PT-2026-38284

Name of the Vulnerable Software and Affected Versions wger versions prior to 2.6 Description An authorization bypass exists in the reset user password and gym permissions user edit views. The system performs a gym-scope authorization check using a Python object comparison that evaluates None !=...

PT-2026-37118

Name of the Vulnerable Software and Affected Versions Dagster Core versions prior to 1.13.1 Dagster libraries versions prior to 0.29.1 Description DuckDB, Snowflake, BigQuery, and DeltaLake I/O managers construct SQL WHERE clauses by interpolating dynamic partition key values into queries without...

PT-2026-20230

IBM Db2 for Linux, UNIX and Windows includes Db2 Connect Server 12.1.0 through 12.1.3 could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic with federated objects...

PT-2026-1449

Adtec Digital SignEdje Digital Signage Player v2.08.28 contains multiple hardcoded default credentials that allow unauthenticated remote access to web, telnet, and SSH interfaces. Attackers can exploit these credentials to gain root-level access and execute system commands across multiple Adtec...

PT-2026-1043

Name of the Vulnerable Software and Affected Versions Yonyou KSOA version 9.0 Description A SQL injection issue exists in Yonyou KSOA 9.0 due to manipulation of the ID argument within the HTTP GET parameter handler of the /worksheet/agent worksdel.jsp file. Remote exploitation is possible. The...

PT-2025-39542

Name of the Vulnerable Software and Affected Versions Stackable versions through 3.18.1 Description A flaw exists in Benjamin Intal Stackable that allows retrieval of embedded sensitive data due to insertion of sensitive information into sent data. Recommendations Update Stackable to a version...

PT-2025-28914 · Jenkins · Jenkins Ifttt Build Notifier Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins IFTTT Build Notifier Plugin versions 1.2 and earlier Description: The Jenkins IFTTT Build Notifier Plugin stores IFTTT Maker Channel Keys unencrypted in job config.xml files on the Jenkins controller. These keys can be viewed by users...

PT-2025-10000

Name of the Vulnerable Software and Affected Versions FastGPT versions prior to 4.9.0 Description The issue arises from the web crawling plug-in's failure to perform intranet IP verification. This allows an attacker to initiate an intranet IP request, causing the system to make a request through...

PT-2025-12: Deserialization of Untrusted Data in HTML2PDF

The vulnerability was identified in HTML2PD, version 5.3.0. The discovered vulnerability allows an attacker to create objects of arbitrary classes, fully controlling their properties, thus modify the logic of the web application. Vulnerability status: Confirmed by vendor Date of vulnerability...

PT-2024-36597 · Unknown · Simplexlsx

Name of the Vulnerable Software and Affected Versions: SimpleXLSX versions 1.0.12 through 1.1.12 Description: The issue allows for the execution of arbitrary JavaScript code when calling the extended toHTMLEx method. This can be exploited in versions prior to 1.1.12. The estimated number of...

PT-2024-28848 · Doccano · Doccano

Name of the Vulnerable Software and Affected Versions: Doccano Open source annotation tools for machine learning practitioners version 1.8.4 Doccano Auto Labeling Pipeline module to annotate a document automatically version 0.1.23 Description: The issue allows a remote attacker to escalate...

PT-2023-30245 · Moodle +1 · Moodle +1

Name of the Vulnerable Software and Affected Versions: Moodle version 4.3 Description: The issue allows for reflected XSS in the /grade/report/grader/index.php endpoint when the searchvalue parameter is used, and the user is logged in as a teacher. According to the Moodle Security FAQ, teachers c...

PT-2023-32048 · Field Logic · Field Logic Datacube4

Name of the Vulnerable Software and Affected Versions: Field Logic DataCube4 up to 20231001 Description: A problematic issue was found in the Web API component, affecting unknown code of the file /api/. This leads to improper authentication. The exploit has been disclosed to the public and may be...

PT-2023-26434 · Unknown · Vowifiservice

Name of the Vulnerable Software and Affected Versions: vowifiservice affected versions not specified Description: The issue is related to a possible missing permission check in vowifiservice, which could lead to a local denial of service with no additional execution privileges. Recommendations: A...

PT-2023-33020 · Npm · Fast-Xml-Parser

Name of the Vulnerable Software and Affected Versions: fast-xml-parser affected versions not specified Description: The issue concerns the validation of entity names in the fast-xml-parser code. The current approach checks for the presence of invalid characters, which can be risky as it may not...

PT-2023-10015 · Unknown · Mail Subscribe List Plugin

Name of the Vulnerable Software and Affected Versions: Mail Subscribe List Plugin versions up to 2.0.10 Description: The issue affects some unknown processing of the file index.php. The manipulation of the argument sml name/sml email leads to cross site scripting. The attack may be initiated...

PT-2023-7476 · Unknown · Osprey Pump Controller

Name of the Vulnerable Software and Affected Versions: Osprey Pump Controller version 1.01 Description: The issue is related to a weak session token generation algorithm that can be predicted, potentially allowing an attacker to hijack a session by predicting the session id and gain unauthorized...

PT-2023-14334 · Undefined · Undefined

Name of the Vulnerable Software and Affected Versions: No information is available about the vulnerable software and its affected versions. Description: The record for this issue has been rejected due to non-compliance with CNA rules, as it has not been used. The information is from the National...

PT-2021-4560 · Php +10 · Php +10

Name of the Vulnerable Software and Affected Versions: PHP versions 7.3.x through 7.3.31 PHP versions 7.4.x through 7.4.24 PHP versions 8.0.x through 8.0.11 Description: The issue is related to the PHP FPM SAPI component, where child worker processes can access and modify memory shared with the...

PT-2021-7066 · Linux +8 · Linux Kernel +8

Name of the Vulnerable Software and Affected Versions: Linux kernel affected versions not specified Description: A flaw in the processing of received ICMP errors, specifically ICMP fragment needed and ICMP redirect, allows an off-path remote user to quickly scan open UDP ports and bypass the sour...

PT-2021-3958 · Apache · Apache Directory Studio

Name of the Vulnerable Software and Affected Versions: Apache Directory Studio versions prior to 2.0.0.v20210213-M16 Description: The issue is related to the absence of protection for service data. An attacker could exploit this to disclose protected information. The problem arises when configure...

PT-2020-17370 · Mediawiki +1 · Mediawiki Casauth Extension +1

Name of the Vulnerable Software and Affected Versions: MediaWiki CasAuth extension versions through 1.35.1 Description: An issue was discovered due to improper username validation, allowing user impersonation with trivial manipulations of certain characters within a given username. An ordinary us...

PT-2021-3378 · Linux +10 · Linux Kernel +10

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 5.9-rc1 Description: The issue is related to an out-of-bounds memory write flaw in the Linux kernel's joystick devices subsystem. This flaw occurs when a user calls the ioctl JSIOCSBTNMAP function. It allows a...

PT-2019-3113 · Linux +3 · Linux Kernel +3

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 5.1.8 Description: The issue is related to a double-free error caused by a malicious USB device in the drivers/usb/misc/rio500.c driver. This error can lead to a denial of service. Recommendations: For Linux...

PT-2023-2689 · Linux +7 · Linux Kernel +7

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to the commit 74e19ef0ff8061ef55957c3abd71614ef0f42f47 Description: The issue is related to the copy from user function in the Linux kernel, which does not implement the uaccess begin nospec feature. This allows a...

PT-2026-46139

Name of the Vulnerable Software and Affected Versions OpenStack Ironic versions prior to 35.0.2 Description An issue exists where a crafted ISO image can lead to file overwrite via directory traversal during the deployment process. Directory traversal is a technique that allows an attacker to...

PT-2026-45446

A security vulnerability has been detected in decolua 9router up to 0.4.0. This issue affects the function isAuthenticated of the file src/dashboardGuard.js of the component HTTP Header Handler. The manipulation of the argument Host leads to improper authorization. The attack is possible to be...

PT-2026-45546

Name of the Vulnerable Software and Affected Versions Ivanti Neurons for ITSM affected versions not specified Description Improper Access Control allows a remote authenticated attacker to gain administrative access. Recommendations Audit role configurations to ensure permissions are limited to...

PT-2026-45445

A weakness has been identified in janet-lang janet up to 1.41.0. This vulnerability affects the function unmarshal one fiber of the file src/core/marsh.c. Executing a manipulation can lead to integer overflow. It is possible to launch the attack on the local host. The exploit has been made...

PT-2026-45456

FlexRIC v2.0.0 contains reachable assert0 calls in stub message handlers for whitelisted but unimplemented E2AP message types in the near-RT RIC. A remote unauthenticated attacker can send a decodable E2AP PDU of such a type e.g., E2nodeConfigurationUpdate to crash the near-RT RIC process port...

PT-2026-45587

In resumeConfigurationDispatch of ActivityRecord.java, there is a possible background application launch bal due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

PT-2026-41977

Name of the Vulnerable Software and Affected Versions HAX CMS versions prior to 26.0.0 Description A stored cross-site scripting XSS issue exists due to improper sanitization of elements. The application permits the use of javascript: URIs within the src attribute, which execute when a malicious...

PT-2026-40762

Exposure of the QKEY used as input into the ‘OTA-Quantum’ device registration process and internal system keys via an unauthenticated and unencrypted HTTP GET method in the Arqit Symmetric Key Agreement Platform. This issue affects Symmetric Key Agreement Platform: before 26.03...

PT-2026-40780

Name of the Vulnerable Software and Affected Versions @strapi/upload versions prior to 5.33.3 Description In the Upload plugin, Content API endpoints failed to enforce administrator-configured MIME type restrictions defined in plugin.upload.security.allowedTypes and deniedTypes. While these...

PT-2026-40078

Improper input validation for some Intel Endpoint Management Assistant EMA software before version 1.14.5 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an unauthenticated user combined with a low complexity attack may enable escalation...

PT-2026-39951

The Next Date plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'default' shortcode attribute in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attacker...

PT-2026-39638

The flash-attention training framework thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 2025-13-04 contains an insecure deserialization vulnerability CWE-502 in its checkpoint loading mechanism. The load checkpoint function in checkpoint.py and the checkpoint loading code in eval.py use...

PT-2026-39634

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e 2025-30-21 contains an insecure deserialization vulnerability CWE-502 in its make parquet list.py data processing tool. The script loads PyTorch .pt files utterance embeddings, speaker embeddings, speech tokens using torch.load withou...

PT-2026-38682

Name of the Vulnerable Software and Affected Versions uriparser versions prior to 1.0.2 Description The function family EqualsUri can misclassify two unequal URIs as equal. Recommendations Update to version 1.0.2 or later. As a temporary workaround, restrict the use of the EqualsUri function unti...

PT-2026-38641

Name of the Vulnerable Software and Affected Versions AsusPTPFilter affected versions not specified Description An exposed IOCTL Input/Output Control with insufficient access control allows a local user to bypass driver security mechanisms. This can lead to the unauthorized acquisition of...

PT-2026-38551

Name of the Vulnerable Software and Affected Versions FreeScout versions prior to 1.8.214 Description The backend conversation change customer action fails to properly validate the customer email variable. While the Change Customer modal filters out-of-scope customers via the mailbox-filtered...

PT-2026-38400

Name of the Vulnerable Software and Affected Versions Weblate versions prior to 5.17.1 Description The screenshots, tasks, and component link API endpoints allow for the enumeration of translations within a project that the user should not be able to access. Recommendations Update to version 5.17...

PT-2026-38406

Name of the Vulnerable Software and Affected Versions Vercel CLI versions 50.16.0 through 52.0.0 Description When running in non-interactive mode via the --non-interactive flag or auto-detected AI agent, commands that cannot complete autonomously emit JSON payloads containing suggested follow-up...

PT-2026-37289

Name of the Vulnerable Software and Affected Versions WWBN AVideo versions prior to 29.0 Description An issue exists where the endpoint 'plugin/CloneSite/cloneClient.json.php' echoes the local CloneSite shared secret, stored in the variable myKey a constant generated via md5$global'systemRootPath...

PT-2026-37283

Name of the Vulnerable Software and Affected Versions Network-AI versions prior to 5.1.3 Description The MCP HTTP transport accepts JSON-RPC tools/call requests without requiring authentication, sessions, origins, or token checks, dispatching them directly to the orchestrator's tool registry...

PT-2026-27137

Name of the Vulnerable Software and Affected Versions GoHarbor versions prior to 2.15.0 Description The use of hard-coded credentials in GoHarbor allows attackers to use the default password and gain access to the web user interface. Recommendations Update GoHarbor to version 2.15.0 or later...

PT-2026-24077

Name of the Vulnerable Software and Affected Versions MobaXterm versions prior to 26.1 Description The software contains an uncontrolled search path element issue. The application uses WinExec to launch Notepad++ without specifying the complete path to the executable when opening files from remot...

PT-2026-23098

Name of the Vulnerable Software and Affected Versions IDC SFX2100 satellite receiver affected versions not specified Description The /sbin/ip utility is installed with the setuid bit set on the IDC SFX2100 satellite receiver. This configuration allows any local user who can execute the binary to...

PT-2026-23554

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.2.15 Description The software uses SHA-1 to hash sandbox identifier cache keys for Docker and browser sandbox configurations. SHA-1 is a deprecated cryptographic hash function with known collision weaknesses. A...

PT-2026-3489

Name of the Vulnerable Software and Affected Versions birkir versions prior to 0.4.0.beta.0 Description A flaw exists in birkir that could lead to a denial of service. The issue is located within the GraphQL Array Based Query Batch Handler component, specifically affecting an unknown function...