Lucene search
K
PtsecurityMost viewed

184427 matches found

Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•19 views

PT-2026-55401

Command injection via dotfiles URI parameter combined with workspace auto-creation Summary The dotfiles registry module passed unsanitized user input to shell commands, allowing arbitrary code execution inside a provisioned workspace. Any user who supplied a crafted dotfiles uri value for example...

8.1CVSS6.4AI score
Exploits0References9
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•19 views

PT-2026-55198

The Divi Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload leading to Remote Code Execution in all versions up to and including 5.1.8. This is due to insufficient file extension validation in the do image upload function where user-supplied input from the acceptFileTypes PO...

9.8CVSS6AI score0.00542EPSS
Exploits0References3
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•19 views

PT-2026-55246

A malicious actor who lures an authenticated user to a malicious page could exploit a Cross-Origin Resource Sharing CORS misconfiguration found in UniFi OS to trigger actions in UniFi OS using that user's session...

7.5CVSS5.7AI score0.00141EPSS
Exploits0References2
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•19 views

PT-2026-54935

Name of the Vulnerable Software and Affected Versions MLflow versions prior to 3.14.0 Description When authentication is enabled, the trace API endpoints lack proper authorization validators. This occurs because the before request handler fails to register authorization validators for these...

8.1CVSS7.2AI score0.00348EPSS
Exploits1References9
Positive Technologies
Positive Technologies
•added 2026/07/01 12:0 a.m.•19 views

PT-2026-54495

The Product Configurator for WooCommerce WordPress plugin before 1.7.3 does not perform any authorisation or post-status check before returning WooCommerce product data through a public AJAX action, allowing unauthenticated users to retrieve the data title, price, weight, stock status, and...

5.8AI score0.00284EPSS
Exploits0References2
Positive Technologies
Positive Technologies
•added 2026/07/01 12:0 a.m.•19 views

PT-2026-54694

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 150.0.7871.46 Description A heap buffer overflow exists in Skia, a graphics library used by the browser. This issue allows a remote attacker who has already compromised the renderer process to potentially achiev...

9.6CVSS6.2AI score0.00413EPSS
Exploits0References440
Positive Technologies
Positive Technologies
•added 2026/06/30 12:0 a.m.•19 views

PT-2026-55180

These are all security issues fixed in the python311-jupyter-server-2.20.0-1.1 package on the GA media of openSUSE Tumbleweed...

9.3CVSS5.8AI score0.00227EPSS
Exploits0References2
Positive Technologies
Positive Technologies
•added 2026/06/29 12:0 a.m.•19 views

PT-2026-53615

PySyft Syft Datasite/Server versions 0.9.5 and earlier are vulnerable to remote code execution due to insufficient validation and sandboxing of user-submitted code. The system allows low-privileged users to submit Python functions via @sy.syft function for remote execution on the server. While a...

9.8CVSS6.6AI score0.00631EPSS
Exploits0References6
Positive Technologies
Positive Technologies
•added 2026/06/29 12:0 a.m.•19 views

PT-2026-53170

A weakness has been identified in Chess Play and Learn App up to 4.9.42 on Android. This issue affects some unknown processing of the file AndroidManifest.xml of the component com.chess. This manipulation causes exposure of backup file to an unauthorized control sphere. It is feasible to perform...

2.4CVSS5.4AI score0.00133EPSS
Exploits0References7
Positive Technologies
Positive Technologies
•added 2026/06/29 12:0 a.m.•19 views

PT-2026-53529

PandasAI uses an interactive prompt function that is vulnerable to prompt injection and run arbitrary Python code that can lead to Remote Code Execution RCE instead of the intended explanation of the natural language processing by the LLM. The security controls of PandasAI 2.4.3 and earlier fail ...

9.8CVSS6.5AI score0.01183EPSS
Exploits0References8
Positive Technologies
Positive Technologies
•added 2026/06/29 12:0 a.m.•19 views

PT-2026-53448

A vulnerability in ipsilon 2.0 before 2.0.2, 1.2 before 1.2.1, 1.1 before 1.1.2, and 1.0 before 1.0.3 was found that allows attacker to log out active sessions of other users. This issue is related to how it tracks sessions, and allows an unauthenticated attacker to view and terminate active...

9.1CVSS5.7AI score0.02119EPSS
Exploits0References18
Positive Technologies
Positive Technologies
•added 2026/06/29 12:0 a.m.•19 views

PT-2026-53587

Anyscale Ray allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment...

9.8CVSS6.4AI score0.81512EPSS
Exploits6References18
Positive Technologies
Positive Technologies
•added 2026/06/29 12:0 a.m.•19 views

PT-2026-53676

Mixpost through 2.6.0 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in authenticated users' browsers by crafting malicious OAuth callback URLs with unsanitized error query parameters. Attackers can exploit the OAuth...

6.1CVSS5.9AI score0.00168EPSS
Exploits0References3
Positive Technologies
Positive Technologies
•added 2026/06/29 12:0 a.m.•19 views

PT-2026-53288

Subscriber Broken Access Control in MainWP = 6.1.1 versions...

6.3CVSS5.8AI score0.00249EPSS
Exploits0References2
Positive Technologies
Positive Technologies
•added 2026/06/29 12:0 a.m.•19 views

PT-2026-53349

Missing JWT signature check GHSL-2022-078 The StatelessTokenService of the DataHub metadata service GMS does not verify the signature of JWT tokens. This allows an attacker to connect to DataHub instances as any user if Metadata Service authentication is enabled. This vulnerability occurs because...

9.9CVSS5.8AI score0.00851EPSS
Exploits1References10
Positive Technologies
Positive Technologies
•added 2026/06/26 12:0 a.m.•19 views

PT-2026-52692

Johnson & Johnson Campus Recruiting before 2025-10-31 allows viewing of data provided by recruited students, and notes entered about students by interviewers...

7.5CVSS5.8AI score0.00245EPSS
Exploits0References2
Positive Technologies
Positive Technologies
•added 2026/06/26 12:0 a.m.•19 views

PT-2026-52958

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description The wbt init enable default function uses WARN ON ONCE to check for failures from wbt alloc and wbt init. However, these are expected failure paths: wbt alloc may return NULL during memo...

5.8AI score0.001EPSS
Exploits0References6
Positive Technologies
Positive Technologies
•added 2026/06/26 12:0 a.m.•19 views

PT-2026-52860

The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid dashboard access tok...

7.5CVSS5.8AI score0.00432EPSS
Exploits0References3
Positive Technologies
Positive Technologies
•added 2026/06/26 12:0 a.m.•19 views

PT-2026-52694

Name of the Vulnerable Software and Affected Versions libnfs versions prior to 6.0.2 Description An integer underflow occurs in the READ IOVEC section of the rpc read from socket function within lib/socket.c. This issue is triggered during a connection to a crafted NFS server when the expected PD...

7.1CVSS6.1AI score0.00195EPSS
Exploits0References16
Positive Technologies
Positive Technologies
•added 2026/06/25 12:0 a.m.•19 views

PT-2026-52449

Name of the Vulnerable Software and Affected Versions Nokogiri versions prior to 1.19.4 Description Nokogiri contains a bug occurring when certain methods are called on native wrapper classes that inherit from Nokogiri::XML::Node and have been allocated but not initialized. This leads to a NULL...

7.5CVSS5.7AI score0.00357EPSS
Exploits0References3
Positive Technologies
Positive Technologies
•added 2026/06/25 12:0 a.m.•19 views

PT-2026-52616

Name of the Vulnerable Software and Affected Versions Flowise affected versions not specified Description An unauthenticated path traversal issue exists in the '/api/v1/document-store/loader/process' endpoint. This flaw allows attackers to write arbitrary files to the filesystem by using...

10CVSS6.7AI score0.00639EPSS
Exploits1References10
Positive Technologies
Positive Technologies
•added 2026/06/25 12:0 a.m.•19 views

PT-2026-52598

Name of the Vulnerable Software and Affected Versions The product name cannot be determined affected versions not specified Description The WebSocket backend uses charging station identifiers to uniquely associate sessions but permits multiple endpoints to connect using the same session identifie...

7.3CVSS5.7AI score0.00246EPSS
Exploits0References7
Positive Technologies
Positive Technologies
•added 2026/06/25 12:0 a.m.•19 views

PT-2026-52200

Name of the Vulnerable Software and Affected Versions shell-quote versions prior to 1.8.5 Description The parse function finalizes parsed tokens using Array.prototype.concat as a reduce accumulator, causing the entire growing array to be reallocated and copied during every iteration. This results...

8.7CVSS6.2AI score0.0036EPSS
Exploits0References14
Positive Technologies
Positive Technologies
•added 2026/06/25 12:0 a.m.•19 views

PT-2026-52487

Permissions where checked incorrectly during room creation, allowing attackers to create rooms of types they shouldn't be allowed to create...

2.3CVSS5.8AI score0.0017EPSS
Exploits0References2
Positive Technologies
Positive Technologies
•added 2026/06/25 12:0 a.m.•19 views

PT-2026-52552

RTKLIB through 2.4.3 contains a heap buffer overflow vulnerability in the readrnxobsb function in src/rinex.c that allows attackers to trigger memory corruption by failing to clamp satellite count values from RINEX epoch headers. Attackers can craft malicious RINEX files declaring more than 64...

7.1CVSS6.2AI score0.00239EPSS
Exploits1References3
Positive Technologies
Positive Technologies
•added 2026/06/25 12:0 a.m.•19 views

PT-2026-52618

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 149.0.7827.201 Description An integer overflow exists in Mojo, a Chromium IPC Inter-Process Communication framework. This issue allows a remote attacker who has already compromised the renderer process to...

8.3CVSS5.9AI score0.00177EPSS
Exploits0References12
Positive Technologies
Positive Technologies
•added 2026/06/24 12:0 a.m.•19 views

PT-2026-52151

Name of the Vulnerable Software and Affected Versions Quest NetVault Backup affected versions not specified Description A flaw in the processing of NVBUDashboard JSON-RPC messages allows remote attackers to execute arbitrary code in the context of NETWORK SERVICE. The issue stems from insufficien...

8.8CVSS7.7AI score0.00689EPSS
Exploits0References8
Positive Technologies
Positive Technologies
•added 2026/06/24 12:0 a.m.•19 views

PT-2026-51986

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description An issue exists in the BPF Berkeley Packet Filter verifier regarding linked register delta tracking. When the source register src reg and destination register dst reg are pointers to the...

7.8CVSS5.9AI score0.00125EPSS
Exploits0References9
Positive Technologies
Positive Technologies
•added 2026/06/24 12:0 a.m.•19 views

PT-2026-51980

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description The bcmgenet timeout handler incorrectly attempts to shut down all transmit tx queues when only a single queue experiences a timeout. This behavior creates race conditions—situations whe...

9.8CVSS5.8AI score0.00386EPSS
Exploits0References9
Positive Technologies
Positive Technologies
•added 2026/06/24 12:0 a.m.•19 views

PT-2026-51821

A critical vulnerability in Admin GUI in Payara Server Full 4.x, 5.x, 6.x, 7.x, 7.2026.x, 6.2025.x, 6.2024.x on All platforms that allows the attacker to leak the admin gfresttoken to an attacker-controlled host that can result in a full unauthenticated takeover of Payara admin domain. A...

8.8CVSS6.6AI score0.00181EPSS
Exploits0References2
Positive Technologies
Positive Technologies
•added 2026/06/24 12:0 a.m.•19 views

PT-2026-51747

Name of the Vulnerable Software and Affected Versions curl affected versions not specified Description A flaw in the cookie parsing logic allows a malicious HTTP server to set super cookies that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that...

9.1CVSS5.8AI score0.00649EPSS
Exploits1References29
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•19 views

PT-2026-51627

Name of the Vulnerable Software and Affected Versions Gogs versions prior to 0.14.3 Description Password-reset tokens are generated using the account-activation lifetime conf.Auth.ActivateCodeLives instead of the intended password-reset lifetime conf.Auth.ResetPasswordCodeLives. Because the token...

6.8CVSS5.9AI score0.00202EPSS
Exploits0References10
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•19 views

PT-2026-51536

Name of the Vulnerable Software and Affected Versions Control Builder A versions prior to 1.4/4 800xA for Advant Master versions prior to 6.0.3-1 800xA for Advant Master versions prior to 6.1.1-1 800xA for Advant Master version 6.1.1-3 800xA for Advant Master version 6.2.0-1 Description An...

4.4CVSS5.8AI score0.00083EPSS
Exploits0References4
Positive Technologies
Positive Technologies
•added 2026/06/22 12:0 a.m.•19 views

PT-2026-51454

Name of the Vulnerable Software and Affected Versions Budibase versions prior to 3.39.0 Description An authentication bypass exists in the Budibase server route POST /api/attachments/:datasourceId/url because it lacks the authorized... middleware. An anonymous attacker who can enumerate a workspa...

9.4CVSS6AI score0.00415EPSS
Exploits1References6
Positive Technologies
Positive Technologies
•added 2026/06/22 12:0 a.m.•19 views

PT-2026-51431

Name of the Vulnerable Software and Affected Versions motionEye versions prior to 0.44.0 Description Configuration files /etc/motioneye/motion.conf and camera-.conf are created with 644 permissions, making them readable by any local user on the system. The motion.conf file contains sensitive data...

5.5CVSS5.7AI score0.02902EPSS
Exploits0References8
Positive Technologies
Positive Technologies
•added 2026/06/22 12:0 a.m.•19 views

PT-2026-51310

Name of the Vulnerable Software and Affected Versions MISP affected versions not specified Description A site administrator can configure an arbitrary filesystem path for the NDJSON error log used by JsonLogTool. Since log entries can contain attacker-controlled content, an authenticated attacker...

8.7CVSS6.4AI score0.00383EPSS
Exploits0References9
Positive Technologies
Positive Technologies
•added 2026/06/22 12:0 a.m.•19 views

PT-2026-51418

Name of the Vulnerable Software and Affected Versions vLLM versions prior to 0.22.1 Description vLLM is an inference and serving engine for large language models. The Dockerfile is susceptible to a dependency confusion attack involving the flashinfer-jit-cache package. This occurs because the...

8.8CVSS6.2AI score0.00304EPSS
Exploits1References6
Positive Technologies
Positive Technologies
•added 2026/06/22 12:0 a.m.•19 views

PT-2026-51455

Name of the Vulnerable Software and Affected Versions Actual versions prior to 26.6.0 Description Actual is a local-first personal finance tool that fails to neutralize formula-trigger characters when exporting data to CSV. The functions exportToCSV and exportQueryToCSV in...

4.2CVSS6.7AI score0.00286EPSS
Exploits0References6
Positive Technologies
Positive Technologies
•added 2026/06/22 12:0 a.m.•19 views

PT-2026-51315

Name of the Vulnerable Software and Affected Versions libxml2 versions 2.9.11 through 2.11.0 Description A Use After Free issue exists in the xmlParseInternalSubset function of libxml2. This occurs due to improper entity resolution handling, which allows a remote attacker to cause a...

8.3CVSS5.8AI score0.00289EPSS
Exploits0References13
Positive Technologies
Positive Technologies
•added 2026/06/22 12:0 a.m.•19 views

PT-2026-51292

Name of the Vulnerable Software and Affected Versions Net::Statsite::Client versions prior to 1.1.1 Description Net::Statsite::Client, a client for the statsite protocol a variant of statsd, allows metric injections. This occurs because newlines are not removed from metric names, and values are n...

9.1CVSS5.9AI score0.00352EPSS
Exploits0References12
Positive Technologies
Positive Technologies
•added 2026/06/22 12:0 a.m.•19 views

PT-2026-51386

Name of the Vulnerable Software and Affected Versions mise versions prior to 2026.3.10 Description mise processes .tool-versions files using the Tera template engine, which includes a registered exec function that allows for arbitrary command execution. In the default non-paranoid mode,...

9.6CVSS6AI score0.00685EPSS
Exploits0References7
Positive Technologies
Positive Technologies
•added 2026/06/21 12:0 a.m.•19 views

PT-2026-51233

Name of the Vulnerable Software and Affected Versions Craft CMS versions 5.0.0-RC1 through 5.9.13 Craft CMS versions 4.0.0-RC1 through 4.17.7 Description An authorization bypass exists in the 'assets/preview-file' endpoint. The system fails to enforce per-asset view authorization before returning...

5.3CVSS5.9AI score0.00221EPSS
Exploits0References7
Positive Technologies
Positive Technologies
•added 2026/06/21 12:0 a.m.•19 views

PT-2026-51232

Name of the Vulnerable Software and Affected Versions Craft CMS versions 4.0.0-RC1 through 4.17.7 Craft CMS versions 5.0.0-RC1 through 5.9.13 Description A missing authorization issue exists in the 'assets/preview-thumb' endpoint. A Control Panel user lacking permissions to view a specific privat...

5.3CVSS6AI score0.00193EPSS
Exploits0References11
Positive Technologies
Positive Technologies
•added 2026/06/21 12:0 a.m.•19 views

PT-2026-51203

Name of the Vulnerable Software and Affected Versions Edimax BR-6478AC V2 version 1.23 Description A buffer overflow can be triggered remotely via the POST Request Handler. The issue exists within the formWlSiteSurvey function located in the /goform/formWlSiteSurvey file, specifically through the...

9CVSS7.6AI score0.00455EPSS
Exploits0References11
Positive Technologies
Positive Technologies
•added 2026/06/20 12:0 a.m.•19 views

PT-2026-51149

Name of the Vulnerable Software and Affected Versions capgo versions prior to 12.128.2 Description An authorization bypass exists in several Supabase PostgREST RPC functions: get app metrics, get global metrics, and get total metrics. These functions are granted to the anon role without enforcing...

6.9CVSS5.8AI score0.00274EPSS
Exploits0References9
Positive Technologies
Positive Technologies
•added 2026/06/20 12:0 a.m.•19 views

PT-2026-51145

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.0.8 Description Insufficient input filtering in chat messages and custom agent functions allows for cross-site scripting XSS, a flaw where malicious scripts are injected into trusted websites. An attacker can execut...

6.1CVSS5.8AI score0.00222EPSS
Exploits1References9
Positive Technologies
Positive Technologies
•added 2026/06/20 12:0 a.m.•19 views

PT-2026-51043

Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2 Description An authorization bypass exists in the public.upsert version meta SECURITY DEFINER function exposed via PostgREST RPC. This allows unauthenticated attackers to insert arbitrary rows into version meta...

6.9CVSS6AI score0.00235EPSS
Exploits0References9
Positive Technologies
Positive Technologies
•added 2026/06/20 12:0 a.m.•19 views

PT-2026-51152

Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2 Description An information disclosure issue exists in the unauthenticated '/replication' endpoint. This allows attackers to retrieve internal PostgreSQL replication telemetry without authentication, exposing...

6.9CVSS5.9AI score0.00239EPSS
Exploits0References9
Positive Technologies
Positive Technologies
•added 2026/06/20 12:0 a.m.•19 views

PT-2026-51159

Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2 Description An open redirect issue exists in the 'confirm-signup' endpoint. The confirmation url parameter is not validated, which allows attackers to redirect users to arbitrary external websites. This can be...

5.1CVSS6AI score0.0018EPSS
Exploits0References9
Positive Technologies
Positive Technologies
•added 2026/06/19 12:0 a.m.•19 views

PT-2026-50865

Name of the Vulnerable Software and Affected Versions GPU DDK affected versions not specified Description Software run by a non-privileged user can execute improper GPU system calls to trigger an error path, resulting in a Use-After-Free UAF of GPU page tables. This occurs because an error recove...

7.7CVSS5.7AI score0.0011EPSS
Exploits0References5
Total number of security vulnerabilities5000