Lucene search
K
PtsecurityRecent

184899 matches found

Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.7 views

PT-2026-53159

Root has patched GHSA-3875-8gcx-7v46 in the @rootio/n8n package for Root:npm. Multiple fixed versions available...

9.1CVSS5.8AI score
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.6 views

PT-2026-53160

This update for rootlesskit rebuilds it against the current go security release...

5.8AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.8 views

PT-2026-53161

This update for rootlesskit rebuilds it against the current go security release...

5.8AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.5 views

PT-2026-53131

Summary The published npm package praisonai ships a TypeScript AgentOS HTTP server that defaults to host: "0.0.0.0" and registers sensitive agent routes without any authentication or authorization middleware. When a developer starts AgentOS, a network attacker who can reach the service can: - rea...

9.4CVSS6.5AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.4 views

PT-2026-53138

Summary The published npm package praisonai exports a TypeScript SandboxExecutor with a network-isolated mode. The CLI lists that mode as: text network-isolated No network access proxy blocked The implementation does not create a network namespace, firewall rule, socket filter, or proxy-enforced...

7.6CVSS6AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.8 views

PT-2026-53132

Summary The email search tool in src/praisonai-agents/praisonaiagents/tools/email tools.py constructs IMAP SEARCH commands by interpolating LLM-controlled parameters from addr, subject, query directly into IMAP protocol strings using f-string formatting with double-quote delimiters. An attacker w...

8.1CVSS6AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.6 views

PT-2026-53184

REST Path Traversal Bypasses Token Redaction in netlicensing-mcp Summary The netlicensing get product MCP tool in netlicensing-mcp interpolates a caller-controlled product number argument directly into a REST URL path without any validation. Passing ../token as the product number causes httpx to...

9.6CVSS5.8AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.6 views

PT-2026-53188

Summary The Docker API server applied its SSRF destination check validate url destination on the non-streaming /crawl path but not on the streaming path. handle stream crawl request passed seed URLs straight to the crawler with no destination validation. A remote, unauthenticated client could cal...

8.6CVSS5.8AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.7 views

PT-2026-53182

@acastellon/auth v2.2.0 appears to allow an unauthenticated authentication bypass in validateToken through spoofable auth-user and Host request headers. The validateToken middleware contains a service-to-service bypass for auth-user: service-brother when req.get'host'.startsWithgetHostName. Both...

9.3CVSS5.8AI score
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.9 views

PT-2026-51424

Уязвимость программного обеспечения выявления уязвимостей и ошибок PT Application Inspector связана с ошибками разграничения доступа. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, получить несанкционированный доступ к защищаемой информации...

6.8CVSS5.8AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.7 views

PT-2026-53127

SpiderTools redirect-target SSRF protection bypass Summary SpiderTools.scrape page validates the initial URL and rejects direct loopback, private, link-local, metadata, and internal hostnames. It then calls requests.Session.get without disabling automatic redirects or validating redirect Location...

6.5CVSS6.4AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.18 views

PT-2026-50649

The Slideshow Gallery LITE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'alwaysauto' shortcode attribute in all versions up to, and including, 1.8.5. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible...

6.4CVSS5.5AI score0.00205EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.31 views

PT-2026-50696

Name of the Vulnerable Software and Affected Versions Grav version 2.0.0-rc.9 with Admin2 version 2.0.0-rc.14 Description A stored cross-site scripting XSS issue exists in the Admin2 Pages API save flow due to a missing XSS safety check during partial validation. Stored XSS occurs when an...

5.1CVSS5.8AI score0.00299EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.6 views

PT-2026-54524

Уязвимость облачной службы корпоративной почты Microsoft Exchange Online связана с отсутствием авторизации. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, повысить свои привилегии...

9.6CVSS7.3AI score0.00389EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.12 views

PT-2026-50861

These are all security issues fixed in the lemon-3.53.2-2.1 package on the GA media of openSUSE Tumbleweed...

5.9AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.26 views

PT-2026-50794

Name of the Vulnerable Software and Affected Versions conda-smithy versions prior to 3.61.0 Description conda-smithy is a tool that combines a conda recipe with configurations to build using freely hosted CI services into a single repository. A flaw in the conda-forge automated webservices allows...

7.6CVSS5.8AI score0.00201EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.6 views

PT-2026-53126

HTTPApproval dashboard renders tool arguments as raw HTML, allowing approval-page XSS to approve dangerous tools Summary praisonai.bots.HTTPApproval renders pending tool approval arguments directly into the approval dashboard HTML. An attacker-controlled tool argument can inject JavaScript into...

8.8CVSS5.8AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.14 views

PT-2026-50643

Cotonti 1.0.0 master branch, commit f43f1fc3 is vulnerable to Cross-Site Request Forgery in the administration rights handler. In system/admin/admin.rights.php, the rights update action 'a=update' modifies group access rights including via cot auth add group without calling cot check xg to valida...

9.6CVSS5.8AI score0.00227EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.18 views

PT-2026-50645

Cotonti 1.0.0 master branch, commit f43f1fc3 is vulnerable to Cross-Site Request Forgery in the Personal File Storage PFS module. In modules/pfs/inc/pfs.editfolder.php, the folder update action 'a=update' updates folder metadata title, description, public/gallery flags without calling cot check x...

5.4CVSS5.3AI score0.00116EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.11 views

PT-2026-53185

Summary JWSVerifier::getAlgorithm in src/Library/Signature/JWSVerifier.php line 144 merges protected and unprotected headers using PHP's spread operator: php $completeHeader = ...$signature-getProtectedHeader, ...$signature-getHeader; In PHP, when spreading arrays with duplicate string keys, the...

9.1CVSS5.8AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.26 views

PT-2026-50626

The Services Section Block – Showcase Service Details in Grid or Columns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'link' Block Attribute in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS5.5AI score0.00212EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.14 views

PT-2026-50729

Component: tract-nnef nnef/src/tensors.rs::read tensor + tract-data data/src/tensor.rs - Affected versions: 0.21.16, 0.22.0–0.22.2, 0.23.0–0.23.1 — the dense DatLoader path was unguarded across all three release lines; patched in 0.21.16 / 0.22.2 / 0.23.1 - Class: CWE-190 integer overflow →...

6.1CVSS5.8AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.21 views

PT-2026-50710

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Versions prior to 0.6.62 have a DOM-based Cross-Site Scripting XSS vulnerability in AutoGPT's signup page. The application improperly trusts a URL parameter next, which is...

8.8CVSS5.5AI score0.00189EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.18 views

PT-2026-50692

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.63, AutoGPT's LoopVideoBLock allows users to input a video file and process the video, such as looping it 5 times or extending the time, and finally writing it t...

8.7CVSS5.3AI score0.00343EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.7 views

PT-2026-54544

Уязвимость платформы для управления и защиты идентификационных данных Azure Active Directory связана с недостатками процедуры аутентификации. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, повысить свои привилегии...

10CVSS7.3AI score0.00562EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.6 views

PT-2026-53137

PraisonAI Code agent tools fail open without a workspace boundary Summary PraisonAI Code's agent-compatible CODE TOOLS wrappers keep a global workspace root initialized to None. If an application uses CODE TOOLS, code read file, code search replace, or code apply diff before calling set workspace...

7.3CVSS6AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.8 views

PT-2026-53155

Root has patched GHSA-fw8g-cg8f-9j28 in the rootio-github.com/prometheus/prometheus package for Root:Go. Multiple fixed versions available...

5.8AI score
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.8 views

PT-2026-53157

Root has patched AIKIDO-2026-11158 in the io.root.org.springframework:spring-core package for Root:Maven. Multiple fixed versions available...

5.8AI score
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.5 views

PT-2026-53129

DiscordApproval accepts unrelated channel messages as dangerous-tool approvals Summary praisonai.bots.DiscordApproval approves a pending dangerous tool call when it sees any later non-bot message in the configured Discord channel whose text is classified as approval, such as yes. The decision is...

8.8CVSS5.9AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.13 views

PT-2026-50663

An SQL Injection vulnerability exists in LMS LAN Management System before commit 4cb30a7 within the "tarifflist.php" module due to insufficient sanitization of the POST "tg" parameter. The application directly concatenates user-supplied array values into an SQL query using "implode", allowing...

8.6CVSS5.9AI score0.00216EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.20 views

PT-2026-50789

Name of the Vulnerable Software and Affected Versions OneDev versions prior to 15.0.7 Description An arbitrary file write issue exists due to symlink path traversal. The TarUtils.untar function creates symbolic links using the getLinkName TAR entry without validating if the target is an absolute...

8.3CVSS6AI score0.00382EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.15 views

PT-2026-50675

Name of the Vulnerable Software and Affected Versions Shenzhen Liandian Communication Technology LTD V380 IP Camera firmware AppFHE1 V1.0.6.020230803 Description A broken authorization boundary in the RTSP Real Time Streaming Protocol, a network control protocol for delivering audio and video med...

6CVSS5.8AI score0.00154EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.15 views

PT-2026-50660

Name of the Vulnerable Software and Affected Versions googleapis/mcp-toolbox affected versions not specified Description An authentication bypass exists in the generic opaque token validation path validateOpaqueToken. When validating an opaque token via an OAuth 2.0 introspection endpoint, the...

9.3CVSS5.8AI score0.00204EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.14 views

PT-2026-50621

The PressPrimer Quiz – AI Quiz Maker, Exam Builder & LMS Assessment Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.3.0 via the 'rule id' parameter due to missing validation on a user controlled key. This makes it possible for...

4.3CVSS5.1AI score0.0026EPSS
Exploits0References16
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.23 views

PT-2026-50658

Name of the Vulnerable Software and Affected Versions ibaPDA affected versions not specified ibaDatCoordinator affected versions not specified Description Remote, unauthenticated attackers can exploit a deserialization of untrusted data issue to achieve remote code execution, potentially gaining...

9.8CVSS6.4AI score0.00553EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.16 views

PT-2026-50635

The CF7 to Webhook plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.0 via the pull the trigger. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can ...

7.2CVSS5.4AI score0.00231EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.22 views

PT-2026-50657

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in OceanWP Ocean Product Sharing allows Stored XSS. This issue affects Ocean Product Sharing: from n/a through 2.2.2...

5.9CVSS5.2AI score0.00143EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.36 views

PT-2026-50640

The SysBasics Customize My Account for WooCommerce – Dashboard, Endpoints, Avatar & Menu Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 4.3.6 due to insufficient input sanitization and output escaping. Thi...

6.1CVSS5.4AI score0.00211EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.15 views

PT-2026-50816

Name of the Vulnerable Software and Affected Versions pgAdmin 4 versions 1.0 through 9.15 Description An issue exists in the named restore point endpoint 'POST /browser/server/restore point/gid/sid' where the user-supplied value field is interpolated directly into the SQL string using str.format...

5.3CVSS5.9AI score0.00245EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.18 views

PT-2026-50636

The PowerPress Podcasting plugin by Blubrry plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'embed' Episode Meta Field in all versions up to, and including, 11.16.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers...

6.4CVSS5.4AI score0.00202EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.12 views

PT-2026-50858

These are all security issues fixed in the inspektor-gadget-0.53.2-1.1 package on the GA media of openSUSE Tumbleweed...

7.5CVSS5.9AI score0.0056EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.7 views

PT-2026-53143

Summary An unauthenticated attacker can read arbitrary files on the server by supplying an absolute filesystem path in the agent file field of the Jobs API. The field has no path validation, no allowlist, and no authentication is required to submit jobs. Details The agent file field in...

7.5CVSS6AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.21 views

PT-2026-50701

InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 including earlier versions were discovered to contain a buffer overflow vulnerability in the device registration function. This vulnerability could allow an attacker to cause a denial of service attack on the remote target device...

5.8AI score0.00329EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.5 views

PT-2026-53128

Summary PraisonAI recipe execution has a dangerous-tool policy that is supposed to block default-denied tools unless the caller explicitly passes allow dangerous tools=True. That policy only checks tools declared in TEMPLATE.yaml requires.tools. For steps-based recipes, the actual execution path...

7.8CVSS6AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.18 views

PT-2026-50665

A Reflected Cross-Site Scripting XSS vulnerability exists in LMS LAN Management System before commit 9c5651b in the "dbrecover.php" and "netremap.php" modules where unsanitized GET parameters are directly embedded into HTML output. This allows an attacker to inject arbitrary JavaScript when an...

8.6CVSS5.3AI score0.00318EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.4 views

PT-2026-53119

Summary The MentionsParser in src/praisonai-agents/praisonaiagents/tools/mentions.py processes @file: mentions in agent prompts by reading arbitrary files from the filesystem. When a file path is not found relative to the workspace, the parser falls back to using the path as an absolute path...

7.5CVSS6AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.7 views

PT-2026-53181

Summary The digits parameter parsed from a provisioning URI is validated only with a lower bound $value 0 and has no upper bound src/OTP.php:353-357. OTP generation computes $code % 10 $this-getDigits src/OTP.php:283. When digits is large enough that 10 digits overflows PHP's integer range and th...

8.7CVSS5.8AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.4 views

PT-2026-53116

PraisonAI Dynamic Context history and terminal tools read files outside configured storage via path traversal Summary PraisonAI's Dynamic Context module provides filesystem-backed history and terminal-log storage. The SDK reference describes the module as providing: - artifact storage for tool...

7.5CVSS5.7AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.9 views

PT-2026-50862

These are all security issues fixed in the tinyproxy-1.11.3-3.1 package on the GA media of openSUSE Tumbleweed...

5.9AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.9 views

PT-2026-53141

On case-insensitive filesystems macOS, Windows, PathFilter compiled its deny-list patterns case-sensitively and matched the path verbatim, so names like .Git/config, .GIT/config, or .oBsIdIaN/secrets.md slipped past the .git/.obsidian/node modules restriction while the OS opened the real file. On...

6.9CVSS5.8AI score
Exploits0References3
Total number of security vulnerabilities184899