Lucene search
K
PtsecurityRecent

184508 matches found

Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•11 views

PT-2026-51629

Name of the Vulnerable Software and Affected Versions Gogs versions 0.14.0 through 0.14.2 Description An issue exists where the UploadRepoFiles function only checks for symbolic links at the leaf of the upload target using osx.IsSymlink, unlike other functions that validate every component of the...

9CVSS6.7AI score0.00474EPSS
Exploits0References11
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•13 views

PT-2026-51507

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.2 Description Multiple OS command injection issues exist in the Custom MCP Server feature. These occur due to incomplete command-flag validation and a regex bypass in local file access restrictions. An attacker wi...

9.9CVSS6.2AI score0.02683EPSS
Exploits1References12
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•7 views

PT-2026-55662

Summary The Meet plugin stores the raw HTTP User-Agent header of every meeting participant and later renders it without output encoding in the meeting-management "Participants" panel that the meeting host and site administrators open. An anonymous, unauthenticated attacker can join any public...

6.4CVSS6.2AI score
Exploits0References3
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•13 views

PT-2026-51581

Name of the Vulnerable Software and Affected Versions ash-project ash versions 3.0.0 through 3.29.2 Description An issue exists where users can set the value of a private action argument intended to be controlled exclusively by trusted server-side code. Action arguments declared with public?: fal...

5.9CVSS5.7AI score0.00152EPSS
Exploits0References13
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•18 views

PT-2026-53084

Name of the Vulnerable Software and Affected Versions 7-Zip for Windows versions prior to 26.02 Description 7-Zip fails to preserve the Mark-of-the-Web MotW when extracting a specially crafted RAR5 archive. The software uses a guard to suppress archive-supplied Zone.Identifier streams, but it onl...

4.8CVSS5.8AI score0.00119EPSS
Exploits0References11
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•10 views

PT-2026-51637

Name of the Vulnerable Software and Affected Versions Budibase server versions prior to 3.39.1 Description An issue exists where the enrichContext function substitutes parameter values into the raw JSON body of a query and then parses the result using JSON.parse. The validateQueryInputs function...

10CVSS5.9AI score0.00538EPSS
Exploits2References11
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•8 views

PT-2026-55663

Partial Authentication Bypass: Unauthenticated Admin Credential Theft via Path Traversal Summary Myself and others have reported several RCE vulnerabilities to this project. However, due to the nature of the app, these are largely not of all that much value, as there is built-in functionality to...

10CVSS6.4AI score
Exploits0References3
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•3 views

PT-2026-54572

Š£ŃŠ·Š²ŠøŠ¼Š¾ŃŃ‚ŃŒ архиватора 7-Zip ŃŠ²ŃŠ·Š°Š½Š° с Š½Š°Ń€ŃƒŃˆŠµŠ½ŠøŠµŠ¼ механизма защиты Ганных Mark of the Web MOTW. Š­ŠŗŃŠæŠ»ŃƒŠ°Ń‚Š°Ń†ŠøŃ ŃƒŃŠ·Š²ŠøŠ¼Š¾ŃŃ‚Šø может ŠæŠ¾Š·Š²Š¾Š»ŠøŃ‚ŃŒ Š½Š°Ń€ŃƒŃˆŠøŃ‚ŠµŠ»ŃŽ обойти ŃŃƒŃ‰ŠµŃŃ‚Š²ŃƒŃŽŃ‰ŠøŠµ механизмы безопасности Šø ŠæŃ€Š¾Š²Š¾Š“ŠøŃ‚ŃŒ ŃŠæŃƒŃ„ŠøŠ½Š³-атаки...

2.1CVSS5.8AI score
Exploits0References3
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•16 views

PT-2026-51597

Name of the Vulnerable Software and Affected Versions jackson-databind versions 2.0.0 through 2.18.7 jackson-databind versions 2.19.0 through 2.21.3 jackson-databind versions 3.0.0 through 3.1.3 Description The JDKFromStringDeserializer function constructs InetSocketAddress using new...

5.3CVSS5.8AI score0.00219EPSS
Exploits0References33
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•14 views

PT-2026-51625

Name of the Vulnerable Software and Affected Versions Gogs affected versions not specified Gitea affected versions not specified Description A stored DOM-based Cross-Site Scripting XSS issue exists where an attacker can store an HTML or JavaScript payload in a milestone name. When a user opens th...

4.8CVSS6AI score0.00483EPSS
Exploits0References10
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•13 views

PT-2026-51607

Name of the Vulnerable Software and Affected Versions Poweradmin versions prior to 4.2.4 Poweradmin versions prior to 4.3.3 Description Poweradmin is a web-based DNS administration tool for PowerDNS server. The software uses the attacker-controlled HTTP HOST request header as the authoritative...

9.6CVSS6AI score0.00312EPSS
Exploits0References14
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•10 views

PT-2026-53090

Name of the Vulnerable Software and Affected Versions Nmap versions 7.0.0 through 7.99 Description An issue exists in the ipv6 get data primitive function libnetutil/netutil.cc where the IPv6 extension-header walk is not kept within the captured packet. This causes the pointer to advance past the...

6.9CVSS6.6AI score0.00278EPSS
Exploits0References10
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•14 views

PT-2026-51547

Name of the Vulnerable Software and Affected Versions Language Servers for AWS versions prior to 1.65.0 Description Improper trust boundary enforcement in the Model Context Protocol MCP server configurations within Amazon Q Developer allows for arbitrary code execution. If a local user opens a...

8.5CVSS6.4AI score0.00118EPSS
Exploits0References26
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•10 views

PT-2026-51642

Name of the Vulnerable Software and Affected Versions Snipe-IT affected versions not specified Description An authorization bypass exists in the BulkAssetsController::update function. The system accepts the company id variable directly from user input without utilizing the standard company-scopin...

6.3CVSS5.9AI score
Exploits0References5
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•14 views

PT-2026-51532

NanoClaw before 2.1.0 contains a privilege escalation vulnerability in the channel-registration approval flow where handleChannelApprovalResponse fails to validate admin privileges over target agent groups. Scoped admins can submit forged or stale connect callback values to wire messaging channel...

5.4CVSS5.9AI score0.00171EPSS
Exploits0References4
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•4 views

PT-2026-55571

This update for sg3 utils fixes the following issues: - sg inq: --export output conformance for SCSI name string and ATA fields bsc1267823 - rescan-scsi-bus.sh: quote $id serial in findmultipath call bsc1268201...

5.9AI score
Exploits0References4
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•6 views

PT-2026-55435

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=526224351 Crash type: Heap-use-after-free READ 8 Crash state: Wt::Http::Request::parseFormUrlEncoded Wt::CgiParser::parse fuzz-cgi.C...

5.8AI score
Exploits0References2
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•4 views

PT-2026-55570

This update for sg3 utils fixes the following issues: - sg inq: --export output conformance for SCSI name string and ATA fields bsc1267823 - rescan-scsi-bus.sh: quote $id serial in findmultipath call bsc1268201...

5.9AI score
Exploits0References4
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•7 views

PT-2026-51646

Name of the Vulnerable Software and Affected Versions Snipe-IT versions prior to 8.6.1 Description In S3-backed deployments, the system fails to perform authorization checks before generating temporary URLs for signature image retrieval. Authenticated users who possess a signature filename can...

5.3CVSS5.9AI score0.00281EPSS
Exploits0References8
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•8 views

PT-2026-55574

This update for podman rebuilds it against the current go security release...

5.9AI score
Exploits0References2
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•10 views

PT-2026-51491

picklescan before 0.0.29 fails to detect the profile.Profile.runctx function when analyzing pickle files, allowing attackers to embed undetected malicious code. Remote attackers can craft malicious pickle files using profile.Profile.runctx in the reduce method to achieve remote code execution whe...

8.1CVSS6.5AI score0.00466EPSS
Exploits0References3
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•6 views

PT-2026-52874

Crawl4AI before 0.8.7 contains a stored cross-site scripting vulnerability in the monitor dashboard that renders crawl URLs and error messages via innerHTML without escaping. An attacker can submit a crafted crawl request with malicious markup that executes in an operator's browser when viewing t...

5.3CVSS5.6AI score
Exploits0References4
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•6 views

PT-2026-55562

This update for sg3 utils fixes the following issues: - sg inq: --export output conformance for SCSI name string and ATA fields bsc1267823 - rescan-scsi-bus.sh: quote $id serial in findmultipath call bsc1268201...

5.9AI score
Exploits0References3
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•57 views

PT-2026-51580

Name of the Vulnerable Software and Affected Versions @rtk-ai/rtk-rewrite version 1.0.0 Description The @rtk-ai/rtk-rewrite OpenClaw plugin fails to properly escape input passed to a shell-backed execSync function. While JSON.stringify is used to wrap values in double quotes, it does not neutrali...

6.3CVSS6.2AI score0.00288EPSS
Exploits1References4
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•20 views

PT-2026-51536

Name of the Vulnerable Software and Affected Versions Control Builder A versions prior to 1.4/4 800xA for Advant Master versions prior to 6.0.3-1 800xA for Advant Master versions prior to 6.1.1-1 800xA for Advant Master version 6.1.1-3 800xA for Advant Master version 6.2.0-1 Description An...

4.4CVSS5.8AI score0.00083EPSS
Exploits0References4
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•7 views

PT-2026-51487

Name of the Vulnerable Software and Affected Versions ADSelfService Plus versions prior to 6529 RecoveryManager Plus versions prior to 6321 M365 Manager Plus versions prior to 4817 ADAudit Plus versions prior to 8703 Description In ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and...

9CVSS5.9AI score0.01237EPSS
Exploits0References5
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•11 views

PT-2026-51478

Name of the Vulnerable Software and Affected Versions Frontend File Manager Plugin versions prior to 23.7 Description Insufficient sanitization and escaping of filenames submitted to the frontend file-rename endpoint allows a Stored Cross-Site Scripting XSS issue. This occurs when the filename is...

5.4CVSS5.8AI score0.00133EPSS
Exploits0References6
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•13 views

PT-2026-51576

Name of the Vulnerable Software and Affected Versions immich versions 4ffa26c9 through 4eb1003 Description A reflected cross-site scripting XSS issue exists on the '/auth/login' page. The continue query parameter is processed by SvelteKit's redirect function without proper scheme or origin...

9.6CVSS6AI score0.00235EPSS
Exploits0References6
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•18 views

PT-2026-51459

Name of the Vulnerable Software and Affected Versions Gogs affected versions not specified Description An information disclosure issue exists in the Mirror Settings functionality, which allows authenticated users to import local repositories from the server filesystem. This occurs due to a lack o...

8.1CVSS5.8AI score0.00569EPSS
Exploits0References11
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•13 views

PT-2026-51529

NanoClaw before 2.1.17 contains a privilege escalation vulnerability in the handleApprovalsResponse function that fails to verify responder role authorization. Attackers with a valid questionId can approve or reject privileged actions like package installation by submitting approval response...

7.1CVSS5.9AI score0.00213EPSS
Exploits0References4
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•11 views

PT-2026-51515

Grav before 2.0.0-beta.2 contains an XML external entity injection vulnerability in SVG file upload processing that allows authenticated attackers to read arbitrary files. The application uses simplexml load string without disabling external entity loading, enabling attackers to inject XXE payloa...

7.1CVSS6AI score0.00233EPSS
Exploits0References3
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•30 views

PT-2026-51499

Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 and Plug.Conn.Query.decode each/2 parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many...

8.7CVSS5.9AI score0.00707EPSS
Exploits0References9
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•15 views

PT-2026-51470

Name of the Vulnerable Software and Affected Versions FAST/TOOLS versions R9.01 through R10.04 CI Server versions R1.01 through R1.04 Description The web server may return a response containing CI Server setting information, which could be exploited by an attacker to facilitate further attacks...

8.2CVSS5.8AI score0.00217EPSS
Exploits0References8
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•11 views

PT-2026-51600

Name of the Vulnerable Software and Affected Versions jackson-databind versions 2.21.0 through 2.21.3 jackson-databind versions 3.0.0 through 3.1.3 Description In the BeanDeserializer. deserializeUsingPropertyBased function, the active-view @JsonView filter was applied only to creator properties,...

5.3CVSS5.7AI score0.00237EPSS
Exploits0References14
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•26 views

PT-2026-51579

🚨 CVE-2026-54320 Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.184.0, organization invitations could be accepted and declined by a user whose email matched the invitation but had not been verified. Daytona authenticates user...

8.4CVSS6.2AI score0.00215EPSS
Exploits0References3
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•10 views

PT-2026-55519

Mumble is prone to an out-of-bounds array access, which may result in denial of service client crash...

5.9AI score
Exploits0References4
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•12 views

PT-2026-51632

Name of the Vulnerable Software and Affected Versions Gogs versions prior to 0.14.3 Description The built-in Go SSH server in Gogs is subject to an unauthenticated, asymmetric Denial of Service DoS attack. The application accepts inbound TCP connections and passes them to the ssh.NewServerConn...

6.9CVSS5.9AI score0.00547EPSS
Exploits0References10
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•11 views

PT-2026-51490

Name of the Vulnerable Software and Affected Versions Flowise versions 3.0.7 and earlier Description An authenticated user can change the account email address, which serves as the login identifier and password-recovery channel, via the account profile endpoint. This process occurs without...

8.7CVSS5.8AI score0.00296EPSS
Exploits1References8
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•12 views

PT-2026-51633

Name of the Vulnerable Software and Affected Versions Gogs versions prior to 0.14.3 Description Gogs contains an information disclosure issue where the 'GET /api/v1/orgs/:orgname/teams' endpoint returns all teams for any organization without requiring authentication. This occurs because the route...

6.9CVSS5.9AI score0.01553EPSS
Exploits0References11
Positive Technologies
Positive Technologies
•added 2026/06/23 12:0 a.m.•11 views

PT-2026-51503

Capgo before 12.128.2 contains a security control bypass vulnerability where the PostgREST/RLS plane accepts plaintext API keys through the capgkey header despite enforce hashed api keys being enabled. Attackers can bypass org-level hashed-key enforcement by sending plaintext API keys directly to...

8.6CVSS5.9AI score0.00273EPSS
Exploits0References3
Positive Technologies
Positive Technologies
•added 2026/06/22 12:0 a.m.•10 views

PT-2026-51441

Summary The ticket creation endpoint accepts a user-supplied service identifier without enforcing ownership validation, allowing authenticated users to create support tickets referencing services belonging to other accounts by modifying the service ID in the request. Technical Details The ticket...

5.4CVSS5.9AI score0.00042EPSS
Exploits0References3
Positive Technologies
Positive Technologies
•added 2026/06/22 12:0 a.m.•11 views

PT-2026-51342

IBM Datacap 9.1.7, 9.1.8, and 9.1.9 and IBM Datacap Navigator 9.1.7, 9.1.8, and 9.1.9 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to...

6.1CVSS5.5AI score0.00169EPSS
Exploits0References2
Positive Technologies
Positive Technologies
•added 2026/06/22 12:0 a.m.•15 views

PT-2026-51438

Summary The OAuth 2.0 / OpenID Connect authorization endpoint does not sufficiently sanitize certain user-supplied parameters before incorporating them into the HTML response generated for the form post response mode. This may allow an attacker to inject content into the rendered page in the...

9.3CVSS5.8AI score
Exploits0References4
Positive Technologies
Positive Technologies
•added 2026/06/22 12:0 a.m.•22 views

PT-2026-51433

Vulnerability Details CWE: CWE-538 - Insertion of Sensitive Information into Externally-Accessible File or Directory The official docker-compose.yml line 61 mounts the entire project root directory as the Apache document root: yaml volumes: - "./:/var/www/html/AVideo" This causes the .env file —...

7.5CVSS5.9AI score
Exploits0References4
Positive Technologies
Positive Technologies
•added 2026/06/22 12:0 a.m.•26 views

PT-2026-51407

Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2 Description A weak parsing issue exists in the x-limited-key-id header. Remote attackers can bypass subkey enforcement by submitting duplicate headers, zero, or malformed values that result in falsy values or N...

6.4CVSS5.9AI score0.00251EPSS
Exploits0References5
Positive Technologies
Positive Technologies
•added 2026/06/22 12:0 a.m.•9 views

PT-2026-51435

OpenAM Open Identity Platform is an open-source IAM platform providing SSO, OAuth2, SAML, and OpenID Connect capabilities. The CREST REST API layer exposes user query endpoints under /json/realm/users. In IdentityResourceV1.queryCollection, the HTTP query parameter queryId is passed to a CrestQue...

8.7CVSS6AI score0.76385EPSS
Exploits5References5
Positive Technologies
Positive Technologies
•added 2026/06/22 12:0 a.m.•13 views

PT-2026-51285

A cross-site scripting vulnerability in the Builder Component of Pilz PASvisu before 1.14.1 allows a local unauthenticated attacker to inject malicious javascript and gain full control over the device...

7.8CVSS5.7AI score0.00146EPSS
Exploits0References2
Positive Technologies
Positive Technologies
•added 2026/06/22 12:0 a.m.•12 views

PT-2026-51335

Name of the Vulnerable Software and Affected Versions qSnapper versions prior to 1.3.3 Description Incorrect caching of authentication between different polkit PolicyKit, a component for controlling privileges in Unix-like operating systems methods allows a local attacker to perform unauthorized...

8.4CVSS5.8AI score0.00133EPSS
Exploits0References9
Positive Technologies
Positive Technologies
•added 2026/06/22 12:0 a.m.•14 views

PT-2026-51311

Name of the Vulnerable Software and Affected Versions MISP affected versions not specified Description An authenticated site administrator can set the Kafka rdkafka config setting to an arbitrary filesystem path. The system parses the referenced INI file and passes its options to rdkafka. By usin...

9.3CVSS6.3AI score0.00342EPSS
Exploits0References7
Positive Technologies
Positive Technologies
•added 2026/06/22 12:0 a.m.•3 views

PT-2026-55281

This update for rpcbind fixes the following issues - Update to rpcbind 1.2.9 bsc1267212 https://lore.kernel.org/linux-nfs/[email protected]/ rpcinfo: stack buffer overflow in rpcinfo rpcbaddrlist rpcbind: Stop unauthenticated oversized allocation in PMAPPROC CALLIT...

6AI score
Exploits0References5
Total number of security vulnerabilities184508