5627 matches found
Command injection vulnerability in ASUS routers
Overview Multiple routers provided by ASUSTeK COMPUTER INC. contain command injection vulnerability in AiCloud. Command injection CWE-77 - CVE-2025-2492 NICTER Analysis Team of Cybersecurity Research Institute, National Institute of Information and Communications Technology reported this...
JVN#41633999: Obsidian GitHub Copilot Plugin stores sensitive information in cleartext
Obsidian GitHub Copilot Plugin provided by Pierre-Adrien Vasseur is vulnerable to the following vulnerability. Cleartext storage of sensitive information CWE-312 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:L Base Score 5.1 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L Base Score...
Out-of-bounds write vulnerability in FUJIFILM Business Innovation MFPs
Overview Multiple MFPs multifunction printers provided by FUJIFILM Business Innovation Corp. contain the following vulnerability. Out-of-bounds Write CWE-787 - CVE-2025-48499 Jia-Ju Bai, Rui-Nan Hu, Dong Zhang, and Zhen-Yu Guan of School of Cyber Science and Technology of Beihang University...
JVN#88251376: Multiple vulnerabilities in Nimesa Backup and Recovery
Nimesa Backup and Recovery provided by Nimesa contains multiple vulnerabilities listed below. OS command injection CWE-78 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 9.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score 9.8 CVE-2025-48501 Server-side request...
JVN#89505333: Multiple vulnerabilities in Active! mail
Active! mail provided by QUALITIA CO., LTD. contains multiple vulnerabilities listed below. Cross-site scripting CWE-79 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Base Score 5.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score 6.1 CVE-2025-52462 Cross-site request...
JVN#21624250: Inefficient regular expressions in GROWI
GROWI provided by GROWI, Inc. contains the following vulnerability. Inefficient regular expression complexity CWE-1333 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N Base Score 5.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L Base Score 4.3 CVE-2025-43880 Impact A logged-in user...
JVN#68079883: Improper pattern file validation in i-FILTER optional feature 'Anti-Virus & Sandbox'
The optional feature 'Anti-Virus & Sandbox' of i-FILTER provided by Digital Arts Inc. validates pattern files improperly. Improper pattern file validation CWE-348 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Base Score 6.9 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score...
Multiple vulnerabilities in a-blog cms
Overview a-blog cms provided by appleple inc. contains multiple vulnerabilities listed below. Path traversal CWE-22 CVE-2025-27566 This is an issue with insufficient path validation in the backup feature, and exploitation requires the administrator privilege Cross-site scripting CWE-79...
JVN#11230428: +F FS010M vulnerable to OS command injection
+F FS010M provided by FUJI SOFT INCORPORATED contains multiple OS command injection vulnerabilities listed below. OS command injection CWE-78 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score 7.2 CVE-2025-24306 OS command injection CWE-78 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base...
JVN#08430039: "Shonen Jump+" App for Android fails to restrict custom URL schemes properly
"Shonen Jump+" App for Android provided by SHUEISHA INC. provides the function to access a requested URL using Custom URL Scheme. The App does not restrict access to the function properly CWE-939 which may be exploited to direct the App to access any sites. Impact A remote attacker may lead a use...
JVN#87182660: WordPress Plugin "WP Admin UI Customize" vulnerable to cross-site scripting
WordPress Plugin "WP Admin UI Customize" provided by gqevu6bsiz contains a stored cross-site scripting vulnerability CWE-79. Impact If a malicious admin user customizes the admin screen with some malicious contents, an arbitrary script may be executed on the web browser of the other users who are...
JVN#16114985: "Kura Sushi Official App Produced by EPARK" for Android uses a hard-coded cryptographic key
"Kura Sushi Official App Produced by EPARK" for Android provided by EPARK, Inc. uses a hard-coded cryptographic key CWE-321. Impact An attacker may obtain the login ID and password for the affected product. Solution Update the application Update the application to the latest version according to...
Trend Micro Deep Security 20 Agent for Windows vulnerable to improper access control
Overview Trend Micro Incorporated has released a security update for Deep Security 20 Agent for Windows to fix a improper access control vulnerability CVE-2024-48903. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of the solution through JVN. Impact A...
JVN#19766555: Multiple vulnerabilities in WordPress plugin "Welcart e-Commerce"
WordPress plugin "Welcart e-Commerce" provided by Welcart Inc. contains multiple vulnerabilities listed below. SQL injection CWE-89 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score 8.8 CVE-2024-42404 Cross-site scripting CWE-79 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score 6.1...
JVN#49873988: Secure Boot bypass Vulnerability in PRIMERGY
PRIMERGY is an IA server provided by Fsas Technologies Inc. PRIMERGY contains a vulnerability where Secure Boot function is bypassed. This is due to a vulnerability called "PKFail" CVE-2024-8105, which was publicly disclosed by Binarly. Impact The product's Secure Boot function may be bypassed an...
Installer of MagicConnect Client program may insecurely load Dynamic Link Libraries
Overview Installer of MagicConnect Client program provided by NTT TechnoCross Corporation contains a vulnerability which may lead to insecurely loading Dynamic Link Libraries CWE-427 when a terminal is connected remotely using Remote desktop. Yuji Tounai of Mitsui Bussan Secure Directions, Inc...
Multiple vulnerabilities in OpenBlocks IoT VX2
Overview OpenBlocks IoT VX2 provided by Plat'Home Co., Ltd. contains multiple vulnerabilities. Masahiro Murashima and Genta Kataoka of IERAE SECURITY INC. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An...
WordPress plugin "Shortcodes Ultimate" vulnerable to directory traversal
Overview The WordPress plugin "Shortcodes Ultimate" contains a directory traversal vulnerability CWE-22 in the Examples page. Chris Liu reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact Arbitrary local files o...
JVN#92395431: Java (OGNL) code execution in Apache Struts 2 when devMode is enabled
Apache Struts 2 provided by the Apache Software Foundation is a software framework for creating Java web applications. There is a known risk that arbitrary Java OGNL code may be executed in Apache Struts 2 when devMode is enabled in production environment. It is confirmed that proof-of-concept co...
Installer of PhishWall Client Internet Explorer version may insecurely load Dynamic Link Libraries
Overview PhishWall Client Internet Explorer Version, provided by SecureBrain Corporation, is an anti-phishing and anti-MITB software. The installer of PhishWall Client Internet Explorer Version contains an issue with the DLL search path, which may lead to insecurely loading dynamic linking...
JVN#09470233: Android stock browser vulnerable to denial-of-service (DoS)
The Android stock browser contains a denial-of-service DoS vulnerability. Impact When receiving a specially crafted packet, the Android stock browser may crash. Solution Do not use Android stock browser If using an affected version of the Android stock browser, it is recommended to use another...
JVN#06212291: Android OS Contacts app fails to restrict access permissions
The Contacts app within the Android OS receives requests for outgoing calls through Intents and calls the Dialer app. The Contacts app contains a vulnerability where it fails to restrict access permissions, since it receives and processes Intents from apps without CALLPHONE permissions. Impact Wh...
MATCHA INVOICE vulnerable to SQL injection
Overview MATCHA INVOICE provided by ICZ Corporation is a web-based billing management software. MATCHA INVOICE contains multiple SQL injection CWE-89 vulnerabilities. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
niconico App for iOS fails to verify SSL server certificates
Overview niconico App for iOS provided by DWANGO Co., Ltd. fails to verify SSL server certificates. AOKI Keiichi reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A man-in-the-middle attack may allow an attack...
Opera Mini / Opera Mobile for Android vulnerable in the WebView class
Overview Opera Mini and Opera Mobile for Android contain a vulnerability in the WebView class. Opera Mini and Opera Mobile are web browsers for mobile devices. Opera Mini and Opera Mobile for Android contain a vulnerability in the WebView class. Gaku Mochizuki of Mitsui Bussan Secure Directions,...
JVN#75345069: Mac OS X OpenSSH vulnerable to denial-of-service (DoS)
The OpenSSH implementation in Mac OS X is vulnerable to denial-of-service. Impact A remote attacker may cause a denial-of-service. Solution Update the software Update to the latest version according to the information provided by the developer. According to the developer, versions Mac OS X 10.6 a...
JVN#72586781: ASP.NET vulnerable to cross-site scripting
ASP.NET contains an issue in the escape processes for string output. Web applications that use ASP.NET may contain a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software Update to the latest version according to the...
Active! mail 2003 cookie disclosure vulnerability
Overview Active! mail 2003 from TransWARE Co. contains a vulnerability in which cookies may be disclosed. Active! mail 2003 from TransWARE Co. is a web-based email software. Active! mail 2003 contains a vulnerability in which cookies may be disclosed. Kenichi Maehashi of CIS RAT at Hosei Universi...
WirelessIP5000 has multiple vulnerabilities
Overview WirelessIP5000, a wireless IP phone from Hitachi Cable, contains multiple vulnerabilities; - Illegal access using the port TCP3390 - SNMP access using an arbitrary community name - Access to the HTTP server by an unauthorized user in the factory default configuration - The HTTP server...
JVN#79114735 Google Desktop cross-site scripting vulnerability
Google Desktop, software for searching information on local computers, contains a cross-site scripting vulnerability. Impact An arbitrary script could be executed on the web browser of a user who uses Google Desktop. Solution According to the vendor, this vulnerability has been fixed in Google...
JVN#13939411 Drupal cross-site scripting vulnerability
Impact An arbitrary script could be executed on the browser of the user who logged into Drupal. In addition, if session information from a cookie is leaked, a remote attacker could possibly conduct session hijacking. Solution Products Affected Drupal 4.6.10 and earlier Drupal 4.7.4 and earlier...
JVN#34830904 Shobo Shobo Nikki System (sns) cross-site scripting vulnerability
Impact An arbitrary script may be executed on the user's web browser. Also, the administrator's password could be disclosed if cookie information is leaked. Solution Products Affected sns 3.11 and earlier...
JVN#47223461 tDiary cross-site scripting vulnerability
Impact An arbitrary script may be executed on the user's web browser. Solution Products Affected 2.0.2 stable and earlier 2.1.4.20061115 developer version and earlier...
JVN#46244305 eyeOS cross-site scripting vulnerability
Impact An arbitrary script may be executed on the user's web browser. Web pages could be spoofed as a result. Solution Products Affected eyeOS version 0.8.10 - 0.8.15...
JVN#62307185 QwikiWiki cross-site scripting vulnerability
Impact An arbitrary script may be executed on the user's web browser. User credentials could be leaked as a result. Solution Products Affected QwikiWiki version 1.5.5 and earlier...
JVN#13947696 Ruby contains a vulnerability that prevents safe level 4 from functioning as a sandbox.
Impact An attacker may be able to bypass the security model of a server application and change the status of a untained object. Solution Products Affected Ruby 1.8.4-20060516 and earlier Snapshot versions As a workaround, we recommend that users update to the latest Ruby 1.8.4 snapshot version...
JVN#73705637 ACollab SQL injection vulnerability
Impact A remote attacker could modify the database contents or steal data. An attacker could also bypass authentication and impersonate a user. Solution Products Affected ACollab 1.2 and earlier Development and maintenance of ACollab finished with version 1.2 as of July 6, 2006. However ATutor...
JVN#89344424 Multiple email clients vulnerable in handling an attachement inapropriately
Impact Actual impact could differ depending on the email clients though, email clients may crash when hadling an attached file with a particular file name. Other possible impacts could be an attached file not being saved or hanged up while in the saving process, or an error message being displaye...
JVN#18282718 Hyper Estraier directory traversal/denial of service vulnerability
Impact If a remote attacker sends a specially crafted file and a user saves it in a search target directory, the attacker could register a file not to be searched in an index when the user creats an index, or cause a denial of service. Solution Products Affected Versions earlier than Hyper Estrai...
Link following vulnerability in Canon My Image Garden for macOS and CUPS Printer Driver for macOS
Overview My Image Garden for MacOS and CUPS Printer Driver for macOS provided by Canon Inc. contain the following vulnerability. Improper link resolution before file access 'Link following' CWE-59 - CVE-2026-6891, CVE-2026-6892 Canon Inc. reported this vulnerability to JPCERT/CC to notify users o...
Android App "RoboForm Password Manager" insufficient validation of Android intents
Overview Android App "RoboForm Password Manager" provided by Siber Systems, Inc. accepts intents from other applications to open relevant web pages e.g., login pages, but without sufficient URL validation, user confirmation nor notification. Insufficient UI Warning of Dangerous Operations CWE-357...
Multiple vulnerabilities in LogonTracer
Overview LogonTracer provided by Japan Computer Emergency Response Team Coordination Center JPCERT/CC is a tool to investigate malicious Windows logons by visualizing and analyzing Windows event logs. LogonTracer contains multiple vulnerabilities listed below. OS command injection CWE-78 -...
Installers of LiveOn Meet Client for Windows and its plugin may insecurely load Dynamic Link Libraries
Overview LiveOn Meet provided by Japan Media Systems Corporation is a web conferencing system. The installer of LiveOn Meet Client for Windows and the installer of Canon Network Camera Plugin insecurely load Dynamic Link Libraries. Uncontrolled search path element CWE-427 - CVE-2026-32679 This...
Multiple vulnerabilities in CubeCart
Overview CubeCart provided by CubeCart Limited contains multiple vulnerabilities listed below. OS command injection CWE-78 - CVE-2026-21719 SQL injection CWE-89 - CVE-2026-34018 Path traversal CWE-22 - CVE-2026-35496 Gen Sato of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities...
GROWI vulnerable to stored cross-site scripting
Overview GROWI provided by GROWI, Inc. contains the following vulnerability. Stored cross-site scripting CWE-79 - CVE-2026-26291 Norihide Saito reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary...
EmoCheck loads Dynamic Link Libraries insecurely
Overview EmoCheck is a tool for detecting infections by "Emotet" malware, provided by Japan Computer Emergency Response Team Coordination Center JPCERT/CC. EmoCheck loads Dynamic Link Libraries insecurely. Uncontrolled search path element CWE-427 - CVE-2026-28704 ryo shimada of Powder Keg...
Multiple vulnerabilities in Movable Type
Overview The Listing Framework of Movable Type provided by Six Apart Ltd. contains multiple vulnerabilities listed below. Code injection CWE-94 - CVE-2026-25776 SQL injection CWE-89 - CVE-2026-33088 CVE-2026-25776 Sho Odagiri of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to Six...
Security information for Hitachi Disk Array Systems
Overview CVE-2026-20846 | GDI+ Denial of Service Vulnerability CVE-2026-21222 | Windows Kernel Information Disclosure Vulnerability CVE-2026-21231 | Windows Kernel Elevation of Privilege Vulnerability CVE-2026-21234 | Windows Connected Devices Platform Service Elevation of Privilege Vulnerability...
django-allauth vulnerable to open redirect
Overview django-allauth is a package for implementing user authentication in Django applications. django-allauth contains the following vulnerability. Open redirect CWE-601 - CVE-2026-27982 Ayato Shitomi of Fore-Z co.ltd and Funabiki Keisuke of GMO Cybersecurity by Ierae, Inc. reported this...
Multiple Vulnerabilities in Cosminexus
Overview Cosminexus Developer's Kit for JavaTM and Hitachi Developer's Kit for Java contain the following vulnerabilities: CVE-2026-21925, CVE-2026-21932, CVE-2026-21933, CVE-2026-21945 Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to...