PT-2026-42455
Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description An issue in the accel/ivpu component allows the re-exporting of imported GEM (Graphics Execution Manager) objects. This occurs because the system fails to verify if a buffer is imported...
PT-2026-42460
Name of the Vulnerable Software and Affected Versions Divi Form Builder versions prior to 5.1.3 Description The Divi Form Builder plugin for WordPress allows unauthenticated attackers to create administrator accounts. This occurs because the plugin accepts a user-controlled role parameter from PO...
PT-2026-42459
Name of the Vulnerable Software and Affected Versions Apache Camel K versions 2.0.0 through 2.8.0 Apache Camel K versions 2.9.0 through 2.9.1 Apache Camel K versions 2.10.0 Description Authorized users in a Kubernetes namespace can create a Build resource to control Pod generation in a namespace ...
PT-2026-42454
Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A use-after-free issue exists in the udlfb component of the fbdev subsystem. The dlfb_ops_mmap function uses remap_pfn_range to map vmalloc framebuffer pages to userspace without setting...
PT-2026-42452
Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description An issue exists in the t7xx_port_enum_msg_handler function where the modem-supplied port count field is used as a loop bound over port_msg->data without verifying if the message buffer...
PT-2026-42453
Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A kernel panic can occur in the Linux kernel when a Random Early Detection (RED) queueing discipline (qdisc) has children, such as a Fair Queueing (FQ) qdisc, whose peek callback is qdisc peek...
PT-2026-42450
Name of the Vulnerable Software and Affected Versions CODESYS Visualization affected versions not specified Description Insufficient isolation of authentication data may cause the remote exposure of credentials between low privileged visualization users during concurrent login operations. This...
PT-2026-42458
Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description An issue exists in the Reliable Delivery Service RDS implementation where zerocopy send operations can fail after user pages are pinned but before the message is attached to the sending...
PT-2026-42445
Incorrect Behaviour of Views with TCP PROXY Requests...
PT-2026-42449
Insufficient Validation of Member Zone Data May Cause Catalog Zone Transfer to Fail...
PT-2026-42448
Concurrency and locking defects in GSS-TSIG...
PT-2026-42444
Name of the Vulnerable Software and Affected Versions MediaArea MediaInfoLib affected versions not specified Description A heap-based buffer overflow occurs during the parsing of LXF elements. A heap-based buffer overflow is a memory corruption issue that happens when an application writes more...
PT-2026-42447
Name of the Vulnerable Software and Affected Versions PowerDNS affected versions not specified Description Insufficient validation of Autoprimary SOA queries can lead to server crashes, GSS-TSIG memory corruption, and view data leaks. GSS-TSIG is a mechanism used to secure DNS communications usin...
PT-2026-42446
Name of the Vulnerable Software and Affected Versions The product name cannot be determined affected versions not specified Description Insufficient validation of names occurs during AXFR Asynchronous Full Transfer, a mechanism used by DNS servers to replicate zone data from a primary server to a...
PT-2026-42461
Name of the Vulnerable Software and Affected Versions Request Tracker versions 5.0.4 through 5.0.9 Request Tracker versions 6.0.0 through 6.0.2 Description Reflected cross-site scripting (XSS) occurs via the Page parameter in GET requests. This allows an attacker to craft a URL that executes...
PT-2026-42474
Insufficient session expiration vulnerability in Turkiye Electricity Transmission Corporation TEİAŞ Mobile Application allows Session Hijacking. This issue affects Mobile Application: from 1.6.2 before 1.13...
PT-2026-42464
Zohocorp ManageEngine ADSelfService Plus version before 6525, DataSecurity Plus before 6264 and RecoveryManager Plus before 6313 are vulnerable to Authenticated Remote code execution in the agent machines due to the bug in the 3rd party dependency...
PT-2026-42475
Improper restriction of excessive authentication attempts vulnerability in Turkiye Electricity Transmission Corporation TEİAŞ Mobile Application allows Brute Force. This issue affects Mobile Application: from 1.6.2 before 1.13...
PT-2026-42463
Authorization bypass through User-Controlled key vulnerability in PosCube Hardware Software and Consulting Ltd. QR Menu allows Exploitation of Trusted Identifiers. This issue affects QR Menu: through 21052026. NOTE: The vendor was contacted early about this disclosure but did not respond in any w...
PT-2026-42476
Buffer Overflow vulnerability in Uncrustify Project Affected v.Uncrustify d-0.82.0-132-bcc41cbdc and Fixed in commit 68e67b9a1435a1bb173b106fedb4a4f510972bdc allows a local attacker to cause a denial of service via the check template.cpp, check template function, tokenize cleanup function,...
PT-2026-42466
Name of the Vulnerable Software and Affected Versions Apex One/SEP agent affected versions not specified Description An origin validation issue in the agent could allow a local attacker to escalate privileges on affected installations. To exploit this, an attacker must first have the ability to...
PT-2026-42472
Name of the Vulnerable Software and Affected Versions Apex One/SEP agent affected versions not specified Description A time-of-check time-of-use (TOCTOU) issue exists in the agent, which occurs when a program checks a condition such as a file's existence or permissions and then uses the result of...
PT-2026-42462
Exposure of private personal information to an unauthorized actor, Insufficiently Protected Credentials vulnerability in Digital Operations Services Inc. WifiBurada allows Authentication Bypass. This issue affects WifiBurada: through 21052026. NOTE: The vendor was contacted early about this...
PT-2026-42465
Name of the Vulnerable Software and Affected Versions Apex One on-premise versions prior to SP1 Build 18012 Apex One new installs versions prior to 17079 Apex One SaaS agent versions prior to 14.0.20731 Description A directory traversal issue in the on-premise management server allows an attacker...
PT-2026-42467
Name of the Vulnerable Software and Affected Versions Trend Micro Apex One/SEP agent affected versions not specified Description An origin validation error in the agent's named pipe communication mechanism allows a local attacker to escalate privileges. To exploit this issue, the attacker must...
PT-2026-42469
Name of the Vulnerable Software and Affected Versions Apex One/SEP agent affected versions not specified Description An origin validation error in the process protection mechanism allows a local attacker to escalate privileges. To exploit this issue, the attacker must first have the ability to...
PT-2026-42468
Name of the Vulnerable Software and Affected Versions Trend Micro TrendAI Apex One affected versions not specified TrendAI Apex One as a Service affected versions not specified Description An origin validation issue in the Apex One/SEP agent allows a local attacker to escalate privileges. This fl...
PT-2026-42473
Name of the Vulnerable Software and Affected Versions gdk-pixbuf-loader-libheif versions prior to 1.22.2-1.1 Description An integer underflow leads to an out-of-bounds (OOB) memory access. This issue was discovered using AI-assisted fuzzing, a technique that uses artificial intelligence to...
PT-2026-42478
Name of the Vulnerable Software and Affected Versions ConnectWise Automate versions prior to 2026.5 Description The ConnectWise Automate Agent fails to fully verify the authenticity of components obtained during plugin loading and self-update operations. This lack of integrity checks during the...
PT-2026-42477
Name of the Vulnerable Software and Affected Versions WP Directory Kit versions prior to 1.5.1 Description WP Directory Kit contains a Blind SQL Injection flaw, which occurs when special elements used in an SQL command are not properly neutralized. This allows an unauthenticated attacker to execu...
PT-2026-42479
Name of the Vulnerable Software and Affected Versions Apache Fory versions prior to 1.0.0 Description Deserialization of untrusted data in Apache Fory PyFory occurs because the ReduceSerializer could bypass documented DeserializationPolicy validation hooks during reduce-state restoration and...
PT-2026-42480
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in add.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket id POST parameter directly into an HTML form input value attribute. Attackers ca...
PT-2026-42527
Open ISES Tickets before 3.44.2 disables TLS certificate verification in rm/incs/mobile login.inc.php by setting CURLOPT_SSL_VERIFYPEER to false and not setting CURLOPT_SSL_VERIFYHOST when issuing outbound HTTPS requests during the mobile RouteMate login flow. A...
PT-2026-42521
Open ISES Tickets before 3.44.2 embeds a hardcoded WhitePages reverse-phone API key in wp1.php that is committed to the public source repository. Any actor with read access to the source tree can extract the key and use it to make third-party API calls billed to or rate-limited against the origin...
PT-2026-42525
Open ISES Tickets before 3.44.2 disables TLS certificate verification in incs/functions.inc.php by setting CURLOPT_SSL_VERIFYPEER to false and not setting CURLOPT_SSL_VERIFYHOST when issuing the general-purpose outbound HTTPS requests made by the shared helper functions...
PT-2026-42531
Authen::TOTP versions before 0.1.1 for Perl generate secrets using rand. Secrets were generated using Perl's built-in rand function, which is predictable and unsuitable for security usage...
PT-2026-42524
Open ISES Tickets before 3.44.2 disables TLS certificate verification in ajax/reports.php by setting CURLOPT_SSL_VERIFYPEER to false and not setting CURLOPT_SSL_VERIFYHOST when issuing outbound HTTPS requests for Google Maps Directions API lookups during incident report generation. An attacker...
PT-2026-42522
Open ISES Tickets before 3.44.2 embeds a hardcoded Google Maps API key in settings.inc.php that is committed to the public source repository. The key can be extracted by anyone with read access to the source and used to make Google Maps Platform requests billed against the original owner's Google...
PT-2026-42523
Open ISES Tickets before 3.44.2 embeds a hardcoded Google Maps API key in tables.php that is committed to the public source repository. The key can be extracted by anyone with read access to the source and used to make Google Maps Platform requests billed against the original owner's Google Cloud...
PT-2026-42503
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in landb.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the type POST parameter directly into an HTML form hidden input value attribute. Attacker...
PT-2026-42506
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patient w.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the id and ticket id GET parameters directly into an HTML form action URL. Attackers...
PT-2026-42526
Open ISES Tickets before 3.44.2 disables TLS certificate verification in incs/login.inc.php by setting CURLOPT_SSL_VERIFYPEER to false and not setting CURLOPT_SSL_VERIFYHOST when issuing outbound HTTPS requests during the login/authentication flow. An attacker...
PT-2026-42511
Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/sit incidents.php where the offset GET parameter is concatenated into the LIMIT clause of a SELECT statement without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modify, ...
PT-2026-42495
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in delete module.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the multiple POST parameters module choice, flag, confirmation directly into...
PT-2026-42491
Name of the Vulnerable Software and Affected Versions VillaTheme HAPPY versions prior to 1.0.11 Description A missing authorization issue in VillaTheme HAPPY allows for the exploitation of incorrectly configured access control security levels. Recommendations Update to version 1.0.11 or later...
PT-2026-42514
Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in db loader.php where the multiple POST parameters ticketsdb, ticketshost, ticketsuser, ticketspassword are concatenated into mysqli connection arguments and dynamic SQL operating against an attacker-controlled database witho...
PT-2026-42519
Open ISES Tickets before 3.44.2 contains hardcoded MySQL database credentials in loader.php a public-facing database utility that are committed to the source repository. Any actor with access to the public source tree or an unauthenticated attacker with read access to the file on a deployed...
PT-2026-42505
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patient.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the id and ticket id GET parameters directly into an HTML form action URL. Attackers ca...
PT-2026-42509
Name of the Vulnerable Software and Affected Versions Open ISES Tickets versions prior to 3.44.2 Description An issue exists in the 'tables.php' endpoint where multiple POST parameters, specifically tablename, indexname, and sortby, are concatenated into table or column identifiers within...
PT-2026-42517
Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/reports.php where the tick id POST parameter is concatenated into the WHERE clause of SELECT statements in the incidents summary report without sanitization. Authenticated attackers can craft requests that alter query...