PT-2026-39961

The LifePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'n' parameter of the lp update mds AJAX action in all versions up to, and including, 2.2.2. This is due to the wp ajax nopriv lp update mds action being registered without nonce verification or capability...

PT-2026-40189

Name of the Vulnerable Software and Affected Versions Windows Admin Center affected versions not specified Description Missing authorization in Windows Admin Center allows an authorized attacker to elevate privileges over a network. This issue can be triggered by abusing the update path,...

Microsoft Windows Admin Center 访问控制错误漏洞

Microsoft Windows Admin Center is a browser-based, locally deployed application developed by Microsoft. This tool is primarily used for managing servers and clusters. Microsoft Windows Admin Center has a vulnerability related to access control. Attackers can exploit this vulnerability to gain...

PT-2026-40330

Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, TrustedNetworkAuthenticationHandler.ResolveClientIp parses the leftmost entry of the X-Forwarded-For header as the client IP. That entr...

PT-2026-39920

Name of the Vulnerable Software and Affected Versions SAP Forecasting & Replenishment affected versions not specified Description An OS Command Execution issue exists where an authenticated attacker with administrative authorizations can abuse a non-remote-enabled function to execute arbitrary...

PT-2026-39972

The WP-Redirection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.0.3. This is due to the absence of a nonce field in the admin settings form and the lack of any nonce verification via check admin referer or wp verify nonce in the...

PT-2026-40291

PgBouncer before 1.25.2 did not perform an appropriate authorization check for the KILL CLIENT admin command. All users with access to the administration console which itself requires authorization could run this command. It would have been correct to allow only users listed in the admin users...

devguard 安全漏洞

Devguard is a software supply chain vulnerability management platform developed by L3montree. Versions prior to 1.2.2 of Devguard contained security vulnerabilities. These vulnerabilities stemmed from SessionMiddleware accepting the X-Admin-Token HTTP request header provided by clients. When no...

Claris FileMaker Cloud 安全漏洞

Claris FileMaker Cloud is a cloud platform provided by the American company Claris, designed for enterprise-level low-code database application development and hosting scenarios. Versions of Claris FileMaker Cloud prior to 2.22.0.5 contained security vulnerabilities. These vulnerabilities stemmed...

PT-2026-40114

An improper neutralization of argument delimiters in a command 'argument injection' vulnerability in Fortinet FortiDeceptor 6.0.0 through 6.0.2, FortiDeceptor 5.3.0 through 5.3.3, FortiDeceptor 5.2.0 through 5.2.1, FortiDeceptor 5.1 all versions, FortiDeceptor 5.0 all versions may allow an...

wiki.js 安全漏洞

Wiki.js is a Wiki application open-sourced by requarks.io. Versions of Wiki.js prior to 2.5.313 contained a security vulnerability. This vulnerability stemmed from the GraphQL mutation in users.update, which accepted an arbitrary groups array and applied it directly to the database without...

PT-2026-39934

UNSUPPORTED WHEN ASSIGNED An insecure storage of sensitive information vulnerability in the configuration file of Zyxel WRE6505 v2 firmware version V1.00ABDV.3C0 could allow a local attacker with administrator privileges to download and decrypt a backup configuration file...

PT-2026-40460

Name of the Vulnerable Software and Affected Versions Claris FileMaker Cloud versions prior to 2.22.0.5 Description A Remote Code Execution issue allows a user with Admin Console privileges to bypass a front-end restriction on OS Script schedule types. This bypass enables the execution of arbitra...

PT-2026-40232

Name of the Vulnerable Software and Affected Versions Windows Admin Center affected versions not specified Description Improper access control in Windows Admin Center allows an authorized attacker to elevate privileges over a network. Recommendations At the moment, there is no information about a...

PT-2026-39964

The Skysa Text Ticker App plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the SkysaApps Admin AppPage function. This makes it possible for unauthenticated attackers to trick a site...

PT-2026-40350

An administrative user with access to configure webhooks can execute arbitrary commands by configuring and then triggering webhooks containing specific FreeMarker template syntax. This issue affects all MongoDB Ops Manager 7.0 versions and MongoDB Ops Manager versions 8.0.22 and prior...

PT-2026-40459

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.3.2 Description ChurchCRM is an open-source church management system. The UserEditor.php file processes user account creation and permission updates using $ POST parameters without validating Cross-Site Request...

PT-2026-40368

Stack-based buffer overflow vulnerabilities exist in several underlying management service components accessed through the command-line interface of the AOS-8 and AOS-10 Operating Systems. An authenticated attacker with administrative privileges could exploit these vulnerabilities by sending...

Siemens SENTRON 7KT PAC1261 Data Manager

SUMMARY The web server in SENTRON 7KT PAC1261 Data Manager Before V2.1.0 contains a request smuggling vulnerability in the Go Project's net/http package that could allow an attacker to retrieve authorization tokens that can be used to gain administrative control over the device. Siemens has...

PT-2026-40001

The FastBots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...