
Positive Technologies (added 2 days ago)

PT-2026-52435

Name of the Vulnerable Software and Affected Versions: JS Help Desk versions prior to 3.1.2. Description: Low-privileged subscribers can remotely delete critical files due to a path traversal issue. Path traversal is a flaw that allows an attacker to access or manipulate files outside the intended...

CVSS 7.7 | AI score 5.8 | EPSS 0.0045 | Exploits 0 | References 3
Positive Technologies (added 2 days ago)

PT-2026-52514

Name of the Vulnerable Software and Affected Versions: pnpm versions prior to 10.34.0; pnpm versions prior to 11.4.0. Description: The patch application pipeline @pnpm/patch-package fails to validate file paths extracted from .patch files. An attacker can provide a malicious patch file containing...

CVSS 7.3 | AI score 5.9 | EPSS 0.0025 | Exploits 0 | References 5
Positive Technologies (added 2 days ago)

PT-2026-52513

Name of the Vulnerable Software and Affected Versions: pnpm versions prior to 10.34.0; pnpm versions prior to 11.4.0. Description: pnpm passes the git resolution.commit value from the lockfile to the git fetch command without using a -- separator or performing commit-format validation. When git...

CVSS 6.4 | AI score 5.9 | EPSS 0.00169 | Exploits 0 | References 5
Positive Technologies (added 2 days ago)

PT-2026-52522

Name of the Vulnerable Software and Affected Versions: pnpm versions prior to 10.34.2; pnpm versions prior to 11.5.3. Description: pnpm allows the installation of configDependencies declared in pnpm-workspace.yaml before command dispatch. A repository can declare pacquet or @pnpm/pacquet as a config...

CVSS 7.5 | AI score 5.8 | EPSS 0.00117 | Exploits 0 | References 5
Positive Technologies (added 2 days ago)

PT-2026-52523

Name of the Vulnerable Software and Affected Versions: pnpm versions prior to 10.34.2; pnpm versions prior to 11.5.3. Description: pnpm persists package-manager bootstrap metadata within the first YAML document of the pnpm-lock.yaml file. The software trusted previously resolved...

CVSS 8.8 | AI score 6 | EPSS 0.00171 | Exploits 0 | References 4
Positive Technologies (added 2 days ago)

PT-2026-52536

Name of the Vulnerable Software and Affected Versions: File Browser versions prior to 2.63.6. Description: The Hook Authentication feature allows administrators to delegate login verification to an external shell command. The application uses os.Expand to interpolate user-supplied credentials into...

CVSS 9.3 | AI score 6.2 | EPSS 0.00533 | Exploits 0 | References 3
Positive Technologies (added 2 days ago)

PT-2026-52626

Name of the Vulnerable Software and Affected Versions: Cacti versions prior to 1.2.31. Description: An issue exists in the performance and fault management framework where improper handling of deserialized data leads to SQL Injection. In the 'managers.php' file, the application processes the selecte...

CVSS 7.2 | AI score 5.9 | EPSS 0.00264 | Exploits 0 | References 4
Positive Technologies (added 2 days ago)

PT-2026-52588

Name of the Vulnerable Software and Affected Versions: wolfSSL versions prior to 5.9.1. Description: The PKCS7 decode path fails to respect the caller-supplied output buffer size outputSz. This allows decoded content to be written beyond the boundaries of the provided buffer, leading to a buffer...

CVSS 1 | AI score 6.2 | EPSS 0.002 | Exploits 0 | References 4
Positive Technologies (added 2 days ago)

PT-2026-52587

Name of the Vulnerable Software and Affected Versions: wolfSSL versions prior to 5.9.1. Description: A heap buffer overflow occurs in the DTLS 1.3 ACK serialization path before the connecting peer is authenticated. The issue stems from an integer truncation when calculating the length of the ACK...

CVSS 8.8 | AI score 6 | EPSS 0.00386 | Exploits 0 | References 4
Tenable Nessus (added 2 days ago)

GitLab 17.11 < 18.11.6 / 19.0 < 19.0.3 / 19.1 < 19.1.1 (CVE-2026-5952)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.11 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an...

CVSS 4.3 | AI score 5.9 | EPSS 0.00208 | Exploits 0 | References 5
Tenable Nessus (added 2 days ago)

Anthropic Claude Code 0.2.54 < 2.1.163 Data Exfiltration (CVE-2026-54316)

The version of Anthropic Claude Code installed on the remote host is 0.2.54 prior to 2.1.163. It is, therefore, affected by a data exfiltration vulnerability. - Because the hostname huggingface.co was pre-approved as a bare hostname for the WebFetch tool, any path on that domain including...

CVSS 6 | AI score 5.9 | EPSS 0.00416 | Exploits 0 | References 2
Talos (added 2 days ago)

vtk vtk-dicom vtkDICOMItem::FindDataElementOrInsert heap-based buffer overflow vulnerability

Summary A heap-based buffer overflow vulnerability exists in the vtkDICOMItem::FindDataElementOrInsert functionality of vtk-dicom versions: 9.5.2. A specially crafted DICOM file can lead to heap-based memory corruption. An attacker can provide a malicious file to trigger this vulnerability...

CVSS 8.1 | AI score 6.4 | EPSS 0.0032 | Exploits 0
Tenable Nessus (added 2 days ago)

LangChain < 1.3.9 Path Traversal (CVE-2026-55443)

The version of LangChain installed on the remote host is prior to 1.3.9. It is, therefore, affected by a path traversal vulnerability: - Several LangChain components that resolve filesystem paths or expand search patterns do not consistently confine the resolved path to the intended root director...

CVSS 5.5 | AI score 5.9 | EPSS 0.0017 | Exploits 0 | References 2
Tenable Nessus (added 2 days ago)

Dell Wyse Management Suite < 2605 Multiple Vulnerabilities (DSA-2026-247)

The version of Dell Wyse Management Suite installed on the remote host is prior to 2605. It is, therefore, affected by multiple vulnerabilities, including: - Dell Wyse Management Suite WMS, versions prior to WMS 2605, contain an Improper Neutralization of Special Elements used in an SQL Command...

CVSS 8.8 | AI score 5.9 | EPSS 0.00244 | Exploits 0 | References 5
Tenable Nessus (added 2 days ago)

Linux Distros Unpatched Vulnerability : CVE-2026-54905

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - concurrent-ruby is a modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReentrantReadWriteLock can incorrectly grant a write lock after one thread...

CVSS 5.5 | AI score 5.9 | EPSS 0.00105 | Exploits 0 | References 2
Tenable Nessus (added 2 days ago)

GitLab 19.1 < 19.1.1 (CVE-2026-12053)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - GitLab has remediated an issue in GitLab EE affecting all versions from 19.1 before 19.1.1 that under certain conditions could have allowed a user to access sensitive information that had already been...

CVSS 8.6 | AI score 5.9 | EPSS 0.00328 | Exploits 0 | References 5
Tenable Nessus (added 2 days ago)

Oracle WebCenter Portal (June 2026 CSPU)

The 12.2.1.4.0 and 14.1.2.0.0 versions of WebCenter Portal installed on the remote host are affected by multiple vulnerabilities as referenced in the June 2026 CSPU advisory. - Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware component: Security Framework. Supporte...

CVSS 10 | AI score 5.9 | EPSS 0.00474 | Exploits 0 | References 12
Cvelist (added 3 days ago)

CVE-2026-40079 Cacti: Command Injection via escape_command() no-op in RRDtool execution

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Command Injection due to lack of sanitization in the escapecommand function. The escapecommand function at lib/rrd.php is a no-op: it returns $command unchanged. The command line built ...

CVSS 8.6 | EPSS 0.01113 | Exploits 0 | References 2
CVE (added 3 days ago)

CVE-2026-40079

Cacti 1.2.30 and earlier are vulnerable to a Command Injection due to a no‑op escape_command() in lib/rrd.php, which returns the command unchanged. The graph command assembled by rrdtool_function_graph() is passed to shell_exec via __rrd_execute(), with possible host variable substitutions from g...

CVSS 9.8 | AI score 5.8 | EPSS 0.01113 | Exploits 0 | References 2 | Affected software 1
OSV (added 3 days ago)

DEBIAN-CVE-2026-39900

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Reflected XSS via tab parameter in the authprofile.php JavaScript context. This issue has been fixed in version 1.2.31...

CVSS 6.1 | AI score 5.7 | EPSS 0.00155 | Exploits 0 | References 1