Lucene search
K
PtsecurityRecent

184427 matches found

Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.5 views

PT-2026-52874

Crawl4AI before 0.8.7 contains a stored cross-site scripting vulnerability in the monitor dashboard that renders crawl URLs and error messages via innerHTML without escaping. An attacker can submit a crafted crawl request with malicious markup that executes in an operator's browser when viewing t...

5.3CVSS5.6AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.18 views

PT-2026-51498

Name of the Vulnerable Software and Affected Versions ProfileGrid versions prior to 5.9.9.3 Description The ProfileGrid plugin for WordPress contains a Stored Cross-Site Scripting issue due to insufficient input sanitization and output escaping. Authenticated attackers with Subscriber-level acces...

6.4CVSS6AI score0.00201EPSS
Exploits0References12
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.16 views

PT-2026-51481

Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter. When no state generator is specified in the constructor, the module defaults to using a SHA-1 hash of predictable and low-entropy sources, including the epoch time which is leaked via t...

9.1CVSS5.4AI score0.00339EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.6 views

PT-2026-55574

This update for podman rebuilds it against the current go security release...

5.9AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.9 views

PT-2026-51500

Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2 Description An authorization bypass exists in the 'POST /private/role bindings' endpoint. The system fails to verify the ownership of the app id during the creation of app-scoped role bindings. This allows an...

8.6CVSS5.8AI score0.00356EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.15 views

PT-2026-51635

Impact OctoPrint versions up until and including 1.11.7 as well as 2.0.0rc1 and 2.0.0rc2 contain a vulnerability that allows an attacker with the FILE UPLOAD permission to exfiltrate files from the host that OctoPrint has read access to, by moving them into the upload folder where they then can b...

7CVSS5.8AI score0.00256EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.4 views

PT-2026-55662

Summary The Meet plugin stores the raw HTTP User-Agent header of every meeting participant and later renders it without output encoding in the meeting-management "Participants" panel that the meeting host and site administrators open. An anonymous, unauthenticated attacker can join any public...

6.4CVSS6.2AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.11 views

PT-2026-51587

Name of the Vulnerable Software and Affected Versions Ansible affected versions not specified Description In the plugins/modules/nexmo.py module, the api key and api secret variables are marked as no log=True to prevent them from being logged. However, these credentials are URL-encoded and includ...

6.5CVSS5.8AI score0.00287EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.10 views

PT-2026-51493

picklescan before 0.0.28 fails to detect malicious torch.jit.unsupported tensor ops.execWrapper function calls embedded in pickle files. Attackers can craft malicious pickle files that bypass picklescan detection and execute arbitrary code when loaded via pickle.load...

8.1CVSS6.2AI score0.00379EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.16 views

PT-2026-51513

Name of the Vulnerable Software and Affected Versions ImageMagick versions prior to 7.1.2-15 ImageMagick versions prior to 6.9.13-40 Description A heap use-after-free exists in the meta coder. This occurs when memory allocation fails and a single byte is written to a stale pointer. Remote attacke...

6.3CVSS5.8AI score0.00184EPSS
Exploits0References78
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.16 views

PT-2026-51511

Capgo before 12.128.2 contains an information disclosure vulnerability in the unauthenticated /updates endpoint that resolves the defaultChannel parameter before enforcing privacy restrictions, allowing attackers to enumerate private channels and leak version/config state. Unauthenticated attacke...

8.7CVSS5.9AI score0.00334EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.9 views

PT-2026-51642

Name of the Vulnerable Software and Affected Versions Snipe-IT affected versions not specified Description An authorization bypass exists in the BulkAssetsController::update function. The system accepts the company id variable directly from user input without utilizing the standard company-scopin...

6.3CVSS5.9AI score
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.8 views

PT-2026-51620

Name of the Vulnerable Software and Affected Versions Snipe-IT versions prior to 8.5.0 Description A missing authorization issue allows a user with permissions to edit other users to reset the two-factor authentication 2FA of a superadmin. Recommendations Update to version 8.5.0...

5.8CVSS5.9AI score0.00019EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.10 views

PT-2026-51641

Name of the Vulnerable Software and Affected Versions mise versions 2026.3.15 through 2026.6.3 Description mise loads the github.credential command setting from local project configuration files before any trust decision is made. When resolving a GitHub token, the software executes the value of...

6.3CVSS6.2AI score0.00159EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.8 views

PT-2026-51634

Name of the Vulnerable Software and Affected Versions Gogs versions prior to 0.14.3 Description The Jupyter Notebook ipynb sanitizer endpoint at 'POST /-/api/sanitize ipynb' allows arbitrary data: URIs without proper restrictions, which can lead to Cross-Site Scripting XSS. The endpoint utilizes...

6.4CVSS6AI score0.00677EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.32 views

PT-2026-51630

Name of the Vulnerable Software and Affected Versions Gogs versions prior to 0.14.3 Description Git LFS storage is content-addressed by OID Object Identifier alone, while per-repository authorization is managed in the lfs object table. The serveUpload function skips the re-upload process when an...

7.1CVSS5.8AI score0.00236EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.24 views

PT-2026-51458

Name of the Vulnerable Software and Affected Versions Gogs versions prior to 0.14.3 Description Organization team member management can be performed via GET requests without Cross-Site Request Forgery CSRF protection. CSRF is a security flaw where an attacker tricks a logged-in user into executin...

8.8CVSS6AI score0.00248EPSS
Exploits0References14
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.11 views

PT-2026-51632

Name of the Vulnerable Software and Affected Versions Gogs versions prior to 0.14.3 Description The built-in Go SSH server in Gogs is subject to an unauthenticated, asymmetric Denial of Service DoS attack. The application accepts inbound TCP connections and passes them to the ssh.NewServerConn...

6.9CVSS5.9AI score0.00547EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.6 views

PT-2026-51623

Name of the Vulnerable Software and Affected Versions Gogs affected versions not specified Description A Server-Side Request Forgery SSRF issue exists in the repository migration functionality. The application validates the hostname of the initially submitted URL against a blocklist of local and...

8.7CVSS5.9AI score0.00384EPSS
Exploits0References13
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.9 views

PT-2026-51628

Name of the Vulnerable Software and Affected Versions Gogs affected versions not specified Description Gogs contains an authorization bypass in its Git Smart HTTP handler for repository RPCs. The system determines the authorization policy based on the client-supplied service query parameter rathe...

7.1CVSS6AI score0.00427EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.12 views

PT-2026-51624

Name of the Vulnerable Software and Affected Versions Gogs versions prior to 0.14.3 Description Authenticated users can achieve Remote Code Execution RCE on the server during the "Rebase before merging" operation in pull requests. The issue stems from improper argument handling where the base...

9.9CVSS6.2AI score0.01029EPSS
Exploits0References14
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.16 views

PT-2026-51459

Name of the Vulnerable Software and Affected Versions Gogs affected versions not specified Description An information disclosure issue exists in the Mirror Settings functionality, which allows authenticated users to import local repositories from the server filesystem. This occurs due to a lack o...

8.1CVSS5.8AI score0.00569EPSS
Exploits0References11
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.6 views

PT-2026-51520

Name of the Vulnerable Software and Affected Versions dnsmasq affected versions not specified Description An out-of-bounds read occurs in the find soa function within src/rfc1035.c. During the parsing of NS section records, the extract name function is called with extrabytes=0, which fails to...

5.3CVSS6AI score0.00239EPSS
Exploits0References13
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.10 views

PT-2026-51554

Name of the Vulnerable Software and Affected Versions Revive Adserver versions prior to 6.0.7 Description Insufficient validation of user input during the process of saving delivery limitations allows a low-privileged user to inject malicious PHP code into the compiledlimitations database field v...

8.8CVSS6.8AI score0.00499EPSS
Exploits2References10
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.13 views

PT-2026-51551

A missing access control check when linking trackers to campaigns through the campaign-trackers.php script of Revive Adserver 6.0.6 and earlier could allow a low‑privileged user to link their trackers to campaigns owned by other managers on the same instance, resulting in inconsistent ownership...

4.3CVSS5.8AI score0.00235EPSS
Exploits2References1
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.9 views

PT-2026-51590

Name of the Vulnerable Software and Affected Versions GStreamer gst-plugins-bad affected versions not specified Description A flaw in the gst-plugins-bad package occurs when processing a specially crafted H.264 video file containing malformed Multiview Video Coding MVC or Scalable Video Coding SV...

4.4CVSS5.8AI score0.00119EPSS
Exploits0References15
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.14 views

PT-2026-51470

Name of the Vulnerable Software and Affected Versions FAST/TOOLS versions R9.01 through R10.04 CI Server versions R1.01 through R1.04 Description The web server may return a response containing CI Server setting information, which could be exploited by an attacker to facilitate further attacks...

8.2CVSS5.8AI score0.00217EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.10 views

PT-2026-51478

Name of the Vulnerable Software and Affected Versions Frontend File Manager Plugin versions prior to 23.7 Description Insufficient sanitization and escaping of filenames submitted to the frontend file-rename endpoint allows a Stored Cross-Site Scripting XSS issue. This occurs when the filename is...

5.4CVSS5.8AI score0.00133EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.6 views

PT-2026-51614

Summary Description An insufficient authorization CWE-285 and information exposure CWE-200 issue in OpenAM's session management endpoint allows a low-privileged authenticated user to retrieve active session credentials belonging to other users, including those with higher privileges. This affects...

9.8CVSS7.2AI score0.01978EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.13 views

PT-2026-51572

Name of the Vulnerable Software and Affected Versions OpenStack Swift versions prior to 2.37.2 Description The proxy-server fails to strip internal update headers from client requests before forwarding them to object-servers. An authenticated user with write access can inject the headers...

5.4CVSS6AI score0.00146EPSS
Exploits1References8
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.12 views

PT-2026-51559

A missing validation of user input exists when saving delivery limitations in Revive Adserver 6.0.6 and earlier. A low‑privileged user could add an unexpected component parameter and inject malicious PHP code into the compiledlimitations field, which would then be executed during banner delivery...

8.8CVSS6.6AI score0.0045EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.10 views

PT-2026-51515

Grav before 2.0.0-beta.2 contains an XML external entity injection vulnerability in SVG file upload processing that allows authenticated attackers to read arbitrary files. The application uses simplexml load string without disabling external entity loading, enabling attackers to inject XXE payloa...

7.1CVSS6AI score0.00233EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.13 views

PT-2026-51608

Name of the Vulnerable Software and Affected Versions FlatPress versions prior to commit 10be83c Description A stored cross-site scripting issue exists in comment and contact forms. The name, URL, and email fields are rendered without proper output encoding in Smarty templates. This allows...

8.4CVSS5.9AI score0.00243EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.8 views

PT-2026-51621

Name of the Vulnerable Software and Affected Versions Gogs versions prior to 0.14.3 Description An open redirect issue exists where attacker-controlled redirect to parameters can bypass validation, allowing redirection to arbitrary external sites. This occurs in all redirects validated via the...

5.4CVSS6AI score0.00554EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.7 views

PT-2026-51647

Summary The ActionHandler.post method in motionEye has no authentication decorator, allowing any unauthenticated attacker to trigger camera actions including snapshots, recording start/stop, and configured action scripts PTZ controls, alarm triggers, etc.. Vulnerability Details File:...

5.3CVSS5.9AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.15 views

PT-2026-51592

Name of the Vulnerable Software and Affected Versions foreman-mcp-server affected versions not specified Description Two distinct logging mechanisms in the software can expose sensitive session and authentication data. One mechanism logs session identifiers, which function as authentication...

6.2CVSS5.8AI score0.00152EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.11 views

PT-2026-51625

Name of the Vulnerable Software and Affected Versions Gogs affected versions not specified Gitea affected versions not specified Description A stored DOM-based Cross-Site Scripting XSS issue exists where an attacker can store an HTML or JavaScript payload in a milestone name. When a user opens th...

4.8CVSS6AI score0.00483EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.11 views

PT-2026-51633

Name of the Vulnerable Software and Affected Versions Gogs versions prior to 0.14.3 Description Gogs contains an information disclosure issue where the 'GET /api/v1/orgs/:orgname/teams' endpoint returns all teams for any organization without requiring authentication. This occurs because the route...

6.9CVSS5.9AI score0.01553EPSS
Exploits0References11
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.12 views

PT-2026-51573

Name of the Vulnerable Software and Affected Versions GNU libidn versions prior to 1.44 Description An issue exists in the ToUnicode APIs due to mishandling in the idna to unicode internal function, which can lead to out-of-bounds reads of uninitialized memory. Recommendations Update to version...

4CVSS5.8AI score0.0011EPSS
Exploits1References12
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.17 views

PT-2026-51583

Name of the Vulnerable Software and Affected Versions rtk versions prior to 0.42.2 Description A flaw in the permission splitter logic fails to conservatively split or reject certain Bash shell constructs that create command-execution boundaries or nested execution. This improper input validation...

7.8CVSS6.2AI score0.00128EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.10 views

PT-2026-51557

A missing access control check when invoking various modify methods in the XML‑RPC API of Revive Adserver 6.0.6 and earlier. The API allowed entities to be reassigned to different parent entities, leading to inconsistent ownership relationships. This issue was exploitable only in combination with...

4.3CVSS5.8AI score0.00235EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.9 views

PT-2026-51480

An high privileged remote attacker can access a hidden configuration method, that should not be accessible by any user, to modify critical program parameters. This can result in a total loss of confidentiality, integrity and availability...

8.6CVSS6AI score0.00306EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.28 views

PT-2026-51499

Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 and Plug.Conn.Query.decode each/2 parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many...

8.7CVSS5.9AI score0.00707EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.10 views

PT-2026-51639

Summary The fix for CVE-2026-33482 GHSA-pmj8-r2j7-xg6c is incomplete. That advisory reported that sanitizeFFmpegCommand plugin/API/standAlone/functions.php failed to strip $... command substitution, allowing OS command injection at the execAsync sh -c sink. The fix commit 25c8ab90 added $, , , , ...

8.1CVSS6.2AI score0.02061EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.8 views

PT-2026-51617

Name of the Vulnerable Software and Affected Versions opentelemetry-ebpf-profiler versions prior to 0.0.202622 Description An unprivileged process can cause a denial of service on the ebpf-profiler agent by triggering the processPIDEvents goroutine to block indefinitely. This occurs when the...

6.2CVSS5.9AI score0.00017EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.15 views

PT-2026-51522

🚨 CVE-2026-35018 NetComm NF20MESH routers running firmware R6B031 and earlier contain an authenticated remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands as root by injecting shell metacharacters into the username JSON parameter processed by the...

8.8CVSS6.6AI score0.00664EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.15 views

PT-2026-51563

Name of the Vulnerable Software and Affected Versions dhcpcd versions prior to 10.3.2 Description A one-byte stack out-of-bounds write exists in the dhcp6 makemessage function within src/dhcp6.c. Unauthenticated attackers on the same link can trigger this by serializing an oversized RFC6603 OPTIO...

6.5CVSS5.9AI score0.00175EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.11 views

PT-2026-51565

Name of the Vulnerable Software and Affected Versions dhcpcd versions prior to 10.3.2 Description An issue in the IPv6 Router Advertisement route information handling allows an unauthenticated attacker on the same link to cause a denial of service. By repeatedly sending crafted Router...

7.1CVSS5.7AI score0.00187EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.5 views

PT-2026-55562

This update for sg3 utils fixes the following issues: - sg inq: --export output conformance for SCSI name string and ATA fields bsc1267823 - rescan-scsi-bus.sh: quote $id serial in findmultipath call bsc1268201...

5.9AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.12 views

PT-2026-51477

The Simple Basic Contact Form WordPress plugin through 20250114 does not escape user-supplied input before reflecting it into the contact form output on validation errors, leading to a Reflected Cross-Site Scripting vulnerability that unauthenticated attackers can exploit against site visitors vi...

5.7AI score0.00156EPSS
Exploits0References2
Total number of security vulnerabilities184427