PT-2026-37927
Positive Technologies, added 2026/05/06 12:00 a.m., 11 views

Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated...

CVSS 5.3 | AI score 6.8 | EPSS 0.00167 | Exploits 0 | References 12

PT-2026-37660
Positive Technologies, added 2026/05/06 12:00 a.m., 11 views

Name of the Vulnerable Software and Affected Versions: react-server-dom-webpack versions 19.0.0 through 19.0.5; react-server-dom-webpack versions 19.1.0 through 19.1.6; react-server-dom-webpack versions 19.2.0 through 19.2.5; react-server-dom-parcel versions 19.0.0 through 19.0.5...

CVSS 7.8 | AI score 5.8 | EPSS 0.00413 | Exploits 1 | References 26

PT-2026-38306
Positive Technologies, added 2026/05/06 12:00 a.m., 11 views

Name of the Vulnerable Software and Affected Versions: Daptin versions prior to 0.11.5. Description: An issue exists in the processFuzzySearch function within server/resource/resource_findallpaginated.go where the software fails to validate the column parameter against a whitelist. When using the 'G...

CVSS 7.1 | AI score 5.9 | EPSS 0.0002 | Exploits 0 | References 4

PT-2026-38267
Positive Technologies, added 2026/05/06 12:00 a.m., 11 views

A reflected XSS vulnerability was found under admin panel - System - Import/Export - Dataflow - Profiles. Steps to produce: + Login to the admin panel + Go to the path System - Import/Export - Dataflow - Profiles + Select profile direction as Import. + Click on Import Customers + Upload the file...

CVSS 5.3 | AI score 5.8 | EPSS 0.00062 | Exploits 0 | References 4

PT-2026-37299
Positive Technologies, added 2026/05/05 12:00 a.m., 11 views

Name of the Vulnerable Software and Affected Versions: WWBN AVideo versions prior to 29.1. Description: An authorization gap exists in the PayPalYPT plugin where the endpoint 'plugin/PayPalYPT/agreementCancel.json.php' cancels a PayPal billing agreement using an attacker-supplied agreement parameter...

CVSS 4.2 | AI score 5.8 | EPSS 0.00046 | Exploits 0 | References 7

PT-2026-37291
Positive Technologies, added 2026/05/05 12:00 a.m., 11 views

Name of the Vulnerable Software and Affected Versions: AVideo versions prior to 29.0. Description: An issue exists where the endpoint 'plugin/MobileManager/oauth2.php' completes an OAuth login by redirecting the user to 'oauth2Success.php' via an HTTP 302 response. This redirect includes the user's...

CVSS 6.8 | AI score 5.9 | EPSS 0.00011 | Exploits 0 | References 6

PT-2026-40721
Positive Technologies, added 2026/05/05 12:00 a.m., 11 views

Name of the Vulnerable Software and Affected Versions: Prometheus versions 2.49.0 through 3.5.2; Prometheus versions 3.11.0 through 3.11.2. Description: In the legacy web UI, which is enabled via the --enable-feature=old-ui command-line flag, the histogram heatmap chart view fails to escape label...

CVSS 6.1 | AI score 7.5 | EPSS 0.00035 | Exploits 0 | References 124

PT-2026-37106
Positive Technologies, added 2026/05/04 12:00 a.m., 11 views

Name of the Vulnerable Software and Affected Versions: Gotenberg versions prior to 8.31.0. Description: Gotenberg fails to properly validate metadata tags passed to ExifTool, a tool used for reading and writing image, audio, and video metadata. While the software blocks specific tags like FileName a...

CVSS 8.2 | AI score 6 | EPSS 0.00155 | Exploits 1 | References 4

PT-2026-37204
Positive Technologies, added 2026/05/04 12:00 a.m., 11 views

Name of the Vulnerable Software and Affected Versions: AzuraCast versions prior to 0.23.6. Description: An issue exists in the Flow.js media upload endpoint 'POST /api/station/{station_id}/files/upload' where the currentDirectory request parameter is not sanitized for path traversal sequences. When...

CVSS 8.8 | AI score 6.5 | EPSS 0.00498 | Exploits 1 | References 9

PT-2026-36599
Positive Technologies, added 2026/05/02 12:00 a.m., 11 views

Name of the Vulnerable Software and Affected Versions: CTMS (affected versions not specified); CPAS (affected versions not specified). Description: CTMS and CPAS developed by Sunnet contain an arbitrary file upload flaw. This allows privileged remote attackers to upload and execute web shell backdoors,...

CVSS 8.6 | AI score 6.4 | EPSS 0.00316 | Exploits 0 | References 8

PT-2026-36111
Positive Technologies, added 2026/04/29 12:00 a.m., 11 views

Name of the Vulnerable Software and Affected Versions: pygeoapi versions 0.23.0 through 0.23.2. Description: A raw string path concatenation issue in the STAC FileSystemProvider plugin allows requests to STAC collection based collections to expose directories without authentication. This occurs when...

CVSS 7.5 | AI score 5.8 | EPSS 0.00046 | Exploits 0 | References 11

PT-2026-35704
Positive Technologies, added 2026/04/28 12:00 a.m., 12 views

Name of the Vulnerable Software and Affected Versions: Apache Thrift versions prior to 0.23.0. Description: Uncontrolled Recursion occurs in the Node.js bindings of Apache Thrift. Uncontrolled recursion is a condition where a function calls itself without a proper termination condition, potentially...

CVSS 8.7 | AI score 5.9 | EPSS 0.00255 | Exploits 0 | References 13

PT-2026-35816
Positive Technologies, added 2026/04/28 12:00 a.m., 11 views

Name of the Vulnerable Software and Affected Versions: Langflow versions prior to 1.9.0. Description: Langflow is a tool for building and deploying AI-powered agents and workflows. A path traversal flaw exists in the Knowledge Bases API endpoint "DELETE /api/v1/knowledge_bases" within the delete...

CVSS 9.6 | AI score 5.9 | EPSS 0.00021 | Exploits 1 | References 12

PT-2026-34329
Positive Technologies, added 2026/04/22 12:00 a.m., 11 views

Name of the Vulnerable Software and Affected Versions: camel-infinispan (affected versions not specified). Description: Unsafe deserialization exists in the ProtoStream remote aggregation repository. A remote attacker with low privileges can send specially crafted data to achieve arbitrary code...

CVSS 7.5 | AI score 6.1 | EPSS 0.00654 | Exploits 1 | References 9

PT-2026-34356
Positive Technologies, added 2026/04/22 12:00 a.m., 11 views

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified). Description: An issue exists in the ext4_read_inline_folio function where the use of BUG_ON when inline data size exceeds PAGE_SIZE can lead to a kernel panic. The fix replaces this with proper error...

CVSS 5.5 | AI score 5.7 | EPSS 0.00015 | Exploits 0 | References 16

PT-2026-34613
Positive Technologies, added 2026/04/22 12:00 a.m., 11 views

Name of the Vulnerable Software and Affected Versions: Nuclei versions 3.0.0 through 3.7.9. Description: A flaw in the JavaScript protocol runtime's module loading system allows JavaScript templates to read local .js and .json files from the host filesystem. This occurs because the require function...

CVSS 5.5 | AI score 5.8 | EPSS 0.00013 | Exploits 0 | References 11

PT-2026-34001
Positive Technologies, added 2026/04/21 12:00 a.m., 11 views

Name of the Vulnerable Software and Affected Versions: Tekton Pipelines versions 0.43.0 through 1.11.0. Description: Trusted resources verification policies match a resource source string refSource.URI against spec.resources.pattern using the regexp.MatchString function. Because this function report...

CVSS 6.5 | AI score 5.8 | EPSS 0.00039 | Exploits 1 | References 10

PT-2026-31425
Positive Technologies, added 2026/04/08 12:00 a.m., 11 views

Name of the Vulnerable Software and Affected Versions: LORIS versions 16.1.0 through 27.0.2 and 28.0.0. Description: The LORIS application, used for data and project management in neuroimaging research, had a flaw where backend access checks were missing for files. This allowed unauthorized access t...

CVSS 6.3 | AI score 5.9 | EPSS 0.00012 | Exploits 0 | References 4

PT-2026-29371
Positive Technologies, added 2026/03/31 12:00 a.m., 11 views

Name of the Vulnerable Software and Affected Versions: Nuxt OG Image versions prior to 6.2.5. Description: The Nuxt OG Image package contains a flaw in the image-generation component accessible via the API endpoint / og/d/ and /og-image/ in older versions. This issue allows for the injection of...

CVSS 6.1 | AI score 5.9 | EPSS 0.00043 | Exploits 1 | References 5

PT-2026-28374
Positive Technologies, added 2026/03/26 12:00 a.m., 11 views

Name of the Vulnerable Software and Affected Versions: SolarWinds Observability Self-Hosted (affected versions not specified). Description: The software is subject to a stored cross-site scripting issue. Successful exploitation may result in unintended script execution. The impact is limited by a...

CVSS 8.7 | AI score 5.8 | EPSS 0.00032 | Exploits 0 | References 7

PT-2026-28574
Positive Technologies, added 2026/03/26 12:00 a.m., 11 views

Name of the Vulnerable Software and Affected Versions: Happy DOM versions 15.10.0 through 20.8.7. Description: Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions 15.10.0 through 20.8.7 contain a code injection issue in the ECMAScriptModuleCompile...

CVSS 8.8 | AI score 6.1 | EPSS 0.00085 | Exploits 1 | References 12

PT-2026-27174
Positive Technologies, added 2026/03/23 12:00 a.m., 11 views

An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robot Studio developers who are automating Google Chrome and Microsoft Edge using either version 22.1 or R25. This vulnerability does not affect Robot Runtime users. A bad actor could create a website that includes...

CVSS 9 | AI score 5.9 | EPSS 0.00061 | Exploits 0 | References 2

PT-2026-26231
Positive Technologies, added 2026/03/19 12:00 a.m., 11 views

OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where Signal group allowlist policy incorrectly accepts sender identities from DM pairing-store approvals. Attackers can exploit this boundary weakness by obtaining DM pairing approval to bypass group allowlist...

CVSS 4.6 | AI score 5.8 | EPSS 0.00044 | Exploits 0 | References 8

PT-2026-25730
Positive Technologies, added 2026/03/15 12:00 a.m., 11 views

Name of the Vulnerable Software and Affected Versions: ZKTeco ZKAccess Security System version 5.3.1. Description: The ZKAccess Security System is susceptible to a stored cross-site scripting issue. This allows attackers to inject malicious payloads through the holiday name and memo POST parameters...

CVSS 7.2 | AI score 5.5 | EPSS 0.00016 | Exploits 1 | References 9

PT-2026-41180
Positive Technologies, added 2026/03/01 12:00 a.m., 11 views

Name of the Vulnerable Software and Affected Versions: Open WebUI versions prior to 0.8.6. Description: A flaw in the chat completion API allows users to bypass tool restrictions, potentially leading to unauthorized actions or access. In the '/api/chat/completions' endpoint, the tool_ids and tool...

CVSS 7.5 | AI score 5.8 | EPSS 0.00044 | Exploits 1 | References 10

PT-2026-22107
Positive Technologies, added 2026/02/26 12:00 a.m., 11 views

Name of the Vulnerable Software and Affected Versions: Langflow versions prior to 1.8.0. Description: Langflow, a tool for building and deploying AI-powered agents and workflows, contains a flaw in the CSV Agent node. Prior to version 1.8.0, the allow_dangerous_code parameter is hardcoded to True,...

CVSS 9.8 | AI score 6.7 | EPSS 0.41016 | Exploits 3 | References 24

PT-2026-21546
Positive Technologies, added 2026/02/23 12:00 a.m., 11 views

Name of the Vulnerable Software and Affected Versions: Astro versions prior to 9.5.4. Description: Astro, a web framework, is affected by a Server-Side Request Forgery (SSRF) issue in versions prior to 9.5.4. Server-Side Rendered pages returning an error with a prerendered custom error page such as...

CVSS 8.6 | AI score 5.3 | EPSS 0.05142 | Exploits 1 | References 17

PT-2026-20421
Positive Technologies, added 2026/02/18 12:00 a.m., 11 views

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the filter parameters (e.g., 'filter_first_name') in all versions up to, and including, 2.11.1 due to...

CVSS 6.1 | AI score 5.7 | EPSS 0.00158 | Exploits 1 | References 5

PT-2026-20263
Positive Technologies, added 2026/02/17 12:00 a.m., 11 views

Name of the Vulnerable Software and Affected Versions: Netgate pfSense CE version 2.8.0. Description: Code execution is possible in the XMLRPC API through the pfsense.exec_php function. This functionality is available to administrators, who are intentionally permitted to execute PHP code...

CVSS 9.9 | AI score 6.1 | EPSS 0.00037 | Exploits 4 | References 7

PT-2026-20303
Positive Technologies, added 2026/02/17 12:00 a.m., 11 views

Name of the Vulnerable Software and Affected Versions: Dell RecoverPoint for Virtual Machines versions prior to 6.0.3.1 HF1. Description: Dell RecoverPoint for Virtual Machines contains a critical vulnerability (CVE-2026-22769) due to hardcoded credentials. This allows unauthenticated remote attackers...

CVSS 10 | AI score 8.4 | EPSS 0.26824 | Exploits 1 | References 175

PT-2026-7658
Positive Technologies, added 2026/02/11 12:00 a.m., 11 views

Name of the Vulnerable Software and Affected Versions: XWEB Pro versions prior to 1.12.1; MSHTML (affected versions not specified). Description: An OS command injection issue exists in XWEB Pro, allowing a user with network access to execute code remotely by injecting malicious input into the request...

CVSS 8.8 | AI score 6 | EPSS 0.00282 | Exploits 0 | References 10

PT-2026-7383
Positive Technologies, added 2026/02/10 12:00 a.m., 11 views

InDesign Desktop versions 21.1, 20.5.1 and earlier are affected by an out-of-bounds read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that...

CVSS 5.5 | AI score 5.4 | EPSS 0.00039 | Exploits 0 | References 2

PT-2026-4321
Positive Technologies, added 2026/01/23 12:00 a.m., 11 views

The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the automator discord user mapping shortcode in all versions up to, and including, 6.10.0.2 due to insufficient input sanitization and...

CVSS 6.4 | AI score 5.8 | EPSS 0.00016 | Exploits 0 | References 5

PT-2026-3636
Positive Technologies, added 2026/01/20 12:00 a.m., 11 views

Name of the Vulnerable Software and Affected Versions: ipTIME routers A2003NS-MU versions 10.00.6 through 12.16.2; ipTIME routers N600 versions 10.00.8 through 12.16.2; ipTIME routers A604-V3 versions 10.01.6 through 10.07.2; ipTIME routers A6ns-M versions 10.01.6 through 14.19.4; ipTIME routers V508...

CVSS 9.8 | AI score 5.4 | EPSS 0.00665 | Exploits 2 | References 7

PT-2026-2701
Positive Technologies, added 2026/01/13 12:00 a.m., 11 views

Name of the Vulnerable Software and Affected Versions: Windows Server Update Service (affected versions not specified). Description: A flaw in input validation within Windows Server Update Service could allow a remote attacker to execute code on the network. This could lead to arbitrary code execution...

CVSS 8.1 | AI score 7.6 | EPSS 0.00101 | Exploits 0 | References 7

PT-2026-2545
Positive Technologies, added 2026/01/13 12:00 a.m., 11 views

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.6.114. Description: The Linux kernel contains a flaw within the IPv4 code path in the ip_vs_get_out_rt function. This function can call dst_link_failure without verifying that skb->dev is set, leading to a NULL...

AI score 5.5 | EPSS 0.00043 | Exploits 0

PT-2026-1014
Positive Technologies, added 2026/01/01 12:00 a.m., 11 views

Name of the Vulnerable Software and Affected Versions: code-projects Online Guitar Store version 1.0. Description: A SQL injection issue exists in code-projects Online Guitar Store version 1.0. The issue is located in an unknown function within the /admin/Create product.php file. Manipulating the dr...

CVSS 9.8 | AI score 7.2 | EPSS 0.00028 | Exploits 1 | References 12

PT-2026-5077
Positive Technologies, added 2026/01/01 12:00 a.m., 11 views

Name of the Vulnerable Software and Affected Versions: Thunderbird versions prior to 147.0.1; Thunderbird versions prior to 140.7.1. Description: A flaw exists that could allow for CSS-based exfiltration of content from partially encrypted emails when remote content is permitted. This could potential...

CVSS 9.8 | AI score 7.4 | EPSS 0.19171 | Exploits 2 | References 132

PT-2025-53620
Positive Technologies, added 2025/12/26 12:00 a.m., 11 views

CVE-2025-14715 - CVE-2008-4251: Adobe Flash Player Unvalidated Redirects. CVE ID: CVE-2025-14715. Published: Dec. 25, 2025, 11:15 p.m. | 2 hours, 10 minutes ago. Description: Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. Severity: 0.0 | NA. Visit the...

AI score 6 | Exploits 0 | References 1

PT-2025-52929
Positive Technologies, added 2025/12/24 12:00 a.m., 11 views

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 5.10.0 1. Description: The Linux kernel contained an issue where the convert_context function, called within a critical section, could potentially cause a process to sleep while allocating memory using GFP_KERNEL...

CVSS 7.8 | AI score 6.5 | EPSS 0.00249 | Exploits 2 | References 893

PT-2025-53142
Positive Technologies, added 2025/12/24 12:00 a.m., 11 views

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified). Description: A memory leak issue was resolved in the Linux kernel related to the st_of_quadfs_setup function. Specifically, if the st_clk_register_quadfs_pll function fails, the @lock resource was no...

CVSS 7.8 | AI score 6.2 | EPSS 0.00249 | Exploits 2 | References 898

PT-2025-53343
Positive Technologies, added 2025/12/24 12:00 a.m., 11 views

Name of the Vulnerable Software and Affected Versions: LogicalDOC Enterprise version 7.7.4. Description: The software contains multiple authenticated operating system command execution flaws. These flaws permit attackers to manipulate binary paths when altering system settings. Exploitation involves...

CVSS 8.7 | AI score 7.3 | EPSS 0.00097 | Exploits 1 | References 5

PT-2025-53221
Positive Technologies, added 2025/12/24 12:00 a.m., 11 views

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified). Description: The Linux kernel contains a flaw in the drm/amdkfd subsystem. A kernel warning can occur during topology setup due to incorrect initialization of the p2plink attribute before creating th...

CVSS 7.8 | AI score 7.2 | EPSS 0.00145 | Exploits 2 | References 840

PT-2025-52213
Positive Technologies, added 2025/12/18 12:00 a.m., 11 views

Name of the Vulnerable Software and Affected Versions: 1C-Bitrix versions prior to 25.100.501. Description: The software contains a remote code execution issue within the Translate Module. The application does not properly validate the contents of archive files before unpacking them, allowing...

AI score 8.2 | EPSS 0.00049 | Exploits 4 | References 14

PT-2025-51607
Positive Technologies, added 2025/12/16 12:00 a.m., 11 views

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified). Description: The Linux kernel's imon driver contains issues that can lead to hung tasks due to indefinitely holding a device lock. Specifically, the usb_rx_callback_intf0 function can repeatedly...

AI score 5.3 | EPSS 0.00058 | Exploits 0

PT-2025-49879
Positive Technologies, added 2025/12/09 12:00 a.m., 11 views

Cross-Site Request Forgery (CSRF) vulnerability in Dimitri Grassi Salon booking system (salon-booking-system) allows Cross Site Request Forgery. This issue affects Salon booking system: from n/a through = 10.30.3...

CVSS 8.8 | AI score 6.9 | EPSS 0.0003 | Exploits 0 | References 3

PT-2025-49123
Positive Technologies, added 2025/12/04 12:00 a.m., 11 views

A vulnerability has been identified in Genexis Platinum P4410 router Firmware P4410-V2–1.41 that allows a local network attacker to achieve Remote Code Execution (RCE) with root privileges. The issue occurs due to improper session invalidation after administrator logout. When an administrator logs...

AI score 7.4 | EPSS 0.00098 | Exploits 1 | References 2

PT-2025-47041
Positive Technologies, added 2025/11/15 12:00 a.m., 11 views

Name of the Vulnerable Software and Affected Versions: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic versions prior to 4.8.10. Description: The All in One SEO plugin for WordPress has a flaw that allows unauthorized deletion of media attachments. The issue stems from ...

CVSS 4.3 | AI score 6.3 | EPSS 0.00056 | Exploits 0 | References 9

PT-2025-46939
Positive Technologies, added 2025/11/14 12:00 a.m., 11 views

Name of the Vulnerable Software and Affected Versions: IQ-Support (affected versions not specified). Description: IQ-Support, developed by IQ Service International, has an Arbitrary File Read issue. Unauthenticated remote attackers can exploit Relative Path Traversal to download arbitrary system files...

CVSS 8.7 | AI score 6.7 | EPSS 0.00111 | Exploits 0 | References 8

PT-2025-46717
Positive Technologies, added 2025/11/12 12:00 a.m., 11 views

Name of the Vulnerable Software and Affected Versions: DinukaNavaratna Dee Store version 1.0. Description: A flaw exists in DinukaNavaratna Dee Store version 1.0 that can lead to missing authorization due to manipulation. The issue is present in an unknown function and can be exploited remotely. The...

CVSS 7.5 | AI score 7.1 | EPSS 0.0005 | Exploits 0 | References 6