PT-2026-46391

IRIS is a web collaborative platform that helps incident responders share technical details during investigations. In versions prior to 2.4.28, users can create alerts for customers that are not assigned to them. This can be abused to falsely attribute fake alerts to customers. In combination wit...

PT-2026-46409

A security flaw has been discovered in projectworlds Online Art Gallery Shop Project 1.0. The impacted element is an unknown function of the file /admin/adminHome.ph. The manipulation of the argument social twitter results in sql injection. The attack may be launched remotely. The exploit has bee...

PT-2026-46856

Summary The Shopware Store API endpoint /store-api/handle-payment contains an object-level authorization flaw that allows a low-privileged external user with a normal customer or guest context to trigger the payment flow for another user’s order by supplying a foreign orderId. The affected...

PT-2026-46865

Unauthenticated Reflected XSS via $ GET'search' in AVideo YouTubeAPI Gallery Pagination Summary A reflected Cross-Site Scripting vulnerability CWE-79 in the AVideo YouTubeAPI plugin allows any unauthenticated attacker to execute arbitrary JavaScript in a victim's browser session when the victim...

PT-2026-46842

AVideo: Stored XSS via autoEvalCodeOnHTML in MessageSQLite WebSocket Handler Summary AVideo has a stored XSS vulnerability in the WebSocket messaging system. The MessageSQLite.php handler only strips autoEvalCodeOnHTML from $json'msg', but msgToResourceId reads from $msg'json' with higher priorit...

PT-2026-46852

Summary A low-privilege admin user with user recovery:read ACL can take over any admin account. The attacker triggers password recovery for the victim unauthenticated endpoint, reads the recovery hash from the Admin API search endpoint, then uses the hash to reset the victim's password another...

PT-2026-46788

Inappropriate implementation in PDF in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. Chromium security severity: Low...

PT-2026-46602

Name of the Vulnerable Software and Affected Versions Google Chrome on Linux versions prior to 149.0.7827.53 Description A use after free issue in WebRTC allows a remote attacker to execute arbitrary code through a specially crafted HTML page. Use after free is a memory corruption flaw that occur...

PT-2026-46814

Name of the Vulnerable Software and Affected Versions Google Chrome on Android versions prior to 149.0.7827.53 Description Insufficient policy enforcement in Navigation allows a remote attacker who has compromised the renderer process to bypass navigation restrictions using a crafted HTML page...

PT-2026-46580

Name of the Vulnerable Software and Affected Versions Google Chrome on Linux versions prior to 149.0.7827.53 Description An out of bounds read in ANGLE allows a remote attacker to obtain potentially sensitive information from process memory by using a crafted HTML page. An out of bounds read occu...

PT-2026-46479

Name of the Vulnerable Software and Affected Versions Google Chrome on iOS versions prior to 149.0.7827.53 Description Insufficient policy enforcement in the Autofill feature allows a remote attacker to leak cross-origin data, which is data from a different origin than the one that initiated the...

PT-2026-46513

Name of the Vulnerable Software and Affected Versions Google Chrome on Android versions prior to 149.0.7827.53 Description An inappropriate implementation in the Accessibility component allows a remote attacker to perform UI spoofing via a crafted HTML page. UI spoofing is a technique where an...

PT-2026-46490

Name of the Vulnerable Software and Affected Versions Google Chrome on iOS versions prior to 149.0.7827.53 Description A use after free issue exists where a remote attacker who has compromised the renderer process can potentially perform a sandbox escape by using a crafted HTML page. Use after fr...

PT-2026-46444

Name of the Vulnerable Software and Affected Versions Google Chrome on iOS versions prior to 149.0.7827.53 Description A use after free issue in Core allows a remote attacker who has compromised the renderer process to potentially perform a sandbox escape by using a crafted HTML page. Use after...

PT-2026-46425

Name of the Vulnerable Software and Affected Versions Google Chrome on iOS versions prior to 149.0.7827.53 Description A use after free issue allows a remote attacker to execute arbitrary code through a crafted HTML page. Use after free occurs when an application continues to use a pointer after ...

PT-2026-46741

Name of the Vulnerable Software and Affected Versions Google Chrome on Android versions prior to 149.0.7827.53 Description An inappropriate implementation in Cronet allows a remote attacker to perform domain spoofing by using a crafted domain name. Recommendations Update to version 149.0.7827.53 ...

PT-2026-46259

Name of the Vulnerable Software and Affected Versions Tautulli versions prior to 2.17.1 Description Tautulli contains a Server-Side Request Forgery SSRF issue where a public endpoint '/image/' resolves entries from image hash lookup and processes them using the same server-side image fetch logic ...

PT-2026-46339

That number got my attention. I've cleaned up enough incidents to know what usually happens when a vulnerability becomes public. Attackers don't wait. Right now there are 145 WordPress plugins/themes with publicly disclosed vulnerabilities that still have no available fix. If you're running any o...

PT-2026-46328

That number got my attention. I've cleaned up enough incidents to know what usually happens when a vulnerability becomes public. Attackers don't wait. Right now there are 145 WordPress plugins/themes with publicly disclosed vulnerabilities that still have no available fix. If you're running any o...

PT-2026-46348

That number got my attention. I've cleaned up enough incidents to know what usually happens when a vulnerability becomes public. Attackers don't wait. Right now there are 145 WordPress plugins/themes with publicly disclosed vulnerabilities that still have no available fix. If you're running any o...

PT-2026-46337

That number got my attention. I've cleaned up enough incidents to know what usually happens when a vulnerability becomes public. Attackers don't wait. Right now there are 145 WordPress plugins/themes with publicly disclosed vulnerabilities that still have no available fix. If you're running any o...

PT-2026-46373

That number got my attention. I've cleaned up enough incidents to know what usually happens when a vulnerability becomes public. Attackers don't wait. Right now there are 145 WordPress plugins/themes with publicly disclosed vulnerabilities that still have no available fix. If you're running any o...

PT-2026-46378

That number got my attention. I've cleaned up enough incidents to know what usually happens when a vulnerability becomes public. Attackers don't wait. Right now there are 145 WordPress plugins/themes with publicly disclosed vulnerabilities that still have no available fix. If you're running any o...

PT-2026-46375

That number got my attention. I've cleaned up enough incidents to know what usually happens when a vulnerability becomes public. Attackers don't wait. Right now there are 145 WordPress plugins/themes with publicly disclosed vulnerabilities that still have no available fix. If you're running any o...

PT-2026-46368

That number got my attention. I've cleaned up enough incidents to know what usually happens when a vulnerability becomes public. Attackers don't wait. Right now there are 145 WordPress plugins/themes with publicly disclosed vulnerabilities that still have no available fix. If you're running any o...

PT-2026-46859

Summary The jwt and jwk middlewares do not verify that the Authorization header value uses theBearer scheme. Any two-part header value — regardless of the scheme name in the first position — proceeds to JWT verification. A request presenting a valid JWT under a non-Bearer scheme identifier such a...

PT-2026-46300

Name of the Vulnerable Software and Affected Versions Axios versions prior to 0.32.0 Axios versions prior to 1.16.0 Description The Node.js HTTP adapter in Axios can leak proxy credentials to a redirect target. When a request is sent through an authenticated proxy, the Proxy-Authorization header ...

PT-2026-46870

Impact The limit container paths directive in singularity.conf is intended to allow a system administrator limit the paths from which containers can be run, under setuid mode. Due to incorrect matching of a path string, sibling directories with similar names may incorrectly be allowed. For exampl...

PT-2026-46356

Unauthenticated Local File Inclusion in Putter = 1.17 versions...

PT-2026-46358

Unauthenticated Local File Inclusion in Top Dog = 1.0.5 versions...

PT-2026-46372

Unauthenticated Local File Inclusion in Spike = 1.2 versions...

PT-2026-46322

Unauthenticated Local File Inclusion in Modernee = 1.6.0 versions...

PT-2026-46340

Unauthenticated Local File Inclusion in Especio = 1.0 versions...

PT-2026-46331

Unauthenticated Local File Inclusion in MaxiNet = 1.2.10 versions...

PT-2026-46352

Unauthenticated Local File Inclusion in Mission = 1.22 versions...

PT-2026-46350

Unauthenticated Local File Inclusion in Kelly Young = 1.1.0 versions...

PT-2026-46338

Unauthenticated Local File Inclusion in Deliciosa = 1.10.0 versions...

PT-2026-46181

Name of the Vulnerable Software and Affected Versions WP eMember versions prior to 10.2.3 Description An issue in the software allows the retrieval of embedded sensitive system information by an unauthorized control sphere. Recommendations Update to a version later than 10.2.2...

PT-2026-46572

Name of the Vulnerable Software and Affected Versions Google Chrome on Mac versions prior to 149.0.7827.53 Description An out of bounds write occurs in ANGLE, which is a compatibility layer that allows OpenGL ES calls to be translated to other graphics APIs. This issue allows a remote attacker wh...

PT-2026-46817

Name of the Vulnerable Software and Affected Versions Google Chrome on Android versions prior to 149.0.7827.53 Description An integer overflow in WebView allows a local attacker to cause a denial of service by using a malicious file. An integer overflow occurs when an arithmetic operation attempt...

PT-2026-46057

Name of the Vulnerable Software and Affected Versions libxls versions prior to 1.6.4 Description The OLE container parser contains an issue where memory allocated for the Master Sector Allocation Table MSAT in the read MSAT function is not fully initialized before being used by the ole2 validate...

PT-2026-45996

Mercusys AC12G EU V1 router with firmware AC12GEU V1 200909 allows UPnP AddPortMapping to forward external ports to the router's own admin interface by accepting its own IP 192.168.1.1 or localhost 127.0.0.1 as InternalClient. An unauthenticated LAN attacker can expose the admin panel to the...

PT-2026-45891

Name of the Vulnerable Software and Affected Versions Cpanel::JSON::XS versions prior to 4.41 Description Type confusion occurs when dupkeys as arrayref is enabled, allowing duplicate object keys to cause a crash. The decode hv function collapses duplicate keys into an array reference; however, i...

PT-2026-45889

A security vulnerability has been detected in SourceCodester Online Boat Reservation System 1.0. Affected by this vulnerability is an unknown functionality of the component Administrative Endpoint. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit...

PT-2026-45892

Name of the Vulnerable Software and Affected Versions Cpanel::JSON::XS versions prior to 4.41 Description An issue exists where providing input prefixed with a UTF-8 Byte Order Mark BOM can lead to a denial of service. When the decode json function processes a 3-byte UTF-8 BOM, it advances the...

PT-2026-45902

Name of the Vulnerable Software and Affected Versions FreeIPMI versions prior to 1.16.18 Description The ipmi-oem client command, which implements Intelligent Platform Management Interface IPMI OEM commands for specific hardware vendors, contains buffer overflows on response messages. This issue...

PT-2026-45904

Patch Priority: Sitefinity Credential Exposure with likely internet exposure CVSS 9.8-10.0 Affected: Progress Sitefinity; OpenMed; Spacelabs Sentinel; Masteriyo LMS PRO; Kirki Internet-facing risks dominate, led by Sitefinity and multiple pre-auth remote code execution and privilege escalation...

PT-2026-45918

The ugw-delete-file method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input...

PT-2026-46045

Name of the Vulnerable Software and Affected Versions OP-TEE versions prior to 4.11.0 Description OP-TEE is a Trusted Execution Environment designed as a companion to a non-secure Linux kernel running on Arm Cortex-A cores using TrustZone technology. In several ECDH shared secret paths, the publi...

PT-2026-46050

Name of the Vulnerable Software and Affected Versions Securly Chrome Extension version 3.0.7 Description Multiple publicly accessible endpoints allow unauthenticated access to sensitive data. The exposed information consists of SHA-1 hashes a cryptographic hash function that produces a 160-bit...