Vendor CVEs
Naver
All CVEs
35 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-9752 | Cri | 0.64 | 9.8 | 0.01 | Mar 23, 2020 | Naver Cloud Explorer before 2.2.2.11 allows the attacker can move a local file in any path on the filesystem as a system privilege through its named pipe. | ||
| CVE-2024-40618 | Cri | 0.62 | 9.6 | 0.00 | Jul 11, 2024 | Whale browser before 3.26.244.21 allows an attacker to execute malicious JavaScript due to improper sanitization when processing a built-in extension. | ||
| CVE-2020-9753 | Cri | 0.59 | 9.1 | 0.01 | May 20, 2020 | Whale Browser Installer before 1.2.0.5 versions don't support signature verification for Flash installer. | ||
| CVE-2020-9751 | Cri | 0.59 | 9.1 | 0.00 | Mar 3, 2020 | Naver Cloud Explorer before 2.2.2.11 allows the system to download an arbitrary file from the attacker's server and execute it during the upgrade. | ||
| CVE-2021-33591 | Hig | 0.57 | 8.8 | 0.02 | May 28, 2021 | An exposed remote debugging port in Naver Comic Viewer prior to 1.0.15.0 allowed a remote attacker to execute arbitrary code via a crafted HTML page. | ||
| CVE-2018-9859 | Hig | 0.53 | 8.1 | 0.01 | Jun 16, 2018 | The path of Whale update service was unquoted in NAVER Whale before 1.0.40.7. This vulnerability can be used for persistent privilege escalation if it's available to create an executable file with System privilege by other vulnerable applications. | ||
| CVE-2026-8148 | Hig | 0.51 | 7.8 | 0.00 | May 8, 2026 | NAVER MYBOX Explorer for Windows before 3.0.11.160 allows a local attacker to escalate privileges to NT AUTHORITY\SYSTEM via registry manipulation due to improper privilege checks. | ||
| CVE-2022-24077 | Hig | 0.51 | 7.8 | 0.00 | Jun 13, 2022 | Naver Cloud Explorer Beta allows the attacker to execute arbitrary code as System privilege via malicious DLL injection. | ||
| CVE-2018-12449 | Hig | 0.51 | 7.8 | 0.01 | Oct 11, 2018 | The Whale browser installer 0.4.3.0 and earlier versions allows DLL hijacking. | ||
| CVE-2019-13157 | Hig | 0.49 | 7.5 | 0.02 | Nov 22, 2019 | nsGreen.dll in Naver Vaccine 2.1.4 allows remote attackers to overwrite arbitary files via directory traversal sequences in a filename within nsz archive. | ||
| CVE-2019-13156 | Hig | 0.49 | 7.5 | 0.01 | Sep 3, 2019 | NDrive(1.2.2).sys in Naver Cloud Explorer has a stack-based buffer overflow, which allows attackers to cause a denial of service when reading data from IOCTL handle. | ||
| CVE-2022-24073 | Hig | 0.46 | 7.1 | 0.01 | Mar 17, 2022 | The Web Request API in Whale browser before 3.12.129.18 allowed to deny access to the extension store or redirect to any URL when users access the store. | ||
| CVE-2022-24075 | Med | 0.42 | 6.5 | 0.01 | Mar 17, 2022 | Whale browser before 3.12.129.18 allowed extensions to replace JavaScript files of the HWP viewer website which could access to local HWP files. When the HWP files were opened, the replaced script could read the files. | ||
| CVE-2024-50583 | Med | 0.41 | 6.3 | 0.00 | Oct 25, 2024 | Whale browser Installer before 3.1.0.0 allows an attacker to execute a malicious DLL in the user environment due to improper permission settings. | ||
| CVE-2016-5060 | Med | 0.40 | 6.1 | 0.02 | Dec 13, 2016 | Multiple cross-site scripting (XSS) vulnerabilities in nGrinder before 3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) description, (2) email, or (3) username parameter to user/save. | ||
| CVE-2020-9754 | Med | 0.35 | 5.3 | 0.01 | Jun 27, 2022 | NAVER Whale browser mobile app before 1.10.6.2 allows the attacker to bypass its browser unlock function via incognito mode. | ||
| CVE-2021-33593 | Med | 0.35 | 5.3 | 0.01 | Nov 2, 2021 | Whale browser for iOS before 1.14.0 has an inconsistent user interface issue that allows an attacker to obfuscate the address bar which may lead to address bar spoofing. | ||
| CVE-2018-12448 | Med | 0.35 | 5.3 | 0.01 | Aug 2, 2018 | Whale Browser before 1.3.48.4 displays no URL information but only a title of a web page on the browser's address bar when visiting a non-http page, which allows an attacker to display a malicious web page with a fake domain name. | ||
| CVE-2018-7635 | Med | 0.35 | 5.3 | 0.01 | Jul 3, 2018 | Whale Browser before 1.0.41.8 displays no URL information but only a title of a web page on the browser's address bar when visiting a blank page, which allows an attacker to display a malicious web page with a fake domain name. | ||
| CVE-2022-24071 | Med | 0.28 | 4.3 | 0.01 | Jan 28, 2022 | A Built-in extension in Whale browser before 3.12.129.46 allows attackers to compromise the rendering process which could lead to controlling browser internal APIs. | ||
| CVE-2024-28212 | 0.01 | — | 0.01 | Mar 7, 2024 | nGrinder before 3.5.9 uses old version of SnakeYAML, which could allow remote attacker to execute arbitrary code via unsafe deserialization. | |||
| CVE-2026-1513 | 0.00 | — | 0.00 | Jan 28, 2026 | billboard.js before 3.18.0 allows an attacker to execute malicious JavaScript due to improper sanitization during chart option binding. | |||
| CVE-2025-14023 | 0.00 | — | 0.00 | Dec 15, 2025 | LINE client for iOS prior to 15.19 allows UI spoofing due to inconsistencies between the navigation state and the in-app browser's user interface, which could create confusion about the trust context of displayed pages or interactive elements under specific conditions. | |||
| CVE-2025-58323 | 0.00 | — | 0.00 | Aug 29, 2025 | NAVER MYBOX Explorer for Windows before 3.0.8.133 allows a local attacker to escalate privileges to NT AUTHORITY\SYSTEM by executing arbitrary files due to improper privilege checks. | |||
| CVE-2025-58322 | 0.00 | — | 0.00 | Aug 28, 2025 | NAVER MYBOX Explorer for Windows before 3.0.8.133 allows a local attacker to escalate privileges to NT AUTHORITY\SYSTEM by invoking arbitrary DLLs due to improper privilege checks. | |||
| CVE-2025-49223 | 0.00 | — | 0.01 | Jun 4, 2025 | billboard.js before 3.15.1 was discovered to contain a prototype pollution via the function generate, which could allow attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | |||
| CVE-2024-28216 | 0.00 | — | 0.00 | Mar 7, 2024 | nGrinder before 3.5.9 allows an attacker to obtain the results of webhook requests due to lack of access control, which could be the cause of information disclosure and limited Server-Side Request Forgery. | |||
| CVE-2024-28215 | 0.00 | — | 0.01 | Mar 7, 2024 | nGrinder before 3.5.9 allows an attacker to create or update webhook configuration due to lack of access control, which could be the cause of information disclosure and limited Server-Side Request Forgery. | |||
| CVE-2024-28214 | 0.00 | — | 0.01 | Mar 7, 2024 | nGrinder before 3.5.9 allows to set delay without limitation, which could be the cause of Denial of Service by remote attacker. | |||
| CVE-2024-28213 | 0.00 | — | 0.01 | Mar 7, 2024 | nGrinder before 3.5.9 allows to accept serialized Java objects from unauthenticated users, which could allow remote attacker to execute arbitrary code via unsafe Java objects deserialization. | |||
| CVE-2024-28211 | 0.00 | — | 0.01 | Mar 7, 2024 | nGrinder before 3.5.9 allows connection to malicious JMX/RMI server by default, which could be the cause of executing arbitrary code via RMI registry by remote attacker. | |||
| CVE-2014-6980 | 0.00 | — | 0.00 | Oct 16, 2014 | The LINE PLAY (aka jp.naver.lineplay.android) application 2.3.1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||
| CVE-2012-5183 | 0.00 | — | 0.01 | Dec 26, 2012 | The Loctouch application 3.4.6 and earlier for Android allows attackers to obtain sensitive information about logged locations via a crafted application that leverages read permission for system log files. | |||
| CVE-2012-5182 | 0.00 | — | 0.01 | Dec 26, 2012 | The Loctouch application 3.4.6 and earlier for Android does not properly handle implicit intents, which allows attackers to obtain sensitive information about logged locations via a crafted application. | |||
| CVE-2012-4005 | 0.00 | — | 0.01 | Aug 7, 2012 | The NHN Japan NAVER LINE application before 2.5.5 for Android does not properly handle implicit intents, which allows remote attackers to obtain sensitive message information via a crafted application. |
- risk 0.64cvss 9.8epss 0.01
Naver Cloud Explorer before 2.2.2.11 allows the attacker can move a local file in any path on the filesystem as a system privilege through its named pipe.
- risk 0.62cvss 9.6epss 0.00
Whale browser before 3.26.244.21 allows an attacker to execute malicious JavaScript due to improper sanitization when processing a built-in extension.
- risk 0.59cvss 9.1epss 0.01
Whale Browser Installer before 1.2.0.5 versions don't support signature verification for Flash installer.
- risk 0.59cvss 9.1epss 0.00
Naver Cloud Explorer before 2.2.2.11 allows the system to download an arbitrary file from the attacker's server and execute it during the upgrade.
- risk 0.57cvss 8.8epss 0.02
An exposed remote debugging port in Naver Comic Viewer prior to 1.0.15.0 allowed a remote attacker to execute arbitrary code via a crafted HTML page.
- risk 0.53cvss 8.1epss 0.01
The path of Whale update service was unquoted in NAVER Whale before 1.0.40.7. This vulnerability can be used for persistent privilege escalation if it's available to create an executable file with System privilege by other vulnerable applications.
- risk 0.51cvss 7.8epss 0.00
NAVER MYBOX Explorer for Windows before 3.0.11.160 allows a local attacker to escalate privileges to NT AUTHORITY\SYSTEM via registry manipulation due to improper privilege checks.
- risk 0.51cvss 7.8epss 0.00
Naver Cloud Explorer Beta allows the attacker to execute arbitrary code as System privilege via malicious DLL injection.
- risk 0.51cvss 7.8epss 0.01
The Whale browser installer 0.4.3.0 and earlier versions allows DLL hijacking.
- risk 0.49cvss 7.5epss 0.02
nsGreen.dll in Naver Vaccine 2.1.4 allows remote attackers to overwrite arbitary files via directory traversal sequences in a filename within nsz archive.
- risk 0.49cvss 7.5epss 0.01
NDrive(1.2.2).sys in Naver Cloud Explorer has a stack-based buffer overflow, which allows attackers to cause a denial of service when reading data from IOCTL handle.
- risk 0.46cvss 7.1epss 0.01
The Web Request API in Whale browser before 3.12.129.18 allowed to deny access to the extension store or redirect to any URL when users access the store.
- risk 0.42cvss 6.5epss 0.01
Whale browser before 3.12.129.18 allowed extensions to replace JavaScript files of the HWP viewer website which could access to local HWP files. When the HWP files were opened, the replaced script could read the files.
- risk 0.41cvss 6.3epss 0.00
Whale browser Installer before 3.1.0.0 allows an attacker to execute a malicious DLL in the user environment due to improper permission settings.
- risk 0.40cvss 6.1epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in nGrinder before 3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) description, (2) email, or (3) username parameter to user/save.
- risk 0.35cvss 5.3epss 0.01
NAVER Whale browser mobile app before 1.10.6.2 allows the attacker to bypass its browser unlock function via incognito mode.
- risk 0.35cvss 5.3epss 0.01
Whale browser for iOS before 1.14.0 has an inconsistent user interface issue that allows an attacker to obfuscate the address bar which may lead to address bar spoofing.
- risk 0.35cvss 5.3epss 0.01
Whale Browser before 1.3.48.4 displays no URL information but only a title of a web page on the browser's address bar when visiting a non-http page, which allows an attacker to display a malicious web page with a fake domain name.
- risk 0.35cvss 5.3epss 0.01
Whale Browser before 1.0.41.8 displays no URL information but only a title of a web page on the browser's address bar when visiting a blank page, which allows an attacker to display a malicious web page with a fake domain name.
- risk 0.28cvss 4.3epss 0.01
A Built-in extension in Whale browser before 3.12.129.46 allows attackers to compromise the rendering process which could lead to controlling browser internal APIs.
- CVE-2024-28212Mar 7, 2024risk 0.01cvss —epss 0.01
nGrinder before 3.5.9 uses old version of SnakeYAML, which could allow remote attacker to execute arbitrary code via unsafe deserialization.
- CVE-2026-1513Jan 28, 2026risk 0.00cvss —epss 0.00
billboard.js before 3.18.0 allows an attacker to execute malicious JavaScript due to improper sanitization during chart option binding.
- CVE-2025-14023Dec 15, 2025risk 0.00cvss —epss 0.00
LINE client for iOS prior to 15.19 allows UI spoofing due to inconsistencies between the navigation state and the in-app browser's user interface, which could create confusion about the trust context of displayed pages or interactive elements under specific conditions.
- CVE-2025-58323Aug 29, 2025risk 0.00cvss —epss 0.00
NAVER MYBOX Explorer for Windows before 3.0.8.133 allows a local attacker to escalate privileges to NT AUTHORITY\SYSTEM by executing arbitrary files due to improper privilege checks.
- CVE-2025-58322Aug 28, 2025risk 0.00cvss —epss 0.00
NAVER MYBOX Explorer for Windows before 3.0.8.133 allows a local attacker to escalate privileges to NT AUTHORITY\SYSTEM by invoking arbitrary DLLs due to improper privilege checks.
- CVE-2025-49223Jun 4, 2025risk 0.00cvss —epss 0.01
billboard.js before 3.15.1 was discovered to contain a prototype pollution via the function generate, which could allow attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
- CVE-2024-28216Mar 7, 2024risk 0.00cvss —epss 0.00
nGrinder before 3.5.9 allows an attacker to obtain the results of webhook requests due to lack of access control, which could be the cause of information disclosure and limited Server-Side Request Forgery.
- CVE-2024-28215Mar 7, 2024risk 0.00cvss —epss 0.01
nGrinder before 3.5.9 allows an attacker to create or update webhook configuration due to lack of access control, which could be the cause of information disclosure and limited Server-Side Request Forgery.
- CVE-2024-28214Mar 7, 2024risk 0.00cvss —epss 0.01
nGrinder before 3.5.9 allows to set delay without limitation, which could be the cause of Denial of Service by remote attacker.
- CVE-2024-28213Mar 7, 2024risk 0.00cvss —epss 0.01
nGrinder before 3.5.9 allows to accept serialized Java objects from unauthenticated users, which could allow remote attacker to execute arbitrary code via unsafe Java objects deserialization.
- CVE-2024-28211Mar 7, 2024risk 0.00cvss —epss 0.01
nGrinder before 3.5.9 allows connection to malicious JMX/RMI server by default, which could be the cause of executing arbitrary code via RMI registry by remote attacker.
- CVE-2014-6980Oct 16, 2014risk 0.00cvss —epss 0.00
The LINE PLAY (aka jp.naver.lineplay.android) application 2.3.1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
- CVE-2012-5183Dec 26, 2012risk 0.00cvss —epss 0.01
The Loctouch application 3.4.6 and earlier for Android allows attackers to obtain sensitive information about logged locations via a crafted application that leverages read permission for system log files.
- CVE-2012-5182Dec 26, 2012risk 0.00cvss —epss 0.01
The Loctouch application 3.4.6 and earlier for Android does not properly handle implicit intents, which allows attackers to obtain sensitive information about logged locations via a crafted application.
- CVE-2012-4005Aug 7, 2012risk 0.00cvss —epss 0.01
The NHN Japan NAVER LINE application before 2.5.5 for Android does not properly handle implicit intents, which allows remote attackers to obtain sensitive message information via a crafted application.