185026 matches found
PT-2026-50406
Unauthenticated PHP Object Injection in Manufaktur Solutions = 1.1.1 versions...
PT-2026-50323
Unauthenticated Insecure Direct Object References IDOR in Salon booking system = 10.30.24 versions...
PT-2026-50403
Unauthenticated Cross Site Scripting XSS in Royal Elementor Addons Pro 1.7.1041 versions...
PT-2026-50427
Dell PowerFlex Manager, versions prior to 4.5.1.1, contain an improper certificate validation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability leading to man-in-the-middle attack in tandem with DNS cache poisoning...
PT-2026-50358
Subscriber Privilege Escalation in Falang multilanguage = 1.4.2 versions...
PT-2026-50412
Unauthenticated Arbitrary File Deletion in WorkScout-Core = 1.7.11 versions...
PT-2026-50437
Name of the Vulnerable Software and Affected Versions Dell PowerFlex Manager version 4.6.0.1 Description Use of a broken or risky cryptographic algorithm allows an unauthenticated attacker with remote access to potentially cause information disclosure and information tampering. Recommendations At...
PT-2026-50432
Name of the Vulnerable Software and Affected Versions Dell PowerFlex Manager versions prior to 5.1.0.1 Dell PowerFlex Manager versions prior to 4.5.5.2 Description An improper authentication issue allows an unauthenticated attacker with adjacent network access to bypass authentication without...
PT-2026-50352
Unauthenticated Cross Site Scripting XSS in Popup box = 6.2.9 versions...
PT-2026-50428
Name of the Vulnerable Software and Affected Versions Plane CE version 1.3.1 Description A low-privileged project member can submit arbitrary HTML and JavaScript via the description html field. This occurs when creating an intake work item through the 'API v1 intake' endpoint. Recommendations At...
PT-2026-50202
Name of the Vulnerable Software and Affected Versions Google Chrome on Android versions prior to 149.0.7827.155 Description A use after free issue in the Downloads component allows a remote attacker to potentially exploit heap corruption through a crafted HTML page. Use after free occurs when an...
PT-2026-50433
Name of the Vulnerable Software and Affected Versions Dell PowerFlex Manager affected versions not specified Description A missing authentication for critical function issue exists. An unauthenticated attacker with adjacent network access could exploit this to achieve code execution, denial of...
PT-2026-50264
Allow authenticated users to access alert instances associated with alert groups they do not have permission to access. in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes the issue...
PT-2026-50351
Unauthenticated Cross Site Scripting XSS in JetEngine = 3.8.10 versions...
PT-2026-50461
Name of the Vulnerable Software and Affected Versions Cisco Umbrella Virtual Appliance affected versions not specified Description An issue in the vmadmin CLI of Cisco Umbrella Virtual Appliance allows an authenticated, local attacker to elevate privileges. This is caused by insufficient validati...
PT-2026-50394
Name of the Vulnerable Software and Affected Versions Zephyr versions 1.7 through 4.4.0 Description The Bluetooth Classic Hands-Free Profile HFP Hands-Free role parser in subsys/bluetooth/host/classic/hfp hf.c contains an out-of-bounds write. During Service Level Connection setup, the Hands-Free ...
PT-2026-50188
Name of the Vulnerable Software and Affected Versions Google Chrome on Android versions prior to 149.0.7827.155 Description An inappropriate implementation in WebView allows a remote attacker who has compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page....
PT-2026-50217
Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 149.0.7827.155 Description A use after free issue in Extensions allows a remote attacker who has compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. A use after free...
PT-2026-50331
Name of the Vulnerable Software and Affected Versions Geo Mashup versions prior to 1.13.20 Description An SQL injection flaw exists in the Geo Mashup plugin, which allows users with subscriber privileges to execute unauthorized SQL commands. Recommendations Update to version 1.13.20 or later...
PT-2026-50294
Subscriber Broken Access Control in WishList Member X = 3.29.0 versions...
PT-2026-53070
Summary A CRLF injection vulnerability in Laravel's email validation, in combination with how Symfony Mailer and Symfony Mime handle certain character sequences, may allow an unauthenticated attacker to interfere with outbound email processing in applications that send mail to user-supplied...
PT-2026-50301
Unauthenticated Local File Inclusion in Mikado Core = 1.6 versions...
PT-2026-50324
Contributor Remote Code Execution RCE in Blocksy Companion Pro = 2.1.37 versions...
PT-2026-50384
Unauthenticated SQL Injection in Advanced Ads – Tracking 3.0.7 versions...
PT-2026-50417
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in VillaTheme GIFT4U allows Blind SQL Injection. This issue affects GIFT4U: from n/a through 1.0.10...
PT-2026-50378
Open redirection vulnerability due to insufficient validation of the X-Forwarded-Host HTTP header. An attacker could create manipulated links that, when opened by a victim, cause the victim to be redirected to domains controlled by the attacker, enabling phishing or deception attacks with limited...
PT-2026-50312
Subscriber Broken Access Control in Bricks Builder = 2.1.4 versions...
PT-2026-50483
Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.6 Description The application renders Mermaid blocks from Markdown files in the file preview panel and inserts the generated SVG into the DOM using innerHTML. Because Mermaid is configured with securityLevel:...
PT-2026-50538
Name of the Vulnerable Software and Affected Versions Tinyproxy versions prior to commit ff45d3b Description Tinyproxy fails to reconcile conflicting Content-Length and Transfer-Encoding: chunked headers, forwarding both verbatim to the backend while using Content-Length to determine the number o...
PT-2026-50537
Name of the Vulnerable Software and Affected Versions NGINX Gateway Fabric affected versions not specified Description An injection issue exists in the NGINX configuration generator component of NGINX Gateway Fabric when NGINX Plus or NGINX Open Source is used as the data plane. User-supplied...
PT-2026-53072
A vulnerability in Laravel's local filesystem driver allows temporary signed URLs to be parsed ambiguously, potentially misrouting requests and bypassing expiration enforcement. Under certain conditions, a generated temporary signed URL can be interpreted differently by the server than intended a...
PT-2026-50573
Name of the Vulnerable Software and Affected Versions TypeBot versions prior to 3.17.0 Description An unauthenticated issue exists in the chatbot builder tool where the endpoint "/api/blocks/file-input/v3/generate-upload-url" uses unsanitized fileName input to construct public S3 object keys. The...
PT-2026-50302
Unauthenticated PHP Object Injection in Zermatt = 1.6.1 versions...
PT-2026-50544
Name of the Vulnerable Software and Affected Versions PHP Standard Library PSL versions 6.1.0 through 6.1.1 PHP Standard Library PSL version 6.2.0 Description The PslH2ServerConnection function does not validate that the total bytes received in DATA frames match the content-length header declared...
PT-2026-50519
Hermes Agent before 0.16.0 creates response store.db and webhook subscriptions.json with world-readable permissions mode 0o644, exposing conversation history and HMAC secrets to local users. Attackers with local filesystem access can read these files directly to obtain sensitive data including...
PT-2026-50563
Name of the Vulnerable Software and Affected Versions Postman Download Module affected versions not specified Description The postman download module fails to sanitize the workspace name field retrieved from the Postman API when constructing local directory paths. A malicious workspace name...
PT-2026-53074
This update for xwayland fixes the following issues: - CreateSaverWindow Use-After-Free Information Disclosure. bsc1266301 - Font Alias Stack-based Buffer Overflow. bsc1266294 - GLX ChangeDrawableAttributes Out-Of-Bounds Read/Write. bsc1266300 - XKB Key Types Stack-based Buffer Overflow. bsc12662...
PT-2026-53071
Impact Three mutating endpoints in the evaluation test runs controller authorized state-changing actions using workflow:read instead of the action-appropriate workflow:execute scope. An authenticated user with project:viewer role on a project could start new evaluation test runs, cancel in-flight...
PT-2026-50604
Name of the Vulnerable Software and Affected Versions Capsule version 0.13.2 Description A typo in the webhook rules of the software causes a failure in the defense mechanism for the namespaces/finalize subresource. The configuration uses the singular namespace/finalize instead of the plural...
PT-2026-50238
A vulnerability in nltk.app.wordnet app up to version 3.9.3 allows unauthenticated remote shutdown of the local WordNet Browser HTTP server when started in its default mode. The server listens on all interfaces and processes a specific unauthenticated GET request /SHUTDOWN%20THE%20SERVER to...
PT-2026-50334
Unauthenticated Broken Access Control in WooCommerce Anti-Fraud = 7.2.6 versions...
PT-2026-50354
Subscriber Privilege Escalation in JetFormBuilder = 3.6.1 versions...
PT-2026-50283
Unauthenticated Cross Site Scripting XSS in Skillate = 1.2.10 versions...
PT-2026-50244
Name of the Vulnerable Software and Affected Versions LearnPress versions prior to 4.3.7 Description An information disclosure issue exists where the edit context on a REST endpoint is not properly restricted by the edit users capability. This allows unauthenticated visitors to retrieve sensitive...
PT-2026-50255
The Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 30.0.2 via the RegistryUserRole parameter. This is due to the plugin's admin menu being registered at the edit posts...
PT-2026-50260
Incorrect Authorization vulnerability of /v2 experimental interface in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes the issue...
PT-2026-50291
Unauthenticated SQL Injection in WPJobster = 6.3.5 versions...
PT-2026-50398
Unauthenticated PHP Object Injection in Konsept = 1.9 versions...
PT-2026-50267
Subscriber Arbitrary File Upload in Grip = 1.0.9 versions...
PT-2026-50346
Unauthenticated Insecure Direct Object References IDOR in Clean Login = 1.15 versions...