184379 matches found
PT-2026-50699
InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 including earlier versions were discovered to contain a command injection vulnerability in the Python application export function. This vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input...
PT-2026-50709
Name of the Vulnerable Software and Affected Versions Hermes WebUI versions prior to 0.51.468 Description An issue exists in the unauthenticated 'POST /api/onboarding/oauth/start' endpoint that allows for unbounded accumulation of in-memory flow state and daemon threads. This can lead to resource...
PT-2026-50791
Name of the Vulnerable Software and Affected Versions Guzzle versions prior to 7.12.1 Description In certain configurations, traffic intended to be protected by TLS on the hop to the proxy is transmitted in cleartext. This occurs when an application uses the built-in cURL handlers...
PT-2026-50740
Name of the Vulnerable Software and Affected Versions Zitadel versions 4.0.0 through 4.15.1 Zitadel versions 3.0.0 through 3.4.11 Description A Server-Side Request Forgery SSRF issue exists in components that handle outgoing HTTP requests, specifically HTTP Notification Channels, OIDC BackChannel...
PT-2026-50723
Name of the Vulnerable Software and Affected Versions Kirby versions prior to 4.9.4 Kirby versions prior to 5.4.4 Description Kirby sites and plugins that process untrusted input using the writer or list fields, or specific sanitization methods, are subject to stored cross-site scripting XSS. XSS...
PT-2026-50571
Name of the Vulnerable Software and Affected Versions ThingsBoard affected versions not specified Description Prototype pollution occurs when an attacker can manipulate the prototype of an object, potentially leading to arbitrary code execution within a sandboxed context. This issue can be...
PT-2026-50355
Unauthenticated Broken Authentication in SMS Alert Order Notifications = 3.9.3 versions...
PT-2026-50309
Unauthenticated SQL Injection in Blocksy Companion Pro 2.1.29 versions...
PT-2026-50373
Missing Authorization vulnerability in Rara Themes Metro Magazine allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Metro Magazine: from n/a through 1.3.7...
PT-2026-50295
Subscriber Broken Access Control in MetForm Pro = 3.9.1 versions...
PT-2026-50283
Unauthenticated Cross Site Scripting XSS in Skillate = 1.2.10 versions...
PT-2026-50469
picklescan before 1.0.3 contains a scanning bypass vulnerability in the scan pytorch function that allows attackers to embed malicious magic numbers via dynamic eval using the reduce trick. Attackers can craft malicious PyTorch payloads that evade picklescan detection while remaining executable,...
PT-2026-50311
Contributor Local File Inclusion in Element Pack Pro = 9.0.6 versions...
PT-2026-50456
Name of the Vulnerable Software and Affected Versions undici versions 6.17.0 through 6.25.x undici versions 7.0.0 through 7.27.x undici versions 8.0.0 through 8.4.x Description The WebSocket client fails to limit the number of fragments in a message, only enforcing the maxPayloadSize on the...
PT-2026-50274
Unauthenticated PHP Object Injection in ThemeREX Addons = 2.36.1.1 versions...
PT-2026-50294
Subscriber Broken Access Control in WishList Member X = 3.29.0 versions...
PT-2026-50411
Unauthenticated Local File Inclusion in Kastell = 2.0 versions...
PT-2026-50289
Unauthenticated Local File Inclusion in EcoBlue = 1.15 versions...
PT-2026-50555
Name of the Vulnerable Software and Affected Versions Steeltoe.Discovery.Eureka versions prior to 3.4.0 Steeltoe.Discovery.Eureka versions prior to 4.2.0 Description The DataCenterInfo.FromJson function throws an ArgumentException when it encounters any name value other than "MyOwn" or "Amazon"...
PT-2026-50584
Name of the Vulnerable Software and Affected Versions Gitea versions prior to 1.26.2 Description Authenticated self routes under the /api/v1/user/... group do not properly enforce the public-only token restriction. This allows a token or OAuth grant marked as public-only to access or modify priva...
PT-2026-50201
Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 149.0.7827.155 Description A use-after-free issue exists in DigitalCredentials. This occurs when a program continues to use a pointer after it has been freed, which can lead to memory corruption. A remote attack...
PT-2026-50532
Name of the Vulnerable Software and Affected Versions Punto Switcher affected versions not specified Description An unquoted-path flaw allows the execution of attacker-placed code at the user's privilege level. This issue occurs during a call made by a signed Windows binary at launch, enabling...
PT-2026-50407
Unauthenticated PHP Object Injection in Zoya = 1.4 versions...
PT-2026-50347
Subscriber SQL Injection in Cornerstone 7.8.8 versions...
PT-2026-50399
Unauthenticated Local File Inclusion in Uppercase 1.2.2 versions...
PT-2026-50282
Unauthenticated Cross Site Scripting XSS in Auto Repair = 22.6 versions...
PT-2026-50327
Unauthenticated Cross Site Scripting XSS in Profile Builder Pro = 3.15.0 versions...
PT-2026-50463
Name of the Vulnerable Software and Affected Versions Dell PowerFlex Manager affected versions not specified Description An improper neutralization of special elements used in an SQL command, known as SQL Injection, allows a low privileged attacker with adjacent network access to potentially caus...
PT-2026-50190
Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 149.0.7827.155 Description A use after free issue in DigitalCredentials on Windows allows a remote attacker to potentially perform a sandbox escape by using a crafted HTML page. Use after free occurs when an...
PT-2026-50250
Got 2 CVEs today: CVE-2026-46655 - virtio-win kvm-guest-drivers - 7.8 High CVE-2026-46977 - Oracle VirtualBox - 3.2 Low...
PT-2026-50359
Unauthenticated PHP Object Injection in WP Activity Log = 5.6.3.1 versions...
PT-2026-50243
The WP Magnific Popup WordPress plugin through 1.0 does not properly escape user-controlled link URLs before injecting them into the DOM when displaying image load error messages, allowing authenticated attackers with Author-level access or above to perform Stored Cross-Site Scripting attacks...
PT-2026-50340
Unauthenticated Broken Authentication in wpForo Forum = 3.1.0 versions...
PT-2026-50197
Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 149.0.7827.155 Description A heap buffer overflow occurs in WebRTC, which is a framework that enables real-time communication such as voice and video calls within web browsers. This issue allows a remote attacke...
PT-2026-50313
CP Client Arbitrary File Download in Client Portal Pro = 5.6.2 versions...
PT-2026-50358
Subscriber Privilege Escalation in Falang multilanguage = 1.4.2 versions...
PT-2026-50492
Name of the Vulnerable Software and Affected Versions Pi versions prior to 0.79.0 Description Pi loaded project-local configuration and resources from a repository's .pi directory, including executable TypeScript or JavaScript modules known as project-local extensions, without requiring the user ...
PT-2026-50418
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Brainstorm Force SureDash allows Blind SQL Injection. This issue affects SureDash: from n/a through 1.8.0...
PT-2026-50350
Unauthenticated Cross Site Scripting XSS in JetEngine = 3.8.10 versions...
PT-2026-50271
Unauthenticated Local File Inclusion in HomeRoofer = 2.11.0 versions...
PT-2026-50486
Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.6 Description A path traversal issue exists in the cache file serving endpoint '/cache/path:path' that allows authenticated users with the role of user or admin to read files from sibling directories outside th...
PT-2026-50479
Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.6 Description The chat message listener in the chat page's window message listener processes input:prompt and action:submit messages without enforcing same-origin restrictions. This allows an external site to s...
PT-2026-50251
Name of the Vulnerable Software and Affected Versions Trivy versions prior to 0.71.1 Description Trivy improperly trusts the org.opencontainers.image.title annotation in an OCI artifact manifest, using it as the destination filename when downloading content without proper validation or...
PT-2026-50338
Unauthenticated SQL Injection in JetEngine 3.8.9.1 versions...
PT-2026-50300
Unauthenticated Sensitive Data Exposure in Bricksforge = 3.1.8.4 versions...
PT-2026-50266
Unauthenticated Cross Site Scripting XSS in my flatonica = 0.0.8 versions...
PT-2026-50192
Name of the Vulnerable Software and Affected Versions Google Chrome on Android versions prior to 149.0.7827.155 Description A use after free issue in the Passwords component allows a remote attacker to execute arbitrary code when a user accesses a specially crafted HTML page. Use after free is a...
PT-2026-50079
Unauthenticated Local File Inclusion in Learnify = 1.15.0 versions...
PT-2026-49893
Name of the Vulnerable Software and Affected Versions Oracle WebCenter Content version 12.2.1.4.0 Oracle WebCenter Content version 14.1.2.0.0 Description An issue exists in the Content Server component of the Oracle WebCenter Content product within Oracle Fusion Middleware. A low privileged...
PT-2026-50119
Runtipi is a personal homeserver orchestrator. In versions 4.9.1 through 4.9.3, Runtipi serves marketplace app logos from files inside cloned app-store repositories through an unauthenticated endpoint, which leads to arbitrary file read through app-store logo symlinks. The path guard checks only...