PT-2026-26477
Name of the Vulnerable Software and Affected Versions DiceBear versions prior to 5.4.4 DiceBear versions 6.1.4 and earlier DiceBear versions 7.1.4 and earlier DiceBear versions 8.0.3 and earlier DiceBear versions 9.4.1 and earlier Description The software does not properly escape SVG attribute...
PT-2026-23289
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in ThemeREX Yungen yungen allows PHP Local File Inclusion. This issue affects Yungen: from n/a through <= 1.0.12...
PT-2026-23338
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in ThemeREX Dixon dixon allows PHP Local File Inclusion. This issue affects Dixon: from n/a through <= 1.4.2.1...
PT-2026-23162
Name of the Vulnerable Software and Affected Versions Mikado-Themes Eona versions through 1.3 Description The software contains a flaw related to improper control of filename for include/require statements, specifically a PHP Remote File Inclusion issue. This allows for PHP Local File Inclusion...
PT-2026-42471
Name of the Vulnerable Software and Affected Versions Trend Micro Apex One affected versions not specified Trend Micro Apex One as a Service affected versions not specified Description An origin validation issue in the Apex One/SEP agent allows a local attacker to escalate privileges. This flaw...
PT-2026-22483
Name of the Vulnerable Software and Affected Versions wpForo version 2.4.14 Description The software contains an unauthenticated SQL injection issue in the Topics::get_topics function. The problem stems from ineffective sanitization using esc_sql on unquoted identifiers within the ORDER BY clause...
PT-2026-21821
Name of the Vulnerable Software and Affected Versions OpenEMR versions prior to 8.0.0 Description OpenEMR is an electronic health records and medical practice management application. A stored cross-site scripting issue exists in the GAD-7 anxiety assessment form. Authenticated users with clinicia...
PT-2026-21497
A vulnerability was found in a466350665 Smart-SSO up to 2.1.1. Affected by this issue is some unknown functionality of the file smart-sso-server/src/main/resources/templates/login.html of the component Login. Performing a manipulation of the argument redirectUri results in cross-site scripting. T...
PT-2026-21123
Name of the Vulnerable Software and Affected Versions TeconceTheme Coven Core versions through 1.3 Description A flaw exists in TeconceTheme Coven Core that allows for Blind SQL Injection due to improper neutralization of special elements used in an SQL command. This issue could potentially allow...
PT-2026-20712
Missing Authorization vulnerability in codepeople Calculated Fields Form calculated-fields-form allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Calculated Fields Form: from n/a through <= 5.4.4.1...
PT-2026-40155
Name of the Vulnerable Software and Affected Versions Windows DWM Core Library affected versions not specified Description A buffer over-read in the Windows DWM Core Library allows an authorized attacker to disclose sensitive information locally. Recommendations At the moment, there is no...
PT-2026-20867
Name of the Vulnerable Software and Affected Versions Kata Containers versions prior to 3.27.0 Description Kata Containers is an open source project focused on providing a standard implementation of lightweight Virtual Machines (VMs) that function like containers. A flaw in Kata with Cloud Hypervis...
PT-2026-20865
Name of the Vulnerable Software and Affected Versions wpForo Forum plugin versions prior to 2.4.15 Description The wpForo Forum plugin for WordPress is susceptible to time-based SQL Injection through the wpfob parameter. Insufficient escaping of user-supplied input and inadequate SQL query...
PT-2026-8246
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting the passthrough_networks parameter in vpn_ipsec_settings.php. Attackers can craft POST requests with JavaScript payloads in the passthrough_networks parameter to...
PT-2026-8238
A security flaw has been discovered in Open5GS up to 2.7.6. This vulnerability affects the function ogs_gtp2_parse_tft in the library lib/gtp/v2/types.c of the component SMF. Performing a manipulation of the argument pf0.content.length results in denial of service. The attack is possible to be...
PT-2026-8032
Name of the Vulnerable Software and Affected Versions Calero VeraSMART versions prior to 2022 R1 Description The application uses static machineKey values configured for the VeraSMART web application and stored in 'C:\Program Files (x86)\Veramark\VeraSMART\WebRoot\web.config'. An attacker obtaining thes...
PT-2026-8024
Name of the Vulnerable Software and Affected Versions lakeFS versions prior to 1.77.0 Description lakeFS, an open-source tool for transforming object storage into Git-like repositories, contains path traversal issues in its local block adapter pkg/block/local/adapter.go. The verifyRelPath functio...
PT-2026-7806
Name of the Vulnerable Software and Affected Versions AdForest versions up to and including 6.0.12 Description The AdForest theme for WordPress is susceptible to authentication bypass. The issue stems from insufficient user identity verification before authentication via the sb_login_user_with_ot...
PT-2026-7516
Name of the Vulnerable Software and Affected Versions GitLab CE/EE versions 18.7 through 18.7.3 GitLab CE/EE versions 18.8 through 18.8.3 Description An unauthenticated user could cause a denial of service through CPU exhaustion by submitting specially crafted markdown files. These files trigger...
PT-2026-7774
Name of the Vulnerable Software and Affected Versions iOS versions prior to 26.3 iPadOS versions prior to 26.3 Description An input validation issue allows a person with physical access to an iOS device to potentially access photos from the lock screen. Recommendations Update to iOS version 26.3 ...
PT-2026-7274
An Improper Verification of Source of a Communication Channel (CWE-940) vulnerability in Fortinet FortiOS 7.6.0 through 7.6.4, FortiOS 7.4.0 through 7.4.9, FortiOS 7.2 all versions, FortiOS 7.0 all versions may allow an authenticated user with knowledge of FSSO policy configurations t...
PT-2026-7288
Name of the Vulnerable Software and Affected Versions Intel Ethernet Controller E810 firmware versions prior to cvl fw 1.7.8.x Description An uncaught exception in the firmware of certain 100GbE Intel Ethernet Controller E810 devices running Ring 0: Bare Metal OS may lead to a denial of service. ...
PT-2026-7312
Name of the Vulnerable Software and Affected Versions Intel® NPU Drivers affected versions not specified Description An improper conditions check in some firmware for Intel® NPU Drivers within Ring 1 may allow a denial of service. An unprivileged software adversary with an authenticated user and ...
PT-2026-6667
Name of the Vulnerable Software and Affected Versions The Timeline Block – Beautiful Timeline Builder for WordPress versions up to and including 1.3.3 Description The software is susceptible to an Insecure Direct Object Reference issue. This is due to a lack of validation on a user-controlled key...
PT-2026-6862
Claude Code failed to properly validate commands using piped sed operations with the echo command, allowing attackers to bypass file write restrictions. This vulnerability enabled writing to sensitive directories like the .claude folder and paths outside the project scope. Exploiting this require...
PT-2026-5733
Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/Api/Rest/Handler/UserInfoHandler.Php. This issue affects CheckUser: from a3dc1bbcc33acbcca6831d6afaccbb1054c93a57, 0584eb2ad564648aa3ce9c555dd044dda02b55f4...
PT-2026-5959
Name of the Vulnerable Software and Affected Versions Moodle affected versions not specified Description A flaw exists in Moodle due to improper sanitization of AI prompt responses. This allows attackers to inject malicious HTML or script into web pages. Successful exploitation could lead to...
PT-2026-5600
A vulnerability was determined in EFM ipTIME A8004T 14.18.2. Affected is the function httpcon_check_session_url of the file /sess-bin/d.cgi of the component Debug Interface. This manipulation of the argument cmd causes backdoor. It is possible to initiate the attack remotely. The complexity of an...
PT-2026-6479
Summary SageMaker Python SDK is an open source library for training and deploying machine learning models on Amazon SageMaker. An issue where the HMAC secret key is stored in environment variables and disclosed via the DescribeTrainingJob API has been identified. Impact - Function and Payload...
PT-2026-5584
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.1.29 Description An authentication bypass issue exists in the WebSocket gateway of OpenClaw. The software fails to validate the user-supplied gatewayUrl parameter before initializing WebSocket connections. This...
PT-2026-5329
A vulnerability was found in Tenda AX12 Pro V2 16.03.49.24_cn. Affected by this issue is some unknown functionality of the component Telnet Service. Performing a manipulation results in hard-coded credentials. The attack is possible to be carried out remotely. A high degree of complexity is neede...
PT-2026-5221
Name of the Vulnerable Software and Affected Versions NocoDB versions prior to 0.301.0 Description NocoDB has a stored cross-site scripting (XSS) issue in its attachment handling. Authenticated users can upload malicious SVG files containing embedded JavaScript. These files are rendered inline and...
PT-2026-4690
In multiple locations, there is a possible way to reset user-selected permissions selections due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...
PT-2026-4605
The Friendly Functions for Welcart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.5. This is due to missing or incorrect nonce validation on the settings page. This makes it possible for unauthenticated attackers to update plugin setting...
PT-2026-4606
The Responsive Header plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple plugin settings parameters in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
PT-2026-3908
Horilla is a free and open source Human Resource Management System (HRMS). A critical File Upload vulnerability in versions prior to 1.5.0, with Social Engineering, allows authenticated users to deploy phishing attacks. By uploading a malicious HTML file disguised as a profile picture, an attacker...
PT-2026-3801
Blitar Tourism 1.0 contains an authentication bypass vulnerability that allows attackers to bypass login by injecting SQL code through the username parameter. Attackers can manipulate the login request by sending a crafted username with SQL injection techniques to gain unauthorized administrative...
PT-2026-3881
The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete comment function in all versions up to, and including, 1.8.36. This makes it possible for unauthenticated attackers to...
PT-2026-3578
Name of the Vulnerable Software and Affected Versions Nexter Extension – Site Enhancements Toolkit plugin for WordPress versions through 4.4.6 Description The Nexter Extension – Site Enhancements Toolkit plugin for WordPress is susceptible to PHP Object Injection due to deserialization of untrust...
PT-2026-3423
A weakness has been identified in lcg0124 BootDo up to e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb. Affected is the function Save of the file /blog/bContent/save of the component ContentController. This manipulation of the argument content/author/title causes cross-site scripting. Remote exploitatio...
PT-2026-2827
Name of the Vulnerable Software and Affected Versions WordPress List Site Contributors plugin versions up to and including 1.1.8 Description The List Site Contributors plugin for WordPress is susceptible to Reflected Cross-Site Scripting. This is due to inadequate input sanitization and output...
PT-2026-2806
Name of the Vulnerable Software and Affected Versions Cal.com versions 3.1.6 through 6.0.6 Description Cal.com, an open-source scheduling software, has a critical flaw in a custom NextAuth JWT callback. This issue allows attackers to gain full authenticated access to any user's account by supplyi...
PT-2026-1805
Name of the Vulnerable Software and Affected Versions Dell PowerProtect Data Domain versions 7.7.1.0 through 8.4.0.0 Dell PowerProtect Data Domain LTS2025 version 8.3.1.10 Dell PowerProtect Data Domain LTS2024 versions 7.13.1.0 through 7.13.1.40 Dell PowerProtect Data Domain LTS2023 versions...
PT-2026-2257
Name of the Vulnerable Software and Affected Versions Mediawiki - ApprovedRevs Extension versions 1.39 through 1.45 Description The Mediawiki - ApprovedRevs Extension contains a flaw related to improper encoding or escaping of output due to magic word replacement in ParserAfterTidy. This can lead...
PT-2026-1709
Name of the Vulnerable Software and Affected Versions Contact Form vCard Generator versions up to and including 2.4 Description The Contact Form vCard Generator plugin for WordPress has a flaw where a missing capability check on the wp_gvccf_check_download_request function allows unauthorized...
PT-2026-2140
Name of the Vulnerable Software and Affected Versions Snuffleupagus versions prior to 0.13.0 Description Snuffleupagus is a module designed to increase the cost of attacks against websites by eliminating bug classes and offering a virtual patching system. In deployments of Snuffleupagus before...
PT-2026-1227
Name of the Vulnerable Software and Affected Versions QOCA aim AI Medical Cloud Platform affected versions not specified Description The QOCA aim AI Medical Cloud Platform, developed by Quanta Computer, contains a SQL Injection flaw. This allows authenticated remote attackers to inject arbitrary...
PT-2026-1291
Name of the Vulnerable Software and Affected Versions Campcodes Supplier Management System version 1.0 Description A flaw exists in Campcodes Supplier Management System version 1.0, specifically within the file /retailer/edit profile.php. The manipulation of the txtRetailerAddress argument can le...
PT-2026-27708
Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 6.19.0-rc1+ 21 Description The Linux kernel contained a flaw in the XDP (eXpress Data Path) implementation where a negative tailroom could be calculated. This occurs when ethernet drivers report XDP RX queue frag...
PT-2026-20446
Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description An issue exists in the Linux kernel's ksmbd module where an infinite loop can occur due to an incorrect reset of the next_smb2_rcv_hdr_off pointer in error paths during SMB2 signature...