175415 matches found

Positive Technologies, added 2026/05/26 12:0 a.m., 8 views

PT-2026-43259

luci-app-https-dns-proxy through 2025.12.29-5 — an optional LuCI web UI add-on for the https-dns-proxy package, distributed through the OpenWrt community packages feed and not installed by default — contains a command injection vulnerability in the setInitAction function. An authenticated user...

CVSS 8.8 | AI score 6.1 | EPSS 0.0008
Exploits: 0 | References: 4
Positive Technologies, added 2026/05/26 12:0 a.m., 9 views

PT-2026-43355

Name of the Vulnerable Software and Affected Versions: FastNetMon Community Edition versions prior to 1.2.10. Description: An OS command injection issue exists in the MikroTik router integration plugin. The log function in src/mikrotik_plugin/fastnetmon_mikrotik.php constructs shell commands by...

CVSS 8.1 | AI score 6 | EPSS 0.00052
Exploits: 0 | References: 5
Positive Technologies, added 2026/05/26 12:0 a.m., 10 views

PT-2026-43326

A vulnerability has been found in sambitraj STUDENT-MANAGEMENT-SYSTEM up to 56ba287f2e9031523ccb4244cb6e3fe530e4e5d5. The affected element is an unknown function of the component Dashboard. Such manipulation leads to improper access controls. The attack may be launched remotely. The exploit has...

CVSS 7.5 | AI score 6.6 | EPSS 0.00059
Exploits: 0 | References: 7
Positive Technologies, added 2026/05/26 12:0 a.m., 6 views

PT-2026-43320

Name of the Vulnerable Software and Affected Versions: Joomla (affected versions not specified). Description: The password and username reset features generate plain http links even when https connections are used, provided the "Force SSL" flag is not explicitly enabled. This leads to a transport...

CVSS 9.8 | AI score 5.8 | EPSS 0.00001
Exploits: 0 | References: 3
Positive Technologies, added 2026/05/26 12:0 a.m., 8 views

PT-2026-43274

FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the Juniper router integration plugin. The log function in src/juniper_plugin/fastnetmon_juniper.php lines 117-118 constructs shell commands by concatenating the $msg parameter directly into exec calls:...

AI score 6 | EPSS 0.00527
Exploits: 1 | References: 4
Positive Technologies, added 2026/05/26 12:0 a.m., 8 views

PT-2026-43295

Name of the Vulnerable Software and Affected Versions: The product name cannot be determined (affected versions not specified). Description: Improper validation of user-supplied input leads to a local file inclusion, which allows an attacker to include files on the local server. Recommendations: At the...

CVSS 9.8 | AI score 5.8 | EPSS 0.00001
Exploits: 0 | References: 4
Positive Technologies, added 2026/05/26 12:0 a.m., 8 views

PT-2026-43290

Name of the Vulnerable Software and Affected Versions: com_content (affected versions not specified). Description: Lack of output escaping in the readmore links for com_content allows for a Cross-Site Scripting (XSS) vector. XSS is a flaw where an attacker can inject malicious scripts into web pages...

CVSS 6.9 | AI score 5.8 | EPSS 0.00005
Exploits: 0 | References: 3
Positive Technologies, added 2026/05/26 12:0 a.m., 6 views

PT-2026-43359

A maliciously crafted TIF file, when parsed through Autodesk 3ds Max, can force an Out-of-Bounds Write vulnerability. A malicious actor may leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process...

CVSS 7.8 | AI score 6.2 | EPSS 0.00009
Exploits: 0 | References: 3
Positive Technologies, added 2026/05/26 12:0 a.m., 7 views

PT-2026-43234

An Allocation of Resources Without Limits or Throttling vulnerability in the OPC-UA Server used in PPT30 Operating System versions before 1.8.0 may be used by an unauthenticated network-based attacker to permanently prevent legitimate users from interacting with the service...

CVSS 8.7 | AI score 5.8 | EPSS 0.00088
Exploits: 0 | References: 2
Positive Technologies, added 2026/05/26 12:0 a.m., 7 views

PT-2026-43191

Versions of the package pacote from 11.2.7 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function's regex replacement and string-manipulation logic, causing...

CVSS 8.7 | AI score 5.8 | EPSS 0.00049
Exploits: 0 | References: 3
Positive Technologies, added 2026/05/26 12:0 a.m., 10 views

PT-2026-43160

A vulnerability was determined in hemant6488 CodeIgniter-StudentManagementSystem. The affected element is an unknown function of the file /index.php/students/addStudentView of the component Student Management Handler. Executing a manipulation can lead to improper access controls. The attack can b...

CVSS 7.5 | AI score 6.8 | EPSS 0.00053
Exploits: 0 | References: 5
Positive Technologies, added 2026/05/26 12:0 a.m., 5 views

PT-2026-47004

In tmux before version 3.1c, the function input_csi_dispatch_sgr_colon in file input.c contained a stack-based buffer overflow that can be exploited by terminal output...

AI score 5.5
Exploits: 0 | References: 5
Positive Technologies, added 2026/05/26 12:0 a.m., 8 views

PT-2026-47113

Lua 5.4.0 (fixed in 5.4.1) has a segmentation fault in changedline in ldebug.c (e.g., when called by luaG_traceexec) because it incorrectly expects that an oldpc value is always updated upon a return of the flow of control to a function...

AI score 5.5
Exploits: 0 | References: 4
Positive Technologies, added 2026/05/26 12:0 a.m., 7 views

PT-2026-43301

Name of the Vulnerable Software and Affected Versions: Twenty versions prior to 1.18.1. Description: An issue exists in the file serving endpoints '/files/' and '/file/:fileFolder/:id' where uploaded files are served using fileStream.pipe(res) without specifying Content-Type, Content-Disposition, or...

CVSS 8.7 | AI score 5.8 | EPSS 0.00036
Exploits: 1 | References: 5
Positive Technologies, added 2026/05/26 12:0 a.m., 7 views

PT-2026-43422

Name of the Vulnerable Software and Affected Versions: macOS versions prior to Sequoia 15.7; macOS versions prior to Tahoe 26. Description: A race condition exists that allows an application to gain root privileges, enabling unauthorized access to system resources. This issue has been exploited in...

CVSS 7 | AI score 5.7 | EPSS 0.00005
Exploits: 0 | References: 4
Positive Technologies, added 2026/05/26 12:0 a.m., 7 views

PT-2026-43183

A vulnerability was found in itsourcecode Electronic Judging System 1.0. This vulnerability affects unknown code of the file /admin/edit team.php. The manipulation of the argument num id results in SQL injection. The attack may be launched remotely. The exploit has been made public and could be...

CVSS 7.5 | AI score 6.9 | EPSS 0.00039
Exploits: 0 | References: 5
Positive Technologies, added 2026/05/26 12:0 a.m., 12 views

PT-2026-43366

Name of the Vulnerable Software and Affected Versions: IBM HTTP Server version 8.5; IBM HTTP Server version 9.0. Description: An invalid pointer dereference occurs in the Administration Server. A privileged, authenticated user can exploit this issue to cause a denial of service or expose sensitive...

CVSS 7.3 | AI score 5.8 | EPSS 0.00007
Exploits: 0 | References: 4
Positive Technologies, added 2026/05/26 12:0 a.m., 5 views

PT-2026-47105

A flaw was found in OpenJPEG in versions prior to 2.4.0. This flaw allows an attacker to provide specially crafted input to the conversion or encoding functionality, causing an out-of-bounds read. The highest threat from this vulnerability is system availability...

AI score 5.4
Exploits: 0 | References: 8
Positive Technologies, added 2026/05/26 12:0 a.m., 8 views

PT-2026-43200

Missing Authorization vulnerability in VideoWhisper.Com Paid Videochat Turnkey Site allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Paid Videochat Turnkey Site: from n/a through 7.3.23...

CVSS 5.3 | AI score 5.8 | EPSS 0.00037
Exploits: 0 | References: 1
Positive Technologies, added 2026/05/26 12:0 a.m., 7 views

PT-2026-43384

Missing Authorization vulnerability in Magepeople inc. Taxi Booking Manager for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Taxi Booking Manager for WooCommerce: from n/a through 2.0.1...

CVSS 5.3 | AI score 5.8 | EPSS 0.00037
Exploits: 0 | References: 2
Positive Technologies, added 2026/05/26 12:0 a.m., 7 views

PT-2026-43440

Name of the Vulnerable Software and Affected Versions: Pterodactyl versions prior to 1.12.3. Description: The Client API contains a logic flaw allowing users to bypass assigned limits for database allocations. This occurs because the database locking mechanism within the controllers is ineffective...

CVSS 2.3 | AI score 5.9 | EPSS 0.00042
Exploits: 0 | References: 4
Positive Technologies, added 2026/05/26 12:0 a.m., 7 views

PT-2026-43289

Name of the Vulnerable Software and Affected Versions: Joomla CMS (affected versions not specified). Description: Lack of output escaping in the content history component allows for a Cross-Site Scripting (XSS) vector. XSS is a flaw where an attacker injects malicious scripts into content that is then...

CVSS 6.9 | AI score 5.8 | EPSS 0.00005
Exploits: 0 | References: 4
Positive Technologies, added 2026/05/26 12:0 a.m., 9 views

PT-2026-43176

A missing authorization vulnerability in Zyxel GS1200-5v3 firmware versions through 1.00ACPS.2C0, GS1200-8v3 firmware versions through 1.00ACPT.2C0, GS1200-5HPv3 firmware versions through 1.00ACPU.2C0, GS1200-8HPv3 firmware versions through 1.00ACPV.2C0, and GS1200-10v3 firmware versions through...

CVSS 6.5 | AI score 5.8 | EPSS 0.00042
Exploits: 0 | References: 1
Positive Technologies, added 2026/05/26 12:0 a.m., 7 views

PT-2026-43276

Name of the Vulnerable Software and Affected Versions: FastNetMon Community Edition versions prior to 1.2.10. Description: The software exposes a gRPC API server on port 50052 that lacks an authentication mechanism. The server is initialized using grpc::InsecureServerCredentials, allowing any user...

CVSS 8.1 | AI score 6.1 | EPSS 0.00046
Exploits: 0 | References: 6
Positive Technologies, added 2026/05/26 12:0 a.m., 7 views

PT-2026-43348

Name of the Vulnerable Software and Affected Versions: Chatwoot versions 2.2.0 through 4.11.1. Description: An issue exists in the conversation and contact filter APIs where user-supplied values in the values field of the filter payload are interpolated directly into SQL queries without...

CVSS 8.5 | AI score 6 | EPSS 0.00029
Exploits: 1 | References: 4
Positive Technologies, added 2026/05/26 12:0 a.m., 8 views

PT-2026-43402

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the MCP server creation endpoint validates the command field against an allowlist of binary names but forwards the args array to the child process without any validation. Every binary on the allowlist accepts an inline-code executi...

CVSS 9.9 | AI score 6.3 | EPSS 0.0008
Exploits: 0 | References: 3
Positive Technologies, added 2026/05/26 12:0 a.m., 8 views

PT-2026-43363

IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5, 9.0. IBM WebSphere Application Server and WebSphere Application Server Liberty are vulnerable to HTTP request smuggling in the Web Server Plug-ins through a specially crafted request...

CVSS 7.5 | AI score 5.8 | EPSS 0.00068
Exploits: 0 | References: 2
Positive Technologies, added 2026/05/26 12:0 a.m., 6 views

PT-2026-43358

A maliciously crafted PAR file, when parsed through Autodesk 3ds Max, can force a NULL Pointer Dereference vulnerability. Successful exploitation may cause the application to crash, leading to a denial-of-service condition...

CVSS 5.3 | AI score 5.8 | EPSS 0.00006
Exploits: 0 | References: 3
Positive Technologies, added 2026/05/26 12:0 a.m., 10 views

PT-2026-43210

This vulnerability stems from a business logic flaw. Attackers can exploit legitimate application functions in unintended and abnormal ways, deviating from the designer's expectations, to carry out malicious attacks...

CVSS 3.8 | AI score 5.8 | EPSS 0.0002
Exploits: 0 | References: 1
Positive Technologies, added 2026/05/26 12:0 a.m., 8 views

PT-2026-43412

There is a mitigation bypass / incomplete fix for CVE-2025-62582, Unauthenticated Remote Database Access. An unauthenticated remote attacker can access configured databases in a DIAView project...

CVSS 9.8 | AI score 5.8 | EPSS 0.00053
Exploits: 0 | References: 4
Positive Technologies, added 2026/05/26 12:0 a.m., 10 views

PT-2026-43345

FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, Faction is vulnerable to stored cross-site scripting (XSS) via attachment filenames in remediation verification file preview flows. User-supplied filename values are persisted and then rendered into HTML and...

CVSS 8.7 | AI score 5.8 | EPSS 0.00033
Exploits: 0 | References: 3
Positive Technologies, added 2026/05/26 12:0 a.m., 8 views

PT-2026-43270

Name of the Vulnerable Software and Affected Versions: FastNetMon Community Edition versions prior to 1.2.10. Description: An out-of-bounds read exists in the NetFlow v9 data flowset processor within the src/netflow_plugin/netflow_v9_collector.cpp file. The Data template branch iterates over flow...

CVSS 6.5 | AI score 5.9 | EPSS 0.00012
Exploits: 0 | References: 6
Positive Technologies, added 2026/05/26 12:0 a.m., 5 views

PT-2026-45150

Name of the Vulnerable Software and Affected Versions: MariaDB server versions 3.3.18; MariaDB server versions 3.4.8. Description: An issue exists where applications using the big5 character set and text protocol are susceptible to SQL injections. This occurs when non-validated user input is processe...

CVSS 6.9 | AI score 5.4 | EPSS 0.0003
Exploits: 0 | References: 32
Positive Technologies, added 2026/05/26 12:0 a.m., 8 views

PT-2026-43429

Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed metric injections. The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. Version 0.06 changes the module from being a stats...

AI score 5.8 | EPSS 0.00016
Exploits: 0 | References: 5
Positive Technologies, added 2026/05/26 12:0 a.m., 7 views

PT-2026-43294

Name of the Vulnerable Software and Affected Versions: The product name cannot be determined (affected versions not specified). Description: An improper access check allows unauthorized access to com_config webservice endpoints. Recommendations: At the moment, there is no information about a newer...

CVSS 9.8 | AI score 5.8 | EPSS 0.00002
Exploits: 0 | References: 3
Positive Technologies, added 2026/05/26 12:0 a.m., 7 views

PT-2026-43414

Name of the Vulnerable Software and Affected Versions: epa4all-client versions prior to 1.2.5. Description: Any network-reachable caller can write arbitrary documents to any patient's electronic health record accessible by the institution's SMC-B card. In misconfigured deployments, such as those...

CVSS 6.5 | AI score 5.9 | EPSS 0.00021
Exploits: 0 | References: 5
Positive Technologies, added 2026/05/26 12:0 a.m., 8 views

PT-2026-43241

Name of the Vulnerable Software and Affected Versions: HiDraw (affected versions not specified). Description: A heap-based buffer overflow occurs in the XML parser functionality. An authenticated malicious user with local access can exploit this by using a specially crafted XML file, leading to memory...

CVSS 4.4 | AI score 6.3 | EPSS 0.00017
Exploits: 0 | References: 3
Positive Technologies, added 2026/05/26 12:0 a.m., 6 views

PT-2026-43388

A flaw has been found in itsourcecode Student Transcript Processing System 1.0. This vulnerability affects unknown code of the file /admin/modules/student/trans.php. Executing a manipulation of the argument studentId/cid can lead to SQL injection. The attack can be launched remotely. The exploit...

CVSS 7.5 | AI score 6.9 | EPSS 0.00039
Exploits: 0 | References: 6
Positive Technologies, added 2026/05/26 12:0 a.m., 7 views

PT-2026-43205

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in SpabRice Nyla allows Code Injection. This issue affects Nyla: from n/a through 1.7...

CVSS 5.3 | AI score 5.8 | EPSS 0.00051
Exploits: 0 | References: 1
Positive Technologies, added 2026/05/26 12:0 a.m., 7 views

PT-2026-44501

CVE-2026-42347 - Apache HTTP Server Authentication Bypass. CVE ID: CVE-2026-42347. Published: May 26, 2026, 3:16 p.m. (53 minutes ago). Description: Rejected reason: REJECT DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-28496. Reason: This candidate is a duplicate of CVE-2026-28496. Notes:...

AI score 5.8
Exploits: 0 | References: 1
Positive Technologies, added 2026/05/26 12:0 a.m., 8 views

PT-2026-44505

CVE-2026-43919 - Apache HTTP Server Remote Code Execution Vulnerability. CVE ID: CVE-2026-43919. Published: May 26, 2026, 3:16 p.m. (53 minutes ago). Description: Rejected reason: REJECT DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-43918. Reason: This candidate is a duplicate of...

AI score 5.9
Exploits: 0 | References: 1
Positive Technologies, added 2026/05/26 12:0 a.m., 7 views

PT-2026-43321

Name of the Vulnerable Software and Affected Versions: The product name cannot be determined (affected versions not specified). Description: Inadequate content filtering within the checkAttribute methods leads to Cross-Site Scripting (XSS), a condition where malicious scripts are injected into otherwise...

CVSS 6.9 | AI score 5.8 | EPSS 0.00005
Exploits: 0 | References: 5
Positive Technologies, added 2026/05/26 12:0 a.m., 6 views

PT-2026-43268

e107 is a content management system (CMS). Prior to 2.3.4, you can access the local environment by specifying the URL of the local environment from "Image/File URL:" of "From a remote location" in "Media Manager" on the administrator screen. This vulnerability is fixed in 2.3.4...

CVSS 4.3 | AI score 5.8 | EPSS 0.00028
Exploits: 0 | References: 4
Positive Technologies, added 2026/05/26 12:0 a.m., 9 views

PT-2026-43184

A vulnerability was determined in itsourcecode Electronic Judging System 1.0. This issue affects some unknown processing of the file /admin/judges.php. This manipulation of the argument fname causes cross-site scripting. Remote exploitation of the attack is possible. The exploit has been publicly...

CVSS 5.3 | AI score 4.4 | EPSS 0.00035
Exploits: 0 | References: 5
Positive Technologies, added 2026/05/26 12:0 a.m., 7 views

PT-2026-43254

OpenKM 6.3.12 contains an unrestricted SQL execution vulnerability that allows authenticated administrative users to execute arbitrary SQL statements against the application database via the DatabaseQuery interface. Attackers can submit malicious SQL queries through the qs parameter to the...

CVSS 8.6 | AI score 6.2 | EPSS 0.00043
Exploits: 0 | References: 8
Positive Technologies, added 2026/05/26 12:0 a.m., 6 views

PT-2026-47098

There's a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability...

AI score 5.5
Exploits: 0 | References: 6
Positive Technologies, added 2026/05/26 12:0 a.m., 8 views

PT-2026-43342

NVIDIA Display Driver for Linux contains a vulnerability in a kernel module, where a user could cause a race condition by reordering compiler or processor memory instructions. A successful exploit of this vulnerability might lead to denial of service...

CVSS 4.7 | AI score 5.8 | EPSS 0.00014
Exploits: 0 | References: 3
Positive Technologies, added 2026/05/26 12:0 a.m., 9 views

PT-2026-43442

Impact: yeoman-environment versions = 2.9.0 and 6.0.1 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary package installation...

CVSS 8.6 | AI score 6.3 | EPSS 0.00014
Exploits: 0 | References: 5
Positive Technologies, added 2026/05/26 12:0 a.m., 4 views

PT-2026-47119

An issue in the component luaG_runerror of Lua v5.4.4 and below leads to a heap-buffer overflow when a recursive error occurs...

AI score 5.4
Exploits: 0 | References: 8
Positive Technologies, added 2026/05/26 12:0 a.m., 6 views

PT-2026-43246

Name of the Vulnerable Software and Affected Versions: Squirrel versions prior to 3.3. Description: A heap-based buffer overflow occurs in the Cnut File Handler component within the ReadObject function of the squirrel/sqobject.cpp file. This issue allows a local attacker to perform a manipulation th...

CVSS 5.3 | AI score 6.1 | EPSS 0.00023
Exploits: 1 | References: 8

Total number of security vulnerabilities: 175415