Naver
Products by Naver Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2026 there have been 4 vulnerabilities in Naver with an average score of 6.6 out of ten. Last year, in 2025, Naver had 6 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Naver in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 1.66.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 4 | 6.63 |
| 2025 | 6 | 8.28 |
| 2024 | 6 | 0.00 |
| 2023 | 1 | 5.50 |
| 2022 | 2 | 7.80 |
| 2021 | 2 | 9.30 |
| 2020 | 2 | 0.00 |
| 2019 | 2 | 0.00 |
It may take a day or so for new Naver vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Naver Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-8148 | May 08, 2026 | **Local Priv Escalation in Naver MyBox Explorer <3.0.11.160 via Registry.** NAVER MYBOX Explorer for Windows before 3.0.11.160 allows a local attacker to escalate privileges to NT AUTHORITY\SYSTEM via registry manipulation due to improper privilege checks. | |
| CVE-2026-1513 | Jan 28, 2026 | **Billboard.js <3.18.0 RCE via Improper JS Sanitization.** billboard.js before 3.18.0 allows an attacker to execute malicious JavaScript due to improper sanitization during chart option binding. | |
| CVE-2026-23769 | Jan 16, 2026 | **lucy-xss-filter XSS via Misconfigured Default Superset Rules.** lucy-xss-filter before commit e5826c0 allows an attacker to execute malicious JavaScript due to improper sanitization caused by misconfigured default superset rule files. | |
| CVE-2026-23768 | Jan 16, 2026 | **lucy-xss-filter SSRF via Embed/Object tags missing extension.** lucy-xss-filter before commit 7c1de6d allows an attacker to induce server-side HEAD requests to arbitrary URLs when the ObjectSecurityListener or EmbedSecurityListener option is enabled and embed or object tags are used with a src attribute missing a file extension. | |
| CVE-2025-69235 | Dec 30, 2025 | Whale browser before 4.35.351.12 allows an attacker to bypass the Same-Origin Policy in a sidebar environment. | |
| CVE-2025-69234 | Dec 30, 2025 | Whale browser before 4.35.351.12 allows an attacker to escape the iframe sandbox in a sidebar environment. | |
| CVE-2025-62585 | Oct 16, 2025 | **Whale Browser <4.33.325.17: CSP Bypass via DualTab Scheme.** Whale browser before 4.33.325.17 allows an attacker to bypass the Content Security Policy via a specific scheme in a dual-tab environment. | |
| CVE-2025-62584 | Oct 16, 2025 | **Whale browser <=4.33.325.17 SOP Bypass via Dual-Tab.** Whale browser before 4.33.325.17 allows an attacker to bypass the Same-Origin Policy in a dual-tab environment. | |
| CVE-2025-62583 | Oct 16, 2025 | **Whale Browser <4.33.325.17 iframe sandbox escape.** Whale Browser before 4.33.325.17 allows an attacker to escape the iframe sandbox in a dual-tab environment. | |
| CVE-2025-49223 | Jun 04, 2025 | **Billboard.js <3.15.1 Prototype Pollution via generate() Prototype.** billboard.js before 3.15.1 was discovered to contain a prototype pollution via the function generate, which could allow attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | |
| CVE-2024-28212 | Mar 07, 2024 | **nGrinder<3.5.9: SnakeYAML Deserialization Allows Remote Code Exec.** nGrinder before 3.5.9 uses old version of SnakeYAML, which could allow remote attacker to execute arbitrary code via unsafe deserialization. | |
| CVE-2024-28211 | Mar 07, 2024 | **nGrinder <3.5.9 RMI/JMX allows remote code exec.** nGrinder before 3.5.9 allows connection to malicious JMX/RMI server by default, which could be the cause of executing arbitrary code via RMI registry by remote attacker. | |
| CVE-2024-28213 | Mar 07, 2024 | **nGrinder <3.5.9 Java Deserialization RCE Unauth Object Injection.** nGrinder before 3.5.9 allows to accept serialized Java objects from unauthenticated users, which could allow remote attacker to execute arbitrary code via unsafe Java objects deserialization. | |
| CVE-2024-28214 | Mar 07, 2024 | **nGrinder < 3.5.9: Unlimited delay leads to DoS.** nGrinder before 3.5.9 allows to set delay without limitation, which could be the cause of Denial of Service by remote attacker. | |
| CVE-2024-28215 | Mar 07, 2024 | **nGrinder <3.5.9: Unauthorized Webhook Config Creation (CVE-2024-28215).** nGrinder before 3.5.9 allows an attacker to create or update webhook configuration due to lack of access control, which could be the cause of information disclosure and limited Server-Side Request Forgery. | |
| CVE-2024-28216 | Mar 07, 2024 | **nGrinder <3.5.9: Webhook Data Leak & SSRF (CVE-2024-28216).** nGrinder before 3.5.9 allows an attacker to obtain the results of webhook requests due to lack of access control, which could be the cause of information disclosure and limited Server-Side Request Forgery. | |
| CVE-2023-25632 | Nov 27, 2023 | **Android Whale Browser <3.0.1.2 Bypass Unlock via Open in Whale.** The Android Mobile Whale browser app before 3.0.1.2 allows the attacker to bypass its browser unlock function via 'Open in Whale' feature. | |
| CVE-2020-9754 | Jun 27, 2022 | NAVER Whale browser mobile app before 1.10.6.2 allows the attacker to bypass its browser unlock function via incognito mode. | |
| CVE-2022-24077 | Jun 13, 2022 | Naver Cloud Explorer Beta allows the attacker to execute arbitrary code as System privilege via malicious DLL injection. | |
| CVE-2021-33592 | Jul 19, 2021 | NAVER Toolbar before 4.0.30.323 allows remote attackers to execute arbitrary code via a crafted upgrade.xml file. Special characters in filename parameter can be the cause of bypassing code signing check function. | |
| CVE-2021-33591 | May 28, 2021 | An exposed remote debugging port in Naver Comic Viewer prior to 1.0.15.0 allowed a remote attacker to execute arbitrary code via a crafted HTML page. | |
| CVE-2020-9752 | Mar 23, 2020 | Naver Cloud Explorer before 2.2.2.11 allows the attacker can move a local file in any path on the filesystem as a system privilege through its named pipe. | |
| CVE-2020-9751 | Mar 03, 2020 | Naver Cloud Explorer before 2.2.2.11 allows the system to download an arbitrary file from the attacker's server and execute it during the upgrade. | |
| CVE-2019-13157 | Nov 22, 2019 | nsGreen.dll in Naver Vaccine 2.1.4 allows remote attackers to overwrite arbitrary files via directory traversal sequences in a filename within nsz archive. | |
| CVE-2019-13156 | Sep 03, 2019 | NDrive(1.2.2).sys in Naver Cloud Explorer has a stack-based buffer overflow, which allows attackers to cause a denial of service when reading data from IOCTL handle. | |