5625 matches found
Cybozu Garoon vulnerable to information disclosure
Overview Cybozu Garoon is a groupware. Cybozu Garoon contains an information disclosure vulnerability in the mail function. Masato Kinugawa reported this vulnerability to Cybozu, Inc., and Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC...
a-blog cms vulnerable to session management
Overview a-blog cms provided by appleple Inc. is a content management system CMS. a-blog cms contains a vulnerability in session management of the comment functionality. Yuya Yoshida of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the...
WN-G300R Series vulnerable to cross-site scripting
Overview WN-G300R Series provided by I-O DATA DEVICE, INC. contains a cross-site scripting vulnerability. WN-G300R Series provided by I-O DATA DEVICE, INC. is a wireless LAN router. WN-G300R Series contains a stored cross-site scripting vulnerability CWE-79. Satoshi Ogawa of Mitsui Bussan Secure...
Multiple shiro8 Co., Ltd. freearea_ addition_plugins for EC-CUBE vulnerable to cross-site scripting
Overview EC-CUBE plugin "categoryfreearea additionplugin" and "itemdetailfreearea additionplugin" provided by shiro8 Co., Ltd. contain a cross-site scripting vulnerability CWE-79. Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA. JPCERT/CC coordinated with the...
baserCMS vulnerable to OS command injection
Overview baserCMS is an open-source Contents Management System CMS. baserCMS contains an OS command injection vulnerability CWE-78. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary OS...
H2O vulnerable to HTTP header injection
Overview H2O is an open source web server software. H2O contains an HTTP header injection vulnerability. Kazuho Oku reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and Kazuho Oku coordinated under the Information Security Early Warning Partnership. Impact...
EC-CUBE plugin BbAdminViewsControl vulnerable to SQL injection
Overview BbAdminViewsControl from BOKUBLOCK CO., LTD. is an EC-CUBE plugin. BbAdminViewsControl contains an SQL injection vulnerability CWE-89. Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security...
yoyaku_v41 vulnerable to OS command injection
Overview yoyakuv41 provided by Webservice-DIC is a software to manage conference room reservations. yoyakuv41 contains an OS command injection vulnerability CWE-78. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
FuelPHP vulnerable to remote code execution
Overview FuelPHP is a PHP web framework for creating web applications. FuelPHP applications contain an issue in the RequestCurl class, which may result in arbitrary code execution. Masaaki Chida of GREE, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
Silex vulnerable to cross-site scripting
Overview Silex is a software to build websites. Silex contains a cross-site scripting vulnerability. Yuji Tounai of bogus.jp reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary script may be execute...
VMware ESX and ESXi may allow access to arbitrary files
Overview VMware ESX and ESXi contain a vulnerability in the handling of Virtual Machine file descriptors, which may allow access to arbitrary ESX and ESXi files. Shanon Olsson reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer under Information Security Early Warni...
WEB PATIO vulnerable to cross-site scripting
Overview WEB PATIO contains a cross-site scripting vulnerability. WEB PATIO is a bulletin-board software. WEB PATIO contains a vulnerability in handling cookies, which may result in cross-site scripting. Taketo Ikeuchi of Hitachi Solutions, Ltd. reported this vulnerability to IPA. JPCERT/CC...
Drupal Form API fails to validate the redirect URL
Overview Drupal's Form API fails to validate the redirect URL, which may lead to unintended information disclosure. Drupal is a content management system CMS. Drupal's Form API fails to validate the redirect URL, which may lead to unintended information disclosure. Katsuhiko Nakanishi from NEC...
TOSHIBA TEC e-Studio series vulnerable to authentication bypass
Overview Multiple e-Studio series products provided by TOSHIBA TEC CORPORATION contain an authentication bypass vulnerability. e-Studio is a multi-function peripheral MFP. Multiple e-Studio series products contain a vulnerability in web-based management utility, which may result in an...
ALFTP may insecurely load executable files
Overview ALFTP may use unsafe methods for determining how to load executables. ALFTP provided by ESTsoft Corp. is a FTP client software with the built in FTP server. ALFTP contains an issue when loading files. For example, if an user tries to open README a file without extention which exists in t...
Wibu-Systems CodeMeter Runtime vulnerable to denial-of-service
Overview CodeMeter Runtime provided by Wibu-Systems AG contains a denial-of-service vulnerability. CodeMeter Runtime provided by Wibu-Systems AG contains an issue when processing TCP packets, which may lead to a denial-of-service DoS. Kuang-Chun Hung of Security Research and Service Institute -...
A-Form vulnerable in restricting access
Overview A-Form contains a vulnerability in restricting access permissions. A-Form is a plug-in for Movable Type that adds mail forms and survey forms. A-Form contains a vulnerability in restricting access permissions. Impact Information managed by A-Form may be altered by a user who does not hav...
BaserCMS vulnerable to cross-site scripting
Overview BaserCMS contains a cross-site scripting vulnerability. BaserCMS is an open-source Contents Management System CMS. BaserCMS contains a cross-site scripting vulnerability. Masako Ohno reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security...
Multiple Yamaha routers vulnerable to denial-of-service (DoS)
Overview Multiple routers provided by Yamaha contain a denial-of-service vulnerability. Multiple routers provided by Yamaha contain a denial-of-service DoS vulnerability due to an issue in processing IP packets. Yuji Ukai of Fourteenforty Research Institute, Inc. reported this vulnerability to IP...
Multiple Things CGI products vulnerable to cross-site scripting
Overview Multiple CGI products provided by Things contain a cross-site scripting vulnerability. BBS and BBS Thread provided by Things are bulletin board software. BBS and BBS Thread contain a cross-site scripting vulnerability. Yuji Tounai of bogus.jp reported this vulnerability to IPA. JPCERT/CC...
JP1/NETM/Remote Control Agent Authentication Bypass Vulnerability
Overview A vulnerability in the file transfer feature in the JP1/NETM/Remote Control Agent may allow authentication bypass. Impact A remote attacker could manipulate arbitrary files on the system installed with the Remote Control Agent. Solution ease refer to the 'Vendor Information' section for...
Multiple Vulnerabilities Concerning Hitachi Web Server
Overview Hitachi Web Server has vulnerabilities listed below: 1. A vulnerability that allows to roll back the Open SSL version when using the SSL. 2. Cross-site scripting vulnerability in contents created automatically by the Hitachi Web Server. 3. Cross-site scripting vulnerability due to...
Multiple Panasonic Communications Co., Ltd. network cameras vulnerable to cross-site scripting
Overview Multiple Panasonic Communications Co., Ltd. network cameras contain a cross-site scripting vulnerability. Panasonic Communications Co., Ltd. network camera BL-C111/131 and BB-HCM511/531/580/581/527/515 error pages contain a cross-site scripting vulnerability. NetAgent Co., Ltd. reported...
IP Messenger for Win Filename Buffer Overflow Vulnerability
Overview IP Messenger for Win suffers buffer overflow when the user saves an attached file with a long name sent with the message. Impact An attacker could execute arbitrary code with the privileges of the user running IP Messenger. Solution Please refer to the 'Vendor Information' section for...
DeleGate Multiple Buffer Overflow Vulnerabilities
Overview DeleGate suffers buffer overflow when scanf, strncpy and other string handling process are set to fail with a long string sent by proxy. Impact An attacker could execute arbitrary code with the privileges of the user running DeleGate. Solution Please refer to the 'Vendor Information'...
Hiki cross-site scripting vulnerability
Overview Hiki, a Wiki clone from the Hiki development team, contains a cross-site scripting vulnerability. Impact A remote attacker could create a content containing attacking code and take over a session by stealing the session ID of the user who logged into the system. If the user logged into t...
Fujitsu Java Runtime Environment reflection API vulnerability
Overview A vulnerability exists in the reflection API in the Java Runtime Environment that may allow a Java applet to elevate its privileges bypassing its security restrictions. This problem was reported by Sun Microsystems as a vulnerability in Java Runtime Environment. Fujitsu's product is...
Reflected cross-site scripting vulnerability in multiple laser printers and MFPs which implement Ricoh Web Image Monitor
Overview Web Image Monitor provided by Ricoh Company, Ltd. is a web server that is included in and runs on laser printers and MFPs multifunction printers. Web Image Monitor contains the vulnerability listed below. Reflected cross-site scripting CWE-79 - CVE-2026-56809 Tomasz Holeksa of Pentest...
DGM3103SCT vulnerable to OS command injection
Overview DGM3103SCT provided by AVTECH Security Corporation contains the following vulnerability. OS command injection CWE-78 - CVE-2026-56808 Tomoya KITAGAWA, Satoki TSUJI, Seiya NAKATA, and Yudai FUJIWARA of Ricerca Security, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with t...
ExpressUpdate Agent for Windows improper access restriction on its named pipe
Overview ExpressUpdate Agent for Windows provided by NEC Corporation is the software module for NEC server products, to support remote management of installed software. ExpressUpdate Agent for Windows configures its named pipe with an improper access restriction. Exposed IOCTL with Insufficient...
Stack-based buffer overflow vulnerability in Dynabook Bluetooth ACPI Drivers
Overview Bluetooth ACPI Drivers provided by Dynabook Inc. contain the following vulnerability. Stack-based buffer overflow CWE-121 - CVE-2026-35553 Andrea Monzani, Antonio Parata, and Davide Netti of University of Milan reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the...
Multiple vulnerabilities in the installer of RATOC RAID Monitoring Manager for Windows
Overview The installer of RATOC RAID Monitoring Manager for Windows provided by RATOC Systems, Inc. contains multiple vulnerabilities listed below. Uncontrolled search path element CWE-427 - CVE-2026-28760 Incorrect default permissions CWE-276 - CVE-2026-32680 Kazuma Matsumoto of GMO Cybersecurit...
Installer of OM Workspace (Windows Edition) may insecurely load Dynamic Link Libraries
Overview OM Workspace provided by OM Digital Solutions Corporation is image editing software. Installer of OM Workspace Windows Edition contains the following vulnerability with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. Uncontrolled search path element...
Vulnerability in Hitachi Command Suite
Overview VulnerabilityCVE-2025-48976 has been found in Hitachi Command Suite. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
Installer for IBM Trusteer Rapport may insecurely load Dynamic Link Libraries
Overview The installer for IBM Trusteer Rapport provided by IBM contains the following vulnerability. Uncontrolled search path element CWE-427 - CVE-2026-2713 Kazuma Matsumoto of GMO Cybersecurity by IERAE, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
Missing authorization in the OpenAI thread/message API endpoints of GROWI
Overview GROWI provided by GROWI, Inc. contains the following vulnerability. Missing authorization in the OpenAI thread/message API endpoints CWE-862 - CVE-2026-25083 This can be exploited only when an attacker knows a shared AI assistant's identifier Sho Odagiri of GMO Cybersecurity by Ierae, In...
Multiple vulnerabilities in Dell UPS Multi-UPS Management Console (MUMC)
Overview UPS Multi-UPS Management Console MUMC provided by Dell Inc. contains multiple vulnerabilities listed below. Unquoted search path or element CWE-428 - CVE-2026-26033 Incorrect default permissions CWE-276 - CVE-2026-26034 Kazuma Matsumoto of GMO Cybersecurity by IERAE, Inc. reported these...
IM-LogicDesigner module of intra-mart Accel Platform vulnerable to untrusted data deserialization
Overview IM-LogicDesigner module of intra-mart Accel Platform provided by NTT DATA INTRAMART Corporation contains the following vulnerability. Untrusted data deserialization CWE-502 - CVE-2026-27776 This can be exploited only when IM-LogicDesigner is deployed Masataka Sagami reported this...
Improper file access permission settings in the installers for multiple Soliton Systems products
Overview The installers for multiple products provided by Soliton Systems K.K. contain the following vulnerability. Incorrect default permissions CWE-276 - CVE-2026-27653 Kazuma Matsumoto of GMO Cybersecurity by IERAE, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the...
WordPress Plugin "Survey Maker" vulnerable to cross-site scripting
Overview WordPress Plugin "Survey Maker" provided by Ays Pro contains the following vulnerability. Cross-site scripting CWE-79 - CVE-2026-26370 Shogo Kumamaru of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
Installer for Job log aggregation/analysis software RICOH Job Log Aggregation Tool may insecurely load Dynamic Link Libraries
Overview The installer for Job log aggregation/analysis software RICOH Job Log Aggregation Tool contains the following vulnerability related to the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. Uncontrolled search path element CWE-427 - CVE-2026-26050 Kazuma...
Multiple Vulnerabilities in Hitachi Command Suite products
Overview Multiple vulnerabilities have been found in Hitachi Command Suite products. CVE-2024-38477, CVE-2024-2511 Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and...
Vulnerability in Cosminexus HTTP Server
Overview Vulnerability has been found in Cosminexus HTTP Server. CVE-2025-23048 This vulnerability does not apply if SSL is disabled. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official...
Installer of M-Audio M-Track Duo HD may insecurely load Dynamic Link Libraries
Overview The installer of M-Track Duo HD provided by M-Audio contains the following vulnerability with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. Uncontrolled search path element CWE-427 - CVE-2026-25676 Kazuma Matsumoto of GMO Cybersecurity by IERAE, Inc...
Oki Electric Industry products and OEM products register Windows services with unquoted file paths
Overview Configuration Tool provided by Oki Electric Industry Co., Ltd., Ricoh Co., Ltd., and Murata Machinery, Ltd. contain the following vulnerability. Unquoted search path or element CWE-428 - CVE-2026-24466 Kazuma Matsumoto of GMO Cybersecurity by IERAE, Inc. reported this vulnerability to IP...
web2py vulnerable to open redirect
Overview web2py contains the following vulnerability. Open redirect CWE-601 - CVE-2026-25198 Shiga Takuma of BroadBand Security, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact When accessing a speciall...
Multiple vulnerabilities in Movable Type
Overview Movable Type provided by Six Apart Ltd. contains multiple vulnerabilities listed below. Stored cross-site scripting vulnerability in Edit Comment CWE-79 - CVE-2026-21393 Stored cross-site scripting vulnerability in Export Sites CWE-79 - CVE-2026-22875 Unrestricted upload of file with...
Undocumented "TelnetEnable" functionality of End of Service NETGEAR products
Overview Some end of service NETGEAR products provide "TelnetEnable" functionality, which allows a magic packet to activate telnet service on the box. Inclusion of Undocumented Features or Chicken Bits CWE-1242 - CVE-2026-24714 Misato Ito, Daichi Uezono, Ryu Kuki, Iwaki Miyamoto, Takayuki Sasaki,...
Ruijie Networks AP180 series vulnerable to OS command injection
Overview AP180 series provided by Ruijie Networks Co., Ltd. contains the following vulnerability. OS command injection CWE-78 - CVE-2026-23699 Thanh Do of BabyPhD reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...
RICOH Streamline NX vulnerable to improper authorization
Overview RICOH Streamline NX provided by Ricoh Company, Ltd. contains the following vulnerability. Improper authorization CWE-639 - CVE-2026-21409 Ricoh Company, Ltd. reported this vulnerability to IPA to notify the users of its solution through JVN. JPCERT/CC and Ricoh Company, Ltd. coordinated...