|
CVE-2026-46392
|
|
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0 of HAX CMS PHP, the `saveFile` endpoint validates upload extensions case-insensitively and writes the filen...
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0 of HAX CMS PHP, the `saveFile` endpoint validates upload extensions case-insensitively and writes the filename to disk verbatim, but the `.htaccess` rule that forces `Content-Disposition: attachment` on HTML...
|
High
|
PHP
JavaScript
Cwe 178
Cwe 434
+1
|
1ヶ月前
|
|
CVE-2026-10777
|
|
A vulnerability was identified in ealpha072 Student-Management-System up to...
A vulnerability was identified in ealpha072 Student-Management-System up to...
|
High
|
PHP
Cwe 287
リモートコード実行 (RCE)
|
1ヶ月前
|
|
CVE-2026-10771
|
|
A vulnerability was found in crmeb crmeb_java 1.4. Affected is the function RestTemplate...
A vulnerability was found in crmeb crmeb_java 1.4. Affected is the function RestTemplate...
|
High
|
Java
Cwe 918
SSRF (サーバーサイドリクエストフォージェリ)
|
1ヶ月前
|
|
CVE-2026-49120
|
|
Medplum before 5.1.14 contains a server-side request forgery vulnerability in the subscription...
Medplum before 5.1.14 contains a server-side request forgery vulnerability in the subscription...
|
High
|
Cwe 918
SSRF (サーバーサイドリクエストフォージェリ)
Web Application
Fhir
|
1ヶ月前
|
|
CVE-2026-42211
|
|
React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE
React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE
|
High
|
React
リモートコード実行 (RCE)
CWE-502: 安全でないデシリアライゼーション
Remote Code Execution
+3
|
1ヶ月前
|
|
CVE-2026-33245
|
|
React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets
React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets
|
High
|
React
クロスサイトスクリプティング (XSS)
CWE-79: クロスサイトスクリプティング (XSS)
Shopify
+1
|
1ヶ月前
|
|
CVE-2026-1829
|
|
The Content Visibility for Divi Builder plugin for WordPress is vulnerable to Remote Code...
The Content Visibility for Divi Builder plugin for WordPress is vulnerable to Remote Code...
|
High
|
WordPress
リモートコード実行 (RCE)
CWE-94: コードインジェクション
PHP
|
1ヶ月前
|
|
CVE-2026-28299
|
|
SolarWinds Web Help Desk is found to be affected by a denial-of-service vulnerability, which when...
SolarWinds Web Help Desk is found to be affected by a denial-of-service vulnerability, which when...
|
High
|
Cwe 770
サービス拒否 (DoS)
Solarwinds
Web Help Desk
|
1ヶ月前
|
|
CVE-2026-7195
|
|
CWE-20: Improper Input Validation in web services in Progress Sitefinity 14.1.x through 14.3.x,...
CWE-20: Improper Input Validation in web services in Progress Sitefinity 14.1.x through 14.3.x,...
|
High
|
CWE-20: 入力検証の不備
Web Services
リモートコード実行 (RCE)
PHP
+2
|
1ヶ月前
|
|
CVE-2026-7201
|
|
CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity...
CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity...
|
High
|
Cwe 639
認証バイパス
Progress
Sitefinity
|
1ヶ月前
|
|
CVE-2026-7313
|
|
CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from...
CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from...
|
High
|
Cwe 522
リモートコード実行 (RCE)
PHP
Progress
+1
|
1ヶ月前
|
|
CVE-2026-39552
|
|
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File...
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File...
|
High
|
PHP
Cwe 98
WordPress
リモートコード実行 (RCE)
+1
|
1ヶ月前
|
|
CVE-2026-39555
|
|
Deserialization of Untrusted Data vulnerability in Elated-Themes Askka allows Object Injection.
...
Deserialization of Untrusted Data vulnerability in Elated-Themes Askka allows Object Injection.
...
|
High
|
安全でないデシリアライゼーション
CWE-502: 安全でないデシリアライゼーション
WordPress
PHP
|
1ヶ月前
|
|
CVE-2025-68886
|
|
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File...
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File...
|
High
|
PHP
Cwe 98
WordPress
リモートコード実行 (RCE)
|
1ヶ月前
|
|
CVE-2025-69369
|
|
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File...
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File...
|
High
|
PHP
Cwe 98
WordPress
ローカルファイル インクルージョン
|
1ヶ月前
|
|
CVE-2024-21182
KEV
|
|
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core)...
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core)...
|
High
|
Oracle Weblogic
リモートコード実行 (RCE)
CWE-94: コードインジェクション
C
+2
|
1ヶ月前
|
|
CVE-2026-48557
|
|
Spatie Laravel Media Library contains a file upload restriction bypass
Spatie Laravel Media Library contains a file upload restriction bypass
|
High
|
PHP
Laravel
Apache
Cwe 184
|
1ヶ月前
|
|
CVE-2026-49368
|
|
In JetBrains YouTrack before 2026.1.13162 stored XSS in project notification templates was possible
In JetBrains YouTrack before 2026.1.13162 stored XSS in project notification templates was possible
|
High
|
クロスサイトスクリプティング (XSS)
CWE-79: クロスサイトスクリプティング (XSS)
Jetbrains
High Severity
+1
|
1ヶ月前
|
|
CVE-2026-45555
|
|
csharp に コードインジェクション (CVE-2026-45555)
csharp に コードインジェクション (CVE-2026-45555) が存在。悪用されるとシステム全体を乗っ取られる可能性があります。``get_diagnostics`` 経由で攻撃可能。対策: `1.17.0` 以上に更新。
|
High
|
C#
CWE-94: コードインジェクション
リモートコード実行 (RCE)
|
1ヶ月前
|
|
CVE-2026-45615
|
|
c の脆弱性 (CVE-2026-45615)
c に 脆弱性 (CVE-2026-45615) が存在。不正な操作・情報露出のリスクがあります。``INTEGER_decode_oer`` 経由で攻撃可能。
|
High
|
C
サービス拒否 (DoS)
CWE-20: 入力検証の不備
Cwe 125
+5
|
1ヶ月前
|
|
CVE-2026-44698
|
|
CVE-2026-44698 に コードインジェクション (CVE-2026-44698)
CVE-2026-44698 に コードインジェクション (CVE-2026-44698) が存在。悪用されるとシステム全体を乗っ取られる可能性があります。``window.externalApp`` 経由で攻撃可能。対策: `2026.4.1` 以上に更新。
|
High
|
JavaScript
CWE-94: コードインジェクション
Cwe 346
Cwe 749
+3
|
1ヶ月前
|
|
CVE-2026-10073
|
|
path-traversal の脆弱性 (CVE-2026-10073)
path-traversal に 脆弱性 (CVE-2026-10073) が存在。機密情報が外部に流出する可能性があります。
|
High
|
パストラバーサル
Cwe 23
|
1ヶ月前
|
|
CVE-2026-4776
|
|
Mautic has SQL Injection in API Contact Filtering
Mautic has SQL Injection in API Contact Filtering
|
High
|
SQLインジェクション
CWE-89: SQLインジェクション
|
1ヶ月前
|
|
CVE-2025-11262
|
|
The Link Whisper Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the...
The Link Whisper Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the...
|
High
|
WordPress
クロスサイトスクリプティング (XSS)
CWE-79: クロスサイトスクリプティング (XSS)
PHP
|
1ヶ月前
|
|
CVE-2026-42760
|
|
Authentication Bypass Using an Alternate Path or Channel vulnerability in revmakx Backup and...
Authentication Bypass Using an Alternate Path or Channel vulnerability in revmakx Backup and...
|
High
|
WordPress
認証バイパス
Cwe 288
|
1ヶ月前
|
|
CVE-2026-42762
|
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')...
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')...
|
High
|
クロスサイトスクリプティング (XSS)
CWE-79: クロスサイトスクリプティング (XSS)
WordPress
PHP
|
1ヶ月前
|
|
CVE-2026-42746
|
|
Insertion of Sensitive Information Into Sent Data vulnerability in ZAYTECH Smart Online Order for...
Insertion of Sensitive Information Into Sent Data vulnerability in ZAYTECH Smart Online Order for...
|
High
|
Cwe 201
PHP
WordPress
|
1ヶ月前
|
|
CVE-2026-42753
|
|
Missing Authorization vulnerability in WC Lovers WCFM Membership wc-multivendor-membership allows...
Missing Authorization vulnerability in WC Lovers WCFM Membership wc-multivendor-membership allows...
|
High
|
Cwe 862
WordPress
認証バイパス
|
1ヶ月前
|
|
CVE-2026-42735
|
|
Authentication Bypass Using an Alternate Path or Channel vulnerability in Iqonic Design KiviCare...
Authentication Bypass Using an Alternate Path or Channel vulnerability in Iqonic Design KiviCare...
|
High
|
認証バイパス
Cwe 288
WordPress
PHP
|
1ヶ月前
|
|
CVE-2026-42736
|
|
Authorization Bypass Through User-Controlled Key vulnerability in wordplus BP Better Messages bp...
Authorization Bypass Through User-Controlled Key vulnerability in wordplus BP Better Messages bp...
|
High
|
Cwe 639
WordPress
IDOR (安全でない直接オブジェクト参照)
|
1ヶ月前
|
|
CVE-2026-42737
|
|
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in...
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in...
|
High
|
パストラバーサル
CWE-22: パストラバーサル
WordPress
PHP
|
1ヶ月前
|
|
CVE-2026-42745
|
|
Authentication Bypass Using an Alternate Path or Channel vulnerability in ZAYTECH Smart Online...
Authentication Bypass Using an Alternate Path or Channel vulnerability in ZAYTECH Smart Online...
|
High
|
認証バイパス
Cwe 288
WordPress
PHP
|
1ヶ月前
|
|
CVE-2026-42730
|
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')...
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')...
|
High
|
SQLインジェクション
CWE-89: SQLインジェクション
WordPress
PHP
|
1ヶ月前
|
|
CVE-2026-2253
|
|
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.7 and 11.0.0.0,...
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.7 and 11.0.0.0,...
|
High
|
Cwe 611
クロスサイトスクリプティング (XSS)
Xml
Hitachi
+1
|
1ヶ月前
|
|
CVE-2026-5260
|
|
A flaw was found in libgnutls. A remote attacker, by sending an extremely short premaster secret...
A flaw was found in libgnutls. A remote attacker, by sending an extremely short premaster secret...
|
High
|
Cwe 1284
TLS/SSL
リモートコード実行 (RCE)
Cwe 126
|
1ヶ月前
|
|
CVE-2026-9584
|
|
A security vulnerability has been detected in code-projects Project Management System 1.0....
A security vulnerability has been detected in code-projects Project Management System 1.0....
|
High
|
PHP
SQLインジェクション
Cwe 74
CWE-89: SQLインジェクション
+2
|
1ヶ月前
|
|
CVE-2026-42013
|
|
A flaw was found in gnutls. When validating certificates, an oversized Subject Alternative Name ...
A flaw was found in gnutls. When validating certificates, an oversized Subject Alternative Name ...
|
High
|
Cwe 1284
Gnutls
認証バイパス
Cwe 295
|
1ヶ月前
|
|
CVE-2026-27891
|
|
FacturaScripts is an open source accounting and invoicing software. Versions 2026 and below contain a critical vulnerability in the Plugins::add() function. The system fails to properly validate the f...
FacturaScripts is an open source accounting and invoicing software. Versions 2026 and below contain a critical vulnerability in the Plugins::add() function. The system fails to properly validate the file paths within uploaded ZIP archives. This allows an attacker to perform a Zip Slip attack, leadin...
|
High
|
PHP
リモートコード実行 (RCE)
パストラバーサル
CWE-20: 入力検証の不備
+2
|
1ヶ月前
|
|
CVE-2026-46367
|
|
Duplicate Advisory: phpMyFAQ: Stored XSS via Utils::parseUrl() in comment rendering
Duplicate Advisory: phpMyFAQ: Stored XSS via Utils::parseUrl() in comment rendering
|
High
|
JavaScript
クロスサイトスクリプティング (XSS)
CWE-79: クロスサイトスクリプティング (XSS)
PHP
+1
|
1ヶ月前
|
|
CVE-2026-46359
|
|
phpMyFAQ has SQL Injection in CurrentUser::setTokenData through unescaped OAuth token fields
phpMyFAQ has SQL Injection in CurrentUser::setTokenData through unescaped OAuth token fields
|
High
|
SQLインジェクション
CWE-89: SQLインジェクション
phpMyFAQ
PHP
+1
|
1ヶ月前
|
|
CVE-2026-46366
|
|
phpMyFAQ has unauthenticated FAQ permission bypass via getFaqBySolutionId fallback query
phpMyFAQ has unauthenticated FAQ permission bypass via getFaqBySolutionId fallback query
|
High
|
Cwe 863
phpMyFAQ
PHP
認証バイパス
|
1ヶ月前
|
|
CVE-2021-47966
|
|
PHP Timeclock 1.04 contains time-based and boolean-based blind SQL injection vulnerabilities in...
PHP Timeclock 1.04 contains time-based and boolean-based blind SQL injection vulnerabilities in...
|
High
|
PHP
SQLインジェクション
CWE-89: SQLインジェクション
|
1ヶ月前
|
|
CVE-2021-47959
|
|
WordPress Plugin WPGraphQL 1.3.5 contains a denial of service vulnerability that allows...
WordPress Plugin WPGraphQL 1.3.5 contains a denial of service vulnerability that allows...
|
High
|
WordPress
サービス拒否 (DoS)
Cwe 770
PHP
|
1ヶ月前
|
|
CVE-2021-47963
|
|
Anote 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to...
Anote 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to...
|
High
|
JavaScript
リモートコード実行 (RCE)
クロスサイトスクリプティング (XSS)
CWE-79: クロスサイトスクリプティング (XSS)
+2
|
1ヶ月前
|
|
CVE-2026-4094
|
|
The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to...
The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to...
|
High
|
WordPress
Cwe 862
PHP
CSRF (クロスサイトリクエストフォージェリ)
|
1ヶ月前
|
|
CVE-2026-46445
|
|
SOGo before 5.12.7, when PostgreSQL is used, allows SQL injection.
SOGo before 5.12.7, when PostgreSQL is used, allows SQL injection.
|
High
|
SQLインジェクション
CWE-89: SQLインジェクション
PostgreSQL
|
1ヶ月前
|
|
CVE-2026-46446
|
|
SOGo before 5.12.7, when PostgreSQL or MariaDB is used, and cleartext passwords are stored,...
SOGo before 5.12.7, when PostgreSQL or MariaDB is used, and cleartext passwords are stored,...
|
High
|
SQLインジェクション
CWE-89: SQLインジェクション
MariaDB
PostgreSQL
|
1ヶ月前
|
|
CVE-2026-8321
|
|
A vulnerability was detected in inkeep agents 0.58.14. This vulnerability affects the function...
A vulnerability was detected in inkeep agents 0.58.14. This vulnerability affects the function...
|
High
|
認証バイパス
Cwe 287
Cwe 288
TypeScript
|
1ヶ月前
|
|
CVE-2026-45223
|
|
Crabbox before 0.9.0 contains an authentication bypass vulnerability in the coordinator user...
Crabbox before 0.9.0 contains an authentication bypass vulnerability in the coordinator user...
|
High
|
C
認証バイパス
Cwe 290
|
1ヶ月前
|
|
CVE-2026-45224
|
|
Crabbox contains a path traversal vulnerability in the Islo provider's workspace path resolution
Crabbox contains a path traversal vulnerability in the Islo provider's workspace path resolution
|
High
|
パストラバーサル
CWE-22: パストラバーサル
|
1ヶ月前
|