Secure Gatev1.0.0新着セキュリティニュース バックナンバー

新着セキュリティニュース バックナンバー

直近表示から外れた情報を確認できます。診断結果とは別情報として扱います。

総件数211078件
表示件数50件/ページ
ページ60

CVE-2026-57437

Threat Intelligence NVD CVE 危険度: medium 緊急度: medium

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::XPathContext did not keep its source document alive for garbage collection. If an XPathContext outlived its document and the document was collected, evaluating an XPath expression could read invalid memory and potentially segfault. This is only reachable when application code constructs an XPathContext directly and lets the document become unreachable while continuing to use the context. The normal Document#xpath, #css, and related search methods are not affected, and it is not triggerable by malicious document input. This vulnerability is fixed in 1.19.4.

CVE-2026-57436

Threat Intelligence NVD CVE 危険度: medium 緊急度: medium

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::Document#root= validated only that the new root was a Nokogiri::XML::Node, allowing a DTD node to be set as the document root. The result is a heap use-after-free during garbage collection or finalization, leading to an invalid memory read or potentially a segfault. This vulnerability is fixed in 1.19.4.

CVE-2026-57435

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri’s CRuby native extension could leave a Ruby wrapper pointing to freed memory when replacing the value of an XML attribute. If Ruby code had already accessed an attribute child node, Nokogiri::XML::Attr#value= could free the underlying native child node while the wrapper remained reachable through the document node cache. A later use of the freed child node or a Ruby GC mark could dereference an invalid pointer, causing an invalid read and a possible segfault. This vulnerability is fixed in 1.19.4.

CVE-2026-57434

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri contains a bug when calling certain methods on allocated-but-uninitialized native wrapper classes that inherit from Nokogiri::XML::Node. This caused a NULL pointer dereference that could crash the process. This vulnerability is fixed in 1.19.4.

CVE-2026-57236

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, calling Document#encoding= with an invalid encoding (e.g., a non-string, or a string containing a null byte) raises an exception, but only after freeing the document's current encoding string without replacing it. The document is left referencing freed memory, so the next call to Document#encoding reads invalid memory, which can cause a segfault or leak freed bytes into a Ruby String. Affects the CRuby (libxml2) implementation only; JRuby is not affected. This vulnerability is fixed in 1.19.4.

CVE-2026-57235

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::NodeSet#[] (and its alias #slice) checked the requested index against the node set's bounds using a 32-bit-truncated copy of the index. A large negative index could pass the check and then be used at full width, reading outside the node set's storage. On CRuby this is an out-of-bounds read that typically crashes the process; on JRuby it is not memory-unsafe but returns an incorrect node. This vulnerability is fixed in 1.19.4.

CVE-2026-57234

Threat Intelligence NVD CVE 危険度: medium 緊急度: medium

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, the NONET parse option, which Nokogiri turns on by default for Nokogiri::XML::Schema (see CVE-2020-26247), was not correctly enforced on the JRuby implementation. As a result, a schema parsed with default options could still cause external resources to be fetched over the network, potentially enabling SSRF or XXE attacks. This vulnerability is fixed in 1.19.4.

CVE-2026-49319

Threat Intelligence NVD CVE 危険度: medium 緊急度: medium

Remote Keyless Entry System (RKES), using the 433 MHz key fob bearing FCC ID CWTR53R0 manufactured by ALPS ALPINE CO., LTD., is vulnerable to a roll-back attack against its rolling-code authentication.  An attacker within RF range who records two consecutive lock or unlock transmissions from a legitimate key fob can later replay the same pair of transmissions repeatedly. During testing, replaying the first captured transmission caused the RKES to enter a state in which replaying the second captured transmission resulted in a successful lock or unlock operation of the vehicle. Tested and confirmed on a 2024 Suzuki Swift (SWIFT ISG GLS AC 1.2 5P 4x2 TM).

CVE-2026-46735

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Dell Display and Peripheral Manager (DDPM Mac), versions prior to 2.3, contain an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Command execution.

CVE-2026-13314

Threat Intelligence NVD CVE 危険度: medium 緊急度: medium

Malicious HTML content could be injected into the content rendered by the pretix-digital plugin.

CVE-2026-13225

Threat Intelligence NVD CVE 危険度: medium 緊急度: medium

Malicious HTML content could be injected into the email address of an order, which pretix showed without sanitization on the confirmation page for individual tickets in that order.

CVE-2026-13223

Threat Intelligence NVD CVE 危険度: medium 緊急度: medium

Our payment integration with Computop-based payment methods did not properly validate payment status responses. An attacker could use a successful payment status response from one payment and supply it to the system for a different payment, gaining access to multiple valid tickets with only one payment.

CVE-2026-13222

Threat Intelligence NVD CVE 危険度: medium 緊急度: medium

Our payment integration with Oppwa-based payment methods did not properly validate payment status responses. An attacker could use a successful payment status response from one payment and supply it to the system for a different payment, gaining access to multiple valid tickets with only one payment.

CVE-2026-57619

Threat Intelligence NVD CVE 危険度: medium 緊急度: medium

Contributor Sensitive Data Exposure in Elementor Website Builder <= 4.1.3 versions.

CVE-2026-57429

Threat Intelligence NVD CVE 危険度: medium 緊急度: medium

Contributor Broken Access Control in Slim SEO <= 4.6.2 versions.

CVE-2026-56122

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Winstone Servlet Engine through 0.9.10 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by sending HTTP GET requests with dot-dot-slash sequences that are not sanitized when serving static files from the configured webroot. Attackers can traverse outside the webroot directory using traversal-prefixed paths in a single HTTP request to read any file accessible to the servlet engine process, including sensitive system files when the service runs with elevated privileges.

CVE-2026-56071

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Unauthenticated Cross Site Scripting (XSS) in Forminator <= 1.53.1 versions.

CVE-2026-56054

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Subscriber Arbitrary File Deletion in JS Help Desk <= 3.1.1 versions.

CVE-2026-56053

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Subscriber PHP Object Injection in EventPrime <= 4.3.4.1 versions.

CVE-2026-56051

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Unauthenticated Cross Site Scripting (XSS) in TablePress <= 3.3.1 versions.

CVE-2026-56050

Threat Intelligence NVD CVE 危険度: medium 緊急度: medium

Improper Access Control vulnerability in Themeisle PPOM for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PPOM for WooCommerce: from n/a through 33.0.18.

CVE-2026-56049

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Contributor Remote Code Execution (RCE) in Post Snippets <= 4.0.19 versions.

CVE-2026-56042

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Customer Cross Site Scripting (XSS) in Advanced Order Export For WooCommerce <= 4.0.9 versions.

CVE-2026-56023

Threat Intelligence NVD CVE 危険度: medium 緊急度: medium

Customer Broken Access Control in UPI QR Code Payment Gateway for WooCommerce <= 1.6.2 versions.

CVE-2026-56014

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Unauthenticated Cross Site Scripting (XSS) in Master Slider <= 3.11.2 versions.

CVE-2026-56013

Threat Intelligence NVD CVE 危険度: medium 緊急度: medium

Unauthenticated Insecure Direct Object References (IDOR) in License Manager for WooCommerce <= 3.0.15 versions.

CVE-2026-56006

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Unauthenticated Cross Site Scripting (XSS) in H5P <= 1.17.6 versions.

CVE-2026-56005

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Subscriber Cross Site Scripting (XSS) in WP Activity Log <= 5.6.3.1 versions.

CVE-2026-54849

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Unauthenticated SQL Injection in Premmerce Wishlist for WooCommerce <= 1.1.11 versions.

CVE-2026-54848

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Insertion of Sensitive Information Into Sent Data vulnerability in Saad Iqbal APIExperts Square for WooCommerce allows Retrieve Embedded Sensitive Data. This issue affects APIExperts Square for WooCommerce: from n/a through 4.7.3.

CVE-2026-54845

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Unauthenticated Local File Inclusion in MDTF <= 1.3.8 versions.

CVE-2026-54844

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Unauthenticated Broken Access Control in CheckView Automated Testing <= 2.1.0 versions.

CVE-2026-54843

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Unauthenticated SQL Injection in MDTF <= 1.3.7 versions.

CVE-2026-54842

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Missing Authorization vulnerability in Royal Plugins Royal MCP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Royal MCP: from n/a through 1.4.25.

CVE-2026-54841

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Unauthenticated Sensitive Data Exposure in Vitepos <= 3.4.2 versions.

CVE-2026-54838

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Subscriber SQL Injection in WC Vendors Marketplace <= 2.6.8 versions.

CVE-2026-54836

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YMC Filter allows SQL Injection. This issue affects YMC Filter: from n/a through 3.11.5.

CVE-2026-54830

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Unauthenticated Broken Access Control in Five Star Restaurant Reservations <= 2.7.19 versions.

CVE-2026-54829

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Jacob N. Breetvelt WP Photo Album Plus allows Blind SQL Injection. This issue affects WP Photo Album Plus: from n/a through 9.1.13.005.

CVE-2026-54828

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Unauthenticated Broken Access Control in Motors <= 1.4.109 versions.

CVE-2026-54823

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Contributor Remote Code Execution (RCE) in Widget Options <= 4.2.3 versions.

CVE-2026-54822

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Subscriber SQL Injection in SALESmanago & Leadoo <= 3.11.2 versions.

CVE-2026-54821

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Subscriber Sensitive Data Exposure in Visual Link Preview <= 2.3.1 versions.

CVE-2026-52690

Threat Intelligence NVD CVE 危険度: medium 緊急度: medium

Spoofing replies to Recursor might mark an IP of an authoritative server as not supporting EDNS, causing valdiation of DNSSEC records served by that server to fail.

CVE-2026-4526

Threat Intelligence NVD CVE 危険度: medium 緊急度: medium

In EmberZNet v9.0.2 and earlier, malformed global ZCL messages can trigger out-of-bounds reads in framework parsing logic and terminate the process. These messages must come from a device that has already joined the network, and no information leakage back to the sender was observed.

CVE-2026-49506

Threat Intelligence NVD CVE 危険度: high 緊急度: high

Dell Wyse Management Suite, versions prior to WMS 5.5 HF1, contain an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Remote Code Execution.

CVE-2026-47154

Threat Intelligence NVD CVE 危険度: medium 緊急度: medium

In EmberZNet v9.0.2 and earlier, a malformed GetProfileResponse message can trigger out-of-bounds reads while iterating interval entries and terminate the process. These messages must come from a device that has already joined the network, and no information leakage back to the sender was observed. Only devices supporting the Simple Metering cluster may be impacted.

CVE-2026-47153

Threat Intelligence NVD CVE 危険度: medium 緊急度: medium

In EmberZNet v9.0.2 and earlier, a malformed Level Control Step command can terminate the process through a divide-by-zero fault. This command must come from a device that has already joined the network. Only devices supporting the Level Control cluster may be impacted.

CVE-2026-47152

Threat Intelligence NVD CVE 危険度: medium 緊急度: medium

In EmberZNet v9.0.2 and earlier, a malformed Level Control Move command can terminate the process through a divide-by-zero fault. This command must come from a device that has already joined the network. Only devices supporting the Level Control cluster may be impacted.