PT-2026-49003

Name of the Vulnerable Software and Affected Versions Nezha Monitoring versions 1.0.0 through 2.1.x Description The dashboard exposes two endpoints that create long-lived WebSocket streams to monitored agents: "/api/v1/terminal" which triggers the createTerminal function, and "/api/v1/file" which...

PT-2026-48931

Name of the Vulnerable Software and Affected Versions chisel affected versions not specified Description Authenticated clients can bypass Access Control List ACL restrictions defined via the --authfile parameter to tunnel traffic to arbitrary destinations reachable from the server. While the serv...

PT-2026-49088

Name of the Vulnerable Software and Affected Versions GD for Perl versions prior to 2.86 Description The make filehandle function in GD::Image uses Perl's 2-arg open to process filename arguments. This allows OS command injection and file overwrite if a filename begins or ends with a pipe e.g., "...

PT-2026-48992

Name of the Vulnerable Software and Affected Versions Kitty versions 0.47.0 through 0.47.1 Description In the kitten dnd component, a malicious remote drag-and-drop source can overwrite or truncate arbitrary files that the local user has permission to write. This occurs because remote text/uri-li...

PT-2026-48901

Name of the Vulnerable Software and Affected Versions Netty versions prior to 4.2.15.Final Description Netty QUIC exposes the stateless reset token on the network path when utilizing the default HMAC-based connection-ID and stateless-reset-token generators. Specifically, the...

PT-2026-49605

Name of the Vulnerable Software and Affected Versions Squid Proxy affected versions not specified Description A Heartbleed-style memory leak exists in the default configuration of Squid Proxy. The issue stems from a heap buffer overread in the FTP directory listing parser, caused by a...

PT-2026-48990

Name of the Vulnerable Software and Affected Versions sanitize-html versions prior to 2.17.5 Description The software uses the allowedSchemesAppliedToAttributes variable to control the naughtyHref function, which is designed to block dangerous URI schemes such as javascript: and vbscript:. Howeve...

PT-2026-49034

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.4.22 Description A webhook secret revocation bypass allows callers using outdated Slack and Zalo webhook secrets to remain active after the secrets.reload function is executed. This creates a stale-secret window...

PT-2026-48883

Name of the Vulnerable Software and Affected Versions jmespath.php versions prior to 2.9.1 Description Insufficient escaping of parsed JMESPath function names into generated PHP source allows for the generation and execution of attacker-controlled PHP code. This occurs when JmesPathCompilerRuntim...

PT-2026-48847

Name of the Vulnerable Software and Affected Versions The product name cannot be determined affected versions not specified Description A logic error in the OAuthRequestFilter function causes legitimate requests from the bound IP address to be rejected, while requests from any other IP address ar...

PT-2026-49065

Summary Unchecked passwords maximums allow for an arbitrarily large password to be passed into the login API. This spikes CPU and memory, and after testing, crashes, heavily lags any container created, and has even made my docker daemon start to send errors with status code 500 even after the...

PT-2026-48909

Name of the Vulnerable Software and Affected Versions Aqara Board service affected versions not specified Description The Aqara Board service at the endpoint "op-test.aqara.com" accepts arbitrary MQTT command payloads and forwards them to the platform's HiveMQ broker without authentication. This...

PT-2026-48920

Name of the Vulnerable Software and Affected Versions Crypt::PBKDF2 versions prior to 0.261630 Description Crypt::PBKDF2 for Perl generates insecure random values for salts. This occurs because the software utilizes the built-in rand function, which is predictable and unsuitable for cryptographic...

PT-2026-48988

Name of the Vulnerable Software and Affected Versions Discourse versions 2026.1.0 through 2026.1.3 Discourse versions 2026.3.0 Discourse versions 2026.4.0 Description When the SiteSetting.tags listed by group setting is enabled, the DetailedTagSerializertag group names function returns all tag...

PT-2026-48987

Name of the Vulnerable Software and Affected Versions Discourse versions 2026.1.0 through 2026.1.3 Discourse versions 2026.3.0 through 2026.3.0 Discourse versions 2026.4.0 through 2026.4.0 Description An issue exists in the Jobs::RedeliverWebHookEvents function where the MessageBus.publish call f...

PT-2026-48818

The Presto Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link url' parameter of the presto player overlay shortcode in versions up to, and including, 4.2.0 This is due to insufficient input sanitization and output escaping in the getOverlays function, which...

Linux Distros Unpatched Vulnerability : CVE-2026-10142

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - kafka-python prior to 2.3.2 contains a denial-of-service vulnerability in the protocol parser that allows a malicious broker or machine-in-the-middle attacker t...

EulerOS Virtualization 2.13.1 : avahi (EulerOS-SA-2026-2365)

According to the versions of the avahi packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. Prior to version 0.9-rc...

EulerOS Virtualization 2.13.1 : sqlite (EulerOS-SA-2026-2389)

According to the versions of the sqlite packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : An information disclosure issue in the zipfileInflate function in the zipfile extension in SQLite v3.51.1 and earlier allows...

EulerOS Virtualization 2.13.1 : openjpeg2 (EulerOS-SA-2026-2381)

According to the versions of the openjpeg2 packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : A vulnerability was identified in uclouvain openjpeg up to 2.5.4. This impacts the function opjpiinitialiseencode in the library...