
175536 matches found

Positive Technologies
•added 2026/05/17 12:0 a.m.•7 views

PT-2026-41551

Woocommerce CSV Importer 3.3.6 contains a path traversal vulnerability that allows any registered user to delete arbitrary files by submitting unescaped filenames through the delete export file AJAX action. Attackers can craft POST requests with directory traversal sequences in the filename...

CVSS 8.7 • AI score 5.9 • EPSS 0.00381
Exploits 0 • References 4
Positive Technologies
•added 2026/05/17 12:0 a.m.•8 views

PT-2026-41553

Joomla! Component Js Jobs 1.2.0 contains a cross-site request forgery vulnerability that allows attackers to perform state-changing actions without token validation. Attackers can craft malicious HTML forms targeting administrative endpoints like job.jobenforcedelete to delete job entries or modi...

CVSS 6.9 • AI score 5.7 • EPSS 0.00019
Exploits 0 • References 5
Positive Technologies
•added 2026/05/17 12:0 a.m.•10 views

PT-2026-41559

Nordex N149/4.0-4.5 Wind Turbine Web Server 4.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the login parameter in login.php. Attackers can submit crafted POST requests with SQL injection payloa...

CVSS 8.8 • AI score 6.1 • EPSS 0.00247
Exploits 0 • References 4
Positive Technologies
•added 2026/05/17 12:0 a.m.•10 views

PT-2026-41557

Zenar Content Management System contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating form parameters in POST requests. Attackers can inject script tags through the current page parameter sent to the ajax.php endpoint, whic...

CVSS 6.1 • AI score 5.9 • EPSS 0.00095
Exploits 0 • References 5
Positive Technologies
•added 2026/05/17 12:0 a.m.•8 views

PT-2026-41570

Name of the Vulnerable Software and Affected Versions: vercel ai versions prior to 3.0.98. Description: An OS command injection issue exists in the PR Branch Name Interpolation component. The flaw is located within the run function of the .github/workflows/prettier-on-automerge.yml file. This allows...

CVSS 5 • AI score 6.2 • EPSS 0.00307
Exploits 1 • References 8
Positive Technologies
•added 2026/05/17 12:0 a.m.•7 views

PT-2026-41571

Name of the Vulnerable Software and Affected Versions: Edimax BR-6428NS version 1.10. Description: A buffer overflow can be triggered remotely via the POST Request Handler component. The issue exists in the formPPTPSetup function within the '/goform/formPPTPSetup' endpoint when manipulating the...

CVSS 9 • AI score 7.5 • EPSS 0.00046
Exploits 0 • References 6
Positive Technologies
•added 2026/05/17 12:0 a.m.•9 views

PT-2026-41581

Name of the Vulnerable Software and Affected Versions: Net::Statsd::Tiny versions prior to 0.3.8. Description: Net::Statsd::Tiny for Perl allows metric injections because metric names and set values are not validated for newlines, colons, or pipes. This allows metrics generated from untrusted source...

CVSS 8.2 • AI score 5.8 • EPSS 0.00016
Exploits 0 • References 9
Positive Technologies
•added 2026/05/17 12:0 a.m.•9 views

PT-2026-41583

Name of the Vulnerable Software and Affected Versions: Crypt::OpenSSL::PKCS12 versions prior to 1.95. Description: The software truncates passwords containing embedded NULL characters. In the PKCS12.xs file, password parameters are declared as char , which utilizes Perl's default typemap SvPV nolen,...

CVSS 9.8 • AI score 5.8 • EPSS 0.0002
Exploits 0 • References 9
Positive Technologies
•added 2026/05/17 12:0 a.m.•7 views

PT-2026-41582

Name of the Vulnerable Software and Affected Versions: Crypt::OpenSSL::PKCS12 versions prior to 1.95. Description: An out-of-bounds write flaw exists when parsing a PKCS12 file containing an OCTET STRING or BIT STRING attribute on a SAFEBAG of 1 GiB or larger. This issue is triggered via the info or...

CVSS 9.8 • AI score 6.2 • EPSS 0.00051
Exploits 0 • References 13
Positive Technologies
•added 2026/05/17 12:0 a.m.•12 views

PT-2026-41586

Name of the Vulnerable Software and Affected Versions: Kilo-Org kilocode versions prior to 7.0.48. Description: A flaw in the Environment Variable Handler component allows remote information disclosure. The issue exists within the Load function located in the packages/opencode/src/config/config.ts...

CVSS 5.3 • AI score 5.8 • EPSS 0.00029
Exploits 1 • References 7
Positive Technologies
•added 2026/05/17 12:0 a.m.•6 views

PT-2026-41584

Name of the Vulnerable Software and Affected Versions: H3C Magic B3 versions prior to 100R002. Description: A buffer overflow exists in the UpdateWanParams function within the '/goform/aspForm' endpoint. This issue occurs when the param argument is manipulated, allowing a remote attacker to trigger...

CVSS 8.6 • AI score 7.3 • EPSS 0.0005
Exploits 0 • References 7
Positive Technologies
•added 2026/05/17 12:0 a.m.•16 views

PT-2026-41585

Name of the Vulnerable Software and Affected Versions: Kilo-Org kilocode versions prior to 7.0.48. Description: A path traversal issue exists in the File Diff API Endpoint within the Bun.file function of the packages/opencode/src/kilocode/review/worktree-diff.ts file. A remote attacker can trigger...

CVSS 5.3 • AI score 5.8 • EPSS 0.00082
Exploits 1 • References 6
Positive Technologies
•added 2026/05/17 12:0 a.m.•10 views

PT-2026-41588

Name of the Vulnerable Software and Affected Versions: vercel ai versions prior to 3.0.98. Description: A resource consumption issue exists in the provider-utils component. The flaw is located within the createJsonResponseHandler and createJsonErrorResponseHandler functions in the...

CVSS 5.3 • AI score 5.8 • EPSS 0.00017
Exploits 1 • References 7
Positive Technologies
•added 2026/05/17 12:0 a.m.•7 views

PT-2026-41591

A weakness has been identified in linlinjava litemall up to 1.8.0. Affected is an unknown function of the component Admin Endpoint. Executing a manipulation can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for...

CVSS 5.8 • AI score 5.6 • EPSS 0.00034
Exploits 0 • References 5
Positive Technologies
•added 2026/05/17 12:0 a.m.•6 views

PT-2026-41590

A security flaw has been discovered in linlinjava litemall up to 1.8.0. This impacts the function list of the file litemall-wx-api/src/main/java/org/linlinjava/litemall/wx/web/WxGoodsController.java of the component Front-end WeChat API. Performing a manipulation results in sql injection. Remote...

CVSS 7.5 • AI score 6.8 • EPSS 0.00037
Exploits 0 • References 5
Positive Technologies
•added 2026/05/17 12:0 a.m.•6 views

PT-2026-41589

A vulnerability was identified in continuedev continue up to 1.2.22. This affects the function lsTool of the file core/tools/implementations/lsTool.ts of the component JSON-RPC Server. Such manipulation of the argument dirPath leads to path traversal. An attack has to be approached locally. The...

CVSS 4.8 • AI score 5.4 • EPSS 0.00043
Exploits 1 • References 5
Positive Technologies
•added 2026/05/17 12:0 a.m.•9 views

PT-2026-41625

CVE-2025-70562 Full disclosure https://t.co/TDa8tFYvC3 Don't wait vulnerability scanning results: https://t.co/oh1APvMMnd...

AI score 5.8
Exploits 0 • References 1
Positive Technologies
•added 2026/05/17 12:0 a.m.•5 views

PT-2026-41626

CVE-2025-70563 Full disclosure https://t.co/NYn5GJR8kA...

AI score 5.8
Exploits 0 • References 1
Positive Technologies
•added 2026/05/17 12:0 a.m.•6 views

PT-2026-41624

CVE-2025-70561 Full disclosure https://t.co/wAYBU7dfkD...

AI score 5.8
Exploits 0 • References 1
Positive Technologies
•added 2026/05/17 12:0 a.m.•5 views

PT-2026-41627

Name of the Vulnerable Software and Affected Versions: ImageMagick versions prior to 7.1.2-23; ImageMagick versions prior to 6.9.13-48. Description: A missing check in the MIFF decoder allows a crafted 224-byte MIFF file to cause an infinite loop, leading to CPU exhaustion where the system remains at...

CVSS 7.5 • AI score 5.8 • EPSS 0.01061
Exploits 2 • References 42
Positive Technologies
•added 2026/05/17 12:0 a.m.•7 views

PT-2026-42155

Name of the Vulnerable Software and Affected Versions: BIND versions 9.11.0 through 9.16.50; BIND versions 9.18.0 through 9.18.48; BIND versions 9.20.0 through 9.20.22; BIND versions 9.21.0 through 9.21.21; BIND versions 9.11.3-S1 through 9.16.50-S1; BIND versions 9.18.11-S1 through 9.18.48-S1; BIND...

CVSS 5.3 • AI score 5.8 • EPSS 0.00018
Exploits 0 • References 22
Positive Technologies
•added 2026/05/17 12:0 a.m.•10 views

PT-2026-42154

Name of the Vulnerable Software and Affected Versions: BIND 9 versions 9.0.0 through 9.16.50; BIND 9 versions 9.18.0 through 9.18.48; BIND 9 versions 9.20.0 through 9.20.22; BIND 9 versions 9.21.0 through 9.21.21; BIND 9 versions 9.9.3-S1 through 9.16.50-S1; BIND 9 versions 9.18.11-S1 through 9.18.48-S...

CVSS 7.5 • AI score 5.8 • EPSS 0.00092
Exploits 0 • References 41
Positive Technologies
•added 2026/05/17 12:0 a.m.•9 views

PT-2026-42164

Name of the Vulnerable Software and Affected Versions: BIND 9 versions 9.20.0 through 9.20.22; BIND 9 versions 9.21.0 through 9.21.21; BIND 9 versions 9.20.9-S1 through 9.20.22-S1. Description: A race condition occurs when BIND receives an incoming DNS message signed with SIG0. While validating the...

CVSS 7.5 • AI score 5.7 • EPSS 0.00032
Exploits 0 • References 32
Positive Technologies
•added 2026/05/17 12:0 a.m.•6 views

PT-2026-42156

Name of the Vulnerable Software and Affected Versions: BIND 9 versions 9.20.0 through 9.20.22; BIND 9 versions 9.21.0 through 9.21.21; BIND 9 versions 9.20.9-S1 through 9.20.22-S1. Description: A heap use-after-free issue exists within the DNS-over-HTTPS implementation. Use-after-free occurs when an...

CVSS 9.8 • AI score 6 • EPSS 0.00028
Exploits 0 • References 28
Positive Technologies
•added 2026/05/17 12:0 a.m.•7 views

PT-2026-42163

Name of the Vulnerable Software and Affected Versions: BIND 9 versions 9.11.0 through 9.16.50; BIND 9 versions 9.18.0 through 9.18.48; BIND 9 versions 9.20.0 through 9.20.22; BIND 9 versions 9.21.0 through 9.21.21; BIND 9 versions 9.11.3-S1 through 9.16.50-S1; BIND 9 versions 9.18.11-S1 through...

CVSS 7.5 • AI score 5.9 • EPSS 0.0005
Exploits 0 • References 41
Positive Technologies
•added 2026/05/17 12:0 a.m.•7 views

PT-2026-41587

Name of the Vulnerable Software and Affected Versions: vercel ai versions prior to 3.0.98. Description: A server-side request forgery (SSRF) issue exists in the provider-utils component. The flaw is located in the validateDownloadUrl function within the packages/provider-utils/src/download-blob.ts fil...

CVSS 7.5 • AI score 7.2 • EPSS 0.00057
Exploits 1 • References 11
Positive Technologies
•added 2026/05/17 12:0 a.m.•9 views

PT-2026-41652

These are all security issues fixed in the OpenColorIO-devel-2.5.2-1.1 package on the GA media of openSUSE Tumbleweed...

AI score 5.8 • EPSS 0.0002
Exploits 0 • References 2
Positive Technologies
•added 2026/05/17 12:0 a.m.•9 views

PT-2026-41717

CVE-2026-6050 - CVE-2019-11510 - Apache Struts Remote Code Execution. CVE ID: CVE-2026-6050. Published: May 16, 2026, 11:16 p.m. | 1 hour, 58 minutes ago. Description: Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. Severity: 0.0 | NA. Visit the link for...

CVSS 10 • AI score 7.4 • EPSS 0.94462
Exploits 22 • References 1
Positive Technologies
•added 2026/05/17 12:0 a.m.•6 views

PT-2026-41566

Name of the Vulnerable Software and Affected Versions: fishaudio Bert-VITS2 versions prior to 8f7fbd8c4770965225d258db548da27dc8dd934c. Description: A path traversal flaw exists in the Model Handler component, specifically within the get all models function of the hiyoriUI.py file. This issue allows...

CVSS 7.5 • AI score 7.2 • EPSS 0.00029
Exploits 0 • References 6
Positive Technologies
•added 2026/05/17 12:0 a.m.•5 views

PT-2026-42165

Name of the Vulnerable Software and Affected Versions: BIND 9 versions 9.18.36 through 9.18.48; BIND 9 versions 9.20.8 through 9.20.22; BIND 9 versions 9.21.7 through 9.21.21; BIND 9 versions 9.18.36-S1 through 9.18.48-S1; BIND 9 versions 9.20.9-S1 through 9.20.22-S1. Description: An unbounded resend lo...

CVSS 5.3 • AI score 5.8 • EPSS 0.00078
Exploits 1 • References 31
Positive Technologies
•added 2026/05/16 12:0 a.m.•6 views

PT-2026-41449

Name of the Vulnerable Software and Affected Versions: Home Assistant Community Store (HACS) version 1.10.0. Description: A path traversal issue allows unauthenticated attackers to read sensitive files by traversing directories via the '/hacsfiles/' endpoint. This can be used to retrieve the...

CVSS 8.7 • AI score 5.8 • EPSS 0.00113
Exploits 1 • References 8
Positive Technologies
•added 2026/05/16 12:0 a.m.•12 views

PT-2026-41420

Name of the Vulnerable Software and Affected Versions: Essential Chat Support versions prior to 1.0.2. Description: The Essential Chat Support plugin for WordPress contains an authorization bypass. The plugin fails to properly verify if a user is authorized to perform specific actions, allowing...

CVSS 5.3 • AI score 5.8 • EPSS 0.0002
Exploits 0 • References 8
Positive Technologies
•added 2026/05/16 12:0 a.m.•12 views

PT-2026-41422

Name of the Vulnerable Software and Affected Versions: jsondiffpatch versions prior to 0.7.6. Description: Prototype Pollution occurs when attacker-controlled property names and path segments are used to traverse and modify objects without restricting access to special properties like proto or...

CVSS 8.8 • AI score 5.8 • EPSS 0.00066
Exploits 0 • References 12
Positive Technologies
•added 2026/05/16 12:0 a.m.•10 views

PT-2026-41421

Name of the Vulnerable Software and Affected Versions: jsondiffpatch versions prior to 0.7.6. Description: Improper sanitization of JSON values and property names in the annotated formatter allows for Cross-site Scripting (XSS). This occurs when an application compares untrusted JSON or object data an...

CVSS 6.1 • AI score 5.8 • EPSS 0.00031
Exploits 0 • References 7
Positive Technologies
•added 2026/05/16 12:0 a.m.•11 views

PT-2026-41425

Name of the Vulnerable Software and Affected Versions: Multicollab: Content Team Collaboration and Editorial Workflow versions prior to 5.3. Description: A missing capability check in the cf add comment function allows authenticated attackers with Subscriber-level access or higher to perform...

CVSS 4.3 • AI score 5.9 • EPSS 0.00009
Exploits 0 • References 7
Positive Technologies
•added 2026/05/16 12:0 a.m.•10 views

PT-2026-41426

Name of the Vulnerable Software and Affected Versions: Net::Statsd::Lite versions prior to 0.9.0. Description: Net::Statsd::Lite for Perl allows metric injections because metric names are not validated for newlines, colons, or pipes. This enables metrics generated from untrusted sources to inject...

CVSS 6.5 • AI score 5.8 • EPSS 0.00016
Exploits 0 • References 16
Positive Technologies
•added 2026/05/16 12:0 a.m.•9 views

PT-2026-41467

Name of the Vulnerable Software and Affected Versions: Quick.CMS version 6.7. Description: An issue in the sliders form allows authenticated attackers to inject malicious scripts by submitting payloads through the sDescription parameter. This can be achieved by crafting CSRF Cross-Site Request Forge...

CVSS 5.4 • AI score 6 • EPSS 0.00031
Exploits 0 • References 6
Positive Technologies
•added 2026/05/16 12:0 a.m.•8 views

PT-2026-41438

CMS Made Simple 2.2.15 contains a stored cross-site scripting vulnerability that allows authenticated users with Content Manager access to inject malicious scripts through SVG file uploads. Attackers can upload SVG files containing embedded JavaScript to the file manager, which executes when othe...

CVSS 6.4 • AI score 5.6 • EPSS 0.00034
Exploits 0 • References 5
Positive Technologies
•added 2026/05/16 12:0 a.m.•7 views

PT-2026-41464

Name of the Vulnerable Software and Affected Versions: ProcessMaker version 3.5.4. Description: Improper path traversal validation allows unauthenticated attackers to read arbitrary files. By sending requests containing directory traversal sequences, an attacker can access sensitive system files, su...

CVSS 6.9 • AI score 5.9 • EPSS 0.0004
Exploits 0 • References 5
Positive Technologies
•added 2026/05/16 12:0 a.m.•8 views

PT-2026-41435

WordPress Theme Wibar 1.1.8 contains a stored cross-site scripting vulnerability in the Brand component that allows authenticated users to inject malicious scripts by manipulating the Logo URL parameter. Attackers with editor, administrator, contributor, or author privileges can inject...

CVSS 6.4 • AI score 5.9 • EPSS 0.00034
Exploits 0 • References 5
Positive Technologies
•added 2026/05/16 12:0 a.m.•11 views

PT-2026-41442

Supsystic Ultimate Maps 1.1.12 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'sidx' GET parameter. Attackers can send crafted requests to the getListForTbl action with boolean-based blind or...

CVSS 8.8 • AI score 6.2 • EPSS 0.00086
Exploits 0 • References 5
Positive Technologies
•added 2026/05/16 12:0 a.m.•6 views

PT-2026-41447

Kite 4.2.0.1 U1 contains an unquoted service path vulnerability in the KiteService Windows service that allows local attackers to escalate privileges by exploiting the service binary path. Attackers can place a malicious executable in the Program Files directory to be executed with LocalSystem...

CVSS 8.5 • AI score 5.8 • EPSS 0.00013
Exploits 0 • References 4
Positive Technologies
•added 2026/05/16 12:0 a.m.•10 views

PT-2026-41453

Name of the Vulnerable Software and Affected Versions: EgavilanMedia PHPCRUD version 1.0. Description: An SQL injection allows unauthenticated attackers to manipulate database queries by injecting SQL code. This is achieved by sending POST requests to the 'insert.php' endpoint using the firstname...

CVSS 8.8 • AI score 5.9 • EPSS 0.0009
Exploits 0 • References 6
Positive Technologies
•added 2026/05/16 12:0 a.m.•12 views

PT-2026-41461

Name of the Vulnerable Software and Affected Versions: WP Learn Manager version 1.1.2. Description: A stored cross-site scripting issue allows unauthenticated attackers to inject malicious scripts. This is achieved by submitting POST requests to the 'jslm fieldordering' page using the fieldtitle...

CVSS 7.2 • AI score 5.7 • EPSS 0.0009
Exploits 0 • References 6
Positive Technologies
•added 2026/05/16 12:0 a.m.•8 views

PT-2026-41437

Composr CMS 10.0.34 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the banner management interface. Attackers with admin credentials can inject XSS payloads in the Description field of the Add banner...

CVSS 6.4 • AI score 5.7 • EPSS 0.00034
Exploits 0 • References 5
Positive Technologies
•added 2026/05/16 12:0 a.m.•8 views

PT-2026-41430

Syncplify.me Server! 5.0.37 contains an unquoted service path vulnerability in the SMWebRestServicev5 service that allows local attackers to escalate privileges by exploiting the unquoted binary path. Attackers can insert a malicious executable into the service path and execute it with LocalSyste...

CVSS 8.5 • AI score 5.9 • EPSS 0.00013
Exploits 0 • References 5
Positive Technologies
•added 2026/05/16 12:0 a.m.•8 views

PT-2026-41434

Internet Download Manager 6.38.12 contains a buffer overflow vulnerability in the Scheduler component that allows local attackers to crash the application by supplying oversized input. Attackers can paste malicious data exceeding 5000 bytes into the 'Open the following file when done' field to...

CVSS 6.9 • AI score 6 • EPSS 0.00015
Exploits 0 • References 5
Positive Technologies
•added 2026/05/16 12:0 a.m.•7 views

PT-2026-41444

Supsystic Membership 1.4.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'search' and 'sidx' parameters. Attackers can send GET requests to the badges module with crafted payloads to extract...

CVSS 8.8 • AI score 6.1 • EPSS 0.0009
Exploits 0 • References 5
Positive Technologies
•added 2026/05/16 12:0 a.m.•8 views

PT-2026-41452

Name of the Vulnerable Software and Affected Versions: CouchCMS version 2.2.1. Description: Authenticated attackers can execute arbitrary JavaScript by uploading malicious SVG files through the file upload functionality. This occurs when SVG files containing embedded script tags are uploaded to the...

CVSS 5.4 • AI score 6.1 • EPSS 0.00029
Exploits 0 • References 5
Positive Technologies
•added 2026/05/16 12:0 a.m.•13 views

PT-2026-41440

Queue Management System 4.0.0 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through user creation fields. Attackers can insert JavaScript payloads in the First Name, Last Name, and Email fields during user creation, which...

CVSS 6.4 • AI score 5.7 • EPSS 0.00034
Exploits 0 • References 5
Total number of security vulnerabilities: 175536