Search: PtsecurityRecent

175420 matches found

Positive Technologies | added 2026/05/25

PT-2026-43106

Affected: Roundcube Webmail 1.6.14 through 1.6.16; Roundcube Webmail prior to 1.7.1
Description: Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to Server-Side Request Forgery (SSRF), where an attacker...

CVSS 7.2 | AI score 5.8 | EPSS 0.0004
Exploits 0 | References 16

Positive Technologies | added 2026/05/25

PT-2026-43116

A flaw has been found in changmingxie tcc-transaction up to 2.1.0. This issue affects the function Fastjson.parseObject of the component Fastjson AutoType REST API. This manipulation causes deserialization of untrusted data. The attack can be initiated remotely. The vendor was contacted early about this...

CVSS 6.5 | AI score 6.3 | EPSS 0.00045
Exploits 0 | References 4

Positive Technologies | added 2026/05/25

PT-2026-43122

Affected: PuTTY 0.72 through 0.83
Description: A double free exists in the RSA KEX (key exchange), the process by which two parties establish a shared secret key over an insecure channel.
Recommendations: Update to version 0.84...

CVSS 5.9 | AI score 5.8 | EPSS 0.00055
Exploits 0 | References 10

Positive Technologies | added 2026/05/25

PT-2026-43025

Affected: Cargo prior to 1.96.0
Description: Cargo incorrectly handled symbolic links (symlinks), files that point to another file or directory, inside crate tarballs downloaded from third-party registries. This allows a malicious crate to...

CVSS 6.5 | AI score 5.9 | EPSS 0.0007
Exploits 0 | References 8
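The symlink problem in the Cargo entry above, as an added example that is not Cargo's own code: a minimal audit of a registry tarball that flags the three things an unpacker must refuse before writing anything to disk. Absolute or parent-traversing member names, symlink members whose target resolves outside the destination directory, and later members whose path passes through an earlier symlink (those would be written wherever the link points). The archive contents, the destination path and all function names are constructed for the example.

```python
import io
import posixpath
import tarfile


def build_tar(entries):
    """Build an in-memory tar from (name, kind, payload) tuples, where kind is
    "file" (payload = bytes) or "symlink" (payload = link target).
    Constructed test data, not a real crate package."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
            else:
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def _escapes(dest_root, rel_path):
    """True if dest_root/rel_path, once normalised, lies outside dest_root."""
    target = posixpath.normpath(posixpath.join(dest_root, rel_path))
    return posixpath.commonpath([dest_root, target]) != dest_root


def audit_tar(tar_bytes, dest_root="/home/user/.cargo/registry/src"):
    """Return (member_name, reason) for every member an unpacker must refuse.
    dest_root is the hypothetical extraction directory (a POSIX path)."""
    dest_root = posixpath.normpath(dest_root)
    findings = []
    symlinks_seen = set()  # normalised archive paths of symlink members
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for m in tar.getmembers():
            name = posixpath.normpath(m.name)
            if name.startswith("/") or name == ".." or name.startswith("../"):
                findings.append((m.name, "absolute or parent-traversing path"))
                continue
            # a member whose path goes through an earlier symlink would be
            # written wherever that symlink points, not into the package dir
            parts = name.split("/")
            if any("/".join(parts[:i]) in symlinks_seen for i in range(1, len(parts))):
                findings.append((m.name, "path traverses a symlink member"))
                continue
            if m.issym():
                symlinks_seen.add(name)
                # link targets are relative to the symlink's own directory
                resolved = posixpath.normpath(posixpath.join(posixpath.dirname(name), m.linkname))
                if m.linkname.startswith("/") or _escapes(dest_root, resolved):
                    findings.append((m.name, f"symlink escapes destination: {m.linkname}"))
            elif m.islnk():
                findings.append((m.name, "hard link"))
    return findings


# Constructed malicious crate: a symlink pointing out of the registry dir, a
# file written through it, and a plain parent-traversal member name.
MALICIOUS = build_tar([
    ("pkg-1.0.0/Cargo.toml", "file", b"[package]\nname = \"pkg\"\n"),
    ("pkg-1.0.0/home", "symlink", "../../../.."),
    ("pkg-1.0.0/home/.cargo/config.toml", "file", b"[build]\nrustc-wrapper = \"/tmp/x\"\n"),
    ("../escape.txt", "file", b"outside\n"),
])

# Constructed benign crate: only regular files under the package directory.
BENIGN = build_tar([
    ("pkg-1.0.0/Cargo.toml", "file", b"[package]\nname = \"pkg\"\n"),
    ("pkg-1.0.0/src/lib.rs", "file", b"pub fn f() {}\n"),
])

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(label, audit_tar(blob))
```

The check is deliberately stricter than "does the symlink target escape": any member that is written through a symlink is refused even when the link stays inside the tree, because an unpacker that follows links while writing has already lost control of the destination.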
Positive Technologies | added 2026/05/25

PT-2026-42982

A vulnerability was found in SourceCodester Indian Invoicing System 1.0. This issue affects some unknown processing of the file /Invoicing/IGST_Invoice.php of the component Invoice Generation Handler. Manipulation of the argument customer name/category results in SQL injection. The...

CVSS 6.5 | AI score 6.4 | EPSS 0.00031
Exploits 0 | References 5

Positive Technologies | added 2026/05/25

PT-2026-43121

Apache Shiro's Jakarta EE module used the HTTP Referer header in certain cases to issue a redirect after user login. In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module...

AI score 5.8 | EPSS 0.00086
Exploits 0 | References 1
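The Referer-driven redirect in the Shiro entry above, as an added example that is not Shiro's implementation: a post-login redirect helper that treats the Referer as untrusted input. It honours only an absolute URL whose scheme and host:port match the application's own origin, and re-emits it as a path-relative URL so the response can never carry an attacker-chosen scheme or host. The origin string, the fallback and the function name are the caller's configuration, assumed for the example.

```python
from urllib.parse import urlsplit, urlunsplit


def post_login_redirect(referer, app_origin, fallback="/"):
    """Derive a post-login redirect target from the untrusted Referer header.

    Returns a path-relative URL on the application's own origin, or fallback
    for anything that is not provably same-origin."""
    if not referer:
        return fallback
    # backslashes and control characters are normalised differently by
    # browsers and URL parsers; refuse them rather than interpret them
    if "\\" in referer or any(ord(c) < 0x20 or c == "\x7f" for c in referer):
        return fallback
    try:
        ref = urlsplit(referer)
    except ValueError:
        return fallback
    origin = urlsplit(app_origin)
    # compare the full netloc, so "app.example.com@evil.example" (userinfo
    # trick), a scheme downgrade and an added port all fail the check
    if ref.scheme.lower() != origin.scheme.lower() or ref.netloc.lower() != origin.netloc.lower():
        return fallback
    path = ref.path or "/"
    # "//host" would be re-read as a protocol-relative URL by the browser
    if not path.startswith("/") or path.startswith("//"):
        return fallback
    return urlunsplit(("", "", path, ref.query, ""))


if __name__ == "__main__":
    # constructed Referer values a login endpoint might receive
    for r in ("https://app.example.com/account?tab=2", "https://evil.example/phish",
              "//evil.example/x", "https://app.example.com@evil.example/",
              "http://app.example.com/", ""):
        print(repr(r), "->", post_login_redirect(r, "https://app.example.com"))
```

Returning a relative path rather than echoing the validated absolute URL is the part that survives future parser quirks: even if a host comparison were bypassed, the Location header would still point at the application.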
Positive Technologies | added 2026/05/25

PT-2026-43123

Affected: PuTTY 0.77 through 0.83
Description: The software uses a copy of the PuTTY icon to indicate trust for TELNET data; however, the trust status is not cleared between the proxy authentication phase and the main session, which may lead to...

CVSS 3.1 | AI score 5.8 | EPSS 0.00035
Exploits 0 | References 10

Positive Technologies | added 2026/05/25

PT-2026-43016

A vulnerability has been found in DTStack Taier 1.4.0. This affects the function Runtime.exec of the component REST API. Manipulation of the argument sqlText leads to OS command injection. The attack can be carried out remotely. The exploit has been disclosed to the public and may ...

CVSS 6.5 | AI score 6.2 | EPSS 0.01409
Exploits 0 | References 4

Positive Technologies | added 2026/05/25

PT-2026-43217

Twitter-Clone 1 contains a SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the name parameter. Attackers can submit crafted payloads to the search.php endpoint to extract database information including username...

CVSS 8.8 | AI score 6.2 | EPSS 0.00086
Exploits 0 | References 4

Positive Technologies | added 2026/05/25

PT-2026-43030

A flaw has been found in SourceCodester Simple POS and Inventory System 1.0. Impacted is an unknown function of the file /admin/addproduct.php of the component File Extension Handler. Manipulation of the argument image allows unrestricted file upload. Remote exploitation is possible...

CVSS 6.5 | AI score 6.2 | EPSS 0.0004
Exploits 0 | References 5

Positive Technologies | added 2026/05/25

PT-2026-43084

A security vulnerability has been detected in yashpokharna2555 StudentManagementSystem cb2f558ddf8d19396de0f92abf2d224d46a0a203. This affects the function confirm_logged_in of the file student_trans.php. Manipulation of the argument FIRST NAME/Last Name/EMAIL leads to SQL injection. It is...

CVSS 7.5 | AI score 6.9 | EPSS 0.00039
Exploits 0 | References 5

Positive Technologies | added 2026/05/25

PT-2026-43010

A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setWiFiAdvancedCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Manipulation of the argument bgProtection results in OS command injection. The...

CVSS 10 | AI score 7 | EPSS 0.01254
Exploits 0 | References 5

Positive Technologies | added 2026/05/25

PT-2026-43003

A security vulnerability has been detected in Edimax EW-7438RPn 1.31. The impacted element is the function formWlanMP of the file /goform/formWlanMP. The manipulation of the argument...

CVSS 9 | AI score 7.6 | EPSS 0.00046
Exploits 0 | References 4

Positive Technologies | added 2026/05/25

PT-2026-43117

A vulnerability has been found in Dromara lamp-cloud up to 5.6.2. Impacted is the function GroovyClassLoader.parseClass of the component Message Template Handler. Such manipulation of the argument DefMsgTemplate.content leads to improper neutralization of special elements used in a template engin...

CVSS 6.5 | AI score 6.2 | EPSS 0.00046
Exploits 0 | References 4

Positive Technologies | added 2026/05/25

PT-2026-43142

Affected: Totolink CA750-PoE 6.2c.510
Description: An OS command injection issue exists in the Setting Handler component. A remote attacker can manipulate the webWlanIdx argument within the setWebWlanIdx function of the '/cgi-bin/cstecgi.cgi'...

CVSS 6.5 | AI score 6.9 | EPSS 0.0375
Exploits 0 | References 7

Positive Technologies | added 2026/05/25

PT-2026-43071

Affected: hackney 0 through 4.0.0
Description: Improper neutralization of CRLF sequences allows HTTP request splitting. The software fails to percent-encode carriage return (\r) or line feed (\n) characters in the URL query component before constructing...

CVSS 7.5 | AI score 5.9 | EPSS 0.00033
Exploits 1 | References 7

Positive Technologies | added 2026/05/25

PT-2026-43089

A vulnerability was found in yashpokharna2555 StudentManagementSystem up to cb2f558ddf8d19396de0f92abf2d224d46a0a203. Affected by this issue is the function confirm_logged_in of the file /studentdel.php. Manipulation of the argument ID results in SQL injection. The attack may be launched...

CVSS 7.5 | AI score 6.8 | EPSS 0.00039
Exploits 0 | References 5

Positive Technologies | added 2026/05/25

PT-2026-43154

Affected: SePay Gateway prior to 1.1.21
Description: A missing authorization issue in the SePay Gateway allows retrieval of embedded sensitive data.
Recommendations: Update to a version later than 1.1.20...

CVSS 6.5 | AI score 5.8 | EPSS 0.00032
Exploits 0 | References 3

Positive Technologies | added 2026/05/25

PT-2026-43230

Notebook Pro 2.0 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the notebook name field. Attackers can create a malicious text file containing 500 or more characters, paste the content into the New Noteboo...

CVSS 6.9 | AI score 5.8 | EPSS 0.00017
Exploits 0 | References 3

Positive Technologies | added 2026/05/25

PT-2026-43128

Cross-Site Request Forgery (CSRF) vulnerability in Recorp Export WP Page to Static HTML/CSS allows Cross Site Request Forgery. This issue affects Export WP Page to Static HTML/CSS: from n/a through 6.0.0...

CVSS 6.5 | AI score 5.8 | EPSS 0.00016
Exploits 0 | References 1

Positive Technologies | added 2026/05/25

PT-2026-43119

Affected: Apache Shiro 1.0 through 2.1.0; Apache Shiro 3.0.0-alpha-1
Description: Default configurations cause the Shiro-native session manager and the Remember-Me manager to send JSESSIONID and rememberMe cookies without the 'Secure'...

CVSS 6.5 | AI score 5.8 | EPSS 0.00024
Exploits 0 | References 4
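The missing 'Secure' attribute in the Shiro entry above, as an added example that is not Shiro's code and does not use its configuration keys (the page does not show them): a checker that inspects the Set-Cookie headers an application actually emits and reports the session and remember-me cookies that lack Secure, HttpOnly or a restrictive SameSite. The two header sets are constructed, one as an unhardened deployment would send them and one with the attributes set.

```python
def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, {attr_lower: val})."""
    pieces = [p.strip() for p in header_value.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookies(set_cookie_headers, sensitive=("JSESSIONID", "rememberMe")):
    """Return {cookie_name: [problem, ...]} for the session and remember-me
    cookies that lack transport or script protection."""
    problems = {}
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name not in sensitive:
            continue
        issues = []
        if "secure" not in attrs:
            issues.append("missing Secure: the browser also sends it over plaintext HTTP")
        if "httponly" not in attrs:
            issues.append("missing HttpOnly: readable by injected script")
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            issues.append("SameSite not Lax/Strict: attached to cross-site requests")
        if issues:
            problems[name] = issues
    return problems


# Constructed headers: an unhardened deployment, then the same cookies
# with the attributes set. Values are placeholders.
DEFAULT_HEADERS = [
    "JSESSIONID=0f3a9c1d; Path=/; HttpOnly",
    "rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT",
    "theme=dark; Path=/",
]
HARDENED_HEADERS = [
    "JSESSIONID=0f3a9c1d; Path=/; Secure; HttpOnly; SameSite=Lax",
    "rememberMe=deleteMe; Path=/; Max-Age=0; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    print(audit_cookies(DEFAULT_HEADERS))
    print(audit_cookies(HARDENED_HEADERS))
```

Run it against a real response captured with the site's own cookie names in `sensitive`; the rememberMe cookie is worth checking even when it only clears itself (Max-Age=0), because the same manager sets the long-lived one.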
Positive Technologies | added 2026/05/25

PT-2026-43046

A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. The affected element is the function UploadFirmwareFile of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Manipulation of the argument FileName causes OS command injection. The attack is possibl...

CVSS 10 | AI score 7 | EPSS 0.01254
Exploits 0 | References 5

Positive Technologies | added 2026/05/25

PT-2026-43077

A vulnerability was found in Tiandy Easy7 Integrated Management Platform 7.17.0. This vulnerability affects unknown code of the file /Easy7/apps/WebService/GetDBDataEx.jsp. Performing a manipulation of the argument strTBName results in sql injection. Remote exploitation of the attack is possible...

CVSS 7.5 | AI score 6.8 | EPSS 0.00037
Exploits 0 | References 4

Positive Technologies | added 2026/05/25

PT-2026-43129

Cross-Site Request Forgery (CSRF) vulnerability in WpDevArt Organization chart allows Cross Site Request Forgery. This issue affects Organization chart: from n/a through 1.7.5...

CVSS 4.3 | AI score 5.8 | EPSS 0.00016
Exploits 0 | References 1

Positive Technologies | added 2026/05/25

PT-2026-43035

A vulnerability was determined in code-projects Employee Management System 1.0. This affects an unknown function of the file /applyleave.php. Manipulation of the argument ID can lead to cross-site scripting. The attack may be performed remotely. The exploit has been publicly...

CVSS 5.3 | AI score 4.1 | EPSS 0.00035
Exploits 0 | References 5

Positive Technologies | added 2026/05/25

PT-2026-43031

A vulnerability has been found in SourceCodester Simple POS and Inventory System 1.0. The affected element is an unknown function of the file /admin/edit_customer.php. Manipulation of the argument ID leads to SQL injection. The attack can be executed remotely. The exploit has been disclosed ...

CVSS 5.8 | AI score 5.7 | EPSS 0.00036
Exploits 0 | References 5

Positive Technologies | added 2026/05/25

PT-2026-43050

A security vulnerability has been detected in Edimax EW-7438RPn 1.31. Affected is the function formRadius of the file /goform/formRadius. The manipulation of the argument submit-url leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed publicly...

CVSS 9 | AI score 7.8 | EPSS 0.00046
Exploits 0 | References 4

Positive Technologies | added 2026/05/25

PT-2026-43232

Joomla Component eXtroForms 2.1.5 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL commands through the filter_type_id, filter_pid_id, and filter_search parameters. Attackers can submit POST requests to the extroformfield view with malicious SQL...

CVSS 7.1 | AI score 6.1 | EPSS 0.00029
Exploits 0 | References 5

Positive Technologies | added 2026/05/25

PT-2026-43100

A security vulnerability has been detected in Edimax EW-7438RPn 1.31. The affected element is the function formLogout of the file /goform/formLogout. The manipulation of the argument submit-url leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has...

CVSS 9 | AI score 7.8 | EPSS 0.00046
Exploits 0 | References 4

Positive Technologies | added 2026/05/25

PT-2026-43223

mooSocial Store Plugin 2.6 contains a blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries through the product parameter in URL rewrite functionality. Attackers can inject SQL code using boolean-based blind, time-based blind, or stacked query...

CVSS 8.8 | AI score 5.9 | EPSS 0.0009
Exploits 0 | References 5
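The SQL injection entries in this listing (the search.php name parameter in Twitter-Clone and the product parameter in the mooSocial Store Plugin above, among others) all describe the same defect: a request parameter spliced into SQL text. As an added example that is not code from any of those projects, the block below puts the vulnerable pattern next to the parameterised one over a constructed SQLite database and shows why "blind" does not mean "harmless": with nothing but a yes/no answer (did the page list any product?) an attacker recovers a value from another table one character per guess. Table names, rows and the hash strings are all made up for the example.

```python
import sqlite3

# Constructed schema and rows standing in for a store plugin's database
SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
INSERT INTO products VALUES (1, 'Widget', 9.99), (2, 'Gadget', 19.99), (3, 'Gizmo', 4.50);
INSERT INTO users VALUES (1, 'admin', 'h4sh-admin'), (2, 'alice', 'h4sh-alice');
"""


def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def search_unsafe(con, term):
    """Vulnerable pattern: the request parameter is spliced into the SQL text."""
    sql = f"SELECT name, price FROM products WHERE name LIKE '%{term}%'"
    return con.execute(sql).fetchall()


def search_safe(con, term):
    """Hardened: the parameter travels as a bound value, never as SQL."""
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return con.execute(sql, (f"%{term}%",)).fetchall()


def blind_oracle(con, term):
    """The one bit an attacker gets from the vulnerable page: any rows or none."""
    return len(search_unsafe(con, term)) > 0


def blind_extract(con, subquery, alphabet="abcdefghijklmnopqrstuvwxyz0123456789-", max_len=64):
    """Boolean-based blind extraction of a scalar subquery result, one oracle
    call per (position, candidate character). Stops at the first position
    where no candidate matches, i.e. the end of the string."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            # 'zzz' matches no product, so the result depends only on substr()
            probe = f"zzz' OR substr(({subquery}), {pos}, 1) = '{ch}' --"
            if blind_oracle(con, probe):
                recovered += ch
                break
        else:
            break
    return recovered


ADMIN_HASH_SUBQUERY = "SELECT password_hash FROM users WHERE username = 'admin'"

if __name__ == "__main__":
    con = open_db()
    print(search_unsafe(con, "' OR 1=1 --"))   # every product
    print(search_safe(con, "' OR 1=1 --"))     # no product has that name
    print(blind_extract(con, ADMIN_HASH_SUBQUERY))
```

The parameterised version needs no escaping logic of its own; the wildcard is added to the bound value, so a term containing quotes or `--` is matched as text. Against the unsafe version the same input closes the string literal and comments out the rest of the statement.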
Positive Technologies | added 2026/05/25

PT-2026-43103

A vulnerability was found in SourceCodester Student Grades Management System 1.0. Affected is an unknown function of the file grades.php. Performing a manipulation of the argument student id results in improper authorization. The attack may be initiated remotely. The exploit has been made public...

CVSS 6.5 | AI score 6.3 | EPSS 0.0004
Exploits 0 | References 5

Positive Technologies | added 2026/05/25

PT-2026-43001

A security flaw has been discovered in Edimax BR-6675nD 1.12. Impacted is the function mp of the file /goform/mp of the component POST Request Handler. Performing a manipulation of the argument command results in command injection. The attack may be initiated remotely. The exploit has been releas...

CVSS 5.8 | AI score 5.6 | EPSS 0.00324
Exploits 0 | References 4

Positive Technologies | added 2026/05/25

PT-2026-43021

Affected: Acer Care Center (affected versions not specified)
Description: The ACCSvc service creates a Named Pipe with a weak Security Descriptor. This allows an authenticated local user to connect and send a specially crafted message of type 0x03 to the...

CVSS 6.8 | AI score 5.5 | EPSS 0.00013
Exploits 1 | References 4

Positive Technologies | added 2026/05/25

PT-2026-43047

A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. The impacted element is the function setWanCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Manipulation of the argument enabled leads to OS command injection. The attack may be performed...

CVSS 10 | AI score 7.1 | EPSS 0.01254
Exploits 0 | References 5

Positive Technologies | added 2026/05/25

PT-2026-42991

A security vulnerability has been detected in code-projects Employee Management System 1.0. This impacts an unknown function of the file /myprofile.php. Manipulation of the argument ID leads to cross-site scripting. The attack can be executed remotely. The exploit has been disclosed publicly...

CVSS 5.3 | AI score 4.2 | EPSS 0.00035
Exploits 0 | References 5

Positive Technologies | added 2026/05/25

PT-2026-43153

Affected: NanoCare prior to 1.2.2
Description: A missing authorization issue in Linethemes NanoCare allows exploitation of incorrectly configured access control security levels, resulting in broken access control.
Recommendations: Update ...

CVSS 5.4 | AI score 5.8 | EPSS 0.0004
Exploits 0 | References 3

Positive Technologies | added 2026/05/25

PT-2026-43127

Missing Authorization vulnerability in Nikki Blight QR Redirector allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects QR Redirector: from n/a through 2.0.3...

CVSS 4.3 | AI score 5.8 | EPSS 0.00029
Exploits 0 | References 1

Positive Technologies | added 2026/05/25

PT-2026-43111

Affected: Roundcube Webmail 1.6.x through 1.6.15; Roundcube Webmail 1.7.x prior to 1.7
Description: Insufficient HTML sanitization allows Cascading Style Sheets (CSS) injection. This occurs when an SVG document contains an animate...

CVSS 7.2 | AI score 5.8 | EPSS 0.00045
Exploits 0 | References 16

Positive Technologies | added 2026/05/25

PT-2026-43039

A security vulnerability has been detected in FoundDream miniclawd up to 2d65665046e2222eeea76cafc8570ed546a8c125. Affected by this issue is the function ExecTool.execute of the file /src/tools/exec.ts. Such manipulation leads to OS command injection. The attack can be launched remotely. The...

CVSS 7.5 | AI score 6.7 | EPSS 0.02177
Exploits 0 | References 5

Positive Technologies | added 2026/05/25

PT-2026-43146

Affected: StoreApps Smart Manager prior to 8.85.0
Description: Incorrect privilege assignment in StoreApps Smart Manager allows privilege escalation, a condition where a user can gain higher levels of access or permissions than they are...

CVSS 8.8 | AI score 5.8 | EPSS 0.00044
Exploits 0 | References 3

Positive Technologies | added 2026/05/25

PT-2026-43002

A weakness has been identified in Edimax EW-7438RPn 1.31. The affected element is the function formWlanMP of the file /goform/formWlanMP of the component Content-Type Handler. Executing a manipulation of the argument...

CVSS 6.5 | AI score 6.3 | EPSS 0.01409
Exploits 0 | References 4

Positive Technologies | added 2026/05/25

PT-2026-43036

A vulnerability was identified in code-projects Employee Management System 1.0. This impacts an unknown function of the file /changepassemp.php. The manipulation leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used...

CVSS 6.5 | AI score 6.4 | EPSS 0.00031
Exploits 0 | References 5

Positive Technologies | added 2026/05/25

PT-2026-43067

Affected: benoitc hackney 3.1.1 through 4.0.0
Description: A sensitive data exposure issue exists where the HTTP/3 redirect handler in src/hackney_h3.erl passes original request headers to a redirect target without performing cross-origin checks...

CVSS 6.1 | AI score 5.8 | EPSS 0.00027
Exploits 1 | References 7
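The redirect header leak in the hackney entry above, as an added example that is not hackney's code (hackney is Erlang; this is the same decision written in Python): when a client follows a redirect it must compare the origin of the new target with the origin of the request that produced the 3xx, and drop credential-bearing headers whenever scheme, host or port differs. The request, its headers and the Location values are constructed.

```python
from urllib.parse import urljoin, urlsplit

# headers that carry credentials meant for the origin they were addressed to
CREDENTIAL_HEADERS = frozenset({"authorization", "proxy-authorization", "cookie"})


def origin_of(url):
    """(scheme, host, effective port) of an absolute URL."""
    u = urlsplit(url)
    port = u.port if u.port is not None else {"http": 80, "https": 443}.get(u.scheme.lower())
    return (u.scheme.lower(), (u.hostname or "").lower(), port)


def headers_for_redirect(original_url, location, headers):
    """Decide what to resend when following a redirect.

    Returns (resolved_target, headers_to_send). Credential headers are
    forwarded only if the target has the same scheme, host and port as the
    request that produced the redirect; a scheme downgrade or a port change
    counts as a different origin."""
    target = urljoin(original_url, location)
    if origin_of(target) == origin_of(original_url):
        return target, dict(headers)
    stripped = {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}
    return target, stripped


# Constructed authenticated request that the server answers with a 302
ORIGINAL = "https://api.example.com/v1/files/42"
REQUEST_HEADERS = {
    "Authorization": "Bearer example-token",
    "Cookie": "session=example",
    "Accept": "application/octet-stream",
}

if __name__ == "__main__":
    for location in ("/v1/files/42/content", "https://cdn.evil.example/files/42",
                     "http://api.example.com/v1/files/42"):
        print(location, "->", headers_for_redirect(ORIGINAL, location, REQUEST_HEADERS))
```

Resolving `location` with `urljoin` before comparing origins matters: a relative Location stays same-origin, while a protocol-relative one (`//other.host/...`) resolves to a different host and is treated as cross-origin.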
Positive Technologies | added 2026/05/25

PT-2026-43068

Affected: hackney 0.10.0 through 4.0.0
Description: Uncontrolled resource consumption in the SOCKS5 transport within src/hackney_socks5.erl allows flooding. While the caller-supplied timeout is applied during the SOCKS5 negotiation phase, the...

CVSS 8.2 | AI score 5.8 | EPSS 0.00049
Exploits 1 | References 7

Positive Technologies | added 2026/05/25

PT-2026-43222

Admidio 3.3.5 contains a cross-site request forgery vulnerability that allows low-privilege users to increase their permissions by exploiting improper origin checking. Attackers can craft malicious HTML forms targeting roles_function.php with parameters like rol_assign_roles, rol_approve_users, a...

CVSS 6.9 | AI score 5.7 | EPSS 0.00017
Exploits 0 | References 5

Positive Technologies | added 2026/05/25

PT-2026-43014

A vulnerability was detected in Totolink A8000RU 7.1cu.643_b20200521. The affected element is the function setQosCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Manipulation of the argument enable results in OS command injection. Remote exploitation of...

CVSS 10 | AI score 7.1 | EPSS 0.01254
Exploits 0 | References 5

Positive Technologies | added 2026/05/25

PT-2026-43066

Affected: hackney 0.9.0 through 4.0.0
Description: Improper neutralization of CRLF sequences, also known as CRLF injection, allows HTTP response splitting. The setcookie/3 function in src/hackney_cookie.erl validates Name and Value arguments...

CVSS 5.3 | AI score 6 | EPSS 0.00033
Exploits 1 | References 7
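The two CRLF entries for hackney on this page, the unencoded CR/LF in the URL query component (request splitting, PT-2026-43071 above) and the cookie name/value validation in setcookie/3 (response splitting, this entry), are one defect at two different write points. The added example below is not hackney's code (hackney is Erlang); it shows, in Python, a request builder that copies the query byte for byte next to one that percent-encodes it, a counter for how many request lines a server would parse out of the result, and a cookie emitter that refuses any name or value outside the RFC 6265 character sets. The smuggled query string and the cookie values are constructed.

```python
import re
from urllib.parse import quote

# RFC 3986 query characters that may stay raw; CR, LF, SP and anything else
# outside this set is percent-encoded by quote()
_QUERY_SAFE = "/?:@!$&'()*+,;=-._~%"

# RFC 6265: cookie-name is a token, cookie-value is cookie-octet*
# (no CTLs, whitespace, DQUOTE, comma, semicolon or backslash)
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_COOKIE_OCTETS = re.compile(r"^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$")


def request_line_unsafe(host, path, query):
    """Vulnerable pattern: the query string is copied into the request line
    byte for byte, so a CR/LF inside it terminates the line early."""
    target = path + ("?" + query if query else "")
    return f"GET {target} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()


def request_line_safe(host, path, query):
    """Hardened: percent-encode path and query before building the line."""
    target = quote(path, safe="/%:@!$&'()*+,;=-._~")
    if query:
        target += "?" + quote(query, safe=_QUERY_SAFE)
    return f"GET {target} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()


def count_request_lines(raw):
    """How many request lines an HTTP/1.1 server would see in these bytes."""
    return sum(1 for line in raw.split(b"\r\n")
               if re.match(rb"^(?:GET|POST|PUT|DELETE|HEAD) \S+ HTTP/1\.[01]$", line))


def cookie_pair_ok(name, value):
    """True if name and value can go into a Set-Cookie header without
    breaking out of it."""
    return bool(_TOKEN.match(name)) and bool(_COOKIE_OCTETS.match(value))


def set_cookie_header(name, value, attrs=("Path=/", "Secure", "HttpOnly")):
    """Hardened setcookie: reject anything that could carry a header break
    instead of trying to strip it."""
    if not cookie_pair_ok(name, value):
        raise ValueError(f"refusing to emit cookie {name!r}={value!r}")
    return "Set-Cookie: " + "; ".join((f"{name}={value}", *attrs))


# Constructed attacker input: a search term that completes the request line,
# supplies its own Host header and starts a second request.
SMUGGLED_QUERY = "q=x HTTP/1.1\r\nHost: evil.example\r\n\r\nGET /admin?"

if __name__ == "__main__":
    print(request_line_unsafe("api.internal", "/search", SMUGGLED_QUERY))
    print(request_line_safe("api.internal", "/search", SMUGGLED_QUERY))
    print(set_cookie_header("sid", "abc123"))
```

Rejecting rather than stripping is the right call for cookies: a value that contains a CR or LF was never a legitimate cookie value, and silently removing the bytes hides the bug from the caller that produced them.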
Positive Technologies | added 2026/05/25

PT-2026-42990

A weakness has been identified in code-projects Employee Management System 1.0. This affects an unknown function of the file /eloginwel.php. Manipulation of the argument ID causes cross-site scripting. Remote exploitation is possible. The exploit has been made available to the...

CVSS 5.3 | AI score 4.4 | EPSS 0.00035
Exploits 0 | References 5

Positive Technologies | added 2026/05/25

PT-2026-43221

Visual Ping 0.8.0.0 contains a buffer overflow vulnerability in input field handling that allows local attackers to crash the application by supplying oversized data. Attackers can inject malicious payloads exceeding 4108 bytes into the Host, Time Out, Packet Size, Pause, or Loops fields to trigg...

CVSS 6.9 | AI score 6 | EPSS 0.00015
Exploits 0 | References 5

Positive Technologies | added 2026/05/25

PT-2026-43149

Affected: Smart Coupons for WooCommerce prior to 2.3.0
Description: A missing authorization issue in WebToffee Smart Coupons for WooCommerce allows exploitation of incorrectly configured access control security levels. This is a broken...

CVSS 7.5 | AI score 5.8 | EPSS 0.00037
Exploits 0 | References 3