Secure Gatev1.0.0新着セキュリティニュース バックナンバー

新着セキュリティニュース バックナンバー

直近表示から外れた情報を確認できます。診断結果とは別情報として扱います。

総件数212151件
表示件数50件/ページ
ページ121

CVE-2026-39445

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Unauthenticated PHP Object Injection in Alukas < 3.0.0 versions.

CVE-2026-39442

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Unauthenticated PHP Object Injection in PressMart <= 1.2.26 versions.

CVE-2026-10641

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Zephyr's Bluetooth Classic Hands-Free Profile (HFP) Hands-Free role parser (subsys/bluetooth/host/classic/hfp_hf.c) contains an out-of-bounds write. During Service Level Connection setup the HF sends AT+CIND=? and parses the AG's +CIND: response in cind_handle(), which assigns a per-entry counter index and calls cind_handle_values() for each list element. cind_handle_values() then wrote hf-ind_table[index] = i without verifying that index is within the 20-element int8_t ind_table[] array of struct bt_hfp_hf. Because the parser places no cap on the number of +CIND: list entries, a remote Attendant Gateway (a malicious, compromised, or spoofed peer the device connects to over Bluetooth) can send a response with more than 20 recognized indicator entries and drive index arbitrarily large, writing a small attacker-positioned value past the array into adjacent struct fields (feature masks, SDP/version state, the calls[] array, work/atomic bookkeeping) and potentially beyond the static connection pool slot. This yields memory corruption and at least denial of service of the Bluetooth host, triggered by a single malformed AT response with no user interaction. The sibling consumer ag_indicator_handle_values() already performed the equivalent bounds check; this commit adds the same index = ARRAY_SIZE(hf-ind_table) guard to close the gap. Affects builds with CONFIG_BT_HFP_HF enabled; introduced with the original HFP HF CIND parser (~v1.7) and present through v4.4.0.

CVE-2025-69189

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Missing Authorization vulnerability in EMV JobBank allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JobBank: from n/a through 1.2.3.

CVE-2025-69175

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Unauthenticated Local File Inclusion in Line Agency <= 1.3.1 versions.

CVE-2025-69174

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Unauthenticated Local File Inclusion in Etude <= 1.6 versions.

CVE-2025-69170

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Unauthenticated Local File Inclusion in Eventicity <= 1.5 versions.

CVE-2025-69166

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Unauthenticated Local File Inclusion in Gunslinger <= 1.7 versions.

CVE-2025-69164

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Unauthenticated Local File Inclusion in Skyward <= 1.10 versions.

CVE-2025-69158

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Unauthenticated Local File Inclusion in Granola <= 1.13 versions.

CVE-2025-69157

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Unauthenticated Local File Inclusion in Gamic <= 1.15 versions.

CVE-2025-69144

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Unauthenticated Local File Inclusion in Preservation <= 1.10 versions.

CVE-2025-69140

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Unauthenticated Cross Site Scripting (XSS) in SweetDate Core < 1.1.5 versions.

CVE-2025-69130

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Subscriber PHP Object Injection in Entrepreneur - Booking for Small Businesses WordPress Theme <= 3.1.3 versions.

CVE-2025-69128

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in EMV JobCareer allows Path Traversal. This issue affects JobCareer: from n/a through 7.3.

CVE-2025-69127

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Unauthenticated PHP Object Injection in Plumbing <= 1.6 versions.

CVE-2025-69126

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Unauthenticated Local File Inclusion in Fortius <= 2.3.0 versions.

CVE-2025-69123

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Unauthenticated Local File Inclusion in Snow Club <= 1.1 versions.

CVE-2025-69120

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Unauthenticated Local File Inclusion in Dazzle <= 1.0.0 versions.

CVE-2025-69115

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Unauthenticated Local File Inclusion in LuxMed | Medicine & Healthcare Doctor WordPress Theme <= 1.2.2 versions.

CVE-2025-69111

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Unauthenticated PHP Object Injection in Reisen <= 1.4.1 versions.

CVE-2025-69106

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Unauthenticated Local File Inclusion in Imba <= 1.5.0 versions.

CVE-2025-68524

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Unauthenticated Cross Site Scripting (XSS) in Avante < 3.0.5 versions.

CVE-2025-66391

Threat Intelligence NVD CVE 危険度: high 緊急度: high

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write operations, e.g., the system will send a one-time password to an attacker-controlled email address when the attacker attempts to reset the password of a user account.

CVE-2025-60236

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Deserialization of Untrusted Data vulnerability in EMV Creatify allows Object Injection. This issue affects Creatify: from n/a through 1.5.

CVE-2025-60231

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Deserialization of Untrusted Data vulnerability in EMV The Hospital nrghospital allows Object Injection. This issue affects The Hospital: from n/a through 1.8.1.

CVE-2025-60230

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Deserialization of Untrusted Data vulnerability in Themeton The Barber Shop allows Object Injection. This issue affects The Barber Shop: from n/a through 1.9.

CVE-2025-60229

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Deserialization of Untrusted Data vulnerability in Themeton Lagom allows Object Injection. This issue affects Lagom: from n/a through 2.0.

CVE-2025-59554

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Unauthenticated SQL Injection in Advanced Ads – Tracking < 3.0.7 versions.

CVE-2025-15657

Threat Intelligence NVD CVE 危険度: medium 緊急度: medium

Unauthenticated Insecure Direct Object References (IDOR) in School Management <= 93.1.0 versions.

CVE-2026-9690

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Unauthenticated Arbitrary File Download in WP Media folder Addon <= 4.0.1 versions.

CVE-2026-9570

Threat Intelligence NVD CVE 危険度: high 緊急度: high

The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline JavaScript on a frontend page containing one of its shortcodes, leading to a Reflected Cross-Site Scripting vulnerability that can be triggered against any logged-in user.

CVE-2026-8607

Threat Intelligence NVD CVE 危険度: medium 緊急度: medium

The Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wrap' Shortcode Attribute in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2026-8494

Threat Intelligence NVD CVE 危険度: medium 緊急度: medium

The Permalink Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in the admin URI Editor interface in all versions up to, and including, 2.5.3.3 due to insufficient output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in the admin Permalink Manager page that will execute whenever an administrator accesses the Permalink Manager page.

CVE-2026-8383

Threat Intelligence NVD CVE 危険度: medium 緊急度: medium

The LearnPress WordPress plugin before 4.3.7 does not gate the `edit` context on one of its REST endpoint behind the `edit_users` capability, allowing unauthenticated visitors to retrieve each returned user's roles, full capabilities map, extra capabilities, locale, and registration date via a crafted request

CVE-2026-8317

Threat Intelligence NVD CVE 危険度: medium 緊急度: medium

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

CVE-2026-8089

Threat Intelligence NVD CVE 危険度: high 緊急度: high

The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin before 2.1.3 does not properly escape a user-supplied parameter before reflecting it into an HTML attribute on a non-nonce-protected AJAX response, allowing unauthenticated attackers to deliver Reflected Cross-Site Scripting against any authenticated user (including administrators) via a crafted URL.

CVE-2026-7850

Threat Intelligence NVD CVE 危険度: medium 緊急度: medium

The WP Magnific Popup WordPress plugin through 1.0 does not properly escape user-controlled link URLs before injecting them into the DOM when displaying image load error messages, allowing authenticated attackers with Author-level access or above to perform Stored Cross-Site Scripting attacks against any visiting user.

CVE-2026-5667

Threat Intelligence NVD CVE 危険度: medium 緊急度: medium

Use of Hard-coded Credentials vulnerability in Mitsubishi Electric Room Air Conditioners (for Japan and outside Japan); Wireless LAN Adapters for Room Air Conditioners (for Japan and outside Japan); Wireless LAN Adapters for Packaged Air Conditioners (for Japan and outside Japan); Refrigerators (for Japan); Heat Pump Water Heaters / HEMS-Compatible Adapters / Wireless LAN Adapters (for Japan); Bathroom Dryer / Heater / Ventilation Systems (for Japan); Adapters for Airflow Ventilation Systems, Heat Pump Chilled / Hot Water Systems, and Ventilation / Air-Conditioning System Air Resorts (for Japan); Lossnay Central Ventilation Systems (for Japan); Smart Switches for Ventilation Fans and Lossnay (for Japan); IH Cooking Heaters (for Japan); and Rice Cookers (for Japan) allows an attacker within Wi-Fi radio range of an affected product to access the affected product using a hard-coded SSID and password, thereby obtaining device data such as operation status, room set temperature, and room temperature; changing the air-conditioner or Wi-Fi settings; or causing Wi-Fi communication to enter a denial-of-service (DoS) condition.

CVE-2026-54811

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Unauthenticated SQL Injection in WP eMember < v10.9.4 versions.

CVE-2026-54807

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Unauthenticated Privilege Escalation in Registration Form for WooCommerce <= 1.0.9 versions.

CVE-2026-54806

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Unauthenticated PHP Object Injection in WP Activity Log <= 5.6.3.1 versions.

CVE-2026-54805

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Subscriber Privilege Escalation in Falang multilanguage <= 1.4.2 versions.

CVE-2026-54804

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Subscriber Broken Authentication in Melhor Envio <= 2.16.3 versions.

CVE-2026-54803

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Subscriber Privilege Escalation in SMS Alert Order Notifications <= 3.9.4 versions.

CVE-2026-54802

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Unauthenticated Broken Authentication in SMS Alert Order Notifications <= 3.9.3 versions.

CVE-2026-54196

Threat Intelligence NVD CVE 危険度: medium 緊急度: medium

Subscriber Privilege Escalation in JetFormBuilder <= 3.6.1 versions.

CVE-2026-54195

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Unauthenticated Cross Site Scripting (XSS) in JetFormBuilder <= 3.6.0.1 versions.

CVE-2026-54194

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Contributor PHP Object Injection in Fusion Builder <= 3.15.4 versions.