175468 matches found

Positive Technologies, added 2026/05/20 12:00 a.m., 6 views

PT-2026-42361

Drupal core includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL...

AI score: 6.2 | Exploits: 0 | References: 2

Positive Technologies, added 2026/05/20 12:00 a.m., 6 views

PT-2026-42364

Vikunja has iCalendar Property Injection via CRLF in CalDAV Task Output in code.vikunja.io/api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerabilit...

CVSS: 4.1 | AI score: 5.8 | EPSS: 0.00032 | Exploits: 1 | References: 5

Positive Technologies, added 2026/05/20 12:00 a.m., 5 views

PT-2026-42378

free5GC's BSF concurrent PUT /nbsf-management/v1/subscriptions/subId crashes the BSF process via concurrent map read/write on Subscriptions in github.com/free5gc/bsf...

AI score: 5.8 | Exploits: 0 | References: 5

Positive Technologies, added 2026/05/20 12:00 a.m., 8 views

PT-2026-42379

free5GC's SMF UPI management interface lacks auth middleware; unauthenticated topology read/write requests reach handlers in github.com/free5gc/smf...

AI score: 5.8 | Exploits: 0 | References: 5

Positive Technologies, added 2026/05/20 12:00 a.m., 4 views

PT-2026-42382

Dalfox has an Unauthenticated Remote DoS via Closed-Channel Write in ParameterAnalysis server mode in github.com/hahwul/dalfox...

AI score: 5.8 | Exploits: 0 | References: 3

Positive Technologies, added 2026/05/20 12:00 a.m., 7 views

PT-2026-42398

Name of the Vulnerable Software and Affected Versions: FreeBSD versions 14.x. Description: A stack buffer overflow exists in the setcred2 system call. The issue occurs because a user-supplied list of supplementary groups is copied into a fixed-size kernel stack buffer before the privilege level of t...

CVSS: 7.8 | AI score: 6.3 | EPSS: 0.00007 | Exploits: 1 | References: 22

Positive Technologies, added 2026/05/20 12:00 a.m., 9 views

PT-2026-42173

Name of the Vulnerable Software and Affected Versions: Twig, affected versions not specified. Description: The Compiler::string function fails to escape single quotes when generating PHP double-quoted string literals. In ModuleNode::compileConstructor, template names from a % use % tag are processed...

CVSS: 9.3 | AI score: 6.5 | EPSS: 0.00357 | Exploits: 0 | References: 16

Positive Technologies, added 2026/05/20 12:00 a.m., 4 views

PT-2026-42854

A vulnerability in an automated penetration testing system is caused by a failure to neutralize special elements. Exploitation of the vulnerability may allow a remote attacker to execute arbitrary commands on the server...

CVSS: 7.1 | AI score: 5.8 | Exploits: 0 | References: 2

Positive Technologies, added 2026/05/20 12:00 a.m., 4 views

PT-2026-42853

A vulnerability in an automated penetration testing system is caused by a failure to neutralize special elements. Exploitation of the vulnerability may allow a remote attacker to execute arbitrary commands on the server...

CVSS: 7.1 | AI score: 5.8 | Exploits: 0 | References: 2

Positive Technologies, added 2026/05/20 12:00 a.m., 5 views

PT-2026-42868

CVE-2026-8399 - Apache Struts Remote Code Execution Vulnerability. CVE ID: CVE-2026-8399. Published: May 20, 2026, 11:16 p.m. | 16 minutes ago. Description: Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. Severity: 0.0 | NA. Visit the link for more details...

AI score: 5.8 | Exploits: 0 | References: 1

Positive Technologies, added 2026/05/20 12:00 a.m., 7 views

PT-2026-42267

Name of the Vulnerable Software and Affected Versions: HP Linux Imaging and Printing Software, affected versions not specified. Description: An OS command injection flaw exists in the HP Linux Imaging and Printing Software. This issue may allow an attacker to achieve escalation of privileges and/or...

CVSS: 9.8 | AI score: 6 | EPSS: 0.00124 | Exploits: 0 | References: 28

Positive Technologies, added 2026/05/20 12:00 a.m., 7 views

PT-2026-42266

Name of the Vulnerable Software and Affected Versions: HP Linux Imaging and Printing Software versions prior to 3.26.4. Description: An integer overflow exists in the hpcups processing path when handling crafted print data. This flaw allows unauthenticated attackers to bypass memory limits,...

CVSS: 9.8 | AI score: 5.8 | EPSS: 0.00124 | Exploits: 0 | References: 36

Positive Technologies, added 2026/05/20 12:00 a.m., 8 views

PT-2026-42104

The Advanced Database Cleaner – Premium plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 4.1.0 via the 'template' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .ph...

CVSS: 8.8 | AI score: 6.4 | EPSS: 0.00108 | Exploits: 0 | References: 4

Positive Technologies, added 2026/05/20 12:00 a.m., 8 views

PT-2026-42224

Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. In versions 0.102.1 and prior, the Clipper API in Trilium Desktop v0.101.3 allows full authentication bypass when running in an Electron environment. When Trilium detects an...

CVSS: 8.6 | AI score: 5.8 | EPSS: 0.00094 | Exploits: 0 | References: 3

Positive Technologies, added 2026/05/20 12:00 a.m., 8 views

PT-2026-42273

Name of the Vulnerable Software and Affected Versions: authentik versions prior to 2025.12.5; authentik versions 2026.2.0-rc1 through 2026.2.2. Description: An authentication bypass exists due to SAML NameID XML Comment Injection. The software incorrectly extracts the NameID value from a SAML...

CVSS: 8.7 | AI score: 5.8 | EPSS: 0.00026 | Exploits: 0 | References: 10

Positive Technologies, added 2026/05/20 12:00 a.m., 9 views

PT-2026-42109

Name of the Vulnerable Software and Affected Versions: memcached versions prior to 1.6.42. Description: Username data for SASL password database authentication contains a timing side channel. This occurs because the sasl server userdb checkpass function utilizes a loop that terminates immediately up...

CVSS: 8.1 | AI score: 5.8 | EPSS: 0.00084 | Exploits: 0 | References: 29

Positive Technologies, added 2026/05/20 12:00 a.m., 6 views

PT-2026-42060

The Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in versions up to and including 1.1.1. This is due to the import demo function accepting a user-supplied URL in the demo json file POST parameter and...

CVSS: 5.4 | AI score: 5.9 | EPSS: 0.00131 | Exploits: 0 | References: 9

Positive Technologies, added 2026/05/20 12:00 a.m., 11 views

PT-2026-42058

The Oliver POS – A WooCommerce Point of Sale POS plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.4.2.6. The plugin protects its entire /wp-json/pos-bridge/ REST API namespace through the oliver pos rest authentication...

CVSS: 6.5 | AI score: 5.7 | EPSS: 0.00244 | Exploits: 0 | References: 12

Positive Technologies, added 2026/05/20 12:00 a.m., 7 views

PT-2026-42110

Name of the Vulnerable Software and Affected Versions: memcached versions prior to 1.6.42. Description: Password data for SASL password database authentication contains a timing side channel. This occurs because the sasl server userdb checkpass function utilizes memcmp, which can allow an attacker t...

CVSS: 8.1 | AI score: 5.8 | EPSS: 0.00084 | Exploits: 0 | References: 29

Positive Technologies, added 2026/05/20 12:00 a.m., 9 views

PT-2026-42262

Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains a hard-coded credential vulnerability in the embedded web configuration interface where authentication is implemented entirely in client-side JavaScript in login.zhtml, exposing static plaintext credentials in the page source...

CVSS: 9.8 | AI score: 5.8 | EPSS: 0.00154 | Exploits: 0 | References: 3

Positive Technologies, added 2026/05/20 12:00 a.m., 7 views

PT-2026-42131

Name of the Vulnerable Software and Affected Versions: NLnet Labs Unbound versions 1.14.0 through 1.25.0. Description: A heap overflow occurs when encoding multiple NSID, DNS Cookie EDNS, and EDNS Padding options in a reply packet. This happens because a flaw in the size calculation of the EDNS fiel...

CVSS: 10 | AI score: 5.9 | EPSS: 0.00435 | Exploits: 0 | References: 72

Positive Technologies, added 2026/05/20 12:00 a.m., 8 views

PT-2026-42092

Name of the Vulnerable Software and Affected Versions: NVIDIA Triton Inference Server versions prior to r26.03. Description: An authentication bypass exists in the server that could allow an attacker to gain unauthorized access. Successful exploitation may result in code execution, escalation of...

CVSS: 9.8 | AI score: 5.5 | EPSS: 0.00152 | Exploits: 0 | References: 8

Positive Technologies, added 2026/05/20 12:00 a.m., 7 views

PT-2026-42091

NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause an authentication bypass. A successful exploit of this vulnerability might lead to escalation of privileges, denial of service, or information disclosure...

CVSS: 7.3 | AI score: 5.8 | EPSS: 0.00126 | Exploits: 0 | References: 3

Positive Technologies, added 2026/05/20 12:00 a.m., 6 views

PT-2026-42222

ArcGIS Server contains an input validation weakness in the login redirection workflow. An authenticated attacker could exploit this issue by sending a specially crafted request. Successful exploitation may result in the application redirecting the browser to an unintended, untrusted site, resulti...

CVSS: 4.7 | AI score: 5.6 | EPSS: 0.00046 | Exploits: 0 | References: 2

Positive Technologies, added 2026/05/20 12:00 a.m., 8 views

PT-2026-42217

NVIDIA BioNemo for Linux contains a vulnerability where a user could cause a deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering...

CVSS: 7.8 | AI score: 5.9 | EPSS: 0.00081 | Exploits: 0 | References: 3

Positive Technologies, added 2026/05/20 12:00 a.m., 9 views

PT-2026-42221

ArcGIS Server contains an improper authentication vulnerability in an undocumented administrative endpoint. An unauthenticated attacker could exploit this issue by sending a crafted request to the endpoint. Successful exploitation may result in disruption of the web-based browsing interface. This...

CVSS: 5.3 | AI score: 5.8 | EPSS: 0.00102 | Exploits: 0 | References: 2

Positive Technologies, added 2026/05/20 12:00 a.m., 11 views

PT-2026-42193

Name of the Vulnerable Software and Affected Versions: Cisco Secure Workload versions prior to 3.10.8.3; Cisco Secure Workload versions prior to 4.0.3.17. Description: Insufficient validation and authentication in the internal REST API endpoints of Cisco Secure Workload allow an unauthenticated, remo...

CVSS: 10 | AI score: 5.8 | EPSS: 0.0005 | Exploits: 1 | References: 57

Positive Technologies, added 2026/05/20 12:00 a.m., 6 views

PT-2026-42263

Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains an authentication bypass vulnerability in the embedded web configuration interface that allows unauthenticated attackers to access internal application pages without any session management or server-side authentication checks. Attacker...

CVSS: 9.8 | AI score: 5.8 | EPSS: 0.00255 | Exploits: 0 | References: 3

Positive Technologies, added 2026/05/20 12:00 a.m., 10 views

PT-2026-42223

Name of the Vulnerable Software and Affected Versions: XWiki Platform versions prior to 16.10.17; XWiki Platform versions prior to 17.4.9; XWiki Platform versions prior to 17.10.3; XWiki Platform versions prior to 18.1.0-rc-1. Description: The 'POST /wikis/wikiName' API executes a XAR import without...

CVSS: 9.3 | AI score: 5.8 | EPSS: 0.00033 | Exploits: 1 | References: 7

Positive Technologies, added 2026/05/20 12:00 a.m., 8 views

PT-2026-42228

Name of the Vulnerable Software and Affected Versions: Drupal core versions 8.9.0 through 10.4.9; Drupal core versions 10.5.0 through 10.5.9; Drupal core versions 10.6.0 through 10.6.8; Drupal core versions 11.0.0 through 11.1.9; Drupal core versions 11.2.0 through 11.2.11; Drupal core versions 11.3.0...

CVSS: 9.8 | AI score: 7.2 | EPSS: 0.12731 | Exploits: 12 | References: 177

Positive Technologies, added 2026/05/20 12:00 a.m., 7 views

PT-2026-42189

MISP’s OIDC authentication plugin allowed automatic linking of an OIDC identity to an existing local user account based on the email claim when the local account had no stored sub value. Under insecure or untrusted IdP configurations where email ownership is not enforced, an attacker with a valid...

CVSS: 6 | AI score: 5.8 | EPSS: 0.00028 | Exploits: 0 | References: 2

Positive Technologies, added 2026/05/20 12:00 a.m., 10 views

PT-2026-42128

Name of the Vulnerable Software and Affected Versions: NLnet Labs Unbound versions prior to 1.25.1. Description: An issue exists related to the parsing of long lists of incoming EDNS (Extension Mechanisms for DNS) options. An adversary can send queries containing an excessive number of EDNS options,...

CVSS: 10 | AI score: 5.8 | EPSS: 0.00435 | Exploits: 0 | References: 54

Positive Technologies, added 2026/05/20 12:00 a.m., 8 views

PT-2026-42129

Name of the Vulnerable Software and Affected Versions: NLnet Labs Unbound versions prior to 1.25.1. Description: An issue exists in the jostle logic that can degrade resolution performance. When the num-queries-per-thread limit is reached, the jostle logic identifies slow-resolving queries for...

CVSS: 10 | AI score: 5.8 | EPSS: 0.00435 | Exploits: 0 | References: 52

Positive Technologies, added 2026/05/20 12:00 a.m., 7 views

PT-2026-42133

Name of the Vulnerable Software and Affected Versions: NLnet Labs Unbound versions prior to 1.25.1. Description: An issue exists where promiscuous RRSets (Resource Record Sets) that complement DNS replies in the authority section can be used to trick the system into caching unauthorized records. An...

CVSS: 10 | AI score: 5.8 | EPSS: 0.00435 | Exploits: 0 | References: 54

Positive Technologies, added 2026/05/20 12:00 a.m., 5 views

PT-2026-42368

Rclone: Unauthenticated options/set allows runtime auth bypass, leading to sensitive operations and command execution in github.com/rclone/rclone. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this ...

CVSS: 9.8 | AI score: 5.9 | EPSS: 0.26321 | Exploits: 1 | References: 5

Positive Technologies, added 2026/05/20 12:00 a.m., 6 views

PT-2026-42124

Name of the Vulnerable Software and Affected Versions: NLnet Labs Unbound versions 1.6.2 through 1.25.0. Description: A denial of service issue exists when the software is compiled with DNSCrypt support using the --enable-dnscrypt flag. A specially crafted DNSCrypt query, where the decrypted plainte...

CVSS: 10 | AI score: 5.8 | EPSS: 0.00435 | Exploits: 0 | References: 54

Positive Technologies, added 2026/05/20 12:00 a.m., 9 views

PT-2026-42127

Name of the Vulnerable Software and Affected Versions: Unbound versions 1.16.2 through 1.25.0. Description: An issue exists within the ghost domain names family of attacks that allows an adversary who controls a ghost zone and can query the system to extend the ghost domain window by up to one cache...

CVSS: 10 | AI score: 5.7 | EPSS: 0.00435 | Exploits: 0 | References: 52

Positive Technologies, added 2026/05/20 12:00 a.m., 7 views

PT-2026-42125

Name of the Vulnerable Software and Affected Versions: NLnet Labs Unbound versions 1.19.1 through 1.25.0. Description: A flaw in the DNSSEC validator allows for denial of service and potential remote code execution. The issue occurs during the deep copying of a data structure when DS sub-queries...

CVSS: 10 | AI score: 6.3 | EPSS: 0.00435 | Exploits: 0 | References: 72

Positive Technologies, added 2026/05/20 12:00 a.m., 8 views

PT-2026-42132

Name of the Vulnerable Software and Affected Versions: NLnet Labs Unbound versions prior to 1.25.1. Description: A denial of service issue exists in the DNSSEC validator. When constructing chase-reply messages for validation, the software uses an incorrect counter to calculate write offsets for...

CVSS: 10 | AI score: 5.8 | EPSS: 0.00435 | Exploits: 0 | References: 73

Positive Technologies, added 2026/05/20 12:00 a.m., 9 views

PT-2026-42130

Name of the Vulnerable Software and Affected Versions: NLnet Labs Unbound versions prior to 1.25.1. Description: A flaw in the DNSSEC validator occurs when the code path used to consult the negative cache for DS records ignores the limit on NSEC3 hash calculations. An attacker controlling a DNSSEC...

CVSS: 10 | AI score: 5.9 | EPSS: 0.00435 | Exploits: 0 | References: 51

Positive Technologies, added 2026/05/20 12:00 a.m., 6 views

PT-2026-42134

Name of the Vulnerable Software and Affected Versions: NLnet Labs Unbound versions prior to 1.25.1. Description: An issue exists when handling replies with very large RRsets (Resource Record sets) that require name compression. Malicious upstream responses containing very large RRsets with records tha...

CVSS: 10 | AI score: 5.8 | EPSS: 0.00435 | Exploits: 0 | References: 52

Positive Technologies, added 2026/05/20 12:00 a.m., 7 views

PT-2026-42162

Name of the Vulnerable Software and Affected Versions: Microsoft Defender, affected versions not specified. Description: A heap-based buffer overflow in Microsoft Defender allows an unauthorized attacker to execute code over a network. A heap-based buffer overflow occurs when an application writes mo...

CVSS: 8.1 | AI score: 6.2 | EPSS: 0.00041 | Exploits: 0 | References: 8

Positive Technologies, added 2026/05/20 12:00 a.m., 7 views

PT-2026-42182

Ledger Bitcoin app versions 2.1.0 and 2.1.1 contain an address derivation vulnerability that allows attackers to cause incorrect Bitcoin addresses to be displayed by exploiting improper handling of miniscript policies containing the a: fragment. Attackers can craft malicious miniscript policies...

CVSS: 4.1 | AI score: 5.8 | EPSS: 0.00016 | Exploits: 0 | References: 3

Positive Technologies, added 2026/05/20 12:00 a.m., 8 views

PT-2026-42177

Name of the Vulnerable Software and Affected Versions: phoenix storybook versions 0.4.0 through 1.0.x. Description: An authorization bypass occurs due to user-controlled keys, allowing cross-session PubSub topic injection via a URL query parameter. The function handle params/3 in...

CVSS: 2.3 | AI score: 5.5 | EPSS: 0.00054 | Exploits: 0 | References: 11

Positive Technologies, added 2026/05/20 12:00 a.m., 8 views

PT-2026-42120

Name of the Vulnerable Software and Affected Versions: Budibase versions prior to 3.38.2. Description: An authorization bypass exists in the SCIM router within packages/worker/src/api/routes/global/scim.ts. The router only utilizes the requireSCIM and doInScimContext middlewares, failing to implemen...

CVSS: 9.9 | AI score: 5.8 | EPSS: 0.00044 | Exploits: 0 | References: 4

Positive Technologies, added 2026/05/20 12:00 a.m., 10 views

PT-2026-42181

Uncontrolled Memory Allocation vulnerability in Progress Software MOVEit Automation allows Excessive Allocation. This issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7...

CVSS: 7.5 | AI score: 5.8 | EPSS: 0.00006 | Exploits: 0 | References: 3

Positive Technologies, added 2026/05/20 12:00 a.m., 7 views

PT-2026-42184

Buffer Overflow vulnerability in EPSON L14150 FL27PB allows a remote attacker to execute arbitrary code via the RAW Printing Service JetDirect on TCP port 9100...

CVSS: 7.5 | AI score: 6.2 | EPSS: 0.00255 | Exploits: 0 | References: 3

Positive Technologies, added 2026/05/19 12:00 a.m., 9 views

PT-2026-41949

Name of the Vulnerable Software and Affected Versions: Panabit PAP-XM320 versions prior to 7.8. Description: A command injection issue exists in the web management interface, which invokes the backend helper /usr/sbin/pappiw and passes user-controlled parameters to it. The helper uses the eval...

CVSS: 5.4 | AI score: 6.1 | EPSS: 0.0016 | Exploits: 0 | References: 4

Positive Technologies, added 2026/05/19 12:00 a.m., 11 views

PT-2026-41758

Name of the Vulnerable Software and Affected Versions: Discourse versions prior to 2026.1.4; Discourse versions prior to 2026.3.1; Discourse versions prior to 2026.4.1; Discourse versions prior to 2026.5.0-latest.1. Description: Outdated cached AI summaries can leak removed content to anonymous and...

CVSS: 5.3 | AI score: 5.8 | EPSS: 0.00094 | Exploits: 0 | References: 6

Positive Technologies, added 2026/05/19 12:00 a.m., 7 views

PT-2026-41764

Name of the Vulnerable Software and Affected Versions: Discourse versions prior to 2026.1.4; Discourse versions prior to 2026.3.1; Discourse versions prior to 2026.4.1; Discourse versions prior to 2026.5.0-latest.1. Description: An authenticated user on an instance with the form templates feature enabl...

CVSS: 6 | AI score: 5.7 | EPSS: 0.00038 | Exploits: 0 | References: 9

Total number of security vulnerabilities: 175468