
421 matches found

Cvelist
added 2026/06/12 2:15 p.m. | 26 views

CVE-2026-47137 vm2: GHSA-8hg8-63c5-gwmx patch bypass: nesting:true without explicit require still allows full RCE

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the fix for GHSA-8hg8-63c5-gwmx (CVE-2023-37903) introduced a check in nodevm.js line 263 that blocks the combination nesting: true + require: false. However, the check uses strict equality options.require === false, which is...

CVSS 10 | EPSS 0.00382 | Exploits 0 | References 5

Positive Technologies
added 2026/05/14 12:0 a.m. | 13 views

PT-2026-40978

Name of the Vulnerable Software and Affected Versions: Microsoft Exchange Server 2016 (affected versions not specified); Microsoft Exchange Server 2019 (affected versions not specified); Microsoft Exchange Server Subscription Edition (affected versions not specified)
Description: An issue exists in the...

CVSS 9.4 | AI score 6.1 | EPSS 0.0564 | Exploits 1 | References 265

Positive Technologies
added 2026/03/27 12:0 a.m. | 4 views

PT-2026-28440

Name of the Vulnerable Software and Affected Versions: BUFFALO Wi-Fi router products (affected versions not specified)
Description: A code injection issue exists in BUFFALO Wi-Fi router products. Successful exploitation of this issue could allow for the execution of arbitrary code on affected devices...

CVSS 8.8 | AI score 6.3 | EPSS 0.00266 | Exploits 0 | References 5

Positive Technologies
added 2026/03/26 12:0 a.m. | 6 views

PT-2026-28294

Name of the Vulnerable Software and Affected Versions: HCL Aftermarket DPC (affected versions not specified)
Description: The software is susceptible to a weak password policy, which simplifies unauthorized access to user accounts by enabling attackers to guess passwords or employ brute-force methods...

CVSS 9.8 | AI score 5.9 | EPSS 0.00242 | Exploits 0 | References 3

Positive Technologies
added 2026/02/08 12:0 a.m. | 9 views

PT-2026-7015

Name of the Vulnerable Software and Affected Versions: Great Developers Certificate Generation System (affected versions not specified)
Description: A security issue exists in Great Developers Certificate Generation System. The issue involves unrestricted upload due to manipulation of the file...

CVSS 6.5 | AI score 5.4 | EPSS 0.00233 | Exploits 1 | References 6

Positive Technologies
added 2026/02/06 12:0 a.m. | 4 views

PT-2026-6780

Name of the Vulnerable Software and Affected Versions: Tanium Client (affected versions not specified)
Description: Tanium Client is subject to a denial of service condition. The vulnerability allows for a denial of service.
Recommendations: At the moment, there is no information about a newer version...

CVSS 3.3 | AI score 5.5 | EPSS 0.00096 | Exploits 0 | References 4

Positive Technologies
added 2026/02/05 12:0 a.m. | 4 views

PT-2026-6619

Name of the Vulnerable Software and Affected Versions: Tanium Threat Response (affected versions not specified)
Description: Tanium Threat Response contains an information disclosure issue. The vulnerability allows for the potential exposure of information.
Recommendations: At the moment, there is no...

CVSS 4.3 | AI score 5.3 | EPSS 0.00234 | Exploits 0 | References 4

Positive Technologies
added 2026/02/05 12:0 a.m. | 5 views

PT-2026-6604

Name of the Vulnerable Software and Affected Versions: Tanium Interact (affected versions not specified)
Description: Tanium Interact was found to have improper access controls. This allows unauthorized access to resources.
Recommendations: At the moment, there is no information about a newer version...

CVSS 3.1 | AI score 5.5 | EPSS 0.00216 | Exploits 0 | References 3

Positive Technologies
added 2026/02/05 12:0 a.m. | 3 views

PT-2026-6624

Name of the Vulnerable Software and Affected Versions: Tanium Discover (affected versions not specified)
Description: Tanium Discover was found to have an incorrect default permissions setting. This could potentially allow unauthorized access or modification of data.
Recommendations: At the moment,...

CVSS 6.5 | AI score 5.5 | EPSS 0.00312 | Exploits 0 | References 4

Positive Technologies
added 2026/01/07 12:0 a.m. | 6 views

PT-2026-2206

Name of the Vulnerable Software and Affected Versions: Versions affected versions not specified
Description: An attacker with a network connection could detect credentials in clear text.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this...

CVSS 8.7 | AI score 6.5 | EPSS 0.00217 | Exploits 0 | References 3

Positive Technologies
added 2025/12/30 12:0 a.m. | 5 views

PT-2025-53860

Name of the Vulnerable Software and Affected Versions: DVP-12SE11T (affected versions not specified)
Description: The issue is an out-of-bounds memory write affecting the DVP-12SE11T device. Exploitation may allow a remote attacker to disclose protected information and cause a denial of service. Some...

CVSS 9.8 | AI score 7.2 | EPSS 0.00288 | Exploits 0 | References 11

Positive Technologies
added 2025/12/24 12:0 a.m. | 4 views

PT-2025-53162

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified)
Description: A flaw exists in the Linux kernel’s MPTCP implementation. Specifically, a NULL pointer dereference can occur on fastopen early fallback. This happens when the system falls back to TCP...

AI score 6.2 | EPSS 0.00162 | Exploits 0 | References 4

Positive Technologies
added 2025/12/23 12:0 a.m. | 4 views

PT-2025-52843

Name of the Vulnerable Software and Affected Versions: NVIDIA Isaac Launchable (affected versions not specified)
Description: NVIDIA Isaac Launchable contains a flaw due to a hard-coded credential. Exploitation of this issue could allow an attacker to execute code, escalate privileges, cause a denial...

CVSS 9.8 | AI score 7 | EPSS 0.00536 | Exploits 0 | References 7

Positive Technologies
added 2025/11/17 12:0 a.m. | 4 views

PT-2025-47166

Name of the Vulnerable Software and Affected Versions: Digi On-Prem Manager (affected versions not specified)
Description: An injection flaw exists in the API feature of Digi On-Prem Manager. An attacker with valid API tokens can inject SQL code via crafted input. The API is not enabled by default. T...

CVSS 8.8 | AI score 7.5 | EPSS 0.00369 | Exploits 0 | References 6

Positive Technologies
added 2025/11/11 12:0 a.m. | 5 views

PT-2025-46459

Name of the Vulnerable Software and Affected Versions: Windows Speech (affected versions not specified)
Description: An issue exists where sensitive information is inserted into sent data within Windows Speech. This could allow an authorized attacker to disclose information locally.
Recommendations: A...

CVSS 5.5 | AI score 5.2 | EPSS 0.00521 | Exploits 0 | References 6

Positive Technologies
added 2025/11/10 12:0 a.m. | 4 views

PT-2025-46585

Name of the Vulnerable Software and Affected Versions: rust-sudo-rs (affected versions not specified)
Description: A security update is available. The package rust-sudo-rs in Debian is affected by vulnerabilities.
Recommendations: At the moment, there is no information about a newer version that...

CVSS 4.4 | AI score 6.5 | EPSS 0.0015 | Exploits 0 | References 20

Positive Technologies
added 2025/11/06 12:0 a.m. | 4 views

PT-2025-45377

Name of the Vulnerable Software and Affected Versions: Rubygem MQTT (affected versions not specified)
Description: The Rubygem MQTT package did not have hostname validation enabled by default, which could allow for a Man-in-the-Middle (MITM) attack. This means a malicious actor could potentially...

CVSS 7.4 | AI score 6.5 | EPSS 0.00307 | Exploits 0 | References 12

Positive Technologies
added 2025/10/30 12:0 a.m. | 4 views

PT-2025-44397

Name of the Vulnerable Software and Affected Versions: tftpsync (affected versions not specified)
Description: A path traversal flaw exists in the tftpsync/add and tftpsync/delete scripts. A remote attacker on an adjacent network can potentially write or delete files on the filesystem with the...

CVSS 8.7 | AI score 6.5 | EPSS 0.0024 | Exploits 0 | References 5

Positive Technologies
added 2025/10/27 12:0 a.m. | 3 views

PT-2025-43927

Name of the Vulnerable Software and Affected Versions: affected versions not specified
Description: An attacker may cause chunk-size mismatches that block file transfers and prevent subsequent transfers. This can potentially disrupt file transfer operations.
Recommendations: At the moment, there is ...

CVSS 7.5 | AI score 6.5 | EPSS 0.00341 | Exploits 0 | References 10

Positive Technologies
added 2025/10/27 12:0 a.m. | 4 views

PT-2025-43924

Name of the Vulnerable Software and Affected Versions: versions prior to 2025
Description: The system is deployed in its default state, with configuration settings that do not comply with the latest best practices for restricting access, increasing the risk of unauthorised connections...

CVSS 7.5 | AI score 6.3 | EPSS 0.0036 | Exploits 0 | References 10