Vulnerability Countermeasure Information Database JVN iPedia Registration Status [2026 1st Quarter (Jan. - Mar.)]

Release Date:May 20, 2026

IT Security Center

1. 2026 1st Quarter: Vulnerability Countermeasure Information Database JVN iPedia Registration Status

The vulnerability countermeasure information database JVN iPedia is endeavoring to become a comprehensive vulnerability database where vulnerability information is aggregated for easy access for IT users. JVN iPedia collects and/or translates the vulnerability information published by 1) domestic software developers, 2) JVN (footnote 1), a vulnerability information portal run by JPCERT/CC and IPA, and 3) NVD (footnote 2), a vulnerability database run by NIST (footnote 3). JVN iPedia has been making vulnerability information available to the public since April 25, 2007.

1-1. Vulnerabilities Registered in the 1st Quarter of 2026

JVN iPedia now stores 277,036 vulnerabilities

The summary of the vulnerability information registered to the Japanese version of JVN iPedia during the first quarter (January 1 to March 31) of 2026 is shown in the table below. As of the end of March 2026, the total number of vulnerabilities stored in JVN iPedia is 277,036 (Table 1-1, Figure 1-1).

As for the JVN iPedia English version, the total number of vulnerabilities stored is 3,204 as shown in the Table 1-2.

Table 1-1. Vulnerabilities Registered in JVN iPedia in the 1st Quarter of 2026 (Japanese Version)

Information Source	Registered Cases	Cumulative Cases
Domestic Software Developers	23 cases	314 cases
JVN	166 cases	17,479 cases
NVD	11,416 cases	259,243 cases
Total	11,605 cases	277,036 cases

Table 1-2. Vulnerabilities Registered in JVN iPedia in the 1st Quarter of 2026 (English Version)

Information Source	Registered Cases	Cumulative Cases
Domestic Software Developers	23 cases	317 cases
JVN	60 cases	2,887 cases
Total	83 cases	3,204 cases

2. Details on JVN iPedia Registered Data

2-1. Types of Vulnerabilities Reported

Figure 2-1 shows the number of vulnerabilities newly added to JVN iPedia during the first quarter (January 1 to March 31) of 2026, sorted by the CWE vulnerability types.

The most frequently reported vulnerability type in the first quarter is CWE-79 (Cross-Site Scripting) with 1,163 cases, followed by CWE-74 (Injection) with 406 cases, CWE-22 (Path Traversal) with 402 cases, CWE-89 (SQL Injection) with 393 cases, and CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) with 337 cases. CWE-79 (Cross-Site Scripting), the most commonly reported vulnerability type in this quarter, could allow attackers to inject malicious content into webpages and/or steal information.

Software developers need to make sure to mitigate vulnerability from the planning and design phase of software development. IPA provides tools and guidelines, such as “Vulnerability Countermeasure Guide for Software Developers” (footnote 4), “How to Secure Your Web-site” (footnote 5), and “AppGoat” (footnote 6), a hands-on venerability learning tool, for website developers and operators to build secure websites.

2-2. Severity of Vulnerabilities Reported

Figure 2-2 shows the annual changes in vulnerabilities registered in JVN iPedia, categorized by severity level based on CVSS v2 scores.

Among the vulnerabilities registered in JVN iPedia in 2026, 42.7% are classified as Level 3 (7.0–10.0), 45.4% as Level 2 (4.0–6.9), and 11.9% as Level 1 (0.0–3.9). Overall, 88.1% are Level 2 or higher, indicating a high proportion of vulnerabilities that may lead to information exposure or data tampering.

The significant decrease in the number of CVSSv2 registrations in JVN iPedia since 2024 is due to the fact that CVSSv2 is no longer actively assessed by NVD, the information source for JVN iPedia (footnote 7).

Figure 2-3 shows the annual changes in vulnerabilities registered in JVN iPedia, categorized by severity level based on CVSS v3 scores.

Among the vulnerabilities registered in JVN iPedia in 2026, 15.7% are classified as “Critical” (9.0–10.0), 40.6% as “High” (7.0–8.9), 41.7% as “Medium” (4.0–6.9), and 2.0% as “Low” (0.1–3.9).

To avoid the threats posed by the known vulnerabilities, both product developers and IT users should pay close attention to vulnerability disclosures and update the software they use to a fixed version or apply a security patch as soon as it becomes available. They can also check JVN iPedia for new vulnerabilities that are in RSS and XML formats (footnote 8).

2-3. Types of Software Reported with Vulnerability

Figure 2-4 shows the annual changes in the number of vulnerabilities registered in JVN iPedia, aggregated by software product type. Vulnerabilities related to applications account for the largest share in 2026, representing 71.9% (8,347 out of 11,605) of the total for that year.

Figure 2-5 shows the annual changes in the number of vulnerabilities in industrial control systems (ICS), including those used in critical infrastructure, as registered in JVN iPedia. As of March 2026, a total of 8,353 ICS vulnerabilities have been registered.

2-4. Products Reported with Vulnerability

Table 2-1 lists the top 20 software products with the highest number of vulnerabilities registered in JVN iPedia during the first quarter (January 1 to March 31) of 2026.

This quarter, Qualcomm components had the highest number of registered vulnerabilities, followed by the Linux kernel and Microsoft operating systems.

In addition to the products listed in the top 20 list, JVN iPedia provides a wide range of vulnerability information. Software developers and users are encouraged to utilize JVN iPedia to quickly obtain information on vulnerabilities affecting the software used in their organizations and take appropriate action promptly (footnote 9).

Table 2-1. Top 20 most registered software products vulnerability countermeasure information in JVN iPedia [Jan. – Mar. 2026]

Rank	Category	Product Name (Vendor)	Number of Vulnerabilities Registered
1	Firmware	Qualcomm component (Qualcomm)	6,123
2	OS	Linux Kernel (Linux)	1,055
3	OS	Microsoft Windows 10 (Microsoft)	505
4	OS	Microsoft Windows 11 (Microsoft)	484
5	OS	Microsoft Windows Server 2022 (Microsoft)	292
6	OS	Debian GNU/Linux (Linux)	281
7	AI Agent	OpenClaw (OpenClaw)	188
8	OS	Android (Google)	181
9	OS	Microsoft Windows Server 2025 (Microsoft)	153
10	OS	macOS (Apple)	150
11	OS	Microsoft Windows Server 2019 (Microsoft)	134
12	Browser	Mozilla Firefox (Mozilla Foundation)	123
13	OS	Microsoft Windows Server 2016 (Microsoft)	107
13	Browser	Google Chrome (Google)	107
15	OS	Junos OS (Juniper Networks)	106
16	OS	iPadOS (Apple)	102
16	OS	iOS (Apple)	102
18	Integrated Development Environment	iccDEV (International Color Consortium)	84
19	OS	Microsoft Windows Server 2012 (Microsoft)	83
20	Email Client	Mozilla Thunderbird (Mozilla Foundation)	82

3. Most Accessed Vulnerability Countermeasure Information

Table 3-1 lists the top 20 most frequently accessed Vulnerability Countermeasure Information entries in JVN iPedia during the first quarter (January 1 to March 31) of 2026.

This quarter, all of the top 20 were vulnerability countermeasure information published in Japan Vulnerability Notes (JVN), the vulnerability countermeasure information portal.

Table 3-1. Top 20 Most Accessed Vulnerability Countermeasure Information in JVN iPedia [Jan. – Mar. 2025]

Rank	ID/Title	CVSSv2 Base Score	CVSSv3 Base Score	Publication Date	Access Count
1	JVNDB-2026-001662 Multiple vulnerabilities in Trend Micro Apex Central (January 2026)	-	-	Jan. 23, 2026	5,205
2	JVNDB-2025-001490 Vulnerability in 7-Zip (in Japanese only)	-	7.0	Feb. 13, 2025	4,350
3	JVNDB-2026-002511 Multiple vulnerabilities in OpenSSL(OpenSSL Security Advisory [27th January 2026])(in Japanese only)	-	-	Feb. 4, 2026	4,013
4	JVNDB-2025-023514 Multiple Vulnerabilities in Python (Python Software Foundation) (in Japanese only)	-	7.5	Jan. 6, 2026	3,914
5	JVNDB-2026-000002 Multiple vulnerabilities in multiple NEC branded projectors manufactured by Sharp Display Solutions, Ltd.	-	-	Jan. 7, 2026	3,592
6	JVNDB-2026-000010 Command injection vulnerability in ASUS routers	-	9.8	Jan. 23, 2026	3,516
7	JVNDB-2026-000004 The installers for multiple PIONEER products may insecurely load Dynamic Link Libraries	-	7.8	Jan. 8, 2026	3,507
8	JVNDB-2026-000009 Installer of Fujitsu ServerView Agents for Windows may insecurely load Dynamic Link Libraries	-	7.8	Jan. 21, 2026	3,414
9	JVNDB-2026-000030 IM-LogicDesigner module of intra-mart Accel Platform vulnerable to untrusted data deserialization	-	7.2	Feb. 27, 2026	3,296
10	JVNDB-2026-000007 Multiple Vulnerabilities in TOA Network Cameras TRIFORA 3 series	-	8.8	Jan. 16, 2026	3,272
11	JVNDB-2026-000001 Origin validation error vulnerability in Fujitsu Security Solution AuthConductor Client Basic V2	-	7.8	Jan. 7, 2026	3,159
12	JVNDB-2025-024320 NULL Pointer Dereference vulnerability in multiple products including Debian (in Japanese only)	-	5.5	Jan. 9, 2026	3,007
13	JVNDB-2026-000019 Multiple vulnerabilities in ELECOM wireless LAN products	-	9.8	Feb. 3, 2026	3,004
14	JVNDB-2025-024327 ETAP Safety Manager from ETAP Lighting International NV vulnerable to cross-site scripting (in Japanese only)	-	6.1	Jan. 9, 2026	2,961
15	JVNDB-2026-004359 Security information for Hitachi Disk Array Systems	-	-	Feb. 20, 2026	2,935
16	JVNDB-2026-000026 Lanscope Endpoint Manager (On-Premises) vulnerable to path traversal	-	9.8	Feb. 25, 2026	2,891
17	JVNDB-2025-024321 Meltytech Shotcut vulnerable to Classic Buffer Overflow (in Japanese only)	-	9.8	Jan.9, 2026	2,842
18	JVNDB-2026-001663 "iRMC S5/S6" implemented in PRIMERGY vulnerable to incorrect authorization	-	-	Jan. 23, 2026	2,828
19	JVNDB-2026-003935 Use After Free vulnerability in Google Chrome (in Japanese only)	-	8.8	Feb. 19, 2026	2,795
20	JVNDB-2026-001380 Multiple vulnerabilities in Canon Small Office Multifunction Printers and Laser Printers	-	9.8	Jan. 19, 2026	2,789

Table 3-2 shows the top 5 most accessed Vulnerability Countermeasure Information entries reported by domestic software developers.

Table 3-2. Top 5 Most Accessed Vulnerabilities Reported by Domestic Product Developers [Jan. – Mar. 2025]

Rank	ID/Title	CVSSv2 Base Score	CVSSv3 Base Score	Publication Date	Access Count
1	JVNDB-2026-004359 Security information for Hitachi Disk Array Systems	-	-	Feb. 20, 2026	2,935
2	JVNDB-2026-001582 Security information for Hitachi Disk Array Systems	-	-	Jan. 21, 2026	2,467
3	JVNDB-2026-003905 Multiple Vulnerabilities in Cosminexus HTTP Server and Hitachi Web Server	-	-	Feb. 17, 2026	2,235
4	JVNDB-2026-003906 Multiple Vulnerabilities in Cosminexus	-	-	Feb. 17, 2026	2,182
5	JVNDB-2026-003908 Multiple Vulnerabilities in Hitachi Command Suite, Hitachi Automation Director, Hitachi Configuration Manager, Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center	-	-	Feb. 17, 2026	2,134

Footnotes

(1) Japan Vulnerability Notes: A portal for vulnerability countermeasure information including information on vendor response to the reported vulnerabilities and security support. Operated in the collaboration of IPA and JPCERT/CC.

(2) National Vulnerability Database: A vulnerability database operated by NIST.

(3) National Institute of Standards and Technology: A U.S federal agency that develops and promotes measurement, standards and technology.

(4) Vulnerability Countermeasure Guide for Software Developers (in Japanese only)

(5) How to Secure Your Websites (latest version in Japanese only)

(6) AppGoat (in Japanese only)

(7) NIST - "Retirement of CVSS v2"

(8) IPA Data Feeds (in Japanese only)

(9) IPA Technical Watch - Daily Practice Guide (in Japanese only): Tips on Vulnerability Management The guide gives tips on how to efficiently collect and leverage vulnerability information.

Past Quarterly Reports

Quarterly Reports of the JVN iPedia Registration Status

Contact information

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)