184497 matches found
PT-2026-37951
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Hotspot. Supported versions that are affected are Oracle Java SE: 7u343, 8u333, 11.0.15.1, 17.0.3.1, 18.0.1.1; Oracle GraalVM Enterprise Edition: 20.3.6, 21.3.2 and 22.1.0. Easily exploitab...
PT-2026-37631
HCL BigFix Service Management SM application fails to strip EXIF metadata from uploaded images. This could lead to confidentiality and privacy risks if sensitive location information is unintentionally shared...
PT-2026-37936
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Libraries. Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability...
PT-2026-38487
Summary Nokogiri's CSS selector tokenizer contains regular expressions whose construction may result in exponential regex backtracking on adversarial selectors. Three ReDoS vectors are addressed in this release: 1. String-literal tokenization on certain unterminated quoted-string input. 2...
PT-2026-38225
Name of the Vulnerable Software and Affected Versions PicoTronica e-Clinic Healthcare System ECHS version 5.7 Description An issue in the Response Header Handler component within the file '/cdemos/echs/api/v2/' allows for remote information disclosure. Recommendations Upgrade to version 5.7.1...
PT-2026-36966
The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'status' parameter in the wpr update form action meta AJAX action in all versions up to, and including, 1.7.1056. This is due to insufficient input sanitization and output escaping, combined with ...
PT-2026-37284
Name of the Vulnerable Software and Affected Versions Open edx Enterprise Service versions 7.0.2 through 7.0.4 Description An authenticated user with the Enterprise Admin role can trigger a server-side HTTP request. By using the 'SAMLProviderConfigViewSet' PATCH endpoint, a user can set the...
PT-2026-46983
Name of the Vulnerable Software and Affected Versions Arista EOS affected versions not specified Description On platforms running Arista EOS with tunnel decapsulation configurations—such as VXLAN Virtual Extensible LAN, decap-groups, or GRE Generic Routing Encapsulation tunnel interfaces—the swit...
PT-2026-37367
These are all security issues fixed in the icinga-php-library-0.19.2-1.1 package on the GA media of openSUSE Tumbleweed...
PT-2026-38212
Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 148.0.7778.96 Description Insufficient policy enforcement in WebApp allows a remote attacker to perform UI spoofing, which is the act of mimicking a legitimate user interface to deceive users, via a crafted HTML...
PT-2026-37045
The WeePie Cookie Allow plugin for WordPress is vulnerable to SQL Injection via the 'consent' parameter in all versions up to, and including, 3.4.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...
PT-2026-36912
Name of the Vulnerable Software and Affected Versions WDR201A WiFi Extender HW V2.1 FW LFMZX28040922V1.02 Description An OS command injection issue exists in the 'makeRequest.cgi' binary. Unauthenticated remote attackers can execute arbitrary shell commands by injecting malicious input into the s...
PT-2026-36754
Name of the Vulnerable Software and Affected Versions PrefectHQ prefect versions prior to 3.6.28.dev2 Description A time-of-check time-of-use TOCTOU issue exists in the validate restricted url function of the Webhook/Notification component. This flaw allows a remote attacker to manipulate the...
PT-2026-37106
Name of the Vulnerable Software and Affected Versions Gotenberg versions prior to 8.31.0 Description Gotenberg fails to properly validate metadata tags passed to ExifTool, a tool used for reading and writing image, audio, and video metadata. While the software blocks specific tags like FileName a...
PT-2026-36599
Name of the Vulnerable Software and Affected Versions CTMS affected versions not specified CPAS affected versions not specified Description CTMS and CPAS developed by Sunnet contain an arbitrary file upload flaw. This allows privileged remote attackers to upload and execute web shell backdoors,...
PT-2026-36393
Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A use-after-free error exists in the usbtmc release function. This occurs because pending anchored URBs USB Request Blocks are not properly flushed or killed, which can lead to memory...
PT-2026-37139
Name of the Vulnerable Software and Affected Versions Admidio versions prior to 5.0.9 Description The 'ecard preview.php' endpoint fails to validate that the ecard template POST parameter is a safe filename before it is processed by the getEcardTemplate function. An authenticated user can exploit...
PT-2026-35824
A security flaw has been discovered in Xuxueli xxl-job up to 3.3.2. Impacted is the function logDetailCat of the file xxl-job-admin/src/main/java/com/xxl/job/admin/controller/biz/JobLogController.java of the component Execution Log Handler. The manipulation of the argument logId results in improp...
PT-2026-35542
A security vulnerability has been detected in CodeAstro Online Classroom 1.0. Affected is an unknown function of the file /guestdetails. Such manipulation of the argument deleteid leads to sql injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be...
PT-2026-35370
Name of the Vulnerable Software and Affected Versions Apache Camel versions 3.0.0 through 4.14.5 Apache Camel versions 4.15.0 through 4.18.1 Apache Camel versions 4.19.0 through 4.19.x Description Certain non-HTTP HeaderFilterStrategy implementations, specifically JmsHeaderFilterStrategy and...
PT-2026-35018
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix incorrect return value after changing leaf in lookup extent data ref After commit 1618aa3c2e01 "btrfs: simplify return variables in lookup extent data ref", the err and ret variables were merged into a single ret...
PT-2026-34948
Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description An issue exists in the OCFS2 file system where the ocfs2 group extend function assumes that the global bitmap inode block returned from ocfs2 inode lock is already validated. In crafted...
PT-2026-34946
Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A duplicate resource teardown occurs in the PCI endpoint pci-epf-vntb. The function epf ntb epc destroy performs a teardown that the caller is already expected to execute. This redundanc...
PT-2026-34660
Name of the Vulnerable Software and Affected Versions FunnelFormsPro versions n/a through 3.8.1 Description Improper Control of Generation of Code allows Remote Code Inclusion, which enables an attacker to inject and execute arbitrary code. Recommendations At the moment, there is no information...
PT-2026-34047
Name of the Vulnerable Software and Affected Versions Bagisto versions prior to 2.3.16 Description An issue exists in the Custom Scripts Handler component that allows for cross site scripting. This flaw enables remote exploitation through the manipulation of an unknown functionality within the...
PT-2026-46937
Name of the Vulnerable Software and Affected Versions X.Org X server affected versions not specified Xwayland affected versions not specified Description A use-after-free flaw exists in the miSyncDestroyFence function. This occurs when a client sets up multiple fence triggers, allowing a function...
PT-2026-36836
Name of the Vulnerable Software and Affected Versions D-Link DIR-600L Hardware Revision A1 Description A hardcoded telnet backdoor exists in the device. At boot, the device starts a telnet daemon via the /bin/telnetd.sh script using the username "Alphanetworks" and a static password "wrgn35 dlwbr...
PT-2026-33415
Name of the Vulnerable Software and Affected Versions Canto plugin for WordPress versions prior to 3.1.2 Description Missing authorization occurs due to the absence of capability checks or nonce verification in the updateOptions function. This function is exposed via two AJAX hooks: 'wp ajax...
PT-2026-32279
Out-of-bounds write vulnerability in the WEB module.Impact: Successful exploitation of this vulnerability will affect availability and confidentiality...
PT-2026-31102
Name of the Vulnerable Software and Affected Versions Masteriyo LMS – Online Course Builder for eLearning, LMS & Education plugin for WordPress versions up to and including 2.1.7 Description The Masteriyo LMS plugin is affected by an authorization bypass issue. Insufficient webhook signature...
PT-2026-31292
Name of the Vulnerable Software and Affected Versions The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress versions up to and including 5.1.2 Description The User Registration ...
PT-2026-29602
Name of the Vulnerable Software and Affected Versions AIOHTTP versions prior to 3.13.4 Description AIOHTTP, an asynchronous HTTP client/server framework, is susceptible to excessive memory usage due to an unbounded DNS cache. This can potentially lead to a Denial of Service DoS situation if an...
PT-2026-28610
Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.63 Parse Server versions prior to 9.7.0-alpha.7 Description The verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attack...
PT-2026-26466
The Go SDK's Streamable HTTP transport accepted browser-generated cross-site POST requests without validating the Origin header and without requiring Content-Type: application/json. In deployments without Authorization, especially stateless or sessionless configurations, this allows an arbitrary...
PT-2026-24729
A vulnerability in task group assignment for a specific CLI command in Cisco IOS XR Software could allow an authenticated, local attacker to elevate privileges and gain full administrative control of an affected device. This vulnerability is due to incorrect mapping of a command to task groups...
PT-2026-24776
ARMBot contains an unrestricted file upload vulnerability in upload.php that allows unauthenticated attackers to upload arbitrary files by manipulating the file parameter with path traversal sequences. Attackers can upload PHP files with traversal payloads ../public html/ to write executable code...
PT-2026-23789
Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.0.13 Description Flowise is a drag & drop user interface to build customized large language model flows. A critical Insecure Direct Object Reference IDOR vulnerability, combined with a Business Logic Flaw, exists in...
PT-2026-22722
Always-Incorrect Control Flow Implementation vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series FX5-ENET/IP Ethernet Module FX5-ENET/IP versions 1.106 and prior and Mitsubishi Electric Corporation MELSEC iQ-F Series FX5-EIP EtherNet/IP Module FX5-EIP all versions allows a remote...
PT-2026-22214
Name of the Vulnerable Software and Affected Versions Phishing Club versions prior to 1.30.2 Description Phishing Club is a phishing simulation and man-in-the-middle framework. An authenticated SQL injection issue exists in the GetOrphaned recipient listing endpoint. The endpoint builds a SQL que...
PT-2026-20256
Old vuln, new life: React2Shell CVE-2025-55812 is seeing a surge in active exploitation with reverse shells + cryptominers. If your patching is based on CVSS instead of real-world activity, you’re already behind. https://t.co/2hEOe08JVG CyberSecurity ThreatIntel PatchNow...
PT-2026-20251
Name of the Vulnerable Software and Affected Versions IBM Security QRadar EDR versions 3.12 through 3.12.23 Description IBM Security QRadar EDR does not invalidate sessions after they expire. This could allow an authenticated user to impersonate another user on the system. Recommendations Update...
PT-2026-8047
The WP Last Modified Info plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.5. This is due to the plugin not validating a user's access to a post before modifying its metadata in the 'bulk save' AJAX action. This makes it possible for...
PT-2026-7312
Name of the Vulnerable Software and Affected Versions IntelR NPU Drivers affected versions not specified Description An improper conditions check in some firmware for IntelR NPU Drivers within Ring 1 may allow a denial of service. An unprivileged software adversary with an authenticated user and ...
PT-2026-6963
Name of the Vulnerable Software and Affected Versions Tenda TX3 versions up to 16.03.13.11 multi Description A flaw exists in Tenda TX3 that allows remote attackers to trigger a buffer overflow. The issue is located in the file /goform/SetIpMacBind and involves manipulation of the argument list t...
PT-2026-6891
Name of the Vulnerable Software and Affected Versions Video Onclick plugin for WordPress versions prior to 0.4.8 Description The Video Onclick plugin for WordPress is susceptible to Stored Cross-Site Scripting through the youtube shortcode. This is due to inadequate input sanitization and output...
PT-2026-6715
Name of the Vulnerable Software and Affected Versions itsourcecode Student Management System version 1.0 Description A security flaw exists in itsourcecode Student Management System 1.0. The issue involves a SQL injection affecting an unknown function within the file /ramonsys/billing/index.php...
PT-2026-5868
Name of the Vulnerable Software and Affected Versions IBM Concert versions 1.0.0 through 2.1.0 Description IBM Concert is susceptible to HTTP header injection due to inadequate validation of the HOST headers. This issue could enable an attacker to perform various attacks against the system,...
PT-2026-6274
Name of the Vulnerable Software and Affected Versions Qwik versions prior to 1.19.0 Description An Open Redirect issue exists in Qwik City’s default request handler middleware. This allows a remote attacker to redirect users to arbitrary protocol-relative URLs. Successful exploitation could allow...
PT-2026-4012
Name of the Vulnerable Software and Affected Versions merkulove Crumber versions through 1.0.10 Description An authorization issue exists in merkulove Crumber crumber-elementor due to incorrectly configured access control security levels. This allows for exploitation of the system. Recommendation...
PT-2026-3143
Name of the Vulnerable Software and Affected Versions Altium Workflow Engine affected versions not specified Description A stored cross-site scripting XSS issue exists because of insufficient server-side input sanitization within workflow form submission APIs. An authenticated user can inject...