272114 matches found
PT-2026-50420
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Cargo RD Cargo Shipping Location for WooCommerce allows Blind SQL Injection. This issue affects Cargo Shipping Location for WooCommerce: from n/a through 5.6...
PT-2026-50424
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Webilia Inc. Listdom allows Blind SQL Injection. This issue affects Listdom: from n/a through 5.4.0...
PT-2026-50416
Name of the Vulnerable Software and Affected Versions WP Travel Gutenberg Blocks versions prior to 3.9.4 Description Improper Neutralization of Special Elements used in an SQL Command allows Blind SQL Injection. Blind SQL Injection is a type of attack where the application does not return data...
PT-2026-50549
Name of the Vulnerable Software and Affected Versions AWS Bedrock AgentCore Python SDK versions 1.1.3 through 1.6.0 Description Improper neutralization of argument delimiters in the install packages method of the Code Interpreter client allows a remote authenticated user to execute arbitrary...
RockyLinux 8 : hplip (RLSA-2026:26335)
The remote RockyLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:26335 advisory. HPLIP: HPLIP: Privilege escalation and arbitrary code execution via operating system command injection CVE-2026-8632 HPLIP: HPLIP: Arbitrary code...
PT-2026-50594
Because the hostname huggingface.co was pre-approved as a bare hostname for the WebFetch tool, any path on that domain—including attacker-controlled model repositories—was auto-approved without a permission prompt or being subject to --allowedTools restrictions. An attacker able to inject untrust...
PT-2026-50502
Name of the Vulnerable Software and Affected Versions Splunk AI Toolkit versions prior to 5.7.4 Description A user with the "admin" Splunk role can execute arbitrary OS commands on the host running the Splunk Enterprise instance. This is caused by an unsafe shell execution pattern in the btool...
PT-2026-50492
Pi loads project-local extensions without approval Pi before 0.79.0 loaded project-local configuration and resources from a repository's .pi directory without first asking the user to trust that repository. This included project-local extensions, which are executable TypeScript or JavaScript...
PT-2026-50484
Summary Open WebUI lets a user who can create, update, or import workspace models store arbitrary meta.knowledge entries on their model without checking whether they own or can read the referenced files. Open WebUI then treats meta.knowledge entries of type file as an authorization source in two...
PT-2026-50487
Summary Open WebUI's prompt version-history endpoints authorize the prompt id in the URL but then act on caller-supplied history IDs without verifying that the history row belongs to that prompt history entry.prompt id == prompt.id. Three operations are affected: - GET /api/v1/prompts/id/prompt...
PT-2026-50479
Summary The chat message listener allows non-same-origin input:prompt and action:submit messages, so an external site can set prompt text and trigger submitPrompt in an authenticated victim session. I validated this with a cross-origin attacker page that auto-posted messages and caused unauthoriz...
PT-2026-50463
Dell PowerFlex Manager, versions Versions, contains an Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to information disclosure...
PT-2026-50447
The shell tool command allowlist in the SecurityPolicy of OpenHuman desktop agent through 0.54.0 default Supervised security policy can be bypassed to execute arbitrary OS commands with the privileges of the desktop user. Two flaws in src/openhuman/security/policy.rs combine: 1 is args safe block...
PT-2026-50446
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in StylemixThemes Motors allows Blind SQL Injection. This issue affects Motors: from n/a through 1.4.109...
PT-2026-50482
Summary Open WebUI v0.9.5 lets an authenticated user attach arbitrary file id values to their own chat message without checking whether they own or can read those files. If the attacker then shares that chat and grants themselves read access, has access to file treats the victim file as accessibl...
RHEL 9 : dracut (RHSA-2026:26533)
The remote Redhat Enterprise Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2026:26533 advisory. The dracut packages contain an event-driven initial RAM file system initramfs generator infrastructure based on the udev device manager. The virtual...
Fedora 44 : tig (2026-5cb64cc909)
The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-5cb64cc909 advisory. Fix editor command injection vulnerability only affectsversion 2.6.0. 1432 https://github.com/jonas/tig/issues/1432 Tenable has extracted the preceding...
RHEL 8 : 389-ds:1.4 (RHSA-2026:26460)
The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2026:26460 advisory. 389 Directory Server is an LDAP version 3 LDAPv3 compliant server. The base packages include the Lightweight Directory Access Protocol LDAP server a...
RockyLinux 9 : hplip (RLSA-2026:26297)
The remote RockyLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:26297 advisory. HPLIP: HPLIP: Privilege escalation and arbitrary code execution via operating system command injection CVE-2026-8632 HPLIP: HPLIP: Arbitrary code...
RHEL 8 : 389-ds:1.4 (RHSA-2026:26459)
The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2026:26459 advisory. 389 Directory Server is an LDAP version 3 LDAPv3 compliant server. The base packages include the Lightweight Directory Access Protocol LDAP server a...