PT-2026-49297
Bludit CMS before version 3.18.4 allows Remote Code Execution (RCE) via the API Plugin. The POST /api/files/key endpoint in bl-plugins/api/plugin.php fails to perform authorization checks and lacks file extension validation. An attacker with a valid API token can upload a malicious PHP script and...
RHEL 9 : gimp (RHSA-2026:25899)
The remote Red Hat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:25899 advisory. The GIMP (GNU Image Manipulation Program) is an image composition and editing program. GIMP provides a large image manipulation toolbox,...
RHEL 9 : gimp (RHSA-2026:25907)
The remote Red Hat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:25907 advisory. The GIMP (GNU Image Manipulation Program) is an image composition and editing program. GIMP provides a large image manipulation toolbox,...
PT-2026-49313
Name of the Vulnerable Software and Affected Versions: fossar selfoss version 2.20-SNAPSHOT. Description: An issue in the loopback request handling component allows attackers to execute arbitrary commands and obtain sensitive information by supplying a crafted HTTP request. Recommendations: At the...
CVE-2026-50872
The CVE-2026-50872 entry affects fossar selfoss v2.20-SNAPSHOT, with a vulnerability in the loopback request handling component that could allow arbitrary command execution and leakage of sensitive data via a crafted HTTP request. The issue is described across multiple sources (NVD/ENISA/CVE list...
CVE-2026-50883
An HTML injection vulnerability in the /src/highlight.rs component of matze wastebin v3.4.1 allows attackers to execute arbitrary scripts via a crafted payload...
PT-2026-49218
WordPress Brandfolder plugin version 3.0 and earlier contains a local file inclusion vulnerability in callback.php that allows unauthenticated attackers to include arbitrary files by manipulating the wp abspath parameter. Attackers can supply path traversal sequences or remote URLs through the wp...
PT-2026-49533
Name of the Vulnerable Software and Affected Versions: grpc versions 0.4.0 through 0.9.x. Description: Deserialization of untrusted data and allocation of resources without limits or throttling allow unauthenticated attackers to crash the BEAM node or achieve remote code execution on the server. The...
PT-2026-49213
WordPress Ultimate Product Catalog 3.8.6 contains an arbitrary file upload vulnerability that allows authenticated users with contributor, editor, author, or administrator roles to upload malicious files by exploiting the custom fields functionality. Attackers can upload PHP shells through the...
PT-2026-49223
WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the upload-package.php endpoint. Attackers can submit POST requests with malicious file extensions to the uplo...
CVE-2026-39006
An issue in SNMP4J-Agent 3.8.3 allows a remote attacker to execute arbitrary code via the snmp4jCfgStoragePath component...
PT-2026-49471
Name of the Vulnerable Software and Affected Versions: OliveTin versions prior to 3000.13.0. Description: The template engine utilizes a single shared text/template.Template instance, specifically the tpl package-level variable in service/internal/tpl/templates.go, across all goroutines. Each action...
CVE-2026-50880
CVE-2026-50880 affects YouTransfer v1.0.6, specifically the sendmail transport integration component. The issue allows an attacker to execute arbitrary code by sending a crafted request. The cybersecurity metadata indicates a critical impact (CVSS 3.1: 9.8, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). C...
PT-2026-49474
Name of the Vulnerable Software and Affected Versions: Easy Invoice versions prior to 2.1.20. Description: An unauthenticated Remote Code Execution (RCE) flaw allows an attacker to execute arbitrary code on the system without requiring login credentials. Recommendations: Update to a version newer than...
PT-2026-49375
Editor Remote Code Execution (RCE) in Responsive Slider by MetaSlider = 3.106.0 versions...
CVE-2026-50880
An issue in the sendmail transport integration component of YouTransfer v1.0.6 allows attackers to execute arbitrary code via supplying a crafted request...
CVE-2026-39006
CVE-2026-39006 concerns SNMP4J-Agent 3.8.3 where a remote attacker can execute arbitrary code via the snmp4jCfgStoragePath component. Documented impact is critical (CVSS v3.1: 9.8) with network discovery and no user interaction required; exploitation status is not provided in the supplied sources...
PT-2026-49309
Discuz! X5.0 releases 20260320 through 20260501 contain a local file inclusion vulnerability that allows authenticated administrators to execute arbitrary code by importing a specially crafted plugin configuration containing path traversal sequences in the directory attribute. Attackers can trigg...
PT-2026-49281
Name of the Vulnerable Software and Affected Versions: OpenCPN version 5.12.0. Description: A code injection issue exists in the wxExecute function, which allows attackers to execute arbitrary code by embedding shell metacharacters. Shell metacharacters are special characters interpreted by the...
PT-2026-49203
Responsive FileManager allows an unauthenticated attacker to upload files of any type and extension without restriction using the dialog.php endpoint, leading to Remote Code Execution. This project is unmaintained at the time of CVE assignment. The vulnerability was found in the latest release 9.14...