EUVD-2026-33603

A vulnerability was identified in JeecgBoot up to 3.9.2. The impacted element is an unknown function of the file /airag/airagModel/test. The manipulation of the argument baseUrl leads to server-side request forgery. The attack is possible to be carried out remotely. The exploit is publicly...

PT-2026-36570

A vulnerability was determined in JeecgBoot up to 3.9.1. Affected by this issue is the function checkPathTraversalBatch of the file FileDownloadUtils.jav of the component LoadFile Endpoint. This manipulation of the argument files causes server-side request forgery. It is possible to initiate the...

EUVD-2026-24243

A vulnerability was determined in Bagisto up to 2.3.15. Affected by this vulnerability is an unknown functionality of the component Custom Scripts Handler. This manipulation causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may...

GHSA-X3F9-VCP2-HGCW Bagisto affected by Server-Side Request Forgery

A vulnerability was found in Bagisto up to 2.3.15. Affected is the function copy of the component Downloadable Link Handler. The manipulation results in server-side request forgery. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted...

Bagisto affected by Cross-site Scripting

A vulnerability was determined in Bagisto up to 2.3.15. Affected by this vulnerability is an unknown functionality of the component Custom Scripts Handler. This manipulation causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may...

CVE-2026-5999

A vulnerability has been found in JeecgBoot up to 3.9.1. This impacts an unknown function of the component SysAnnouncementController. Such manipulation leads to improper authorization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor...

PT-2026-31856

Name of the Vulnerable Software and Affected Versions JeecgBoot versions up to 3.9.1 Description A flaw exists in JeecgBoot, specifically within the SysAnnouncementController component. This issue results in improper authorization, potentially allowing for remote manipulation. The exploit has bee...

CVE-2026-2355

The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the template attribute of the mycalendarupcoming shortcode in all versions up to, and including, 3.7.3. This is due to the use of stripcslashes on user-supplied shortcode attribute...

CVE-2026-2355

The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the template attribute of the mycalendarupcoming shortcode in all versions up to, and including, 3.7.3. This is due to the use of stripcslashes on user-supplied shortcode attribute...

PT-2026-22900

The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the template attribute of the my calendar upcoming shortcode in all versions up to, and including, 3.7.3. This is due to the use of stripcslashes on user-supplied shortcode attribute...

Upcoming Speaking Engagements

This is a current list of where and when I am scheduled to speak: I'm speaking at Ontario Tech University in Oshawa, Ontario, Canada, at 2 PM ET on Thursday, February 26, 2026. I’m speaking at the Personal AI Summit in Los Angeles, California, USA, on Thursday, March 5, 2026. I’m speaking at Tech...

PT-2026-4690

In multiple locations, there is a possible way to reset user-selected permissions selections due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

PT-2026-4693

In onStart of CompanionDeviceManagerService.java, there is a possible confused deputy due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

PT-2026-4707

Name of the Vulnerable Software and Affected Versions ManagedServices affected versions not specified Description An issue exists in the setPackageOrComponentEnabled function of ManagedServices.java related to improper input validation. This can result in a notification policy desync, potentially...

PT-2026-4706

Look at the security patch preview section of https://t.co/ySklSke3uy. These are from the upcoming patch levels: Critical: CVE-2026-0039, CVE-2026-0040, CVE-2026-0041, CVE-2026-0042, CVE-2026-0043, CVE-2026-0044 High: CVE-2025-22424, CVE-2025-22426, CVE-2025-32348, CVE-2025-48561, CVE-2025-48615,...

PT-2026-4704

In isRedactionNeededForOpenViaContentResolver of MediaProvider.java, there is a possible way to reveal the location of media due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

PT-2026-4701

Name of the Vulnerable Software and Affected Versions versions prior to 2026-0021 Description A cross-user permission bypass exists due to a confused deputy condition in the hasInteractAcrossUsersFullPermission function within the AppInfoBase.java file. This could allow for local escalation of...

PT-2026-4698

In onChange of BiometricService.java, there is a possible way to enable fingerprint unlock due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

PT-2026-4692

In loadDataAndPostValue of multiple files, there is a possible way to obscure permission usage due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

PT-2026-4715

In multiple functions of ubsan throwing runtime.cpp, there is a possible way to cause the system to crash due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation...