Lucene search
K
PtsecurityRecent

184925 matches found

Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.17 views

PT-2026-50644

Cotonti 1.0.0 master branch, commit f43f1fc3 is vulnerable to Cross-Site Request Forgery in the Personal File Storage PFS module. In modules/pfs/inc/pfs.main.php, the file upload action 'a=upload' processes uploaded files without calling cot check xg to validate the anti-CSRF token, even though...

8.6CVSS5.4AI score0.00177EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.15 views

PT-2026-50674

Name of the Vulnerable Software and Affected Versions Docker Sandboxes sbx affected versions not specified Description Docker Sandboxes sbx implements an egress allowlist restricted to HTTP/S traffic but fails to apply this restriction to DNS resolution. The embedded DNS server for each network...

5.7CVSS5.8AI score0.00103EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.19 views

PT-2026-50627

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'groupids' parameter in all versions up to, and including, 1.15.43 due to insufficient escaping on the user supplied parameter and lack of sufficient...

4.9CVSS5.8AI score0.00355EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.12 views

PT-2026-53146

PraisonAI Slack app mention bypasses configured user/channel authorization Summary PraisonAI's Slack bot applies its configured allowed users, allowed channels, and unknown-user pairing policy in the normal Slack message event handler, but not in the adjacent Slack app mention event handler. A...

8.3CVSS6.5AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.6 views

PT-2026-53175

Unknown description...

5.8AI score0.00101EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.5 views

PT-2026-53176

Summary When the crawler saves a downloaded file, the destination filename was taken from attacker-influenced input and joined to the downloads directory with no confinement. A filename containing an absolute path e.g. /etc/cron.d/evil or ../ traversal escaped the downloads directory, giving an...

9.6CVSS6.5AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.18 views

PT-2026-50656

claudiopizzillo PIAF-HMS PBX-In-A-Flash Hotel Management System; no released versions, latest commit 389d2633441b65ced1c104212cd62be2bfca21e5 contains multiple unauthenticated SQL injection vulnerabilities. The application has no authentication mechanism and passes user-supplied HTTP parameters...

9.8CVSS5.8AI score0.00587EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.23 views

PT-2026-50770

Name of the Vulnerable Software and Affected Versions pam usb versions prior to 0.9.2 Description An issue exists in the pusb is loginctl local function where a NULL dereference crash can occur when parsing loginctl output. The function utilizes popen to read results; if the Remote field contains...

5.5CVSS5.9AI score0.00113EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.12 views

PT-2026-50815

Name of the Vulnerable Software and Affected Versions pgAdmin 4 versions 6.0 through 9.15 Description An open redirect exists in the multi-factor authentication MFA flow. The MFA validate and register endpoints, specifically '/mfa/validate', process the user-supplied next query or form parameter...

5.3CVSS5.8AI score0.00218EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.18 views

PT-2026-50732

Impact A denial-of-service DoS vulnerability exists in the factorial operator implementation of NCalc. Specially crafted expressions containing extremely large factorial operands can trigger excessive CPU consumption or cause evaluation to enter a non-terminating loop due to integer overflow in t...

4.8CVSS5.6AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.19 views

PT-2026-50812

Name of the Vulnerable Software and Affected Versions pgAdmin 4 versions 6.9 through 9.15 Description In server mode, two state-mutating endpoints in the SQL Editor blueprint are missing the @pga login required authentication decorator, allowing them to be accessed without an authenticated sessio...

9.5CVSS6.5AI score0.0071EPSS
Exploits0References13
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.19 views

PT-2026-50735

Name of the Vulnerable Software and Affected Versions http-proxy-middleware versions 3.0.4 through 3.0.6 http-proxy-middleware versions prior to 4.1.1 Description An issue exists in the fixRequestBody helper function when the outgoing Content-Type is set to multipart/form-data. The function uses...

7.5CVSS5.8AI score0.00243EPSS
Exploits1References5
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.17 views

PT-2026-50771

Name of the Vulnerable Software and Affected Versions pam usb versions prior to 0.9.2 Description An infinite loop Denial of Service DoS occurs during the process-tree walk when a parent process exits during authentication. The function usb get process parent id fails to initialize the ppid...

4.7CVSS5.9AI score0.00104EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.20 views

PT-2026-50686

Name of the Vulnerable Software and Affected Versions Eclipse 4diac FORTE versions 3.0.0 through 3.1.0 Description A specially crafted DELETE connection command sent to the management interface can cause a dangling pointer. This condition enables a use-after-free scenario, where subsequent comman...

9.8CVSS5.8AI score0.00304EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.17 views

PT-2026-50693

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.63, ScreenshotWebPageBlock will store the captured screenshots in a temporary directory. StepThroughItemsBlock can be used to iterate ScreenshotWebPageBlock...

8.7CVSS5.3AI score0.00276EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.15 views

PT-2026-50683

I got six CVEs in a major npm package including 4 RCEs. CVE-2026-54662, CVE-2026-54661, CVE-2026-54666, CVE-2026-54664, CVE-2026-54660, CVE-2026-54663 Full writeup with every sink and payload here: https://t.co/Pgwn5lgb9y infosec cybersecurity rce...

5.2AI score
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.22 views

PT-2026-50804

Name of the Vulnerable Software and Affected Versions Chef 360 versions prior to 1.7.0 Description A static credential embedded in the software allows unauthenticated access to internal message queues. These queue messages contain tenant-specific identifiers. Recommendations Update to version 1.7...

5.1CVSS5.9AI score0.0017EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.20 views

PT-2026-50673

UBB.threads is vulnerable to Denial of Service DoS. By sending multiple concurrent requests to view any user profile on instances with many registered users, an authenticated attacker can easily exhaust database resources and completely deny access to the application for other users. Because vend...

7.1CVSS5.3AI score0.00293EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.18 views

PT-2026-50677

Woodpecker is a CI/CD engine. Starting in version 3.0.0 and prior to version 3.14.1, a vulnerability in Woodpecker CI's gRPC layer allowed any authenticated agent to impersonate any other agent on the same server by injecting a forged agent id value into outgoing gRPC metadata. The server correct...

7.1CVSS5.3AI score0.00246EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.52 views

PT-2026-53154

The WhatsApp and Linear bot adapters verify the inbound webhook HMAC signature only when a secret is configured. When the secret environment variable is unset — the default on a fresh install and common in development — verification is skipped entirely and the webhook body is parsed and dispatche...

8.6CVSS5.8AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.33 views

PT-2026-50661

Name of the Vulnerable Software and Affected Versions MCP Toolbox for Databases affected versions not specified Description An authenticated authorization bypass occurs due to missing scope enforcement in older protocol handlers. While the 2025-11-25 protocol version handler correctly enforces...

8.6CVSS5.9AI score0.0015EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.12 views

PT-2026-50779

Name of the Vulnerable Software and Affected Versions Coturn versions prior to 4.11.0 Description A stored cross-site scripting XSS issue exists in the web-admin HTTPS interface. An attacker can inject HTML or JavaScript by creating a TURN allocation with a crafted USERNAME value. This script...

5.4CVSS5.8AI score0.00141EPSS
Exploits0References15
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.31 views

PT-2026-50703

Name of the Vulnerable Software and Affected Versions U.S. GAO Electronic Protest Docketing System EPDS affected versions not specified U.S. CBCA Electronic Docketing System EDS affected versions not specified Description The U.S. Government Accountability Office GAO Electronic Protest Docketing...

9.8CVSS5.9AI score0.00427EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.16 views

PT-2026-50781

Name of the Vulnerable Software and Affected Versions pam usb versions prior to 0.9.2 Description This software provides hardware authentication for Linux using removable media. A flaw exists where the getenv function allows environment variable injection into local-check logic via the XRDP...

6.3CVSS5.9AI score0.00127EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.17 views

PT-2026-50821

Name of the Vulnerable Software and Affected Versions Apollo Pharmacy Blood Glucose Monitoring System APG-01 affected versions not specified Description An attacker within Bluetooth Low Energy BLE communication range can passively intercept wireless traffic to obtain sensitive health-related...

7.1CVSS5.9AI score0.00145EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.14 views

PT-2026-50822

Name of the Vulnerable Software and Affected Versions Apollo Pharmacy Blood Glucose Monitoring System APG-01 BT affected versions not specified Description An attacker within Bluetooth Low Energy BLE communication range can monopolize the only available BLE connection slot of the device. This...

7.1CVSS5.9AI score0.00222EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.5 views

PT-2026-54003

Name of the Vulnerable Software and Affected Versions pypdf versions prior to 6.13.3 Description A flaw in the library allows a maliciously crafted PDF to cause a Denial of Service DoS. This occurs when the system parses a content stream that lacks a /Length value, causing the MAX DECLARED STREAM...

6.9CVSS6AI score0.00206EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.17 views

PT-2026-50784

Name of the Vulnerable Software and Affected Versions pam usb versions prior to 0.9.2 Description A symlink race condition exists in the creation of per-device and per-user pad directories. The software employs a check-then-act pattern, where it calls lstat to verify existence and subsequently...

5.8CVSS5.9AI score0.00084EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.19 views

PT-2026-50641

Name of the Vulnerable Software and Affected Versions Google Android affected versions not specified Description A missing permission check in the AndroidManifest.xml file allows for a persistent local denial of service. This issue can be triggered without requiring user interaction or additional...

10CVSS6AI score0.00138EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.21 views

PT-2026-50719

Name of the Vulnerable Software and Affected Versions opentelemetry-collector-contrib sentryexporter affected versions not specified Description The Sentry exporter fails to validate the service.name resource attribute when constructing Sentry API URLs. Because this attribute is controlled by...

5.3CVSS6.1AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.17 views

PT-2026-50797

Name of the Vulnerable Software and Affected Versions Hashgraph Guardian versions prior to 3.5.0 commit ba8c566 Description A stored cross-site scripting issue exists where authenticated users with the STANDARD REGISTRY role can inject malicious scripts. This occurs by submitting a crafted...

4.8CVSS5.9AI score0.00177EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.15 views

PT-2026-50694

Name of the Vulnerable Software and Affected Versions AutoGPT versions prior to 0.6.63 Description AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. The AddAudioToVideoBlock function downloads and stores video and audio file...

7.1CVSS5.8AI score0.00247EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.21 views

PT-2026-50682

I got six CVEs in a major npm package including 4 RCEs. CVE-2026-54662, CVE-2026-54661, CVE-2026-54666, CVE-2026-54664, CVE-2026-54660, CVE-2026-54663 Full writeup with every sink and payload here: https://t.co/Pgwn5lgb9y infosec cybersecurity rce...

5.2AI score
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.20 views

PT-2026-50744

Name of the Vulnerable Software and Affected Versions Grav versions prior to 1.7.53 Description An authenticated administrator with backup permissions can download a ZIP archive containing the full installation root. This archive includes sensitive files such as user/accounts/admin.yaml, which...

6.8CVSS6AI score0.00174EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.18 views

PT-2026-50740

Name of the Vulnerable Software and Affected Versions Zitadel versions 4.0.0 through 4.15.1 Zitadel versions 3.0.0 through 3.4.11 Description A Server-Side Request Forgery SSRF issue exists in components that handle outgoing HTTP requests, specifically HTTP Notification Channels, OIDC BackChannel...

2.3CVSS6AI score0.00252EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.18 views

PT-2026-50726

Name of the Vulnerable Software and Affected Versions Kirby versions prior to 4.9.4 Kirby versions prior to 5.4.4 Description Missing authorization in the content management system allows authenticated users to retrieve information for arbitrary published pages. By knowing or guessing page IDs or...

7.1CVSS6AI score0.00269EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.18 views

PT-2026-50811

Name of the Vulnerable Software and Affected Versions pgAdmin 4 versions 9.13 through 9.15 Description A read-only transaction bypass exists in the pgAdmin 4 AI Assistant, allowing an attacker who can influence database content read by the assistant to execute arbitrary SQL with the privileges of...

9.4CVSS6.8AI score0.00482EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.14 views

PT-2026-50697

InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 including earlier versions were discovered to contain a command injection vulnerability in the Python configuration function. This vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input...

5.9AI score0.01316EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.15 views

PT-2026-50681

I got six CVEs in a major npm package including 4 RCEs. CVE-2026-54662, CVE-2026-54661, CVE-2026-54666, CVE-2026-54664, CVE-2026-54660, CVE-2026-54663 Full writeup with every sink and payload here: https://t.co/Pgwn5lgb9y infosec cybersecurity rce...

5.2AI score
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.20 views

PT-2026-50774

Name of the Vulnerable Software and Affected Versions AzeoTech DAQFactory versions prior to 21.2 Description A Type Confusion issue exists where an attacker can use specially crafted .ctl files to achieve arbitrary code execution. Type Confusion occurs when a program accesses a resource using a...

8.4CVSS6.1AI score0.00148EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.21 views

PT-2026-50646

Cotonti 1.0.0 master branch, commit f43f1fc3 is vulnerable to stored Cross-Site Scripting in the Personal File Storage PFS module. A folder title pff title is imported with the 'TXT' filter, which does not strip or encode HTML the tag check in cot import is disabled, so an authenticated user can...

7.6CVSS5.2AI score0.00171EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.8 views

PT-2026-53187

Summary The Docker API server accepted a request-supplied browser config.extra args, which flowed into Chromium's launch arguments. An attacker could inject Chromium switches that replace a child-process launch command --utility-cmd-prefix, --renderer-cmd-prefix, --gpu-launcher,...

10CVSS6.5AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.17 views

PT-2026-50801

Name of the Vulnerable Software and Affected Versions phpMyFAQ versions prior to 4.1.4 Description Missing authorization in the public API allows users to bypass role permission checks. The system only verifies a shared API key header via the hasValidToken function instead of validating individua...

6.5CVSS5.9AI score0.0024EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.22 views

PT-2026-50669

uBB.threads is vulnerable to a Cross-Site Request Forgery CSRF due to a lack of protective mechanisms. This allows an attacker to trick an authenticated user into executing unintended actions. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version...

8.6CVSS5.2AI score0.00293EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.25 views

PT-2026-50676

Name of the Vulnerable Software and Affected Versions Docker Sandboxes affected versions not specified Description Docker Sandboxes sbx fail to re-apply the ICMP egress authorizer to networks rebuilt from disk after a Docker daemon restart. This allows a restart-surviving sandbox to forward ICMP...

5.7CVSS6AI score0.00097EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.20 views

PT-2026-50685

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in David Lingren Media LIbrary Assistant allows Blind SQL Injection. This issue affects Media LIbrary Assistant: from n/a through 3.35...

8.5CVSS5.5AI score0.00211EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.8 views

PT-2026-53120

Summary The SSE Server-Sent Events server in src/praisonai-agents/praisonaiagents/server/server.py exposes a /publish endpoint that broadcasts arbitrary messages to all connected clients without any authentication. The ServerConfig dataclass line 24 defines an auth token field, but this token is...

4.3CVSS6AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.18 views

PT-2026-50650

8cc is vulnerable to an Out‑of‑Bounds Read due to improper handling of line directives and GNU linemarkers. The compiler accepts attacker-controlled filename and line number metadata and later uses it without validation when accessing source line arrays. By supplying invalid or oversized line...

5.1CVSS5.3AI score0.00138EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.26 views

PT-2026-50628

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'name' parameter in all versions up to, and including, 1.15.43 due to insufficient escaping on the user supplied parameter and lack of sufficient...

4.9CVSS5.8AI score0.00355EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.20 views

PT-2026-53180

Impact The experimental Chacha20Poly1305 key-encryption algorithm generates the 16-byte Poly1305 authentication tag during encryptKey but discards it: the tag is never written to the header and therefore never reaches the wire. On the receiving side, decryptKey calls openssl...

6CVSS5.9AI score
Exploits0References4
Total number of security vulnerabilities184925