An attacker could execute arbitrary command as other users with the privilege of the user running lv. Solution Please refer to the 'Vendor Information' section of this advisory for official...
JVN#95014590 Zimbra Collaboration Suite script execution vulnerability
Zimbra Collaboration Suite is a web collaboration tool that provides calendar, address book, webmail, and other functions. Zimbra Collaboration Suite 4.0.3 and 4.5.6 contain a vulnerability that could allow a remote attacker to execute an arbitrary script on the user's web browser. Impact If a us...
JVN#02854109 HttpLogger vulnerable to cross-site scripting
Klab HttpLogger is full-text search software for web browser histories. HttpLogger is vulnerable to cross-site scripting. Impact An arbitrary script can be executed on the user's web browser. Solution Update the Software Apply the latest update provided by the developer. For more information, ref...
JVN#71872818 AirStation series and BroadStation series vulnerable to cross-site request forgery
Buffalo's AirStation series and BroadStation series routers have a web administration interface that can be accessed from a web browser to configure their functional settings. The web administration interface is vulnerable to cross-site request forgery. Impact If the administrator of such a produ...
JVN#08951968 MailDwarf vulnerability allows unauthorized sending of emails
Impact A remote attacker may be able to send unsolicited mails to arbitrary email addresses. Solution Products Affected MailDwarf ver3.01 or earlier...
JVN#21125043 Blogn cross-site scripting vulnerability
Impact An arbitrary script may be executed on the user's web browser. In addition, if session information from a cookie is leaked, an attacker could possibly conduct session hijacking. Solution Products Affected Blogn v1.9.3 and earlier...
JVN#79484135 Joomla! cross-site scripting vulnerability
Impact An arbitrary script may be executed on the user's web browser. If session information from a cookie is leaked, an attacker could possibly conduct session hijacking. Solution Products Affected Joomla! 1.0.8 and earlier...
JVN#46630603 MDPro cross-site scripting vulnerability
Impact An arbitrary script may be executed on the user's web browser. In addition, if session information from a cookie is leaked, an attacker could possibly conduct session hijacking. Solution Products Affected MDPro version 1.0.76 and earlier...
JVN#01137722 Owl cross-site scripting vulnerability
Impact An arbitrary script may be executed on the user's web browser. As a result, web pages could be spoofed. Solution Products Affected Owl version 0.90 and earlier...
JVN#92975133 Loudblog cross-site scripting vulnerability
Impact An arbitrary script may be executed on the user's web browser. If session information from a cookie is leaked, an attacker could possibly condust session hijacking. Solution Products Affected Loudblog 0.44 and earlier...
JVN#98836916 Wiki clone products vulnerable to denial of service attacks
Impact A remote attacker could execute a DoS denial of service attack. Solution Products Affected For more information, refer to the vendors' websites...
JVN#39188922 dotProject cross-site scripting vulnerability
Impact An arbitrary script may be executed on the user's web browser. In particular, if session information from a cookie is leaked, an attacker could possibly conduct session hijacking. Solution Products Affected dotProject 2.0.3 and earlier...
JVN#84775942 Multiple email clients vulnerable to directory traversal due to inappropriate unicode handling
Impact Actual impact could differ depending on the email clients though, an attacker coulld possibly forge a file name or a email client could handle a file inappropriately which may result in a file being overwritten or an arbitray file being created and saved in an arbitrary directory. Solution...
Multiple TP-Link products vulnerable to cleartext transmission of sensitive information
Overview Multiple TP-Link products provided by TP-Link Systems Inc. contain the following vulnerability. Cleartext transmission of sensitive information CWE-319 - CVE-2026-34126 eyegrep and izurina of L Plus LLC reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
Multiple Vulnerabilities in Hitachi Command Suite, Hitachi Automation Director, Hitachi Configuration Manager, Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center
Overview Multiple vulnerabilities have been found in Hitachi Command Suite, Hitachi Automation Director, Hitachi Configuration Manager, Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center. CVE-2026-22007, CVE-2026-22013, CVE-2026-22016, CVE-2026-22018, CVE-2026-22021, CVE-2026-23865,...
Movable Type vulnerable to missing authorization
Overview Movable Type provided by Six Apart Ltd. contains the following vulnerability. Missing authorization CWE-862 - CVE-2026-44392 Six Apart Ltd. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Six Apart Ltd. coordinated under the Information...
Bytello Share (Windows Edition) installer executable insecurely loads Dynamic Link Libraries
Overview GUARDIANWALL MailSuite provided by Canon Marketing Japan Inc. contains the following vulnerability. Stack-based buffer overflow in pop3wallpasswd command CWE-121 - CVE-2026-32661 The developer states that attacks exploiting the vulnerability has been observed in GUARDIANWALL MailSuite...
Canon Production Printers and Office Multifunction Printers vulnerable to information disclosure
Overview Canon Production Printers and Office Multifunction Printers contain the following vulnerability. Reliance on untrusted inputs in a security decision CWE-807 - CVE-2026-1789 Canon Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. Impact If an...
JVN#17260367: Multiple vulnerabilities in JTEKT ELECTRONICS CORPORATION's products
HMI ViewJet C-more series and HMI GC-A2 series provided by JTEKT ELECTRONICS CORPORATION contain multiple vulnerabilities listed below. Improper Restriction of Rendered UI Layers or Frames CWE-1021 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score 4.3 CVE-2025-24310 Allocation of Resources...
JVN#66982699: a-blog cms vulnerable to untrusted data deserialization
a-blog cms provided by appleple inc. contains untrusted data deserialization vulnerability CWE-502. The developer states that attacks exploiting the vulnerability has been observed on a-blog cms Ver.2.8.x series or later. Impact Processing a specially crafted request may store arbitrary files on...
JVN#80527854: Multiple vulnerabilities in FileMegane
FileMegane provided by JIP InfoBridge Co., Ltd. contains multiple vulnerabilities listed below. Server-Side Request Forgery SSRF CWE-918 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L Base Score 7.2 CVE-2025-20075 Authentication Bypass by Spoofing(CWE-290) CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A...
JVN#29238389: IPCOM vulnerable to information disclosure
SSL Accelerator/SSL-VPN Function of IPCOM provided by Fsas Technologies Inc. contains an information disclosure vulnerability due to observable timing discrepancy CWE-208. Impact Some of the encrypted communication may be decrypted by an attacker who can obtain the contents of the communication...
JVN#51135247: Pleasanter vulnerable to cross-site scripting
Pleasanter provided by Implem Inc. contains a cross-site scripting vulnerability CWE-79. Impact If an attacker tricks the user to access the product with a specially crafted URL and perform a specific operation, an arbitrary script may be executed on the web browser of the user. Solution Update t...
WordPress Plugin "Software License Manager" vulnerable to cross-site request forgery
Overview WordPress Plugin "Software License Manager" provided by Tips and Tricks HQ contains a cross-site request forgery vulnerability CWE-352. Koken Tokuda of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University. reported this vulnerability to...
Backdoor access issue in Wi-Fi STATION L-02F
Overview Wi-Fi STATION L-02F provided by NTT DOCOMO, INC. contains a backdoor access issue. Japan Computer Emergency Response Team Coordination Center Global Coordination Division Cyber Metrics Line Information Security Analyst Keisuke Shikano reported this vulnerability to IPA. JPCERT/CC...
JVN#20459920: Microsoft Office discloses a file path of a local file
When a file such as a clipart or an image is inserted in Office documents, the absolute path of the local file is stored in "alternative text". Impact An attacker may obtain information about the file system or the user name through Office documents. Solution Upgrade the Software Upgrade to the...
JVN#62507275: Multiple broadband routers may behave as open resolvers
A device that runs as a DNS cache server, which responds to any recursive DNS queries that are received is referred to as an open resolver. Multiple broadband routers may contain an issue where they may behave as open resolvers. Impact The device may be used in a DNS amplification attack and...
JVN#34729123 Explzh buffer overflow vulnerability
Explzh, a file compression/decompression software supporting multiple compression file formats, contains a buffer overflow vulnerability when processing a LHA file header. Impact When processing a specially crafted LHA file, a remote attacker may be able to execute arbitrary code. Solution Update...
JVN#09872874 Movable Type access restriction bypass vulnerability
Movable Type, a web log system from Six Apart KK, contains a vulnerability that allows a remote attacker to bypass access restrictions. This vulnerability is different from JVN08369659. Impact A remote attacker may view or modify information stored by Movable Type. Solution Update the Software...
JVN#74468481 Lhaplus buffer overflow vulnerability
Lhaplus, file compression/decompression software supporting multiple compression file formats, contains a buffer overflow vulnerability. If a user decompresses a specially crafted file, an attacker could execute arbitrary code with the privilege of the user. This vulnerability is different from...
JVN#58803701 DesignForm cross-site scripting vulnerability
DesignForm is a mail form CGI provided by GNB. It is used to send mail from a form on a web page. A cross-site scripting vulnerabiltiy exists in DesignForm. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest version according to...
JVN#38199598 Mayaa cross-site scripting vulnerability
Mayaa from the Seasar Project is an open source Java template engine. A cross-site scripting vulnerability exists in Mayaa. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Apply the latest updates provided by the vendor. For more information, ref...
JVN#62334841 Shihonkanri Plus Ver2 GOOUT directory traversal vulnerability
Impact A remote attacker could access files on the server on which Shihonkanri Plus Ver2 GOOUT is installed without authentication. This could lead to unintentional disclosure of file contents. Solution Products Affected Shihonkanri Plus Ver2 GOOUT Ver2.1.7 and earlier...
JVN#93700808 Sleipnir RSS bar vulnerable in handling RSS data in an inappropriate security zone
Impact An arbitrary script could be executed in an inappropriate security zone. Solution Products Affected Sleipnir 2.49 and earlier Portable Sleipnir 2.45 and earlier RSS bar for Sleipnir 1.28 Release3 and earlier...
JVN#46691257 RWiki arbitrary Ruby script execution vulnerability
Impact A remote attacker could execute an arbitrary Ruby script on the server where RWiki is installed, with the privilege running RWiki. Solution Products Affected RWiki/2.1.0pre2 and all earlier versions...
JVN#41550845 Nagasaki Electronic Prefectural Office System SQL injection vulnerability
Impact A remote attacker may view or modify the database contents. Solution Products Affected Nagasaki Electronic Prefectural Office System's annual leave management system Nagasaki Electronic Prefectural Office System's staff directry system Nagasaki Electronic Prefectural Office System's docume...
Lhaz and Lhaz+ vulnerable to path traversal
Overview Lhaz and Lhaz+ provided by Chitora soft contain the following vulnerability. Path traversal CWE-22 - CVE-2026-41530 RyotaK of GMO Flatt Security Inc. and Rei Yano reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...