PT-2026-48520

Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections. The statsd protocol and extensions such as dogstatsd allow mutiple metrics,separated by newlines, to be sent per packet. Metrics::Any::Adapter::DogStatsd which extends...

PT-2026-48160

A NULL pointer dereference in the gf odf vvc cfg write bs function odf/descriptors.c of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service DoS via supplying a crafted MP4 file...

PT-2026-47653

Spring MVC and WebFlux applications are vulnerable to Denial of Service DoS attacks when resolving static resources. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48...

PT-2026-47806

Name of the Vulnerable Software and Affected Versions Ivanti Sentry versions prior to R10.5.2 Ivanti Sentry versions prior to R10.6.2 Ivanti Sentry versions prior to R10.7.1 Description An OS command injection flaw allows a remote unauthenticated user to execute arbitrary code with root privilege...

PT-2026-48201

Shenzhen Tenda Technology Co., Ltd Tenda W15E v15.11.0.10 was discovered to contain a buffer overflow in the gotoUrl parameter of the formPortalAuth function. This vulnerability allows attackers to cause a Denial of Service DoS via a crafted HTTP request...

PT-2026-48287

CAI Content Credentials versions [email protected], c2pa-v0.80.1 and earlier are affected by an Uncontrolled Resource Consumption vulnerability. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this iss...

PT-2026-47996

Out-of-bounds read in Windows Hyper-V allows an unauthorized attacker to execute code locally...

PT-2026-47747

Name of the Vulnerable Software and Affected Versions TYPO3 CMS versions prior to 10.4.57 TYPO3 CMS versions 11.0.0 through 11.5.51 TYPO3 CMS versions 12.0.0 through 12.4.46 TYPO3 CMS versions 13.0.0 through 13.4.31 TYPO3 CMS versions 14.0.0 through 14.3.3 Description The cache frontend...

PT-2026-48097

Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's...

PT-2026-47800

Logseq is vulnerable to a sandbox escape flaw where plugins running in sandboxed iframes can inject arbitrary HTML attributes, such as event handlers, into their container element in the host DOM. Due to a disabled Content Security Policy CSP, this allows a malicious plugin to execute arbitrary...

PT-2026-47754

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description An issue exists in the KVM arm64 component where the kvm-arch.nested mmus array is accessed under the kvm-mmu lock, including within the MMU notifier path via the functions kvm unmap gfn...

PT-2026-47535

SAP MDG Review Match Groups Application does not perform the necessary authorization checks for authenticated users. This could allow a low-privileged user to perform actions that would otherwise be restricted, resulting in escalation of privileges. This has a low impact on integrity, while...

PT-2026-47837

Name of the Vulnerable Software and Affected Versions OpenSSL affected versions not specified Description A NULL pointer dereference can occur in a CMP client application when processing a crafted CMP response. An attacker controlling a CMP server or acting as a man-in-the-middle can send a CRMF...

PT-2026-47971

Name of the Vulnerable Software and Affected Versions .NET affected versions not specified Description Improper link resolution before file access, also known as link following, allows an unauthorized attacker to perform local tampering. Recommendations At the moment, there is no information abou...

PT-2026-48064

Name of the Vulnerable Software and Affected Versions Adobe Experience Manager versions 6.5.24 and earlier Adobe Experience Manager versions LTS SP1 and earlier Adobe Experience Manager versions 2026.04 and earlier Description A stored Cross-Site Scripting XSS issue allows a low-privileged attack...

PT-2026-48009

Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally...

PT-2026-48304

An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the filemd5 command...

PT-2026-48280

OSCAL-GUI contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious content through the project request parameter in oscal-forms.php. The parameter value is URL-decoded and assigned to...

PT-2026-48265

Name of the Vulnerable Software and Affected Versions Focus for iOS versions prior to 151.3.1 Klar for iOS versions prior to 151.3.1 Description Universal Cross-Site Scripting UXSS exists in the Webkit navigation of Focus for iOS and Klar for iOS. UXSS is a security flaw that allows an attacker t...

PT-2026-48164

An issue was discovered in bitbank2 AnimatedGIF v2.2.0. A buffer overflow in the DecodeLZW function allows remote attackers to cause a denial of service crash or potentially execute arbitrary code via a crafted GIF file...

PT-2026-47729

SQL injection in the ‘two steps auth code’ parameter processed by the ‘twoStepsAuthVerification’ function within the ‘/user-login’ endpoint. The two-factor authentication 2FA functionality can be accessed without prior authentication, allowing unauthenticated attackers to execute arbitrary SQL...

PT-2026-48251

Name of the Vulnerable Software and Affected Versions Acrobat Reader versions 24.001.30365 through 26.001.21651 Description A Use After Free issue exists in the AcroForm component, which could lead to arbitrary code execution in the context of the current user. This occurs when a victim opens a...

PT-2026-48256

Name of the Vulnerable Software and Affected Versions Acrobat Reader versions 24.001.30365 through 26.001.21651 Description An out-of-bounds read issue exists where the software reads data outside the intended boundary of a buffer, which can lead to the disclosure of sensitive memory. An attacker...

PT-2026-48290

Name of the Vulnerable Software and Affected Versions The product name cannot be determined affected versions not specified Description When OIDC OpenID Connect, an identity layer on top of the OAuth 2.0 protocol authentication is enabled in the configuration, unauthenticated clients can cause a...

PT-2026-48003

Name of the Vulnerable Software and Affected Versions Windows RDP affected versions not specified Description An out-of-bounds read in Windows Remote Desktop Protocol RDP allows an unauthenticated and unauthorized attacker to disclose information from memory over a network. Recommendations At the...

PT-2026-48007

Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code locally...

PT-2026-48244

This update for xen fixes the following issues: - CVE-2026-42487: x86 HVM I/O port list traversal bsc1266952. - CVE-2026-42488: x86: mismatched mapcache metadata bsc1266955. - CVE-2026-42489,CVE-2026-42490: domctl lock open to abuse bsc1266953...

PT-2026-47970

Improper authorization in .NET allows an authorized attacker to elevate privileges locally...

PT-2026-48318

Spring Data's internal property-lookup cache accepts and permanently retains attacker-supplied strings as cache keys, allowing heap exhaustion through repeated requests. Affected versions: Spring Data Commons 2.7.0 through 2.7.19; 3.3.0 through 3.3.16; 3.4.0 through 3.4.14; 3.5.0 through 3.5.11;...

PT-2026-47855

Name of the Vulnerable Software and Affected Versions OpenSSL affected versions not specified Description A signed integer overflow occurs when sizing the destination buffer for Unicode output in the ASN1 mbstring ncopy function, which can lead to a heap buffer overflow. This happens in ASN1...

PT-2026-47963

Name of the Vulnerable Software and Affected Versions Microsoft Office SharePoint affected versions not specified Description Improper neutralization of input during web page generation leads to cross-site scripting, which allows an authorized attacker to perform spoofing over a network. Cross-si...

PT-2026-47868

Improper handling of insufficient permissions or privileges in Microsoft Dynamics 365 on-premises allows an authorized attacker to elevate privileges over a network...

PT-2026-48011

Name of the Vulnerable Software and Affected Versions Active Directory Domain Services affected versions not specified Description A stack-based buffer overflow allows an authorized attacker to execute arbitrary code over a network, which can affect the system. A stack-based buffer overflow occur...

PT-2026-47697

Out-of-bounds write vulnerability in the IPC module. Impact: Successful exploitation of this vulnerability may affect availability...

PT-2026-47952

Improper neutralization of input during web page generation 'cross-site scripting' in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network...

PT-2026-48162

A NULL pointer dereference in the ctts box write function isomedia/box code base.c of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service DoS via supplying a crafted MP4 file...

PT-2026-47680

Name of the Vulnerable Software and Affected Versions WP-Ultimate-Map versions prior to 1.2 Description The plugin is subject to Cross-Site Request Forgery CSRF and Stored Cross-Site Scripting XSS. The issue occurs because the process init function, which is hooked to admin init, fails to validat...

PT-2026-47755

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description An issue exists in the Linux kernel where hugetlb VMA lock allocation is incorrectly handled during the mmap prepare stage. If an allocation fails after mmap prepare is called, it may...

PT-2026-48074

Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting XSS vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser...

PT-2026-48266

Evoluted PHP Directory Listing Script through 4.0.5 contains a reflected cross-site scripting vulnerability in index.php where the dir parameter value is reflected without HTML encoding inside the HTML title element and inside anchor href attributes in the breadcrumb navigation. Attackers can...

PT-2026-48136

InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file...

PT-2026-47923

Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally...

PT-2026-47643

In Micrometer, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service DoS condition. Affected versions: micrometer-core 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18; 1.9.0 through 1.9.17...

PT-2026-48291

In MongoDB Server 8.0, an aggregation stage can leave its subPipeline field null during processing of certain pipelines. If a getMore is subsequently issued on the same cursor, the server may dereference this null sub-pipeline when reattaching to the operation context, accessing an invalid addres...

PT-2026-48233

Name of the Vulnerable Software and Affected Versions QEMU affected versions not specified Description An integer overflow exists in the calc image hostmem function, which can lead to local privilege escalation. Recommendations At the moment, there is no information about a newer version that...

PT-2026-47793

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 7.0.12-1.1 Description An off-by-one error exists in the rockchip rkcif media component. The issue occurs due to incorrect comparisons using instead of = when accessing arrays, which can lead to accessing one...

PT-2026-47529

Name of the Vulnerable Software and Affected Versions SAP NetWeaver Application Server ABAP affected versions not specified SAP ABAP Platform affected versions not specified Description Improper RFC Remote Procedure Call protocol validation in the SAP Kernel allows an unauthenticated attacker to...

PT-2026-48177

Shenzhen Tenda Technology Co., Ltd Tenda W3 Wireless Router v1.0.0.32204 was discovered to contain a stack overflow in the wl radio parameter of the formwrlSSIDget function. This vulnerability allows attackers to cause a Denial of Service DoS via a crafted input...

PT-2026-47812

Improper neutralization of special elements used in an SQL command 'SQL injection' vulnerability in MOSK Information Technologies Ltd. CBS Platform allows SQL Injection. This issue affects CBS Platform: through 09062026. NOTE: The vendor was contacted and it was learned that the product is not...

PT-2026-48236

21 zero-day vulnerabilities in FFmpeg, the world’s most widely deployed media processing library, including a critical RCE-capable heap buffer overflow reachable with a single 183-byte network packet. The autonomous agent discovered vulnerabilities spanning the TS demuxer, VP9 decoder, RTP...