Lucene search
K
PtsecurityRecent

184382 matches found

Positive Technologies
Positive Technologies
added 3 days ago5 views

PT-2026-56896

Hoppscotch is an open source API development ecosystem. Prior to 2026.6.0, mock server creation in mock-server.service.ts does not persist the isPublic input field while schema.prisma defaults isPublic to true, causing mock servers linked to private collections to be publicly accessible without...

7.5CVSS5.9AI score0.00336EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 3 days ago5 views

PT-2026-56900

Ghost is a Node.js content management system. From 6.27.0 before 6.44.0, Ghost's public donation checkout flow allowed an unauthenticated attacker to control donation checkout metadata and obtain full paid gift memberships for a minimal payment without exposing customer or member data or stealing...

5.3CVSS5.8AI score0.00257EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 3 days ago5 views

PT-2026-56902

Metabase is an open-source business intelligence and embedded analytics tool. Prior to 1.58.15, 1.59.12, 1.60.6.3, and 1.61.1.4, Metabase instances with an H2 database connection, including the default sample database, deserialize arbitrary Java objects returned in H2 native query result columns ...

9.9CVSS6.2AI score0.00447EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 3 days ago7 views

PT-2026-56897

Name of the Vulnerable Software and Affected Versions Hoppscotch versions prior to 2026.6.0 Description The updateInfraConfigs GraphQL mutation in admin/infra.resolver.ts accepts an attacker-controlled MAILER SMTP URL value. Additionally, the validateSMTPUrl function in utils.ts permits path,...

7.2CVSS6.3AI score0.00518EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 3 days ago5 views

PT-2026-56898

Name of the Vulnerable Software and Affected Versions Ruflo versions prior to 3.16.3 Description The default docker-compose deployment exposes the MCP bridge endpoints 'POST /mcp' and 'POST /mcp/:group' without authentication. This allows an unauthenticated network attacker to invoke the terminal...

10CVSS6.1AI score0.00442EPSS
Exploits0References12
Positive Technologies
Positive Technologies
added 3 days ago5 views

PT-2026-56985

An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine PFE of Juniper Networks Junos OS on MX Series allows adjacent subscribers to bypass configured firewall filters. On MX Series devices with MPC10/11, LC4800/9600, and MX304 with subscribers...

5.3CVSS6AI score0.00238EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 3 days ago6 views

PT-2026-56986

An Improper Handling of Undefined Parameters vulnerability in the packet forwarding engine pfe of Juniper Networks Junos OS on EX Series devices allows an authenticated attacker with low privileges to cause a Denial-of-Service DoS. If an attempt is made to subscribe to an unsupported telemetry...

7.1CVSS5.9AI score0.00411EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 3 days ago5 views

PT-2026-56987

A Use of Incorrectly-Resolved Name or Reference vulnerability in the URL filtering plugin of Juniper Networks Junos OS on MX Series allows an unauthenticated, network-based attacker to bypass web filtering and access downstream resources that should be unreachable. If an MX Series device is...

6.9CVSS6AI score0.00347EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 3 days ago4 views

PT-2026-56999

Name of the Vulnerable Software and Affected Versions Discourse versions prior to 2026.6.0 Discourse versions prior to 2026.5.1 Discourse versions prior to 2026.4.2 Discourse versions prior to 2026.1.5 Description Insufficient SVG sanitization during the handling of uploads and user avatars can...

5.4CVSS6AI score0.00264EPSS
Exploits0References12
Positive Technologies
Positive Technologies
added 3 days ago5 views

PT-2026-57000

Name of the Vulnerable Software and Affected Versions Discourse versions prior to 2026.6.0 Discourse versions prior to 2026.5.1 Discourse versions prior to 2026.4.2 Discourse versions prior to 2026.1.5 Description A stored cross-site scripting issue exists where a malicious second factor name on ...

7.3CVSS6.2AI score0.00392EPSS
Exploits0References12
Positive Technologies
Positive Technologies
added 3 days ago5 views

PT-2026-56998

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, the AWS SES bounce webhook at POST /webhooks/aws verified that SNS messages were signed by Amazon but did not bind them to trusted TopicArn values, allowing any AWS account holder to publish...

6.5CVSS6AI score0.00221EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 3 days ago5 views

PT-2026-56978

A Use of Multiple Resources with Duplicate Identifier vulnerability in the IKE daemon iked of Juniper Networks Junos OS on MX with SPC3 and SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service DoS. On an MX with SPC3 and SRX devices configured for VPN service,...

6.9CVSS5.9AI score0.00417EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 3 days ago4 views

PT-2026-56975

Name of the Vulnerable Software and Affected Versions Junos OS on SRX Series versions prior to 23.2R2-S7 Junos OS on SRX Series versions prior to 23.4R2-S8 Junos OS on SRX Series versions prior to 24.2R2-S4 Junos OS on SRX Series versions prior to 24.4R2-S4 Junos OS on SRX Series versions prior t...

6.9CVSS6.2AI score0.00474EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 3 days ago6 views

PT-2026-56984

A Concurrent Execution using Shared Resource with Improper Synchronization 'Race Condition' vulnerability in the packet forwarding engine PFE of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service DoS. As part of the stateful...

8.2CVSS6AI score0.00381EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 3 days ago6 views

PT-2026-56980

Name of the Vulnerable Software and Affected Versions Junos OS on MX Series with SPC3 and SRX Series versions prior to 23.2R2-S7 Junos OS on MX Series with SPC3 and SRX Series versions 23.4 prior to 23.4R2-S8 Junos OS on MX Series with SPC3 and SRX Series versions 24.2 prior to 24.2R2-S5 Junos OS...

8.7CVSS6.1AI score0.00461EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 3 days ago5 views

PT-2026-56981

A Missing Release of Memory after Effective Lifetime vulnerability in the packet forwarding engine pfe of Juniper Networks Junos OS on specific EX Series devices allows an unauthenticated adjacent attacker to cause a Denial-of-Service DoS.When sFlow is configured in a Virtual Chassis VC scenario...

7.1CVSS6.1AI score0.00269EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 3 days ago5 views

PT-2026-56903

LibreBooking's email template editor save action passes the submitted template name directly into the destination file path, allowing a remote attacker with administrator credentials to write an arbitrary file outside the template directory and execute code. Fixed in 5.1.0...

8.6CVSS6.2AI score0.0084EPSS
Exploits1References6
Positive Technologies
Positive Technologies
added 3 days ago5 views

PT-2026-56904

The Superior Court of California Hearing Reminder Service at https://www.hrs.courts.ca.gov exposes an API endpoint that returns court reminder records containing potentially sensitive information without authentication...

6.9CVSS5.9AI score0.00272EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 3 days ago4 views

PT-2026-56818

An improper authorization check in MISP’s attribute creation endpoint allowed an authenticated user with permission to add attributes to submit a sharing group id without triggering the corresponding sharing group authorization check, as long as the attribute distribution value was not explicitly...

5.3CVSS6AI score0.00244EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 3 days ago8 views

PT-2026-56806

A vulnerability has been identified in CPCI85 Central Processing/Communication All versions V26.20, SICORE Base system All versions V26.20.0. The affected application ships with a default configuration that disables all OPC UA security mechanisms. This could allow an attacker to gain unauthorized...

6.3CVSS5.9AI score0.00146EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 3 days ago6 views

PT-2026-56882

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, get event call delivered execute:python and execute:tool Socket.IO events to a client-supplied session id after checking only that the session was connected, allowing authenticated users who...

7.7CVSS6AI score0.00276EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 3 days ago8 views

PT-2026-57009

Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.7.1 Description An unauthenticated publish visitor can perform a UNION SELECT injection via the block search endpoint 'POST /api/search/fullTextSearchBlock'. The issue occurs because the endpoint concatenates...

7.5CVSS6.1AI score0.0038EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 3 days ago5 views

PT-2026-57004

Name of the Vulnerable Software and Affected Versions Discourse versions prior to 2026.6.0 Discourse versions prior to 2026.5.1 Discourse versions prior to 2026.4.2 Discourse versions prior to 2026.1.5 Description Post revisions intended to be hidden from regular users may be leaked through visib...

5.3CVSS6.1AI score0.00314EPSS
Exploits0References12
Positive Technologies
Positive Technologies
added 3 days ago10 views

PT-2026-57011

Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.7.1 Description An authenticated administrator or API-token user can exfiltrate sensitive files from the host system. The 'POST /api/file/globalCopyFiles' endpoint accepts absolute source paths and uses the...

4.9CVSS6.1AI score0.00278EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 3 days ago6 views

PT-2026-57012

Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.7.1 Description In the Asset.render function within app/src/asset/index.ts, the unsanitized this.path variable is interpolated into HTML assigned to innerHTML. A crafted asset link containing a double quote can break...

8.6CVSS6.2AI score0.00305EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 3 days ago7 views

PT-2026-56996

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, regular users could route direct S3 multipart uploads through ExternalUploadManager into the admin backup store. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5...

6.5CVSS5.9AI score0.00366EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 3 days ago5 views

PT-2026-56901

Metabase is an open-source business intelligence and embedded analytics tool. From 1.55.0 until 1.58.15.1, 1.59.12, 1.60.6.3, and 1.61.2, Metabase did not validate unsafe H2 connection properties on one database-creation code path, allowing an authenticated administrator to register a crafted H2...

9.1CVSS6.2AI score0.00391EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 3 days ago7 views

PT-2026-56700

The WP Support Plus Responsive Ticket System WordPress plugin through 9.1.2 does not sign or verify its guest-session cookie, allowing unauthenticated attackers to forge it and impersonate any ticket owner identified by email address to read, reply to, and close that person's support tickets...

6AI score0.00193EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 3 days ago8 views

PT-2026-56702

The Fediverse Embeds WordPress plugin before 1.5.8 does not validate the destination of the server-side request performed by an unauthenticated media-proxying endpoint, allowing anonymous users to make the site fetch arbitrary URLs, including internal and private-network addresses, and read back...

5.9AI score0.00187EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 3 days ago8 views

PT-2026-56703

The Fediverse Embeds WordPress plugin before 1.5.8 does not validate the destination of the server-side request performed by an unauthenticated site-info endpoint before fetching it, allowing anonymous users the gating nonce is exposed on public pages carrying an embed to make the site request...

5.8AI score0.00187EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 3 days ago8 views

PT-2026-56698

The Everest Forms WordPress plugin before 3.5.0 does not reliably delete temporary CSV files generated during email-notification processing and leaves them publicly accessible in the uploads directory, allowing unauthenticated attackers to retrieve other users' form submission records via...

6AI score0.00256EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 3 days ago8 views

PT-2026-56701

The Everest Forms WordPress plugin before 3.5.0 does not correctly restrict access to several REST API endpoints belonging to its onboarding assistant: the capability check is only applied when an attacker-controllable request header holds a specific value, so it can be bypassed by omitting or...

5.9AI score0.00179EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 3 days ago8 views

PT-2026-56699

The WP DSGVO Tools GDPR WordPress plugin before 3.1.40 does not perform an authorization check on the immediate-processing path of its data subject access request feature, allowing unauthenticated attackers to generate and download the full personal-data export including name, postal address, pho...

6AI score0.00193EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 3 days ago8 views

PT-2026-56811

Cesanta Mongoose before 7.22 contains an out-of-bounds read in the built-in TLS server function mg tls server recv hello, which uses an attacker-controlled session id len byte from a TLS ClientHello as a buffer index without validating it against the length of received data. A remote,...

8.7CVSS6.2AI score0.00441EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 3 days ago11 views

PT-2026-56821

A stack-based buffer overflow vulnerability in the RTSP service of Tenda CP3 V3.0 firmware V31.1.9.91 allows an unauthenticated remote attacker to cause a denial of service via a crafted PLAY request...

6.3AI score0.0041EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 3 days ago7 views

PT-2026-57243

These are all security issues fixed in the rclone-1.74.4-1.1 package on the GA media of openSUSE Tumbleweed...

6.1AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 3 days ago5 views

PT-2026-56921

Name of the Vulnerable Software and Affected Versions OpenPLC Runtime version 3 Description An authenticated arbitrary file write exists in the legacy web UI program-upload workflow. The application stores an attacker-supplied filename prog file into the Programs.File database field and uses this...

9.9CVSS6.5AI score0.00616EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 3 days ago10 views

PT-2026-56697

The Divi Form Builder plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.1.8. This is due to the update user function accepting a user ID parameter from form submissions without verifying that the authenticated user has permission to edit that specific...

8.8CVSS5.9AI score0.00309EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 3 days ago7 views

PT-2026-56939

Man, this is straight-up wild! Nearly 100 plugins and themes are completely exposed right now with zero fixes in sight, and honestly, it's making my anxiety spike just thinking about it! If the developer went ghost and abandoned ship, you've got to stop messing around and dump that software...

9.9CVSS6AI score0.00541EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 3 days ago7 views

PT-2026-56881

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, channel thread parent and reply handling did not bind parent id to the channel in the URL, allowing an authenticated user to reference a message from another private or DM channel and disclose...

3.1CVSS5.9AI score0.00257EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 3 days ago11 views

PT-2026-56944

Man, this is straight-up wild! Nearly 100 plugins and themes are completely exposed right now with zero fixes in sight, and honestly, it's making my anxiety spike just thinking about it! If the developer went ghost and abandoned ship, you've got to stop messing around and dump that software...

9.9CVSS6AI score0.00541EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 3 days ago8 views

PT-2026-56770

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'new event type background color' parameter in all versions up to, and including, 4.3.4.2 due to insufficient input sanitization and output escaping. This makes it...

7.2CVSS6.1AI score0.00247EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 3 days ago8 views

PT-2026-56977

An Improper Validation of Specified Quantity in Input vulnerability in the TCP proxy plugin of Juniper Networks Junos OS on MX Series with SPC3, and SRX Series allows an unauthenticated, network-based attacker to cause a complete Denial of Service DoS. When TCP proxy is engaged in a flow session,...

8.7CVSS6AI score0.00461EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 3 days ago6 views

PT-2026-56891

A vulnerability was detected in TOTOLINK X5000R 9.1.0cu.2415 B20250515/9.1.0cu.2350 B20230313. Affected by this vulnerability is the function exportOvpn of the file /web/cgi-bin/cstecgi.cgi of the component OpenVPN Export. The manipulation results in path traversal. The attack may be launched...

6.9CVSS6AI score0.00488EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 3 days ago6 views

PT-2026-57022

Impact What kind of vulnerability is it? Who is impacted? A verifier configured with WithTransparencyLogN1 or WithSignedCertificateTimestampsN1 expected defense-in-depth against the compromise of a single log instance. However, threshold counting counted verified witnesses per-entry or...

5.9CVSS5.9AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 3 days ago6 views

PT-2026-56982

An Improper Restriction of Communication Channel to Intended Endpoints vulnerability in Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to cause license exhaustion. Due to an incorrect initialization, a process which should only be able to communicate internall...

7.3CVSS5.9AI score0.00301EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 3 days ago7 views

PT-2026-56928

An Unchecked Input for Loop Condition vulnerability in the Packet Forwarding Engine pfe of Juniper Networks Junos OS on MX Series allows an unauthenticated, adjacent attacker to cause a Denial-of-Service DoS.Micro-BFD session flaps generate respective up/down events which are queued by PFEMAN for...

7.1CVSS5.9AI score0.00269EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 3 days ago7 views

PT-2026-57342

Name of the Vulnerable Software and Affected Versions RoundCube versions prior to 1.7 Description A stored cross-site scripting XSS flaw exists where an unescaped attachment MIME type is displayed on the attachment-validation warning page. An attacker can craft a malicious MIME type string that,...

6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 3 days ago7 views

PT-2026-56798

A vulnerability was determined in GPAC 26.03-DEV. This affects the function vobsub read idx of the file /src/media tools/vobsub.c of the component MP4Box. Executing a manipulation of the argument num langs can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has be...

4.8CVSS5.4AI score0.00112EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 3 days ago10 views

PT-2026-56807

A vulnerability has been identified in CPCI85 Central Processing/Communication All versions V26.20, SICORE Base system All versions V26.20.0. The affected application contains insufficient validation of authentication credentials when processing administrative account modifications through the we...

8.6CVSS5.9AI score0.0034EPSS
Exploits0References1
Total number of security vulnerabilities184382