CVE-2026-11933 Post-authentication use-after-free in server-side JavaScript BSON-to-array conversion

A use-after-free vulnerability exists in MongoDB Server's server-side JavaScript engine when converting BSON documents to JavaScript arrays. An authenticated user with read privileges who is able to run server-side JavaScript for example, via $where or $function can cause the server to access...

CVE-2026-11933 Post-authentication use-after-free in server-side JavaScript BSON-to-array conversion

A use-after-free vulnerability exists in MongoDB Server's server-side JavaScript engine when converting BSON documents to JavaScript arrays. An authenticated user with read privileges who is able to run server-side JavaScript for example, via $where or $function can cause the server to access...

CVE-2026-11933

Technical details (affected products, versions, root cause, and remediation) are not publicly available in the provided documents. Please monitor for updates.

Post-authentication use-after-free in server-side JavaScript BSON-to-array conversion

A use-after-free vulnerability exists in MongoDB Server's server-side JavaScript engine when converting BSON documents to JavaScript arrays. An authenticated user with read privileges who is able to run server-side JavaScript for example, via $where or $function can cause the server to access...

EUVD-2026-36372

The Presto Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'linkurl' parameter of the prestoplayeroverlay shortcode in versions up to, and including, 4.2.0 This is due to insufficient input sanitization and output escaping in the getOverlays function, which copies...

CVE-2026-9125 The Ultimate Video Player For WordPress <= 4.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'link_url' Shortcode Attribute

The Presto Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'linkurl' parameter of the prestoplayeroverlay shortcode in versions up to, and including, 4.2.0 This is due to insufficient input sanitization and output escaping in the getOverlays function, which copies...

CVE-2026-9125

Summary: CVE-2026-9125 affects the Presto Player plugin for WordPress (up to version 4.2.0). The root cause is insufficient input sanitization and output escaping in the getOverlays() function, which copies the link_url shortcode attribute directly into the overlay configuration without scheme va...

CVE-2026-9125 The Ultimate Video Player For WordPress <= 4.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'link_url' Shortcode Attribute

The Presto Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'linkurl' parameter of the prestoplayeroverlay shortcode in versions up to, and including, 4.2.0 This is due to insufficient input sanitization and output escaping in the getOverlays function, which copies...

Security Bulletin: Security vulnerabilities have been found in IBM Verify Identity Access Digital Credentials

Summary Security vulnerabilities have been addressed in IBM Verify Identity Access Digital Credentials Vulnerability Details CVEID:CVE-2026-45740 DESCRIPTION: protobufjs compiles protobuf definitions into JavaScript JS functions. Prior to 7.5.8 and 8.2.0, protobufjs could recurse without a depth...

PT-2026-48903

Name of the Vulnerable Software and Affected Versions Netty versions prior to 4.1.135.Final Netty versions prior to 4.2.15.Final Description Netty is a network application framework for developing protocol servers and clients. The RedisArrayAggregator pre-allocates an ArrayList with an initial...

PT-2026-48831

Heptabase developed by Hepta Platforms has a Exposed Dangerous Method or Function vulnerability, allowing unauthenticated remote attackers to leverage social engineering techniques to trick a victim into opening or loading a malicious webpage within the Heptabase application, thereby gaining...

PT-2026-49001

Name of the Vulnerable Software and Affected Versions Nezha Monitoring versions prior to 2.0.13 Description The dashboard's NoRoute handler contains a flaw in the fallbackToFrontend function. The system uses strings.HasPrefix to identify admin-frontend asset requests by checking if a URL starts...

PT-2026-48910

Name of the Vulnerable Software and Affected Versions Aqara IAM/SSO gateway affected versions not specified Description The IAM/SSO gateway at 'gw-builder.aqara.com' exposes an unauthenticated AES oracle, allowing bidirectional AES round-trips against the platform's signing key. This occurs due t...

PT-2026-48866

A security flaw has been discovered in PbootCMS up to 3.2.12. This vulnerability affects the function retrieve of the file apps/home/controller/MemberController.php of the component Password Handler. The manipulation of the argument username/password/email/checkcode results in weak password...

PT-2026-48906

The Aqara Cloud Developer Portal developer.aqara.com issued a developer token to any email address supplied by the attacker. This is an instance of "CWE-306: Missing Authentication for Critical Function" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 6.5 Medium. When...

PT-2026-49000

Name of the Vulnerable Software and Affected Versions CodeAstro Human Resource Management System version 1.0 Description An SQL injection issue exists within the Payroll Invoice Module. The flaw is located in the Invoice function of the applicationcontrollersPayroll.php file, where improper...

PT-2026-48835

The authentication mechanism of a certain function in the PcSuite has a defect, which may result in information leakage within the range of a Bluetooth connection...

PT-2026-49004

Name of the Vulnerable Software and Affected Versions Nezha Monitoring versions 1.0.0 through 2.1.x Description The getRedirectURL function in oauth2.go constructs the OAuth2 callback URL by concatenating the request's Host header with a fixed path without validating the Host header. This allows...

PT-2026-48901

Name of the Vulnerable Software and Affected Versions Netty versions prior to 4.2.15.Final Description Netty QUIC exposes the stateless reset token on the network path when utilizing the default HMAC-based connection-ID and stateless-reset-token generators. Specifically, the...

PT-2026-48817

Name of the Vulnerable Software and Affected Versions MongoDB Server affected versions not specified Description A use-after-free memory corruption flaw exists in the server-side JavaScript engine when converting BSON documents to JavaScript arrays. An authenticated user with read privileges who...