Lucene search
K
PtsecurityMost viewed

184321 matches found

Positive Technologies
Positive Technologies
•added 2026/05/26 12:0 a.m.•18 views

PT-2026-43403

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the component override system transpiles user-supplied TSX via Sucrase and evaluates it with new Function, shadowing dangerous globals fetch, window, eval, etc. with undefined. A static source validator...

9.3CVSS5.7AI score0.0023EPSS
Exploits0References2
Positive Technologies
Positive Technologies
•added 2026/05/26 12:0 a.m.•18 views

PT-2026-43406

MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.1, user passwords are stored using unsalted MD5 hashes, making them trivially crackable via rainbow tables or GPU-accelerated brute force hashcat. This vulnerability is fixed in 2.9.1...

6.9CVSS5.8AI score0.00083EPSS
Exploits0References2
Positive Technologies
Positive Technologies
•added 2026/05/26 12:0 a.m.•18 views

PT-2026-43438

Name of the Vulnerable Software and Affected Versions Samba affected versions not specified Description A flaw exists in the handling of certificate auto-enrollment Group Policy. When this feature is enabled, Samba may retrieve a CA certificate via an unencrypted HTTP connection and install it in...

8CVSS5.8AI score0.02669EPSS
Exploits0References103
Positive Technologies
Positive Technologies
•added 2026/05/26 12:0 a.m.•18 views

PT-2026-43452

TL;DR This vulnerability affects all Kirby sites on Kirby 5.3.0-5.4.0 and is independent from setup conditions and authentication. This vulnerability is of high severity for all Kirby sites. ---- Introduction Path traversal is a type of attack that allows to access arbitrary filesystem paths. By...

8.8CVSS6AI score0.00173EPSS
Exploits0References4
Positive Technologies
Positive Technologies
•added 2026/05/26 12:0 a.m.•18 views

PT-2026-43356

🚨 CVE-2026-48696 FastNetMon Community Edition through 1.2.9 has a buffer overflow, a different vulnerability than CVE-2026-48686 and CVE-2026-48689. 🎖@cveNotify...

6.2CVSS6AI score0.00124EPSS
Exploits0References4
Positive Technologies
Positive Technologies
•added 2026/05/26 12:0 a.m.•18 views

PT-2026-43399

Name of the Vulnerable Software and Affected Versions Lumiverse versions prior to 0.9.7 Description The consumeNonce function only verifies that a module-level variable is set and has not expired, failing to validate values from the incoming HTTP request or bind the nonce to the administrator's...

4.8CVSS5.8AI score0.00118EPSS
Exploits0References3
Positive Technologies
Positive Technologies
•added 2026/05/26 12:0 a.m.•18 views

PT-2026-44504

Name of the Vulnerable Software and Affected Versions FOSSBilling versions prior to 0.8.0 Description Authenticated sessions for client, staff, or admin accounts are not invalidated when the account is suspended or marked inactive. The session identity loaders in src/di.php loggedin client and...

8.7CVSS6AI score0.00235EPSS
Exploits0References9
Positive Technologies
Positive Technologies
•added 2026/05/26 12:0 a.m.•18 views

PT-2026-43348

Name of the Vulnerable Software and Affected Versions Chatwoot versions 2.2.0 through 4.11.1 Description An issue exists in the conversation and contact filter APIs where user-supplied values in the values field of the filter payload are interpolated directly into SQL queries without...

8.5CVSS6AI score0.00227EPSS
Exploits1References4
Positive Technologies
Positive Technologies
•added 2026/05/26 12:0 a.m.•18 views

PT-2026-43349

Chatwoot is a customer engagement suite. From 2.14.0 to before 4.13.0, a Pre-Account Takeover Pre-ATO vulnerability existed in Chatwoot's authentication flow. Because email confirmation was not enforced before an account became usable, an attacker could pre-register an email address they did not...

6.8CVSS5.8AI score0.00344EPSS
Exploits0References4
Positive Technologies
Positive Technologies
•added 2026/05/26 12:0 a.m.•18 views

PT-2026-43162

Name of the Vulnerable Software and Affected Versions Archive::Tar versions prior to 3.08 Description Archive::Tar for Perl allows the extraction of symlinks with attacker-controlled targets located outside the extraction directory. The function make special file passes the tar header's linkname ...

9.1CVSS5.8AI score0.0043EPSS
Exploits0References49
Positive Technologies
Positive Technologies
•added 2026/05/25 12:0 a.m.•18 views

PT-2026-43029

Name of the Vulnerable Software and Affected Versions SourceCodester Simple POS and Inventory System version 1.0 Description An issue exists in the GET Parameter Handler component where the delete function within the '/admin/deleteproduct.php' endpoint is susceptible to SQL injection. This occurs...

5.8CVSS5.8AI score0.00258EPSS
Exploits0References8
Positive Technologies
Positive Technologies
•added 2026/05/25 12:0 a.m.•18 views

PT-2026-42999

A vulnerability was determined in KLiK SocialMediaWebsite 1.0. This vulnerability affects the function uniqid of the file upload.inc.php of the component File Handler. This manipulation causes unrestricted upload. The attack can be initiated remotely. The exploit has been publicly disclosed and m...

7.5CVSS6.8AI score0.00293EPSS
Exploits0References3
Positive Technologies
Positive Technologies
•added 2026/05/25 12:0 a.m.•18 views

PT-2026-43087

A flaw has been found in dazeb markdown-downloader up to 3d4394b34b6c99d81af817623af55e3384df5a6a. Affected is the function download markdown/list downloaded files/create subdirectory of the file src/index.ts. Executing a manipulation can lead to path traversal. The attack can be launched remotel...

6.5CVSS6.3AI score0.00337EPSS
Exploits0References5
Positive Technologies
Positive Technologies
•added 2026/05/25 12:0 a.m.•18 views

PT-2026-43137

Name of the Vulnerable Software and Affected Versions Autoship Cloud for WooCommerce Subscription Products versions prior to 2.14.1 Description A missing authorization issue exists in the Autoship Cloud for WooCommerce Subscription Products plugin, which allows for the exploitation of incorrectly...

4.3CVSS5.8AI score0.002EPSS
Exploits0References4
Positive Technologies
Positive Technologies
•added 2026/05/25 12:0 a.m.•18 views

PT-2026-42979

A vulnerability was detected in Totolink A8000RU 7.1cu.643 b20200521. Affected by this issue is the function setStaticDhcpRules of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. The manipulation of the argument enable results in os command injection. The attack may be...

10CVSS7AI score0.01732EPSS
Exploits0References5
Positive Technologies
Positive Technologies
•added 2026/05/25 12:0 a.m.•18 views

PT-2026-42991

A security vulnerability has been detected in code-projects Employee Management System 1.0. This impacts an unknown function of the file /myprofile.php. Such manipulation of the argument ID leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed publicly...

5.3CVSS4.2AI score0.00263EPSS
Exploits0References5
Positive Technologies
Positive Technologies
•added 2026/05/25 12:0 a.m.•18 views

PT-2026-43077

A vulnerability was found in Tiandy Easy7 Integrated Management Platform 7.17.0. This vulnerability affects unknown code of the file /Easy7/apps/WebService/GetDBDataEx.jsp. Performing a manipulation of the argument strTBName results in sql injection. Remote exploitation of the attack is possible...

7.5CVSS6.8AI score0.00319EPSS
Exploits0References4
Positive Technologies
Positive Technologies
•added 2026/05/25 12:0 a.m.•18 views

PT-2026-43075

A vulnerability was detected in Edimax EW-7438RPn 1.31. Affected by this vulnerability is the function formWpsProxyEnable of the file /goform/formWpsProxyEnable. The manipulation of the argument submit-url results in stack-based buffer overflow. The attack can be launched remotely. The exploit is...

9CVSS7.9AI score0.00589EPSS
Exploits0References4
Positive Technologies
Positive Technologies
•added 2026/05/25 12:0 a.m.•18 views

PT-2026-43084

A security vulnerability has been detected in yashpokharna2555 StudentManagementSystem cb2f558ddf8d19396de0f92abf2d224d46a0a203. This affects the function confirm logged in of the file student trans.php. Such manipulation of the argument FIRST NAME/Last Name/EMAIL leads to sql injection. It is...

7.5CVSS6.9AI score0.00319EPSS
Exploits0References5
Positive Technologies
Positive Technologies
•added 2026/05/25 12:0 a.m.•18 views

PT-2026-43117

A vulnerability has been found in Dromara lamp-cloud up to 5.6.2. Impacted is the function GroovyClassLoader.parseClass of the component Message Template Handler. Such manipulation of the argument DefMsgTemplate.content leads to improper neutralization of special elements used in a template engin...

6.5CVSS6.2AI score0.00295EPSS
Exploits0References4
Positive Technologies
Positive Technologies
•added 2026/05/25 12:0 a.m.•18 views

PT-2026-42993

A cross-site scripting vulnerability exists in Aterm. Arbitrary scripts may be executed in the web browser of a user accessing the web management interface via adjacent network...

4.8CVSS5.6AI score0.00179EPSS
Exploits0References1
Positive Technologies
Positive Technologies
•added 2026/05/25 12:0 a.m.•18 views

PT-2026-43079

Name of the Vulnerable Software and Affected Versions Apache Syncope versions 3.0 through 3.0.16 Apache Syncope versions 4.0 through 4.0.5 Apache Syncope version 4.1.0 Description An administrator with adequate entitlements for Derived Schemas can create a malicious JEXL Java Expression Language...

4.9CVSS5.8AI score0.00436EPSS
Exploits0References7
Positive Technologies
Positive Technologies
•added 2026/05/25 12:0 a.m.•18 views

PT-2026-43071

Name of the Vulnerable Software and Affected Versions hackney versions 0 through 4.0.0 Description Improper Neutralization of CRLF Sequences allows HTTP Request Splitting. The software fails to percent-encode carriage return r or line feed characters in the URL query component before constructing...

7.5CVSS5.9AI score0.00421EPSS
Exploits1References9
Positive Technologies
Positive Technologies
•added 2026/05/24 12:0 a.m.•18 views

PT-2026-42950

Name of the Vulnerable Software and Affected Versions Edimax EW-7438RPn version 1.31 Description A stack-based buffer overflow can be executed remotely via the formHwSet function located in the '/goform/formHwSet' endpoint. This occurs through the manipulation of the Anntena, Mcs, regDomain,...

9CVSS7.5AI score0.00445EPSS
Exploits0References5
Positive Technologies
Positive Technologies
•added 2026/05/24 12:0 a.m.•18 views

PT-2026-42935

A vulnerability was found in yangzongzhuan RuoYi-Vue up to 3.9.2. Impacted is the function FileUploadUtils.upload of the file /common/upload of the component Common Upload Endpoint. Performing a manipulation results in unrestricted upload. The attack is possible to be carried out remotely. The...

6.5CVSS6.3AI score0.00195EPSS
Exploits0References3
Positive Technologies
Positive Technologies
•added 2026/05/24 12:0 a.m.•18 views

PT-2026-42925

Name of the Vulnerable Software and Affected Versions Ettercap versions prior to 0.8.4 Description A heap-based buffer overflow occurs in the GG Dissector component within the FUNC DECODER function of the src/dissectors/ec gg.c file. This issue is triggered by the manipulation of the gg argument...

6.3CVSS6.2AI score0.00319EPSS
Exploits0References11
Positive Technologies
Positive Technologies
•added 2026/05/23 12:0 a.m.•18 views

PT-2026-42872

Name of the Vulnerable Software and Affected Versions Nezha Monitoring versions 1.4.0 through 2.0.8 Description Authenticated non-admin members can connect to the server-status WebSocket endpoint '/api/v1/ws/server' and receive telemetry for all servers, including those owned by other users. Whil...

6.5CVSS5.2AI score0.0027EPSS
Exploits0References8
Positive Technologies
Positive Technologies
•added 2026/05/23 12:0 a.m.•18 views

PT-2026-42873

Name of the Vulnerable Software and Affected Versions Arcane versions prior to 1.19.2 Description The "PUT /api/environments/id/templates/variables" endpoint, used to write the system-wide .env.global file for variable substitution in project compose files, lacks an admin authorization check. Any...

8.8CVSS6.5AI score0.00245EPSS
Exploits0References10
Positive Technologies
Positive Technologies
•added 2026/05/22 12:0 a.m.•18 views

PT-2026-42721

An attacker sending tcp, il, rudp, rudp, or gre packets with a length less than the header size would trigger a kernel panic...

9.2CVSS5.8AI score0.00291EPSS
Exploits0References4
Positive Technologies
Positive Technologies
•added 2026/05/22 12:0 a.m.•18 views

PT-2026-42734

The Slider by Soliloquy – Responsive Image Slider for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.8.1 via the map meta cap. This makes it possible for authenticated attackers, with subscriber-level access and above, to...

4.3CVSS5.8AI score0.00236EPSS
Exploits0References9
Positive Technologies
Positive Technologies
•added 2026/05/22 12:0 a.m.•18 views

PT-2026-42831

Name of the Vulnerable Software and Affected Versions Docker Model Runner on macOS affected versions not specified Description The MLX inference backend uses the MLX-LM library, which imports and executes arbitrary Python files from model directories via the model file configuration field in the...

8.8CVSS6.3AI score0.00224EPSS
Exploits0References4
Positive Technologies
Positive Technologies
•added 2026/05/22 12:0 a.m.•18 views

PT-2026-42825

Name of the Vulnerable Software and Affected Versions TypeBot versions prior to 3.17.0 Description The WhatsApp Cloud API webhook endpoint 'POST /v1/workspaces/workspaceId/whatsapp/credentialsId/webhook' fails to verify the x-hub-signature-256 HMAC signature provided by Meta. Because the...

6.5CVSS5.8AI score0.0014EPSS
Exploits0References4
Positive Technologies
Positive Technologies
•added 2026/05/22 12:0 a.m.•18 views

PT-2026-42723

Name of the Vulnerable Software and Affected Versions WP Blockade versions prior to 0.9.15 Description The plugin is subject to Reflected Cross-Site Scripting, a flaw where an application includes untrusted data in a web page without proper validation, allowing attackers to execute scripts in the...

6.1CVSS5.9AI score0.00249EPSS
Exploits0References10
Positive Technologies
Positive Technologies
•added 2026/05/22 12:0 a.m.•18 views

PT-2026-42832

Name of the Vulnerable Software and Affected Versions TP-Link range extenders affected versions not specified Description An authentication logic flaw allows an unauthenticated attacker on an adjacent network to reset the administrator password due to insufficient validation of a login parameter...

8.8CVSS5.8AI score0.00398EPSS
Exploits0References15
Positive Technologies
Positive Technologies
•added 2026/05/22 12:0 a.m.•18 views

PT-2026-42800

An issue in ClipBucket v5 v.5.5.2 allows an attacker to execute arbitrary code via the Authentication interface, login page endpoint and HTTP response security headers components...

6.2AI score0.00324EPSS
Exploits0References2
Positive Technologies
Positive Technologies
•added 2026/05/22 12:0 a.m.•18 views

PT-2026-42848

Name of the Vulnerable Software and Affected Versions M365 Copilot affected versions not specified Description Improper neutralization of special elements used in a command, known as command injection, allows an unauthorized attacker to disclose information over a network. Recommendations At the...

7.5CVSS5.8AI score0.00503EPSS
Exploits0References5
Positive Technologies
Positive Technologies
•added 2026/05/22 12:0 a.m.•18 views

PT-2026-42728

The KIA Subtitle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's the-subtitle shortcode before and after attributes in all versions up to, and including, 4.0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This...

6.4CVSS6AI score0.00249EPSS
Exploits0References8
Positive Technologies
Positive Technologies
•added 2026/05/22 12:0 a.m.•18 views

PT-2026-42745

Name of the Vulnerable Software and Affected Versions Mattermost version 11.6.0 Mattermost version 11.5.3 Mattermost version 11.4.4 Mattermost version 10.11.14 Description Improper validation of file ownership and access control in the Boards API allows an authenticated user to access and downloa...

7.5CVSS5.8AI score0.00149EPSS
Exploits0References11
Positive Technologies
Positive Technologies
•added 2026/05/22 12:0 a.m.•18 views

PT-2026-42706

Name of the Vulnerable Software and Affected Versions The product name cannot be determined affected versions not specified Description An authenticated SSH client can cause unbounded memory growth by repeatedly opening channels that are rejected by the server. This leads to the server process...

6.5CVSS5.8AI score0.00196EPSS
Exploits0
Positive Technologies
Positive Technologies
•added 2026/05/21 12:0 a.m.•18 views

PT-2026-42614

📋 Reframing 2026-05-02: implicit unsafe remote-code path, not "supply-chain" The accurate description of this vulnerability is: "get model arch and related helpers hardcode trust remote code=True with no opt-out, creating an implicit unsafe remote-code load path on every model fetch." What this...

7.8CVSS6.5AI score
Exploits0References3
Positive Technologies
Positive Technologies
•added 2026/05/21 12:0 a.m.•18 views

PT-2026-42555

Name of the Vulnerable Software and Affected Versions Concrete CMS versions prior to 9.5.1 Description An inverted CSRF token check in the DeleteFile controller allows unauthorized file deletion. The system incorrectly throws an error when the token is valid and proceeds with the deletion process...

2.3CVSS5.8AI score0.00116EPSS
Exploits0References4
Positive Technologies
Positive Technologies
•added 2026/05/21 12:0 a.m.•18 views

PT-2026-42462

Name of the Vulnerable Software and Affected Versions WifiBurada versions prior to 21052026 Description Insufficiently protected credentials in WifiBurada allow for authentication bypass, which can lead to the exposure of private personal information to an unauthorized actor. Recommendations Upda...

7.1CVSS5.9AI score0.00224EPSS
Exploits0References3
Positive Technologies
Positive Technologies
•added 2026/05/21 12:0 a.m.•18 views

PT-2026-42549

Name of the Vulnerable Software and Affected Versions Concrete CMS versions prior to 9.5.1 Description A Cross-Site Request Forgery CSRF token validation bypass exists where the local available update.php view emits a token via $token-output'do update', but the do update function in...

8.8CVSS5.7AI score0.00132EPSS
Exploits0References4
Positive Technologies
Positive Technologies
•added 2026/05/21 12:0 a.m.•18 views

PT-2026-42463

Authorization bypass through User-Controlled key vulnerability in PosCube Hardware Software and Consulting Ltd. QR Menu allows Exploitation of Trusted Identifiers. This issue affects QR Menu: through 21052026. NOTE: The vendor was contacted early about this disclosure but did not respond in any w...

7.5CVSS5.8AI score0.00251EPSS
Exploits0References2
Positive Technologies
Positive Technologies
•added 2026/05/21 12:0 a.m.•18 views

PT-2026-42846

Name of the Vulnerable Software and Affected Versions Microsoft Copilot affected versions not specified Description Improper neutralization of special elements used in a command, known as command injection, allows an unauthorized attacker to perform tampering over a network. Recommendations At th...

9.4CVSS5.8AI score0.0042EPSS
Exploits0References7
Positive Technologies
Positive Technologies
•added 2026/05/21 12:0 a.m.•18 views

PT-2026-42493

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in circle.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm id POST parameter directly into an HTML form input value attribute. Attackers ca...

5.4CVSS5.8AI score0.00212EPSS
Exploits0References4
Positive Technologies
Positive Technologies
•added 2026/05/21 12:0 a.m.•18 views

PT-2026-42394

The Avada Fusion Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 3.15.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level...

6.4CVSS6AI score0.00337EPSS
Exploits0References4
Positive Technologies
Positive Technologies
•added 2026/05/21 12:0 a.m.•18 views

PT-2026-42533

The GSheet For Woo Importer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the process ajax restore action function in all versions up to, and including, 2.3.1. This makes it possible for authenticated attackers, with Subscriber-level access a...

4.3CVSS5.8AI score0.00192EPSS
Exploits0References3
Positive Technologies
Positive Technologies
•added 2026/05/21 12:0 a.m.•18 views

PT-2026-42659

Name of the Vulnerable Software and Affected Versions UniFi OS affected versions not specified Description An improper input validation issue exists in UniFi OS devices. A remote actor with network access can exploit this flaw to perform a command injection, which allows the execution of arbitrar...

10CVSS6.2AI score0.78555EPSS
Exploits2References52
Positive Technologies
Positive Technologies
•added 2026/05/21 12:0 a.m.•18 views

PT-2026-42666

Name of the Vulnerable Software and Affected Versions md-fileserver versions prior to 1.10.3 Description A cross-site scripting XSS issue exists in the Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML, such as tags or event handlers e.g., , is processed...

7.2CVSS5.5AI score0.00213EPSS
Exploits0References4
Total number of security vulnerabilities5000