5625 matches found
Multiple Microsoft Office products vulnerable to untrusted search path
Overview Multiple Microsoft Office products contain the following vulnerability. Untrusted search path CWE-426, - CVE-2026-20943 Kazuma Matsumoto of GMO Cybersecurity by IERAE, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warni...
Multiple Brother software installers may insecurely load Dynamic Link Libraries
Overview Multiple software installers provided by Brother Industries, Ltd. may insecurely load some dynamic link libraries. Uncontrolled search path element CWE-427 - CVE-2016-2542, CVE-2021-41526 Kazuma Matsumoto of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to Brother...
Installer of INZONE Hub may insecurely load Dynamic Link Libraries
Overview The installer of INZONE Hub provided by Sony Corporation contains the following vulnerability with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. Uncontrolled search path element CWE-427 - CVE-2025-64772 Kazuma Matsumoto of GMO Cybersecurity by IERAE,...
SwitchBot Smart Video Doorbell vulnerable to active debug code
Overview Smart Video Doorbell provided by SwitchBot contains the following vulnerability. Active debug code CWE-489 - CVE-2025-64983 Researcher reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An attacker on ...
Installer of RakurakuMusen Start EX for Windows may insecurely load Dynamic Link Libraries
Overview Installer of RakurakuMusen Start EX for Windows provided by NEC Corporation uses an inappropriate DLL search path list, which may lead to insecurely loading Dynamic Link Libraries. Uncontrolled search path element CWE-427 - CVE-2025-12852 Impact Arbitrary code may be executed with the...
NCP-HG100 vulnerable to OS command injection
Overview NCP-HG100 provided by Sony Network Communications Inc. and used in MANOMA service contains the following vulnerability. OS command injection CWE-78 - CVE-2025-64444 HIROKI IMAI of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information...
CLUSTERPRO X and EXPRESSCLUSTER X vulnerable to OS command injection
Overview CLUSTERPRO X and EXPRESSCLUSTER X provided by NEC Corporation contain the following vulnerability. OS command injection CWE-78 - CVE-2025-11546 NEC Corporation reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and NEC Corporation coordinated under...
GROWI vulnerable to stored cross-site scripting
Overview GROWI provided by GROWI, Inc. contains the following vulnerability. Stored cross-site scripting CWE-79 - CVE-2025-61994 Keitaro Yamazaki of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warni...
Multiple Roboticsware products register Windows services with unquoted file paths
Overview Multiple Roboticsware products provided by Roboticsware PTE. LTD. contain the following vulnerability. Unquoted search path or element CWE-428 - CVE-2025-64151 Kazuma Matsumoto of GMO Cybersecurity by IERAE, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the develope...
ETERNUS SF vulnerable to incorrect default permissions
Overview ETERNUS SF provided by Fsas Technologies Inc. contains the following vulnerability. Incorrect default permissions CWE-276 - CVE-2025-62577 Fsas Technologies Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Fsas Technologies Inc...
The installers of DENSO TEN drive recorder viewer may insecurely load Dynamic Link Libraries
Overview The installers of DENSO TEN drive recorder viewer may insecurely load Dynamic Link Libraries. Uncontrolled search path element CWE-427 - CVE-2025-57781 This vulnerability is exploited by directing a user to download and place a crafted DLL file with the affected installer, and to execute...
Multiple vulnerabilities in Canon Printer Drivers for Production Printers, Office/Small Office Multifunction Printers and Laser Printers
Overview Canon printer drivers for Production Printers, Office/Small Office Multifunction Printers and Laser Printers contain multiple vulnerabilities listed below. Out-of-bounds read CWE-125 - CVE-2025-7698 Out-of-bounds write CWE-787 - CVE-2025-9903 Reference to unallocated memory CWE-696 -...
Multiple vulnerabilities in I-O DATA wireless LAN routers
Overview Wireless LAN routers provided by I-O DATA DEVICE, INC. contains multiple vulnerabilities listed below. Hidden functionality CWE-912 - CVE-2025-55075 OS command injection CWE-78 - CVE-2025-58116 Chuya Hayakawa of 00One, Inc. reported these vulnerabilities to JPCERT/CC. JPCERT/CC coordinat...
Multiple Brother and its OEM products with weak initial administrator passwords
Overview Multiple products provided by BROTHER INDUSTRIES, LTD and other OEM vendors are setup with weak initial administrator passwords, which can be derived from their serial numbers. This is reported by Rapid7, and treated on JVNVU90043828, CVE-2024-51978. Brother states that 1 serial numbers...
Century HW RAID Manager registers a Windows service with an unquoted file path
Overview RAID Manager provided by Century Corporation contains the following vulnerability. Unquoted search path or element CWE-428 - CVE-2025-59307 Kazuma Matsumoto of GMO Cybersecurity by IERAE, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information...
RICOH Streamline NX vulnerable to tampering with operation history
Overview RICOH Streamline NX provided by Ricoh Company, Ltd. contains the following vulnerability. Use of Less Trusted Source CWE-348 - CVE-2025-58422 Ricoh Company, Ltd. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and Ricoh Company, Ltd. coordinated...
Multiple vulnerabilities in TkEasyGUI
Overview TkEasyGUI provided by kujirahand contains multiple vulnerabilities listed below. OS command injection CWE-78 - CVE-2025-55037 Uncontrolled search path element CWE-427 - CVE-2025-55671 Satoki Tsuji of Ikotas Labs, Inc. reported these vulnerabilities to IPA. JPCERT/CC coordinated with the...
Web Caster V130 vulnerable to cross-site request forgery
Overview Web Caster V130 provided by NTT EAST, Inc. and NTT WEST, Inc. is a 050IP telephony-enabled broadband router. Web Caster V130 contains the following vulnerability. Cross-site request forgery CWE-352 - CVE-2025-58272 Kentaro Ishii of GMO Cybersecurity by Ierae, Inc. reported this...
Multiple vulnerabilities in multiple iND products
Overview Multiple products provided by iND Co.,Ltd contain multiple vulnerabilities listed below. Insecure storage of sensitive information CWE-922 - CVE-2025-53507 OS command injection CWE-78 - CVE-2025-53508 HL330-DLS, HL320-DLS Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported...
Trend Micro Endpoint security products for enterprises vulnerable to multiple OS command injection
Overview Trend Micro Endpoint security products for enterprises contain the following vulnerabilities. OS command injection vulnerability in the management console CWE-78 - CVE-2025-54948, CVE-2025-54987 Trend Micro Incorporated has reported that attacks exploiting CVE-2025-54948 have been observ...
ZXHN-F660T and ZXHN-F660A use a common credential for all installations
Overview ZXHN-F660T and ZXHN-F660A provided by ZTE Japan. K.K. are ONU Optical Network Unit. ZXHN-F660T and ZXHN-F660A contain the following vulnerability. Use a common credential for all installations CWE-1391 - CVE-2025-53558 Yuuki Miyata of YuukiJapanTech reported this vulnerability to IPA...
TP-Link VIGI NVR1104H-4P and VIGI NVR2016H-16MP vulnerable to OS command injection
Overview VIGI NVR1104H-4P and VIGI NVR2016H-16MP provided by TP-Link Systems Inc. contain multiple vulnerabilities listed below. OS command injection CWE-78 - CVE-2025-7723, CVE-2025-7724 Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the...
Real-time Bus Tracking System vulnerable to improper validation of specified quantity in input
Overview Real-time Bus Tracking System provided by SYNCK GRAPHICA contains the following vulnerability. Improper validation of specified quantity in input CWE-1284 - CVE-2025-43881 n3ddih reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early...
"region PAY" App for Android vulnerable to insertion of sensitive information into log file
Overview "region PAY" App for Android provided by Gift Pad Co.,Ltd. contains the following vulnerability. Insertion of sensitive information into log file CWE-532 - CVE-2025-52580 Kubo Naoki reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security...
Least Privilege Violation Vulnerability in the communications functions of NJ/NX series Machine Automation Controllers
Overview Least privilege violation vulnerability CWE-272 exists in the communication function between the NJ/NX-series Machine Automation Controllers and the Sysmac Studio Software provided by OMRON Corporation. - CVE-2025-1384 OMRON Corporation reported this vulnerability to JPCERT/CC to notify...
Multiple vulnerabilities in Trend Micro Password Manager for Windows (CVE-2025-48443, CVE-2025-52837)
Overview Trend Micro Incorporated has released a security update for Trend Micro Password Manager for Windows. Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN. Impact Arbitrary files may be deleted during the product installation d...
Multiple vulnerabilities in TB-eye network recorders and AHD recorders
Overview Network recorders and AHD recorders provided by TB-eye Ltd. contain multiple vulnerabilities listed below. OS command injection CWE-78 - CVE-2025-36529 Classic buffer overflow CWE-120 - CVE-2025-41418 Chuya Hayakawa and Ryo Kamino of 00One, Inc. reported these vulnerabilities to JPCERT/C...
UpdateNavi vulnerable to improper restriction of communication channel to intended endpoints
Overview UpdateNavi provided by Fujitsu Client Computing Limited contains the following vulnerability. Improper restriction of communication channel to intended endpoints CWE-923 Shu Yoshikoshi of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
Improper file access permission settings in PC Time Tracer
Overview PC Time Tracer provided by Keiyo System Co., LTD contains a vulnerability listed below. Incorrect default permissions CWE-276 - CVE-2025-46355 Ruslan Sayfiev and Masahiro Kawada of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the develop...
Improper pattern file validation in i-FILTER optional feature 'Anti-Virus & Sandbox'
Overview The optional feature 'Anti-Virus & Sandbox' of i-FILTER provided by Digital Arts Inc. validates pattern files improperly. Improper pattern file validation CWE-348 - CVE-2025-47149 Digital Arts Inc. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC...
Passback vulnerabilities in Canon Production Printers, Office/Small Office Multifunction Printers, and Laser Printers
Overview Production Printers, Office/Small Office Multifunction Printers, and Laser Printers provided by Canon Inc. do not implement sufficient protection on credential information CWE-522. CVE-2025-3078, CVE-2025-3079 Canon Inc. reported these vulnerabilities to JPCERT/CC to notify users of the...
Multiple vulnerabilities in a-blog cms
Overview a-blog cms provided by appleple inc. contains multiple vulnerabilities listed below. Path traversal CWE-22 CVE-2025-27566 This is an issue with insufficient path validation in the backup feature, and exploitation requires the administrator privilege Cross-site scripting CWE-79...
Reflected cross-site scripting vulnerability in multiple laser printers and MFPs which implement Ricoh Web Image Monitor
Overview Web Image Monitor provided by Ricoh Company, Ltd. is an web server included and runs in laser printers and MFPs multifunction printers. Web Image Monitor contains the vulnerability listed below. Reflected cross-site scripting CWE-79 - CVE-2025-41393 Juan Pablo Gomez Postigo of Sprocket...
TP-Link Deco BE65 Pro vulnerable to OS command injection
Overview Deco BE65 Pro provided by TP-LINK contains an OS command injection vulnerability CWE-78. Chuya Hayakawa and Ryo Kamino of 00One, Inc. reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer. Impact An arbitrary OS command may be executed by the user who can log...
Multiple vulnerabilities in Inaba Denki Sangyo Wi-Fi AP UNIT 'AC-WPS-11ac series'
Overview Wi-Fi AP UNIT 'AC-WPS-11ac series' provided by Inaba Denki Sangyo Co., Ltd. contain multiple vulnerabilities listed below. Incorrect privilege assignment in the WEB UI the setting page CWE-266 - CVE-2025-23407 OS command injection in the WEB UI the setting page CWE-78 - CVE-2025-25053...
WinRAR vulnerable to the symbolic link based "Mark of the Web" check bypass
Overview WinRAR provided by RARLAB contains a vulnerability that bypasses the "Mark of the Web" CWE-356 security warning function for files when opening a symbolic link that points to an executable file. In the initial Windows configuration, only administrators have the privilege to create symbol...
a-blog cms vulnerable to untrusted data deserialization
Overview a-blog cms provided by appleple inc. contains untrusted data deserialization vulnerability CWE-502. The developer states that attacks exploiting the vulnerability has been observed on a-blog cms Ver.2.8.x series or later. appleple inc. reported this vulnerability to JPCERT/CC to notify...
Multiple vulnerabilities in PowerCMS
Overview PowerCMS provided by Alfasado Inc. contains multiple vulnerabilities listed below. Injection CWE-74 - CVE-2025-29993 Dependency on vulnerable third-party component CWE-1395 - CVE-2021-21252 Alfasado Inc. reported this vulnerability to IPA to notify users of its solution through JVN...
hostapd vulnerable to improper processing of RADIUS packets
Overview hostapd provided by Jouni Malinen fails to process crafted RADIUS packets properly CWE-826. KUSABA Takeshi of Internet Initiative Japan Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact When...
Multiple vulnerabilities in RemoteView Agent (for Windows)
Overview RemoteView allows a local PC to connect and control remote PCs through the cloud service provided by RSUPPORT Co.,Ltd. On the remote PCs should be installed RemoteView Agent. The following vulnerabilities are reported on RemoteView Agent installation. Incorrect access permission of a...
Out-of-bounds write vulnerability in FUJIFILM Business Innovation Corp. MFPs
Overview Multiple MFPs multifunction printers provided by FUJIFILM Business Innovation Corp. contain an out-of-bounds vulnerability CWE-787, CVE-2024-45320 due to a flaw in verifying the length of data. Jia-Ju Bai, Rui-Nan Hu, Cheng Li, Dong Zhang, Yu-Chen Sun, Wen-Han Xu, Zhen-Yu Guan, and...
Clickjacking Vulnerability in JP1/ServerConductor/Deployment Manager
Overview A Clickjacking Vulnerability was found in JP1/ServerConductor/Deployment Manager. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
Multiple out-of-bounds write vulnerabilities in Canon Office/Small Office Multifunction Printers and Laser Printers
Overview Office/Small Office Multifunction Printers and Laser Printers provided by Canon Inc. contain multiple out-of-bounds write vulnerabilities CWE-787, CVE-2024-12647, CVE-2024-12648, CVE-2024-12649, CVE-2025-2146. Canon Inc. reported these vulnerabilities to JPCERT/CC to notify users of the...
Linux Ratfor vulnerable to stack-based buffer overflow
Overview Linux Ratfor provided by the Dimensional Gate contains a stack-based buffer overflow vulnerability CWE-121. Yuhei Kawakoya of NTT Social Informatics Laboratories / NTT Security Holdings Corporation reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer. Impact...
Multiple vulnerabilities in SHARP routers
Overview SHARP routers contain multiple vulnerabilities listed below. OS command injection vulnerability in the HOST name configuration screen CWE-78 - CVE-2024-45721 The hidden debug function is enabled CWE-489 - CVE-2024-46873 Buffer overflow vulnerability in the hidden debug function CWE-120 -...
Multiple vulnerabilities in Rakuten Turbo 5G
Overview Rakuten Turbo 5G provided by Rakuten Mobile, Inc. contains multiple vulnerabilities listed below. Missing authentication for critical function CWE-306 - CVE-2024-47865 OS command injection CWE-78 - CVE-2024-48895 Exposure of sensitive system information to an unauthorized control sphere...
REST-APIs unintentionally enabled in Century Systems FutureNet NXR series routers
Overview FutureNet NXR series routers provided by Century Systems Co., Ltd. have REST-APIs, which are configured as disabled in the initial factory default configuration. But, REST-APIs are unexpectedly enabled when the affected product is powered up, provided either http-server GUI or Web...
Multiple vulnerabilities in AIPHONE IX SYSTEM, IXG SYSTEM, and System Support Software
Overview AIPHONE IX SYSTEM is an IP Network Audio-Video Intercom and IXG SYSTEM is an IP-based Residential System. IX SYSTEM, IXG SYSTEM, and System Support Software contain multiple vulnerabilities listed below. OS command injection CWE-78 - CVE-2024-31408 Insufficiently protected credentials...
MUSASI version 3 performing authentication on client-side
Overview MUSASI provided by NEUMANN CO.LTD. is an e-learning system for driving schools. MUSASI version 3 performs authentication within the client-side code CWE-603, and the client in pre-authentication state retrieves the credential information from the server just when a user ID is input. This...
SNMP service is enabled by default in Sharp NEC Display Solutions projectors
Overview Multiple projectors provided by Sharp NEC Display Solutions, Ltd. are configured with SNMP service enabled by default, therefore can be accessed by specifying SNMP community name "public" CWE-1242 ,CVE-2024-7011. SNMP service configuration enable/disable cannot be changed on the manageme...