Lucene search
K
PtsecurityRecent

184951 matches found

Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.16 views

PT-2026-50599

Name of the Vulnerable Software and Affected Versions org.hl7.fhir.dstu2 affected versions not specified Description An incomplete patch in the org.hl7.fhir.dstu2 module allows an unauthenticated attacker to cause a Regular Expression Denial of Service ReDoS. While other modules were updated to...

7.5CVSS5.9AI score0.00354EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.24 views

PT-2026-50608

Name of the Vulnerable Software and Affected Versions Drupal core affected versions not specified Description The rebuild.php front controller, used to clear caches and rebuild the container when a site is in an unexpected condition, fails to correctly validate the Host header against trusted hos...

5.2AI score0.00133EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.21 views

PT-2026-50609

Name of the Vulnerable Software and Affected Versions Drupal core affected versions not specified Description The Media module supports oEmbed, which utilizes two discovery mechanisms: providers.json and URL discovery. The URL discovery code can be exploited to trick the system into making...

5.5AI score0.00133EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.23 views

PT-2026-50610

Name of the Vulnerable Software and Affected Versions Drupal core affected versions not specified Description The JSON:API and REST modules allow image file uploads to image fields. The validation rules verify the file extension but fail to check the file MIME type Multipurpose Internet Mail...

4.8AI score0.0015EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.18 views

PT-2026-50594

Name of the Vulnerable Software and Affected Versions Claude Code versions 0.2.54 through 2.1.162 Description The WebFetch tool pre-approved the hostname 'huggingface.co' as a bare hostname, allowing any path on that domain to be auto-approved without a permission prompt or restrictions from...

6CVSS5.9AI score0.00403EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.17 views

PT-2026-50596

Name of the Vulnerable Software and Affected Versions langchain4j-mariadb versions prior to 1.2.1-beta8 langchain4j-mariadb versions prior to 1.5.1-beta11 langchain4j-mariadb versions prior to 1.11.8-beta19 langchain4j-mariadb versions prior to 1.16.3-beta26 langchain4j-pgvector versions prior to...

7.6CVSS6.2AI score0.00348EPSS
Exploits0References14
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.22 views

PT-2026-50607

Name of the Vulnerable Software and Affected Versions Drupal core affected versions not specified Description Drupal core contains a gadget chain, which is a sequence of existing code fragments that can be leveraged during the deserialization of untrusted data. While this issue is not directly...

6.6AI score0.00161EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.14 views

PT-2026-50591

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.6 Description An issue exists in the self-hosted artificial intelligence platform where collection-level Access Control List ACL checks can be bypassed when Milvus multitenancy mode is enabled. The ACL permits...

6.5CVSS5.9AI score0.00281EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.14 views

PT-2026-50590

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.6 Description The SafePlaywrightURLLoader uses a validate url function to prevent Server-Side Request Forgery SSRF by checking the IP address of a user-provided URL. However, this validation only occurs for the...

7.7CVSS5.9AI score0.00287EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.20 views

PT-2026-50582

Name of the Vulnerable Software and Affected Versions Drupal Formatter Field versions 0.0.0 through 2.0.0 Description Improperly controlled modification of dynamically-determined object attributes in the Formatter Field module allows for Object Injection. This occurs because the module stores dat...

6.1AI score0.00173EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.22 views

PT-2026-50612

Name of the Vulnerable Software and Affected Versions Drupal Plotly.js Graphing versions 0.0.0 through 3.0.2 Description Improperly controlled modification of dynamically-determined object attributes allows object injection. The module stores certain data as PHP-serialized strings, and if malicio...

6.1AI score0.00161EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.22 views

PT-2026-50606

Name of the Vulnerable Software and Affected Versions Drupal core affected versions not specified Description An attacker with appropriate JSON:API write permissions could potentially inject a malicious payload in certain rare circumstances, leading to PHP Object Injection. PHP Object Injection...

6AI score0.00161EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.21 views

PT-2026-50600

Name of the Vulnerable Software and Affected Versions org.hl7.fhir.utilities versions 6.9.8 and earlier Description The org.hl7.fhir.utilities library contains an XML External Entity XXE injection flaw. The saxonTransform function overloads instantiate a bare net.sf.saxon.TransformerFactoryImpl...

9.2CVSS6AI score0.00309EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.20 views

PT-2026-50589

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.6 Description The terminal-server reverse proxy in backend/open webui/routers/terminals.py fails to properly confine the user-controlled path segment before forwarding it to an admin-configured terminal server...

7.7CVSS5.9AI score0.00349EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.22 views

PT-2026-50561

Name of the Vulnerable Software and Affected Versions bbot affected versions not specified Description The docker pull module fails to validate the realm parameter received from a Docker registry's WWW-Authenticate response header when using it as the authentication endpoint. A man-in-the-middle...

3.1CVSS5.4AI score0.00167EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.17 views

PT-2026-50499

Name of the Vulnerable Software and Affected Versions undici versions 5.15.0 through 6.25.x undici versions 7.0.0 through 7.27.x undici versions 8.0.0 through 8.4.x Description When parsing a Set-Cookie header, the software accepts any SameSite attribute value containing Strict, Lax, or None as a...

3.7CVSS5.3AI score0.00248EPSS
Exploits0References117
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.19 views

PT-2026-50487

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.6 Description Open WebUI contains an authorization flaw in its prompt version-history endpoints. While the system authorizes the prompt id provided in the URL, it fails to verify that the requested history...

6.4CVSS5.9AI score0.00169EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.13 views

PT-2026-50490

Name of the Vulnerable Software and Affected Versions vLLM versions prior to 0.23.1rc0 Description Temperature validation gates use comparison operators that silently evaluate to False when encountering NaN Not a Number or positive Infinity due to Python's IEEE 754 float semantics. These values...

6.9CVSS5.9AI score0.00261EPSS
Exploits1References7
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.24 views

PT-2026-50472

Name of the Vulnerable Software and Affected Versions vLLM versions 0.5.5 through 0.23.1rc0 Description Integer truncation of tensor dimensions in GGUF dequantize kernels within csrc/quantization/gguf/gguf kernel.cu leads to partial tensor processing. The output tensor is allocated at full size...

7.5CVSS5.8AI score0.00281EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.19 views

PT-2026-50469

picklescan before 1.0.3 contains a scanning bypass vulnerability in the scan pytorch function that allows attackers to embed malicious magic numbers via dynamic eval using the reduce trick. Attackers can craft malicious PyTorch payloads that evade picklescan detection while remaining executable,...

7.1CVSS6.1AI score0.00434EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.18 views

PT-2026-50448

OpenStack Horizon before 25.7.4 produces scripts for OpenStack RC file downloading that may have a crafted project name with shell metacharacters. NOTE: some parties consider this a security hardening opportunity to address certain types of user error, not a vulnerability...

6CVSS5.3AI score0.0019EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.22 views

PT-2026-50481

Name of the Vulnerable Software and Affected Versions Open-webui affected versions not specified Description An authenticated user can access files belonging to other users by exploiting a lack of ownership verification in the image processing path. When the POST endpoint "/api/chat/completions"...

6.5CVSS5.9AI score0.00225EPSS
Exploits1References7
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.21 views

PT-2026-50478

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.6 Description An authorization bypass exists in the calendar event update process. The endpoint '/api/v1/calendars/events/event id/update' validates that the user has write access to the calendar where the even...

4.3CVSS5.9AI score0.00179EPSS
Exploits1References6
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.19 views

PT-2026-50479

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.6 Description The chat message listener in the chat page's window message listener processes input:prompt and action:submit messages without enforcing same-origin restrictions. This allows an external site to s...

7.1CVSS5.8AI score0.00162EPSS
Exploits1References7
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.16 views

PT-2026-50547

Today I received a public security credit for a vulnerability I responsibly disclosed: CVE-2026-54683 – Improper authorization in NL Portal The vulnerability allowed any authenticated portal user to download documents belonging to other users when they had access to a valid document identifier. A...

6.5CVSS5.2AI score
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.17 views

PT-2026-50517

Name of the Vulnerable Software and Affected Versions undici versions 7.23.0 through 7.27.x undici versions 8.0.0 through 8.4.x Description The ProxyAgent in undici silently drops the requestTls option when configured with a SOCKS5 proxy URI socks5:// or socks://. This causes the target HTTPS...

7.4CVSS5.8AI score0.00476EPSS
Exploits0References65
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.16 views

PT-2026-50505

Missing Authentication for Critical Function vulnerability in RTI Connext Professional Security Plugins allows Fake the Source of Data.This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.0.0 before 7.3.1.3, from 6.1.0 before 6.1., from 6.0.0 before 6.0., from 5.3.0 before 5.3...

6CVSS5.3AI score0.00212EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.21 views

PT-2026-50330

Name of the Vulnerable Software and Affected Versions JetSmartFilters versions prior to 3.8.2 Description An unauthenticated SQL Injection allows an attacker to interfere with the queries that an application makes to its database. This occurs in the JetSmartFilters WordPress plugin. Recommendatio...

9.3CVSS6AI score0.00372EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.22 views

PT-2026-50370

Cross-Site request forgery CSRF vulnerability in Andy Moyle Emergency Password Reset allows Cross Site Request Forgery. This issue affects Emergency Password Reset: from n/a through 8.0...

4.3CVSS5.2AI score0.00127EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.18 views

PT-2026-50304

Unauthenticated Local File Inclusion in Malmö = 2.2 versions...

8.1CVSS5.2AI score0.00338EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.27 views

PT-2026-50229

Name of the Vulnerable Software and Affected Versions Android versions prior to June 2026 Description A logic error in the setAllowedCarriers function within PhoneInterfaceManager.java allows for the disabling of carrier restrictions. This flaw can lead to local escalation of privilege without...

10CVSS5.4AI score0.00155EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.22 views

PT-2026-50240

In Contacts Provider, there is a possible way to access the contacts database due to SQL injection. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation...

10CVSS5.9AI score0.00148EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.20 views

PT-2026-50411

Unauthenticated Local File Inclusion in Kastell = 2.0 versions...

8.1CVSS5.2AI score0.00428EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.18 views

PT-2026-50513

Name of the Vulnerable Software and Affected Versions undici versions 7.23.0 through 8.1.0 Description When using Socks5ProxyAgent, the software reuses a single connection pool across different origins without verifying if the pool's origin matches the requested origin. This leads to cross-origin...

8.8CVSS5.8AI score0.00358EPSS
Exploits0References68
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.22 views

PT-2026-50525

Name of the Vulnerable Software and Affected Versions Sonatype Nexus Repository Manager versions prior to 3.93.0 Description An authorization bypass exists in the proxy repository configuration. This issue allows a delegated repository administrator to disclose stored upstream proxy credentials...

5.9CVSS5.2AI score0.0026EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.20 views

PT-2026-50197

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 149.0.7827.155 Description A heap buffer overflow occurs in WebRTC, which is a framework that enables real-time communication such as voice and video calls within web browsers. This issue allows a remote attacke...

9.6CVSS6.5AI score0.00601EPSS
Exploits0References41
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.19 views

PT-2026-50489

Name of the Vulnerable Software and Affected Versions vLLM versions prior to 0.23.1rc0 Description The '/v1/audio/transcriptions' endpoint limits the size of compressed uploads but fails to limit the size of the decoded PCM Pulse Code Modulation output. PCM is an uncompressed digital audio format...

6.5CVSS5.9AI score0.00243EPSS
Exploits0References11
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.30 views

PT-2026-50438

Name of the Vulnerable Software and Affected Versions NGINX Plus affected versions not specified NGINX Open Source affected versions not specified Description A flaw in the ngx http proxy v2 module and ngx http grpc module modules can be triggered when NGINX is configured to proxy HTTP/2 traffic...

9.2CVSS7.5AI score0.03459EPSS
Exploits1References86
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.23 views

PT-2026-50566

Name of the Vulnerable Software and Affected Versions Steeltoe.Security.Authentication.CloudFoundryBase versions prior to 3.4.0 Steeltoe.Security.Authentication.JwtBearer versions prior to 4.2.0 Steeltoe.Security.Authentication.OpenIdConnect versions prior to 4.2.0 Description The JWT signing key...

5.9CVSS5.8AI score0.0029EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.15 views

PT-2026-50493

Name of the Vulnerable Software and Affected Versions @mariozechner/pi-coding-agent versions 0.28.0 through 0.73.1 @earendil-works/pi-coding-agent versions 0.74.0 through 0.78.0 Description A race condition in the file write path of the credential storage implementation allows the auth.json file,...

2.2CVSS5.7AI score0.00074EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.14 views

PT-2026-50546

Impact In versions up to and including 3.0.0, two parts of the GraphQL API returned data without checking whether the data belonged to the logged-in user: - Document content. A logged-in user could download the raw content of any document by its ID, regardless of who owned it. The resolver has...

6.5CVSS5.8AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.25 views

PT-2026-50518

Name of the Vulnerable Software and Affected Versions Hermes Agent versions prior to 0.16.0 Description A DNS rebinding issue in WebSocket endpoints allows remote attackers to bypass Host and Origin validation. This occurs because FastAPI HTTP middleware does not execute for WebSocket upgrade...

8.7CVSS6AI score0.006EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.15 views

PT-2026-50655

It was discovered that Dolibarr incorrectly handled user-supplied database name values during installation. A remote attacker could possibly use this issue to execute arbitrary code...

9.8CVSS5.9AI score0.01701EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.21 views

PT-2026-50598

Name of the Vulnerable Software and Affected Versions Langflow versions prior to 1.9.1 Description Unauthenticated users with network access can upload unlimited amounts of data to the server, which can lead to disk space exhaustion and a resulting denial-of-service. Additionally, the server...

9.3CVSS5.8AI score0.00332EPSS
Exploits1References11
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.16 views

PT-2026-50341

Unauthenticated Cross Site Scripting XSS in WPFunnels Pro = 2.9.4 versions...

7.1CVSS5.1AI score0.00186EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.17 views

PT-2026-50205

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 149.0.7827.155 Description A use after free issue exists in the Tab Strip component. This occurs when a program continues to use a pointer after it has been freed, which can lead to heap corruption a memory...

8.8CVSS5.8AI score0.00601EPSS
Exploits0References42
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.19 views

PT-2026-50373

Missing Authorization vulnerability in Rara Themes Metro Magazine allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Metro Magazine: from n/a through 1.3.7...

4.3CVSS5.2AI score0.00208EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.17 views

PT-2026-50276

Subscriber Arbitrary File Deletion in WPBot Pro Wordpress Chatbot = 13.6.5 versions...

7.7CVSS5.2AI score0.0045EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.21 views

PT-2026-50263

Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access. This issue affects Apache DolphinScheduler versions prior to 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes this issue...

5.3AI score0.00312EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.19 views

PT-2026-50309

Unauthenticated SQL Injection in Blocksy Companion Pro 2.1.29 versions...

9.3CVSS5.8AI score0.00372EPSS
Exploits0References1
Total number of security vulnerabilities184951