
    3 vulnerabilities by KANATA Limited

    JVNDB-2026-000062

    Vulnerability from jvndb - Published: 2026-04-23 16:57 - Updated: 2026-04-23 16:57
    Severity
    Summary
    CMS ALAYA vulnerable to SQL injection
    Details
    CMS ALAYA provided by KANATA Limited contains the following vulnerability.
    • SQL injection (CWE-89) - CVE-2026-40529
    Naoto Senda of Five Drive Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
    Impacted products

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2026/JVNDB-2026-000062.html",
      "dc:date": "2026-04-23T16:57+09:00",
      "dcterms:issued": "2026-04-23T16:57+09:00",
      "dcterms:modified": "2026-04-23T16:57+09:00",
      "description": "CMS ALAYA provided by KANATA Limited contains the following vulnerability.\u003ca href=\u0027https://cwe.mitre.org/data/definitions/89.html\u0027 target=\u0027_blank\u0027\u003e\u003c/a\u003e\u003cul\u003e\u003cli\u003eSQL injection (CWE-89) - CVE-2026-40529\u003c/li\u003e\u003c/ul\u003eNaoto Senda of Five Drive Co., Ltd. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2026/JVNDB-2026-000062.html",
      "sec:cpe": {
        "#text": "cpe:/a:misc:kanata_limited_cm_alaya",
        "@product": "CMS ALAYA",
        "@vendor": "KANATA Limited",
        "@version": "2.2"
      },
      "sec:cvss": {
        "@score": "4.7",
        "@severity": "Medium",
        "@type": "Base",
        "@vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
        "@version": "3.0"
      },
      "sec:identifier": "JVNDB-2026-000062",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/jp/JVN08026319/index.html",
          "@id": "JVN#08026319",
          "@source": "JVN"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2026-40529",
          "@id": "CVE-2026-40529",
          "@source": "CVE"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-89",
          "@title": "SQL Injection(CWE-89)"
        }
      ],
      "title": "CMS ALAYA vulnerable to SQL injection"
    }

    CVE-2026-40529 (GCVE-0-2026-40529)

    Vulnerability from nvd – Published: 2026-04-23 04:15 – Updated: 2026-04-23 12:25
    VLAI
    Summary
    CMS ALAYA provided by KANATA Limited contains an SQL injection vulnerability. Information stored in the database may be obtained or altered by an attacker with access to the administrative interface.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper neutralization of special elements used in an SQL command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor | Product | Version
    KANATA Limited | CMS ALAYA | Affected: 7.4.1.4 and earlier

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40529",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-23T12:25:30.746075Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-23T12:25:36.471Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "CMS ALAYA",
              "vendor": "KANATA Limited",
              "versions": [
                {
                  "status": "affected",
                  "version": "7.4.1.4 and earlier"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "CMS ALAYA provided by KANATA Limited contains an SQL injection vulnerability. Information stored in the database may be obtained or altered by an attacker with access to the administrative interface."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027)",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-23T04:15:33.414Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://jvn.jp/en/jp/JVN08026319/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2026-40529",
        "datePublished": "2026-04-23T04:15:33.414Z",
        "dateReserved": "2026-04-13T23:51:50.290Z",
        "dateUpdated": "2026-04-23T12:25:36.471Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40529 (GCVE-0-2026-40529)

    Vulnerability from cvelistv5 – Published: 2026-04-23 04:15 – Updated: 2026-04-23 12:25
    VLAI
    Summary
    CMS ALAYA provided by KANATA Limited contains an SQL injection vulnerability. Information stored in the database may be obtained or altered by an attacker with access to the administrative interface.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper neutralization of special elements used in an SQL command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor | Product | Version
    KANATA Limited | CMS ALAYA | Affected: 7.4.1.4 and earlier

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40529",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-23T12:25:30.746075Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-23T12:25:36.471Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "CMS ALAYA",
              "vendor": "KANATA Limited",
              "versions": [
                {
                  "status": "affected",
                  "version": "7.4.1.4 and earlier"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "CMS ALAYA provided by KANATA Limited contains an SQL injection vulnerability. Information stored in the database may be obtained or altered by an attacker with access to the administrative interface."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027)",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-23T04:15:33.414Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://jvn.jp/en/jp/JVN08026319/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2026-40529",
        "datePublished": "2026-04-23T04:15:33.414Z",
        "dateReserved": "2026-04-13T23:51:50.290Z",
        "dateUpdated": "2026-04-23T12:25:36.471Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }