
175414 matches found

Positive Technologies
added 2026/05/26 12:0 a.m. | 9 views

PT-2026-43356

🚨 CVE-2026-48696 FastNetMon Community Edition through 1.2.9 has a buffer overflow, a different vulnerability than CVE-2026-48686 and CVE-2026-48689. 🎖@cveNotify...

CVSS 6.2 | AI score 6 | EPSS 0.00017
Exploits: 0 | References: 4

Positive Technologies
added 2026/05/26 12:0 a.m. | 8 views

PT-2026-43257

Karakeep is a self-hostable bookmark-everything app. A Server-Side Request Forgery (SSRF) protection bypass vulnerability was identified in versions prior to 0.32.0 affecting redirect-following processing components. Although the application implements protections intended to prevent requests toward...

CVSS 7.6 | AI score 5.8 | EPSS 0.00041
Exploits: 0 | References: 2

Positive Technologies
added 2026/05/26 12:0 a.m. | 7 views

PT-2026-43263

Name of the Vulnerable Software and Affected Versions: Genetec RabbitMQ (affected versions not specified)
Description: A high-severity issue in the deployment of Genetec RabbitMQ that enables a privilege escalation attack, allowing an attacker to gain higher levels of permissions than intended...

CVSS 7.8 | AI score 5.5 | EPSS 0.00012
Exploits: 0 | References: 7

Positive Technologies
added 2026/05/26 12:0 a.m. | 5 views

PT-2026-43444

Name of the Vulnerable Software and Affected Versions: Yamcs versions prior to 5.12.7; Yamcs versions prior to 5.13.0
Description: An LDAP injection occurs in org.yamcs.security.LdapAuthModule during the construction of search filters. The username parameter is inserted directly into the LDAP filter...

CVSS 4.3 | AI score 5.4 | EPSS 0.00815
Exploits: 2 | References: 7

Positive Technologies
added 2026/05/26 12:0 a.m. | 8 views

PT-2026-43283

Name of the Vulnerable Software and Affected Versions: IBM Cloud Pak for Data System - Cyclops versions 11.3.0.2 through Interim Fix 002
Description: IBM Cloud Pak for Data System uses default passwords from the manufacturing process during the installation process, which could allow an attacker to...

CVSS 7.5 | AI score 5.8 | EPSS 0.00044
Exploits: 0 | References: 3

Positive Technologies
added 2026/05/26 12:0 a.m. | 6 views

PT-2026-43166

Name of the Vulnerable Software and Affected Versions: Archive::Tar versions prior to 3.10
Description: Archive::Tar for Perl allows memory exhaustion when processing a tar header with an attacker-controlled entry size field. The read tar function reads each entry's payload using $handle-read$$data...

CVSS 7.5 | AI score 5.4 | EPSS 0.00037
Exploits: 0 | References: 14

Positive Technologies
added 2026/05/26 12:0 a.m. | 4 views

PT-2026-47096

A vulnerability was determined in raysan5 raylib up to 909f040. Affected by this vulnerability is the function GenImageFontAtlas of the file src/rtext.c. Executing a manipulation can lead to heap-based buffer overflow. The attack can only be executed locally. The exploit has been publicly disclos...

AI score 5.6
Exploits: 0 | References: 10

Positive Technologies
added 2026/05/26 12:0 a.m. | 8 views

PT-2026-43162

Name of the Vulnerable Software and Affected Versions: Archive::Tar versions prior to 3.08
Description: Archive::Tar for Perl allows the extraction of symlinks with attacker-controlled targets located outside the extraction directory. The function make special file passes the tar header's linkname ...

CVSS 9.1 | AI score 5.8 | EPSS 0.00052
Exploits: 0 | References: 9

Positive Technologies
added 2026/05/26 12:0 a.m. | 7 views

PT-2026-43374

Name of the Vulnerable Software and Affected Versions: IBM Engineering Lifecycle Management versions 7.0.3 Interim Fix 001 through Interim Fix 021; IBM Engineering Lifecycle Management versions 7.1.0 Interim Fix 001 through Interim Fix 009; IBM Engineering Lifecycle Management versions 7.2.0 through...

CVSS 7.1 | AI score 5.8 | EPSS 0.00022
Exploits: 0 | References: 2

Positive Technologies
added 2026/05/26 12:0 a.m. | 10 views

PT-2026-43203

Name of the Vulnerable Software and Affected Versions: MediaArea MediaInfoLib (affected versions not specified)
Description: A heap buffer overflow occurs during the parsing of ID3v2 tags. A heap buffer overflow is a memory corruption issue that happens when a program writes more data to a...

CVSS 7.8 | AI score 6 | EPSS 0.00021
Exploits: 1 | References: 4

Positive Technologies
added 2026/05/26 12:0 a.m. | 7 views

PT-2026-43391

Name of the Vulnerable Software and Affected Versions: Gitea versions prior to 1.26.2; Forgejo versions prior to 1.26.2
Description: An access control issue in the container registry allows unauthenticated remote attackers to pull private container images without credentials. The system failed to...

AI score 6 | EPSS 0.00044
Exploits: 1 | References: 26

Positive Technologies
added 2026/05/26 12:0 a.m. | 9 views

PT-2026-44504

CVE-2026-43919 - Apache HTTP Server Remote Code Execution Vulnerability
CVE ID: CVE-2026-43919
Published: May 26, 2026, 3:16 p.m. | 53 minutes ago
Description: Rejected reason: REJECT DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-43918. Reason: This candidate is a duplicate of...

AI score 5.9 | EPSS 0.00061
Exploits: 0 | References: 1

Positive Technologies
added 2026/05/26 12:0 a.m. | 12 views

PT-2026-44374

Name of the Vulnerable Software and Affected Versions: Notepad++ versions prior to 8.9.6.1
Description: Multiple issues exist in the software, including a buffer over-read in the inter-process communication mechanism that can lead to a denial of service. Additionally, remote code execution is...

CVSS 4.6 | AI score 6.6 | EPSS 0.00012
Exploits: 1 | References: 15

Positive Technologies
added 2026/05/26 12:0 a.m. | 8 views

PT-2026-44400

Name of the Vulnerable Software and Affected Versions: Notepad++ versions prior to 8.9.6.1
Description: An issue exists in the processing of the commandLineInterpreter parameter within the config.xml configuration file. The software fails to neutralize special elements, which allows an attacker to...

CVSS 7.2 | AI score 6.3 | EPSS 0.0002
Exploits: 4 | References: 26

Positive Technologies
added 2026/05/26 12:0 a.m. | 9 views

PT-2026-43450

TL;DR: This vulnerability affects all Kirby sites that use the list field or list block, when content is authored by users who may not be fully trusted. The attack requires an authenticated Panel user with update permission to any list field or list block. This vulnerability is of high severity fo...

CVSS 8.5 | AI score 5.7 | EPSS 0.0004
Exploits: 0 | References: 5

Positive Technologies
added 2026/05/26 12:0 a.m. | 6 views

PT-2026-47109

Integer Overflow in OpenJPEG v2.4.0 allows remote attackers to crash the application, causing a Denial of Service (DoS). This occurs when the attacker uses the command line option "-ImgDir" on a directory that contains 1048576 files...

AI score 5.6
Exploits: 0 | References: 7

Positive Technologies
added 2026/05/26 12:0 a.m. | 10 views

PT-2026-43627

Name of the Vulnerable Software and Affected Versions: tmp (affected versions not specified)
Description: The tmp npm package contains a path traversal issue that allows escaping the intended temporary directory when untrusted data is passed into the prefix, postfix, or dir options. By embedding...

CVSS 8.7 | AI score 5.4 | EPSS 0.00063
Exploits: 0 | References: 8

Positive Technologies
added 2026/05/26 12:0 a.m. | 8 views

PT-2026-43448

Name of the Vulnerable Software and Affected Versions: Samba versions 4.1 through 4.23.8
Description: A flaw exists in Samba file servers and classic domain controllers that utilize the check password script feature. When this script is configured using the %u substitution character, the...

CVSS 10 | AI score 5.7 | EPSS 0.01022
Exploits: 0 | References: 74

Positive Technologies
added 2026/05/26 12:0 a.m. | 18 views

PT-2026-43439

Name of the Vulnerable Software and Affected Versions: ctdb versions prior to 4.23.8+git.477.f78166bceed-1.1
Description: A denial of service issue exists against the AD DC WINS server.
Recommendations: Update to version 4.23.8+git.477.f78166bceed-1.1...

CVSS 7.8 | AI score 5.4 | EPSS 0.00075
Exploits: 0 | References: 47

Positive Technologies
added 2026/05/26 12:0 a.m. | 8 views

PT-2026-43446

Summary: An authorization bypass in the /api/getTagValue endpoint allows unauthenticated access to tag values when the referenced script does not exist.
Details: The issue is caused by the combination of these code paths:
- server/api/apikeys/verify-api-or-token.js:45 sends requests without x-api-k...

CVSS 8.7 | AI score 6 | EPSS 0.00143
Exploits: 0 | References: 7

Positive Technologies
added 2026/05/26 12:0 a.m. | 5 views

PT-2026-43447

Summary: An unauthenticated Remote Code Execution vulnerability exists in FUXA when secureEnabled is set to true. The POST /api/runscript endpoint checks authorization against the stored script's permission by ID, but when test: true is set in the request, it compiles and executes attacker-supplie...

CVSS 9.3 | AI score 6.3 | EPSS 0.00751
Exploits: 0 | References: 7

Positive Technologies
added 2026/05/26 12:0 a.m. | 8 views

PT-2026-43265

Name of the Vulnerable Software and Affected Versions: Apache Flink Kubernetes Operator versions 1.3.0 through 1.14.x
Description: A Server-Side Request Forgery (SSRF) and local file access issue exists where the jarURI in FlinkSessionJob is not validated. This allows a user with CR create permission...

CVSS 6.8 | AI score 5.8 | EPSS 0.00053
Exploits: 1 | References: 9

Positive Technologies
added 2026/05/26 12:0 a.m. | 12 views

PT-2026-45147

Name of the Vulnerable Software and Affected Versions: MariaDB server versions 11.4.1 through 11.4.10; MariaDB server versions 11.8.1 through 11.8.6; MariaDB server version 12.3.1
Description: A user granted EXECUTE access to a stored routine through a role can view the routine definition, even if th...

CVSS 4.3 | AI score 5.2 | EPSS 0.00025
Exploits: 0 | References: 32

Positive Technologies
added 2026/05/26 12:0 a.m. | 7 views

PT-2026-43452

TL;DR: This vulnerability affects all Kirby sites on Kirby 5.3.0-5.4.0 and is independent from setup conditions and authentication. This vulnerability is of high severity for all Kirby sites.
Introduction: Path traversal is a type of attack that allows access to arbitrary filesystem paths. By...

CVSS 8.8 | AI score 6 | EPSS 0.00173
Exploits: 0 | References: 4

Positive Technologies
added 2026/05/26 12:0 a.m. | 8 views

PT-2026-45151

Name of the Vulnerable Software and Affected Versions: MariaDB versions 10.6.1 through 10.6.25; MariaDB versions 10.11.1 through 10.11.16; MariaDB versions 11.4.1 through 11.4.10; MariaDB versions 11.8.1 through 11.8.6; MariaDB version 12.3.1
Description: MariaDB allows the execution of 'SELECT ... INT...

CVSS 5 | AI score 5.4 | EPSS 0.00036
Exploits: 0 | References: 32

Positive Technologies
added 2026/05/26 12:0 a.m. | 10 views

PT-2026-43309

Name of the Vulnerable Software and Affected Versions: FastNetMon Community Edition versions prior to 1.2.10
Description: An integer overflow occurs during packet capture buffer allocation in the allocate buffer function. The software calculates memory size in bytes using 32-bit unsigned integer...

CVSS 7.1 | AI score 6 | EPSS 0.00013
Exploits: 0 | References: 6

Positive Technologies
added 2026/05/26 12:0 a.m. | 7 views

PT-2026-43400

Name of the Vulnerable Software and Affected Versions: Lumiverse versions prior to 0.9.7
Description: The Spindle extension build pipeline executes bun install without the --ignore-scripts flag before performing the static backend safety scan via the assertSafeBackendBundle function. This allows a...

CVSS 9.1 | AI score 6.2 | EPSS 0.00095
Exploits: 0 | References: 3

Positive Technologies
added 2026/05/26 12:0 a.m. | 10 views

PT-2026-43194

A flaw has been found in Totolink CA750-PoE 6.2c.510. This affects the function setWiFiWpsConfig of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. Executing a manipulation of the argument PIN can lead to OS command injection. It is possible to launch the attack remotely. The...

CVSS 6.5 | AI score 6.4 | EPSS 0.04841
Exploits: 0 | References: 5

Positive Technologies
added 2026/05/26 12:0 a.m. | 8 views

PT-2026-43380

A security vulnerability has been detected in GPAC up to 2.4.0. Affected by this issue is the function Media GetSample of the file src/isomedia/media.c of the component MP4Box. Such manipulation of the argument cat leads to memory leak. The attack can only be performed from a local environment. T...

CVSS 4.8 | AI score 5.3 | EPSS 0.00019
Exploits: 1 | References: 7

Positive Technologies
added 2026/05/26 12:0 a.m. | 6 views

PT-2026-43299

Name of the Vulnerable Software and Affected Versions: Traccar versions prior to 6.13.0
Description: An authorization bypass exists in the GPS tracking system where the 'DeviceResource.uploadImage' endpoint fails to invoke the permissionsService.checkEdit function. While the system uses...

CVSS 5.3 | AI score 5.8 | EPSS 0.0003
Exploits: 0 | References: 3

Positive Technologies
added 2026/05/26 12:0 a.m. | 7 views

PT-2026-43281

IBM Financial Transaction Manager for SWIFT Services for Multiplatforms 3.2.4.0 through 3.2.4.15 IBM Financial Transaction Manager SWIFT is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the...

CVSS 5.4 | AI score 5.6 | EPSS 0.00054
Exploits: 0 | References: 2

Positive Technologies
added 2026/05/26 12:0 a.m. | 8 views

PT-2026-43353

Kavita is a cross platform reading server. Prior to 0.9.0.2, an Improper Token validation flaw permits a remote and unauthenticated threat actor to request a JWT for any user including admins given knowledge of their username. This vulnerability is fixed in 0.9.0.2...

CVSS 9.3 | AI score 5.7 | EPSS 0.00025
Exploits: 0 | References: 3

Positive Technologies
added 2026/05/26 12:0 a.m. | 12 views

PT-2026-43195

Name of the Vulnerable Software and Affected Versions: Mayosis Core versions prior to 5.4.7
Description: Missing Authorization in TeconceTheme Mayosis Core allows for the exploitation of incorrectly configured access control security levels.
Recommendations: Update to a version later than 5.4.7...

CVSS 5.3 | AI score 5.8 | EPSS 0.00037
Exploits: 0 | References: 5

Positive Technologies
added 2026/05/26 12:0 a.m. | 8 views

PT-2026-43236

The Security Gateway does not correctly validate a length value in certain IKE packets when NAT-T is used (4500/UDP). As a result, a specially crafted or malformed packet can cause the VPN processing service to terminate unexpectedly, leading to denial of service (temporary interruption of VPN...

CVSS 8.1 | AI score 5.8 | EPSS 0.00072
Exploits: 0 | References: 2

Positive Technologies
added 2026/05/26 12:0 a.m. | 9 views

PT-2026-43403

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the component override system transpiles user-supplied TSX via Sucrase and evaluates it with new Function, shadowing dangerous globals (fetch, window, eval, etc.) with undefined. A static source validator...

CVSS 9.3 | AI score 5.7 | EPSS 0.00043
Exploits: 0 | References: 2

Positive Technologies
added 2026/05/26 12:0 a.m. | 6 views

PT-2026-47107

There's a flaw in src/lib/openjp2/pi.c of openjpeg in versions prior to 2.4.0. If an attacker is able to provide untrusted input to openjpeg's conversion/encoding functionality, they could cause an out-of-bounds read. The highest impact of this flaw is to application availability...

AI score 5.5
Exploits: 0 | References: 8

Positive Technologies
added 2026/05/26 12:0 a.m. | 11 views

PT-2026-43426

Name of the Vulnerable Software and Affected Versions: code-projects Project Management System version 1.0
Description: A SQL injection issue exists within the Login component in the chk.php file. This flaw allows a remote attacker to manipulate an unknown function to execute arbitrary SQL commands...

CVSS 7.5 | AI score 7.4 | EPSS 0.00039
Exploits: 0 | References: 7

Positive Technologies
added 2026/05/26 12:0 a.m. | 11 views

PT-2026-43179

A vulnerability was detected in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 3000WEBV2. Affected by this vulnerability is an unknown functionality of the file /SubstationWEBV2/app/..;/calc/getCalcmeterDetailDayListTree. Performing a manipulation of the argument...

CVSS 7.5 | AI score 6.9 | EPSS 0.00037
Exploits: 0 | References: 4

Positive Technologies
added 2026/05/26 12:0 a.m. | 10 views

PT-2026-43252

Name of the Vulnerable Software and Affected Versions: libyang versions prior to 5.2.6
Description: A heap use-after-free write occurs in the lyd parser set data flags function. This happens when the software incorrectly updates metadata list pointers while freeing non-head default metadata entries...

CVSS 7.1 | AI score 5.9 | EPSS 0.00035
Exploits: 0 | References: 22

Positive Technologies
added 2026/05/26 12:0 a.m. | 9 views

PT-2026-47116

Use after free in garbage collector and finalizer of lgc.c in Lua interpreter 5.4.0~5.4.3 allows attackers to perform Sandbox Escape via a crafted script file...

AI score 5.5
Exploits: 0 | References: 6

Positive Technologies
added 2026/05/26 12:0 a.m. | 6 views

PT-2026-47117

In Lua 5.4.3, an erroneous finalizer called during a tail call leads to a heap-based buffer over-read...

AI score 5.7
Exploits: 0 | References: 4

Positive Technologies
added 2026/05/26 12:0 a.m. | 9 views

PT-2026-43399

Name of the Vulnerable Software and Affected Versions: Lumiverse versions prior to 0.9.7
Description: The consumeNonce function only verifies that a module-level variable is set and has not expired, failing to validate values from the incoming HTTP request or bind the nonce to the administrator's...

CVSS 4.8 | AI score 5.8 | EPSS 0.00033
Exploits: 0 | References: 3

Positive Technologies
added 2026/05/26 12:0 a.m. | 7 views

PT-2026-43262

A security flaw has been discovered in Das Parking Management System (停车场管理系统) 6.2.0. This vulnerability affects unknown code of the component Search API Endpoint. The manipulation of the argument Value results in SQL injection. It is possible to launch the attack remotely. The exploit has been...

CVSS 7.5 | AI score 6.8 | EPSS 0.00012
Exploits: 0 | References: 5

Positive Technologies
added 2026/05/26 12:0 a.m. | 8 views

PT-2026-43310

FastNetMon Community Edition through 1.2.9 contains an integer overflow in the BGP AS PATH attribute encoder. In src/bgp protocol.hpp, the IPv4UnicastAnnounce::get attributes function computes attribute length as 'sizeofbgp as path segment element t + this-as path asns.size sizeofuint32 t' and...

CVSS 9.8 | AI score 6.2 | EPSS 0.00055
Exploits: 0 | References: 5

Positive Technologies
added 2026/05/26 12:0 a.m. | 6 views

PT-2026-43327

A vulnerability was found in SourceCodester/oretnom23 Hospitals Patient Records Management System 1.0. The impacted element is an unknown function of the file /admin/?page=patients/view patient. Performing a manipulation of the argument Remarks results in cross-site scripting. Remote exploitation...

CVSS 4.8 | AI score 4.4 | EPSS 0.0003
Exploits: 0 | References: 5

Positive Technologies
added 2026/05/26 12:0 a.m. | 7 views

PT-2026-43350

Name of the Vulnerable Software and Affected Versions: OpenCTI versions prior to 6.9.7
Description: An organization administrator can escalate their privileges by adding a user from a different organization who possesses higher privileges into their own organization. This occurs due to an incorrect...

CVSS 7.2 | AI score 5.8 | EPSS 0.0005
Exploits: 0 | References: 7

Positive Technologies
added 2026/05/26 12:0 a.m. | 11 views

PT-2026-43317

Name of the Vulnerable Software and Affected Versions: The product name cannot be determined (affected versions not specified)
Description: An improper access check allows privilege escalation through the com users batch task.
Recommendations: At the moment, there is no information about a newer versi...

CVSS 9.8 | AI score 5.8 | EPSS 0.00002
Exploits: 0 | References: 4

Positive Technologies
added 2026/05/26 12:0 a.m. | 10 views

PT-2026-43337

Name of the Vulnerable Software and Affected Versions: NVIDIA Display Driver for Linux (affected versions not specified)
Description: A flaw exists in a kernel mode layer handler that allows a user to cause improper permission handling. This issue could lead to denial of service, escalation of...

CVSS 7.8 | AI score 5.3 | EPSS 0.00011
Exploits: 0 | References: 7

Positive Technologies
added 2026/05/26 12:0 a.m. | 8 views

PT-2026-43338

Name of the Vulnerable Software and Affected Versions: NVIDIA Display Driver for Linux (affected versions not specified)
Description: A flaw exists in the Unified Video Memory (UVM) component due to improper input validation. This issue allows a user to trigger a condition that may result in a denial o...

CVSS 7.1 | AI score 5.2 | EPSS 0.0002
Exploits: 0 | References: 7

Positive Technologies
added 2026/05/26 12:0 a.m. | 8 views

PT-2026-43259

luci-app-https-dns-proxy through 2025.12.29-5 — an optional LuCI web UI add-on for the https-dns-proxy package, distributed through the OpenWrt community packages feed and not installed by default — contains a command injection vulnerability in the setInitAction function. An authenticated user...

CVSS 8.8 | AI score 6.1 | EPSS 0.0008
Exploits: 0 | References: 4

Total number of security vulnerabilities: 175414