PT-2026-43258

Name of the Vulnerable Software and Affected Versions Mirasvit Full Page Cache Warmer for Magento 2 versions prior to 1.11.12 Description A PHP object injection issue exists due to the unrestricted use of the native unserialize function. Unauthenticated attackers can achieve remote code execution...

PT-2026-43392

Name of the Vulnerable Software and Affected Versions symfony/polyfill-intl-idn versions prior to 1.x Description The Idn::process function fails to enforce the validity criterion defined in UTS 46 revision 33 Section 4 step 4.1.2. Specifically, it does not verify that a label prefixed with xn--...

PT-2026-44401

Name of the Vulnerable Software and Affected Versions Notepad++ affected versions not specified Description Multiple issues exist in the software. The config.xml configuration file fails to neutralize special elements when processing the commandLineInterpreter parameter. Additionally, the...

PT-2026-43387

A vulnerability was detected in itsourcecode Student Transcript Processing System 1.0. This affects an unknown part of the file /admin/modules/student/index.php?view=view. Performing a manipulation of the argument studentId results in sql injection. The attack can be initiated remotely. The explo...

PT-2026-45146

Name of the Vulnerable Software and Affected Versions MariaDB server versions 10.6.1 through 10.6.25 MariaDB server versions 10.11.1 through 10.11.16 MariaDB server versions 11.4.1 through 11.4.10 MariaDB server versions 11.8.1 through 11.8.6 MariaDB server version 12.3.1 Description During the...

PT-2026-43303

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A null pointer dereference occurs in the Bluetooth L2CAP component within the l2cap sock new connection cb function. A null pointer dereference is a runtime error that happens when a...

PT-2026-43370

Name of the Vulnerable Software and Affected Versions IBM HTTP Server versions 8.5 and 9.0 IBM WebSphere Application Server versions 8.5 and 9.0 IBM WebSphere Application Server Liberty versions 8.5 and 9.0 Description IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty...

PT-2026-43332

Name of the Vulnerable Software and Affected Versions NVIDIA Display Driver for Windows and Linux affected versions not specified Description An issue exists where an attacker could leak held driver locks, which may lead to a denial of service a condition where users are unable to access a system...

PT-2026-45149

Name of the Vulnerable Software and Affected Versions MariaDB server versions 10.6.1 through 10.6.25 MariaDB server versions 10.11.1 through 10.11.16 MariaDB server versions 11.4.1 through 11.4.10 MariaDB server versions 11.8.1 through 11.8.6 MariaDB server version 12.3.1 Description The mbstream...

PT-2026-43406

MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.1, user passwords are stored using unsalted MD5 hashes, making them trivially crackable via rainbow tables or GPU-accelerated brute force hashcat. This vulnerability is fixed in 2.9.1...

PT-2026-43297

Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, in engine/luahandler.go, the sync.RWMutex protecting LoadCommonFunctions is released before L.Push and L.PCall execute. Since gopher-lua's LState is explicitly not goroutine-safe, concurrent requests race on the shared state...

PT-2026-43318

Name of the Vulnerable Software and Affected Versions The product name cannot be determined affected versions not specified Description An improper access check allows low privileged users to edit the task types of existing scheduler tasks. Recommendations At the moment, there is no information...

PT-2026-47095

Versions of the package raysan5/raylib before 4.5.0 are vulnerable to Cross-site Scripting XSS such that the SetClipboardText API does not properly escape the ' character, allowing attacker-controlled input to break out of the string and execute arbitrary JavaScript via emscripten run script...

PT-2026-43425

Name of the Vulnerable Software and Affected Versions Vanetza versions 26.02 and earlier Description A denial-of-service issue exists in the cryptographic verification pipeline. When processing incoming V2X messages, the ASN.1 decoder accepts structures as syntactically valid even if semantic...

PT-2026-43415

A vulnerability was identified in JeecgBoot up to 3.9.1. The impacted element is an unknown function of the file /sys/comment/add. Such manipulation leads to improper access controls. The attack can be executed remotely. The exploit is publicly available and might be used. Upgrading to version...

PT-2026-43237

When the Identity Awareness blade is enabled with Browser-Based Authentication, an unauthenticated user may be able to read certain internal files on the Security Gateway...

PT-2026-43396

Name of the Vulnerable Software and Affected Versions MaxKB versions prior to 2.8.1 Description An issue exists in the OSS file service URL fetch endpoint "chat/api/oss/get url" where inconsistent URL parsing between the urlparse validation function and the requests HTTP client allows for a...

PT-2026-43316

Name of the Vulnerable Software and Affected Versions The product name cannot be determined affected versions not specified Description An improper access check allows privilege escalation through the com users batch task. Recommendations At the moment, there is no information about a newer versi...

PT-2026-43367

Name of the Vulnerable Software and Affected Versions IBM HTTP Server version 8.5 IBM HTTP Server version 9.0 Description An issue exists that allows a denial of service via the optional module mod mem cache. Recommendations Restrict the use of the mod mem cache module to minimize the risk of...

PT-2026-47101

A flaw was found in OpenJPEG’s encoder. This flaw allows an attacker to pass specially crafted x,y offset input to OpenJPEG to use during encoding. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability...

PT-2026-43417

A weakness has been identified in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This impacts an unknown function of the file /index.php of the component SQL Handler. Executing a manipulation can lead to information exposure through error message. The attack may be...

PT-2026-47106

A flaw was found in openjpeg's src/lib/openjp2/t2.c in versions prior to 2.4.0. This flaw allows an attacker to provide crafted input to openjpeg during conversion and encoding, causing an out-of-bounds write. The highest threat from this vulnerability is to confidentiality, integrity, as well as...

PT-2026-43267

e107 is a content management system CMS. Prior to 2.3.4, a Host Header Injection vulnerability in the password reset page allows attackers to manipulate the Host header to generate password reset links pointing to attacker-controlled domains. This can lead to phishing attacks, account takeover, o...

PT-2026-43206

Name of the Vulnerable Software and Affected Versions Magentech SW Core versions prior to 1.7.18 Description Improper Control of Filename for Include/Require Statement in PHP Program PHP Remote File Inclusion allows for PHP Local File Inclusion. This occurs when the application fails to properly...

PT-2026-43390

CISA added an actively exploited Drupal SQL injection to its KEV catalog and gave federal agencies until Wednesday evening to patch. If you're running Drupal in production and haven't patched CVE-2025-50329, you're exposed to trivial database compromise. No auth required. cybersecurity infosec...

PT-2026-47112

OpenJPEG is an open-source JPEG 2000 codec. In OpenJPEG from 2.5.1 through 2.5.3, a call to opj jp2 read header may lead to OOB heap memory write when the data stream p stream is too short and p image is not initialized...

PT-2026-43423

A logic issue was addressed with improved restrictions. This issue is fixed in macOS Tahoe 26. An app may be able to access sensitive user data...

PT-2026-47100

A heap-buffer overflow was found in the way openjpeg2 handled certain PNG format files. An attacker could use this flaw to cause an application crash or in some cases execute arbitrary code with the permission of the user running such an application...

PT-2026-47097

A vulnerability was identified in raysan5 raylib up to 909f040. Affected by this issue is the function LoadFontData of the file src/rtext.c. The manipulation leads to integer overflow. The attack can only be performed from a local environment. The exploit is publicly available and might be used...

PT-2026-43245

A vulnerability was identified in vllm-project vllm 0.19.0. This issue affects some unknown processing of the component OpenAI-compatible Serving Path. Such manipulation leads to denial of service. It is possible to launch the attack remotely. The exploit is publicly available and might be used...

PT-2026-43280

IBM watsonx.data 2.2 through 2.3.1 IBM Lakehouse does not properly restrict inbound and outbound connections which could allow an attacker to transfer or modify files without restrictions...

PT-2026-43339

Name of the Vulnerable Software and Affected Versions NVIDIA Display Driver for Linux affected versions not specified Description An out-of-bounds read issue exists, which occurs when a program reads data outside the intended boundary of a buffer. This could allow a user to cause a denial of...

PT-2026-43340

Name of the Vulnerable Software and Affected Versions NVIDIA Display Driver for Linux affected versions not specified Description An issue exists in the Multi-Instance GPU MIG partition management due to insecure default initialization of memory subsystem routing resources. This flaw can result i...

PT-2026-43446

Summary An authorization bypass in the /api/getTagValue endpoint allows unauthenticated access to tag values when the referenced script does not exist. Details The issue is caused by the combination of these code paths: - server/api/apikeys/verify-api-or-token.js:45 sends requests without x-api-k...

PT-2026-43447

Summary An unauthenticated Remote Code Execution vulnerability exists in FUXA when secureEnabled is set to true. The POST /api/runscript endpoint checks authorization against the stored script's permission by ID, but when test: true is set in the request, it compiles and executes attacker-supplie...

PT-2026-43265

Name of the Vulnerable Software and Affected Versions Apache Flink Kubernetes Operator versions 1.3.0 through 1.14.x Description A Server-Side Request Forgery SSRF and local file access issue exists where the jarURI in FlinkSessionJob is not validated. This allows a user with CR create permission...

PT-2026-45147

Name of the Vulnerable Software and Affected Versions MariaDB server versions 11.4.1 through 11.4.10 MariaDB server versions 11.8.1 through 11.8.6 MariaDB server version 12.3.1 Description A user granted EXECUTE access to a stored routine through a role can view the routine definition, even if th...

PT-2026-43452

TL;DR This vulnerability affects all Kirby sites on Kirby 5.3.0-5.4.0 and is independent from setup conditions and authentication. This vulnerability is of high severity for all Kirby sites. ---- Introduction Path traversal is a type of attack that allows to access arbitrary filesystem paths. By...

PT-2026-45151

Name of the Vulnerable Software and Affected Versions MariaDB versions 10.6.1 through 10.6.25 MariaDB versions 10.11.1 through 10.11.16 MariaDB versions 11.4.1 through 11.4.10 MariaDB versions 11.8.1 through 11.8.6 MariaDB version 12.3.1 Description MariaDB allows the execution of 'SELECT ... INT...

PT-2026-43410

A vulnerability was found in JeecgBoot up to 3.9.1. Impacted is the function user.getUsername of the file /sys/user/login/setting/userEdit of the component SysUser. The manipulation of the argument userIdentity results in improper access controls. The attack may be launched remotely. The exploit...

PT-2026-43408

Uncontrolled Resource Consumption vulnerability in oban-bg oban web 'Elixir.Oban.Web.CronExpr' modules allows memory exhaustion via unbounded cron range expansion. An attacker with access to schedule cron jobs can submit a malicious cron expression such as "0 0 1-100000000 ". When a user with...

PT-2026-43346

FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, AccessControlInterceptor, the authentication gate for all Struts2 actions, unconditionally calls invocation.invoke without checking for a valid session. Four action methods in BoilerPlateConfig perform no local...

PT-2026-43328

A vulnerability was determined in haojing8312 WorkClaw up to 0.6.4. This affects the function is dangerous of the file apps/runtime/src-tauri/src/agent/tools/bash.rs of the component Blacklist Handler. Executing a manipulation can lead to os command injection. The attack can be executed remotely...

PT-2026-43164

A vulnerability was identified in hemant6488 CodeIgniter-StudentManagementSystem. The impacted element is the function addStudent of the file view students.php of the component Students Controller. The manipulation of the argument Name leads to cross site scripting. The attack is possible to be...

PT-2026-43354

Name of the Vulnerable Software and Affected Versions FastNetMon Community Edition versions prior to 1.3.0 Description A configuration injection issue exists in the Juniper router integration plugin. In the file src/juniper plugin/fastnetmon juniper.php, the variable IP ATTACK received from argv1...

PT-2026-43349

Chatwoot is a customer engagement suite. From 2.14.0 to before 4.13.0, a Pre-Account Takeover Pre-ATO vulnerability existed in Chatwoot's authentication flow. Because email confirmation was not enforced before an account became usable, an attacker could pre-register an email address they did not...

PT-2026-43239

A Check Point HTTP-based service can incorrectly handle malformed HTTP requests. The issue is related to HTTP request parsing and validation...

PT-2026-43188

A weakness has been identified in Totolink CA750-PoE 6.2c.510. Impacted is the function setUpgradeUboot of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. This manipulation of the argument FileName causes os command injection. The attack is possible to be carried out remotely. The...

PT-2026-43198

The affected products insufficiently verify authorization when deleting user accounts. An authenticated, low-privileged remote user can exploit this vulnerability to delete other users, including those with higher privileges...

PT-2026-43271

Name of the Vulnerable Software and Affected Versions FastNetMon Community Edition versions prior to 1.2.10 Description An out-of-bounds read exists in the NetFlow v9 options template parser. In the process netflow v9 options template function, the scope parsing loop iterates until scopes offset...