Lucene search
K
PtsecurityRecent

184382 matches found

Positive Technologies
Positive Technologies
added 3 days ago10 views

PT-2026-56803

Improper neutralization of input during web page generation 'cross-site scripting' vulnerability in Twiser Informatics Technology Consulting, Trade and Education Inc. OKRs & Goals allows Stored XSS. This issue affects OKRs & Goals: from 28220 before 28398...

5.4CVSS5.9AI score0.00133EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 3 days ago11 views

PT-2026-56799

A vulnerability was identified in macrozheng mall up to 1.0.3. This impacts an unknown function of the file /returnApply/create of the component Portal Endpoint. The manipulation of the argument orderId leads to improper control of resource identifiers. The attack can be initiated remotely. The...

6.5CVSS6.3AI score0.00237EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 3 days ago13 views

PT-2026-56796

An Improper Input Validation vulnerability in BigQuery DAO in Google Cloud Apigee versions prior to 2026-06-12 on Google Cloud Platform allows an authenticated attacker to exfiltrate cross-tenant data. This vulnerability was patched on 12 June 2026 on the Apigee Servers, and no customer action is...

5.9CVSS6AI score0.00188EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 3 days ago9 views

PT-2026-56802

Vinchin Backup & Recovery through 9.0.0.86562 contains a stack buffer overflow vulnerability in the ModuleHandShake function of the agentlink server service that allows unauthenticated remote attackers to overwrite the saved return address by supplying an oversized listen uuid field that is...

6.9CVSS6.2AI score0.00463EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 3 days ago7 views

PT-2026-56797

A vulnerability in the Xerte Online Tools allows for authentication bypass and remote code execution via reinstallation through the /setup/ folder, enabling attackers to reinstall the service to a remote database they control...

6.6AI score0.00571EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 3 days ago8 views

PT-2026-56805

A vulnerability has been identified in CPCI85 Central Processing/Communication All versions V26.20, SICORE Base system All versions V26.20.0. The affected application contains a vulnerability in its firmware update mechanism's signature validation process. This could allow an attacker to install...

8.4CVSS6.3AI score0.00127EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 3 days ago9 views

PT-2026-56810

Zeek before 8.0.9 contains a null pointer dereference vulnerability in its Kerberos protocol analyzer that allows unauthenticated remote attackers to crash the sensor by sending a crafted KRB ERROR message with error-code 25 KDC ERR PREAUTH REQUIRED containing a PA-DATA element with padata-type 2...

8.7CVSS6AI score0.00502EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 3 days ago9 views

PT-2026-56804

A vulnerability has been identified in CPCI85 Central Processing/Communication All versions V26.20, SICORE Base system All versions V26.20.0. The affected application includes a debugging interface that is accessible through HTTP endpoints. This could allow an authenticated attacker to disrupt th...

7.1CVSS5.9AI score0.0024EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 3 days ago10 views

PT-2026-56809

Zeek before 8.0.9 contains an uncontrolled memory consumption vulnerability in the FTP analyzer that allows unauthenticated remote attackers to cause process termination by sending a crafted FTP control session negotiating AUTH GSSAPI followed by a large ADAT control line. Attackers can exploit t...

8.7CVSS6.2AI score0.00436EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 3 days ago6 views

PT-2026-56794

A vulnerability in the Xerte Online Tools allows for RCE through the antivirus binary path in the tools server settings, which can be changed to a PHP interpreter, allowing an attacker to upload PHP data that will then be executed...

5.9AI score0.0038EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 3 days ago9 views

PT-2026-56783

A heap buffer overflow vulnerability was found in GStreamer's rfbsrc plugin. When a client connects to a malicious RFB/VNC server that advertises a 16bpp framebuffer and sends Hextile-encoded updates, the Hextile background fill path writes 32-bit pixel values into a buffer allocated for 16-bit...

7.1CVSS6.2AI score0.00247EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 3 days ago9 views

PT-2026-56784

A stack buffer overflow vulnerability was found in GStreamer's DTLS plugin. During a DTLS handshake, the peer certificate Subject Distinguished Name is printed into a fixed-size 2048-byte stack buffer without bounds checking. A remote unauthenticated attacker can send a certificate with an...

7.5CVSS6.1AI score0.0031EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 3 days ago10 views

PT-2026-56800

Improper neutralization of special elements used in an LDAP query 'LDAP injection' vulnerability in PEAKUP Technology Inc. PassGate allows LDAP Injection. This issue affects PassGate: through 30042026...

8.2CVSS5.9AI score0.00213EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 3 days ago8 views

PT-2026-56793

Name of the Vulnerable Software and Affected Versions GNU LibreDWG versions prior to 0.14 Description A null pointer dereference occurs in the DWG File Handler component when the next obj argument is manipulated within the dwg next entity function located in the src/dwg.c file. This issue require...

4.8CVSS6AI score0.00118EPSS
Exploits0References18
Positive Technologies
Positive Technologies
added 3 days ago5 views

PT-2026-56842

Summary Note Mark validates book and note slug values with the OpenAPI/huma tag pattern:"a-z0-9-+". huma compiles this with regexp.MustCompiles.Pattern and tests it with patternRe.MatchStringstr, an UNANCHORED match. Because the pattern is not anchored ^...$, any string that merely CONTAINS one...

8.6CVSS6.5AI score0.00059EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 3 days ago9 views

PT-2026-56843

Summary GET /api/books/bookID/notes is an unauthenticated endpoint that accepts a "deleted" query parameter. When the request is ?deleted=true, the service runs the query with Unscoped bypassing GORM's soft-delete scope but keeps the read-authorization clause as "owner id = ? OR is public = ?". A...

5.9CVSS6AI score0.00409EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 3 days ago8 views

PT-2026-56732

Name of the Vulnerable Software and Affected Versions Pinniped go.pinniped.dev versions 0.11.0 through 0.46.0 Description A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially gain elevated permissions. This occurs when the server is configured with an...

3.8CVSS6.1AI score0.0017EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 3 days ago7 views

PT-2026-56769

Impact: In body-parser versions prior to 1.20.6 1.x line and 2.3.0 2.x line, when the parser is configured with an invalid limit option value such as an unparseable string or NaN, bytes.parse returns null and the request body size check is silently skipped. Applications that rely on limit as thei...

3.7CVSS6AI score0.0025EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 3 days ago8 views

PT-2026-56731

Permissive Cross-Origin Resource Sharing CORS in the REST API helix-rest, org.apache.helix.rest.server.filters.CORSFilter in Apache Helix through 2.0.0 on all platforms allows a remote attacker controlling a web page visited by an authorized user to read responses from and issue cross-origin...

6AI score0.00269EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 3 days ago8 views

PT-2026-56704

The blobs.yml path key traversal vulnerability in the BOSH CLI tool allows an attacker to write arbitrary files and exfiltrate sensitive information. Affected versions: BOSH CLI tool versions prior to v7.10.4...

8.8CVSS7.3AI score0.00331EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 3 days ago9 views

PT-2026-56841

Summary All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The utility intended to secure this evaluation did so incorrectly, and did not fully cover all places in which evaluation was being done. An attacker can send a resource...

7.5CVSS6.3AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 3 days ago6 views

PT-2026-56837

Description: The EventManager module in pyload manages a list of Client instances for subscribing to events. The addition of each unique uuid from the get events API causes the creation of a Client instance that gets appended to the clients list. Although there is a clean method available in the...

6.5CVSS6AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 3 days ago10 views

PT-2026-56839

Summary The CSS selector parser in soupsieve the CSS selector engine for Beautiful Soup 4 allocates unbounded memory when compiling large comma-separated selector lists. An attacker who can supply a crafted CSS selector string to soupsieve.compile or Beautiful Soup's .select / .select one can cau...

7.5CVSS6AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 3 days ago7 views

PT-2026-56836

Summary is global address in src/pyload/core/utils/web/check.py is the central guard against SSRF-style outbound connections in pyload-ng. It tests whether a given IP is "globally routable" via Python's ipaddress.ip addressvalue.is global, and callers treat not is global as "deny": python def is...

4.9CVSS6AI score0.00039EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 3 days ago8 views

PT-2026-56840

Summary The CSS selector parser in soupsieve the CSS selector engine for Beautiful Soup 4 contains a regular expression vulnerable to catastrophic backtracking. When processing an attribute selector with an unterminated quoted value, the VALUE regex pattern in css parser.py enters exponential...

7.5CVSS5.9AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 3 days ago6 views

PT-2026-56852

Impact The argon2i 32 implementation does not check the nb blocks size. If the caller does not provide a sufficiently large buffer based on the API contract, then argon2i 32 will write past the end of the buffer and possibly corrupt the heap. Patches Fixed in 4.0.2.8, which now verifies that nb...

5.1CVSS6.1AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 3 days ago9 views

PT-2026-56694

A security vulnerability has been detected in tumf mcp-text-editor up to 1.0.2. This issue affects the function validate file path of the file mcp text editor/text editor.py. Such manipulation of the argument file path leads to path traversal. The attack can be launched remotely. The exploit has...

7.5CVSS6.2AI score0.00347EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 3 days ago10 views

PT-2026-56791

A vulnerability has been found in GNU LibreDWG up to 0.13.4. The affected element is the function dwg bmp of the file src/dwg.c of the component BMP Image Handler. Such manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed to the...

5.3CVSS5.7AI score0.00133EPSS
Exploits0References11
Positive Technologies
Positive Technologies
added 3 days ago7 views

PT-2026-56948

Man, this is straight-up wild! Nearly 100 plugins and themes are completely exposed right now with zero fixes in sight, and honestly, it's making my anxiety spike just thinking about it! If the developer went ghost and abandoned ship, you've got to stop messing around and dump that software...

9.9CVSS6AI score0.00541EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 3 days ago6 views

PT-2026-56854

Summary The modules/plugins.php endpoint handles plugin installation, uninstallation, and update operations via GET requests without CSRF token validation. Because these are top-level navigations, browsers include SameSite=Lax session cookies. An attacker crafts a malicious page that, when an...

5.2CVSS6.2AI score0.00013EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 3 days ago7 views

PT-2026-57242

These are all security issues fixed in the rclone-1.74.4-1.1 package on the GA media of openSUSE Tumbleweed...

6.1AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 3 days ago7 views

PT-2026-56960

Man, this is straight-up wild! Nearly 100 plugins and themes are completely exposed right now with zero fixes in sight, and honestly, it's making my anxiety spike just thinking about it! If the developer went ghost and abandoned ship, you've got to stop messing around and dump that software...

9.9CVSS6AI score0.00541EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 3 days ago6 views

PT-2026-56951

Man, this is straight-up wild! Nearly 100 plugins and themes are completely exposed right now with zero fixes in sight, and honestly, it's making my anxiety spike just thinking about it! If the developer went ghost and abandoned ship, you've got to stop messing around and dump that software...

9.9CVSS6AI score0.00541EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 3 days ago5 views

PT-2026-57234

These are all security issues fixed in the rclone-1.74.4-1.1 package on the GA media of openSUSE Tumbleweed...

6.1AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 3 days ago5 views

PT-2026-56942

Man, this is straight-up wild! Nearly 100 plugins and themes are completely exposed right now with zero fixes in sight, and honestly, it's making my anxiety spike just thinking about it! If the developer went ghost and abandoned ship, you've got to stop messing around and dump that software...

9.9CVSS6AI score0.00541EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 3 days ago7 views

PT-2026-56763

HCL DevOps Deploy uses Cross-Origin Resource Sharing CORS which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains...

5.4CVSS5.9AI score0.00248EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 3 days ago4 views

PT-2026-56925

Name of the Vulnerable Software and Affected Versions Mercusys MW302R version MW302REU V1 1.4.10 Build 231023 Description A stack buffer overflow exists in the administrative web interface. This issue allows an authenticated attacker with administrative privileges to cause a system crash and a...

5.7CVSS6.2AI score0.00198EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 3 days ago6 views

PT-2026-56833

When coupled with the SSL bypass vulnerability, JavaScript can be injected into a WebView in the PayRange version 7.0.7 app. The injection of specific JavaScript function calls allows the attacker to escape the WebView sandbox and perform a number of dangerous actions on the user's device...

6AI score0.0034EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 3 days ago8 views

PT-2026-56969

decompress before 4.2.2 contains an improper path containment check that enables directory traversal and arbitrary file write. The safeMakeDir function index.js line 29 and the extraction path validation index.js line 106 use String.indexOf to verify the resolved path is within the output...

6AI score0.00272EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 3 days ago8 views

PT-2026-56923

Incorrect access control in Proximus b-box v8c.725A allows authenticated attackers to bypass normal restrictions and make arbitrary changes to port forwarding rules...

6AI score0.00448EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 3 days ago5 views

PT-2026-56968

decompress before 4.2.2 allows arbitrary hardlink creation during archive extraction, enabling file read disclosure and file corruption. When processing hardlink entries type === 'link', the x.linkname field from the archive is passed directly to fs.link without validation index.js line 113. An...

6.1AI score0.00196EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 3 days ago6 views

PT-2026-56970

decompress before 4.2.2 allows arbitrary symlink creation during archive extraction. When processing symlink entries type === 'symlink', the x.linkname field from the archive is passed directly to fs.symlink without validation index.js line 121. The preventWritingThroughSymlink check on line 98...

6.1AI score0.00485EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 3 days ago6 views

PT-2026-56885

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.7.0 before 0.10.0, GET /api/v1/channels//members returned full UserModelResponse objects for channel members, including settings.ui.toolServers.key and webhook configuration, allowing a normal channel...

6CVSS5.9AI score0.00265EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 3 days ago8 views

PT-2026-56829

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.2 before 0.10.0, the SKILL MENTION RE and strip re regular expressions in backend/open webui/utils/middleware.py parsed skill mentions with overlapping quantifiers, allowing an authenticated chat messag...

6.5CVSS6AI score0.00319EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 3 days ago5 views

PT-2026-56872

MERCURY MIPC252W IP camera v1.0.5 Build 230306 Rel.79931n does not implement nonce expiration in RTSP Digest authentication. An adjacent network attacker can capture a legitimate authentication exchange and replay the nonce and response values in a new connection to bypass authentication without...

6AI score0.00372EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 3 days ago8 views

PT-2026-56724

A Stored HTML Injection vulnerability was discovered in the Diagram tab and Graph view due to a shared input validation function being insufficiently restrictive. An authenticated user with administrative privileges can inject malicious HTML tags into N2OS configuration data through multiple inpu...

5.9CVSS6AI score0.00142EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 3 days ago6 views

PT-2026-56764

HCL DevOps Deploy / HCL Launch is susceptible to sensitive information disclosure. The application stores potentially sensitive information in log files that could be read by a local user...

6.2CVSS5.9AI score0.00141EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 3 days ago5 views

PT-2026-56871

Name of the Vulnerable Software and Affected Versions CPython affected versions not specified Description An issue exists in the incremental HTML parser html.parser.HTMLParser where improper input handling allows for CPU denial-of-service. When processing uncontrolled data containing repeated...

8.7CVSS6.1AI score0.00553EPSS
Exploits0References17
Positive Technologies
Positive Technologies
added 3 days ago5 views

PT-2026-56992

An integer overflow in the jbig2 arith iaid ctx new function of Artifex commit cc37d0 allows attackers to cause a Denial of Service DoS via a crafted input...

6AI score0.00432EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 3 days ago10 views

PT-2026-56828

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, the /api/v1/auths/signin endpoint looked users up by email and only ran bcrypt password verification when a credential existed, making registered-account attempts measurably slower than...

5.3CVSS5.9AI score0.0024EPSS
Exploits0References4
Total number of security vulnerabilities184382