Multiple vulnerabilities in GroupSession
Overview GroupSession provided by Japan Total System Co.,Ltd. contains multiple vulnerabilities listed below. Stored cross-site scripting CWE-79 - CVE-2025-53523 Stored cross-site scripting CWE-79 - CVE-2025-54407 Reflected cross-site scripting CWE-79 - CVE-2025-57883 Cross-site request forgery...
GS Yuasa FULLBACK Manager Pro registers Windows services with unquoted file paths
Overview FULLBACK Manager Pro provided by GS Yuasa International Ltd. contains the following vulnerability. Unquoted search path or element CWE-428 - CVE-2025-66461 Kazuma Matsumoto of GMO Cybersecurity by IERAE, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer...
Multiple vulnerabilities in ABB Terra AC Wallbox
Overview Terra AC Wallbox provided by ABB contains the following vulnerability. Heap-based buffer overflow CWE-122 - CVE-2025-10504 Classic buffer overflow CWE-120 - CVE-2025-12142 Stack-based buffer overflow CWE-121 - CVE-2025-12143 Ryo Kato of Panasonic reported this vulnerability to IPA...
Installer of INZONE Hub may insecurely load Dynamic Link Libraries
Overview The installer of INZONE Hub provided by Sony Corporation contains the following vulnerability with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. Uncontrolled search path element CWE-427 - CVE-2025-64772 Kazuma Matsumoto of GMO Cybersecurity by IERAE,...
SwitchBot Smart Video Doorbell vulnerable to active debug code
Overview Smart Video Doorbell provided by SwitchBot contains the following vulnerability. Active debug code CWE-489 - CVE-2025-64983 Researcher reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An attacker on ...
Multiple vulnerabilities in Security Point (Windows) of MaLion
Overview Security Point Windows of MaLion provided by Intercom, Inc. contains multiple vulnerabilities listed below. Incorrect default permissions CWE-276 - CVE-2025-59485 Stack-based buffer overflow in processing HTTP headers CWE-121 - CVE-2025-62691 Heap-based buffer overflow in processing...
Multiple vulnerabilities in SNC-CX600W
Overview SNC-CX600W provided by Sony Corporation contains multiple vulnerabilities listed below. Cross-site request forgery CWE-352 - CVE-2025-62497 Cross-site scripting CWE-79 - CVE-2025-64730 The following people reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer...
"FOD" App uses hard-coded cryptographic keys
Overview "FOD" App provided by Fuji Television Network, Inc. uses hard-coded cryptographic keys. Use of hard-coded cryptographic key CWE-321 - CVE-2025-64304 The keys are used in the processing of JWT data. Impact The cryptographic keys may be retrieved. The developer considers that the impact is...
Multiple vulnerabilities in LogStare Collector
Overview LogStare Collector provided by LogStare Inc. contains multiple vulnerabilities listed below. Incorrect default permissions for the installation directory CWE-276 - CVE-2025-58097 Stored cross-site scripting vulnerability in UserManagement CWE-79 - CVE-2025-61949 Incorrect authorization i...
EPSON WebConfig / Epson Web Control for SEIKO EPSON Projector Products do not restrict excessive authentication attempts
Overview EPSON WebConfig / Epson Web Control for SEIKO EPSON Projector Products provided by SEIKO EPSON CORPORATION contain the following vulnerability. Improper restriction of excessive authentication attempts CWE-307 - CVE-2025-64310 Vladislav Khegay and Aigerim Alibek of Astana IT University...
Installer of RakurakuMusen Start EX for Windows may insecurely load Dynamic Link Libraries
Overview Installer of RakurakuMusen Start EX for Windows provided by NEC Corporation uses an inappropriate DLL search path list, which may lead to insecurely loading Dynamic Link Libraries. Uncontrolled search path element CWE-427 - CVE-2025-12852 Impact Arbitrary code may be executed with the...
"Dejira" App for iOS vulnerable to improper server certificate verification
Overview "Dejira" App for iOS provided by KDDI CORPORATION contains the following vulnerability. Improper server certificate verification CWE-295 Tsuyoshi Ogawa of SIE Co.,Ltd reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
NCP-HG100 vulnerable to OS command injection
Overview NCP-HG100 provided by Sony Network Communications Inc. and used in MANOMA service contains the following vulnerability. OS command injection CWE-78 - CVE-2025-64444 HIROKI IMAI of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information...
Multiple vulnerabilities in GNU Libmicrohttpd
Overview GNU Libmicrohttpd provided by GNU Project contains multiple vulnerabilities listed below. NULL pointer dereference CWE-476 - CVE-2025-59777 Heap-based buffer overflow CWE-122 - CVE-2025-62689 Tatsuhiko Yasumatsu of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to...
Use of password hash with insufficient computational effort vulnerability in BUFFALO Wi-Fi router "WSR-1800AX4 series"
Overview Wi-Fi router "WSR-1800AX4 series" provided by BUFFALO INC. contains the following vulnerability. Use of password hash with insufficient computational effort CWE-916 - CVE-2025-46413 Kazuaki Chikamori and Takayuki Tatekawa of National Institute of Technology, Kochi College reported this...
CLUSTERPRO X and EXPRESSCLUSTER X vulnerable to OS command injection
Overview CLUSTERPRO X and EXPRESSCLUSTER X provided by NEC Corporation contain the following vulnerability. OS command injection CWE-78 - CVE-2025-11546 NEC Corporation reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and NEC Corporation coordinated under...
GROWI vulnerable to stored cross-site scripting
Overview GROWI provided by GROWI, Inc. contains the following vulnerability. Stored cross-site scripting CWE-79 - CVE-2025-61994 Keitaro Yamazaki of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warni...
Multiple vulnerabilities in Century Systems FutureNet MA and IP-K series
Overview FutureNet MA and IP-K series provided by Century Systems Co., Ltd. contain multiple vulnerabilities listed below. OS command injection CWE-78 - CVE-2025-54763 Files or directories accessible to external parties CWE-552 - CVE-2025-58152 Chuya Hayakawa of 00One, Inc. reported these...
Multiple Roboticsware products register Windows services with unquoted file paths
Overview Multiple Roboticsware products provided by Roboticsware PTE. LTD. contain the following vulnerability. Unquoted search path or element CWE-428 - CVE-2025-64151 Kazuma Matsumoto of GMO Cybersecurity by IERAE, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the develope...
Optical Disc Archive Software (for Windows) registers a Windows service with an unquoted file path
Overview Optical Disc Archive Software for Windows provided by Sony Corporation contains the following vulnerability. Unquoted search path or element CWE-428 - CVE-2025-62225 Kazuma Matsumoto of GMO Cybersecurity by IERAE, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the...
Progress Flowmon vulnerable to authenticated OS command injection
Overview Progress Flowmon provided by Progress Software Corporation contains the following vulnerability. Authenticated OS command injection CWE-78 - CVE-2025-10239 Kentaro Kawane of GMO Cybersecurity by Ierae reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
Installer of WTW EAGLE (for Windows) may insecurely load Dynamic Link Libraries
Overview The installer of WTW EAGLE for Windows provided by Wireless Tsukamoto Co., Ltd. contains the following vulnerability with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. Uncontrolled search path element CWE-427 - CVE-2025-62776 Kazuma Matsumoto of GMO...
MZK-DP300N uses hard-coded credentials
Overview MZK-DP300N provided by PLANEX COMMUNICATIONS INC. contains the following vulnerability. Use of hard-coded credentials CWE-798 - CVE-2025-62777 Toshiki Iwasaki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
Multiple stored cross-site scripting vulnerabilities in Pleasanter
Overview Pleasanter provided by Implem Inc. contains multiple stored cross-site scripting vulnerabilities listed below. Stored cross-site scripting vulnerability in Preview for Attachments CWE-79 - CVE-2025-58070 Stored cross-site scripting vulnerability in Body, Description and Comments CWE-79 -...
GROWI vulnerable to cross-site scripting
Overview GROWI provided by GROWI, Inc. contains the following vulnerability. Cross-site scripting in the page alert function CWE-79 - CVE-2025-54806 GROWI, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and GROWI, Inc. coordinated under the...
Multiple I-O DATA NAS management applications register Windows services with unquoted file paths
Overview Multiple NAS management applications provided by I-O DATA DEVICE, INC. register Windows services with unquoted file paths. Multiple NAS management applications provided by I-O DATA DEVICE, INC. contain the following vulnerability. Unquoted search path or element CWE-428 - CVE-2025-61865...
Multiple stored cross-site scripting vulnerabilities in Movable Type
Overview Movable Type provided by Six Apart Ltd. contains multiple stored cross-site scripting vulnerabilities listed below. Stored cross-site scripting vulnerability in Edit ContentData page CWE-79 - CVE-2025-54856 Stored cross-site scripting vulnerability in Edit CategorySet of ContentType page...
Lanscope Endpoint Manager (On-Premises) vulnerable to improper verification of source of a communication channel
Overview Lanscope Endpoint Manager On-Premises provided by MOTEX Inc. contains the following vulnerability. Improper verification of source of a communication channel CWE-940 - CVE-2025-61932 MOTEX Inc. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and...
ETERNUS SF vulnerable to incorrect default permissions
Overview ETERNUS SF provided by Fsas Technologies Inc. contains the following vulnerability. Incorrect default permissions CWE-276 - CVE-2025-62577 Fsas Technologies Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Fsas Technologies Inc...
Installer of AutoDownloader may insecurely load Dynamic Link Libraries
Overview Installer of AutoDownloader provided by Panasonic Connect Co., Ltd. contains the following vulnerability with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. Uncontrolled search path element CWE-427 - CVE-2025-11223 Kazuma Matsumoto of GMO Cybersecurity ...
Multiple vulnerabilities in desknet's NEO
Overview desknet's NEO provided by NEOJAPAN Inc. contains multiple vulnerabilities listed below. Stored cross-site scripting CWE-79 - CVE-2025-24833, CVE-2025-54760, CVE-2025-55072 Reflected cross-site scripting CWE-79 - CVE-2025-52583 Stored cross-site scripting CWE-79 - CVE-2025-54859 Improper...
Multiple vulnerabilities in ChatLuck
Overview ChatLuck provided by NEOJAPAN Inc. contains multiple vulnerabilities listed below. Cross-site scripting vulnerability in Chat Rooms CWE-79 - CVE-2025-53858 Insufficient granularity of access control vulnerability in Invitation of Guest Users CWE-1220 - CVE-2025-54461 Cross-site scripting...
Ruijie Networks RG-EST300 undocumented SSH functionality
Overview RG-EST300 provided by Ruijie Networks provides SSH server functionality. It is not documented in the manual and is enabled in the initial configuration. Hidden functionality CWE-912 - CVE-2025-58778 Ryu Kuki, Iwaki Miyamoto, Takayuki Sasaki, Katsunari Yoshioka of Yokohama National Universi...
Buffalo Wi-Fi router WXR9300BE6P series vulnerable to path traversal
Overview Wi-Fi router WXR9300BE6P series provided by BUFFALO INC. contains the following vulnerability. Path traversal CWE-22 - CVE-2025-61941 Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer. Impact Arbitrary file may be altered by ...
Multiple RSUPPORT products may insecurely load Dynamic Link Libraries
Overview Multiple RSUPPORT products contain multiple vulnerabilities listed below. RemoteView PC Application Console vulnerable to uncontrolled search path element CWE-427 - CVE-2025-26859 RemoteCall Remote Support Program for Operator vulnerable to uncontrolled search path element CWE-427 -...
Phoenix Contact CHARX SEC-3xxx vulnerable to code injection
Overview CHARX SEC-3xxx provided by Phoenix Contact contains the following vulnerability. Code injection CWE-94 - CVE-2025-41699 Ryo Kato of Panasonic Holdings Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
BUFFALO NAS Navigator2 registers a Windows service with an unquoted file path
Overview NAS Navigator2 provided by BUFFALO INC. contains the following vulnerability. Unquoted search path or element CWE-428 - CVE-2025-61871 Kazuma Matsumoto of GMO Cybersecurity by IERAE, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information...
Multiple vulnerabilities in FUJI Electric V-SFT
Overview V-SFT provided by FUJI ELECTRIC CO., LTD. contains multiple vulnerabilities listed below. Stack-based buffer overflow in VS6ComFile!CV7BaseMap::WriteV7DataToRom CWE-121 - CVE-2025-61856 Out-of-bounds write in VS6ComFile!CItemExChange::WinFontDynStrCheck CWE-787 - CVE-2025-61857...
The installers of DENSO TEN drive recorder viewer may insecurely load Dynamic Link Libraries
Overview The installers of DENSO TEN drive recorder viewer may insecurely load Dynamic Link Libraries. Uncontrolled search path element CWE-427 - CVE-2025-57781 This vulnerability is exploited by directing a user to download and place a crafted DLL file with the affected installer, and to execute...
Trend Micro Antivirus for Mac vulnerable to Local Privilege Escalation
Overview Trend Micro Incorporated has released a security update for Trend Micro Antivirus for Mac. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. Impact An unprivileged user may gain root access by exploiting a leftover file after...
Multiple vulnerabilities in multiple Keyence products
Overview Multiple products provided by KEYENCE CORPORATION contain multiple vulnerabilities listed below. Stack-based buffer overflow CWE-121 - CVE-2025-58775, CVE-2025-58776 Access of uninitialized pointer CWE-824 - CVE-2025-58777 Buffer underflow CWE-124 - CVE-2025-61690 Out-of-bounds read...
NIHON KOHDEN Central Monitor CNS-6201 vulnerable to NULL pointer dereference
Overview Central Monitor CNS-6201 provided by NIHON KOHDEN CORPORATION contains the following vulnerability. NULL pointer dereference CWE-476 - CVE-2025-59668 Jared P. Quinn of QuinnTech.ai discovered and reported the vulnerability to the developer and CISA. Cooperating with CISA, JPCERT/CC...
Multiple vulnerabilities in Canon Printer Drivers for Production Printers, Office/Small Office Multifunction Printers and Laser Printers
Overview Canon printer drivers for Production Printers, Office/Small Office Multifunction Printers and Laser Printers contain multiple vulnerabilities listed below. Out-of-bounds read CWE-125 - CVE-2025-7698 Out-of-bounds write CWE-787 - CVE-2025-9903 Reference to unallocated memory CWE-696 -...
DataSpider Servista improper restriction of XML external entity references
Overview DataSpider Servista provided by Saison Technology Co.,Ltd. is a data integration software. DataSpider Servista contains the following vulnerability. Improper restriction of XML external entity reference CWE-611 - CVE-2025-48006 Shigeaki Tsunoda of Cyber Defense Institute, Inc. reported...
OMRON SOCIAL SOLUTIONS Uninterruptible Power Supply (UPS) management application registers a Windows service with an unquoted file path
Overview Uninterruptible Power Supply UPS management application provided by OMRON SOCIAL SOLUTIONS Co., Ltd. registers a Windows service with an unquoted file path CWE-428, CVE-2025-9818. OMRON SOCIAL SOLUTIONS Co., Ltd. reported this vulnerability to JPCERT/CC to notify users of its solution...
Multiple vulnerabilities in I-O DATA wireless LAN routers
Overview Wireless LAN routers provided by I-O DATA DEVICE, INC. contain multiple vulnerabilities listed below. Hidden functionality CWE-912 - CVE-2025-55075 OS command injection CWE-78 - CVE-2025-58116 Chuya Hayakawa of 00One, Inc. reported these vulnerabilities to JPCERT/CC. JPCERT/CC coordinat...
Multiple Brother and its OEM products with weak initial administrator passwords
Overview Multiple products provided by BROTHER INDUSTRIES, LTD and other OEM vendors are set up with weak initial administrator passwords, which can be derived from their serial numbers. This is reported by Rapid7, and treated on JVNVU90043828, CVE-2024-51978. Brother states that 1 serial numbers...
UNIVERGE IX/IX-R/IX-V series routers provided by NEC Corporation vulnerable to cross-site scripting
Overview UNIVERGE IX/IX-R/IX-V series routers provided by NEC Corporation contain the following vulnerability. Cross-site scripting CWE-79 - CVE-2025-8153 RyotaK of GMO Flatt Security Inc. reported this vulnerability to NEC Corporation and coordinated. After the coordination was completed, NEC...
JVN#95938761: UNIVERGE IX/IX-R/IX-V series routers provided by NEC Corporation vulnerable to cross-site scripting
UNIVERGE IX/IX-R/IX-V series routers provided by NEC Corporation contain the following vulnerability. Cross-site scripting CWE-79 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Base Score 5.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score 6.1 CVE-2025-8153 Impact If a...
Century HW RAID Manager registers a Windows service with an unquoted file path
Overview RAID Manager provided by Century Corporation contains the following vulnerability. Unquoted search path or element CWE-428 - CVE-2025-59307 Kazuma Matsumoto of GMO Cybersecurity by IERAE, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information...