Lucene search
+L
PtsecurityRecent

187283 matches found

ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.21 views

PT-2026-50744

Name of the Vulnerable Software and Affected Versions Grav versions prior to 1.7.53 Description An authenticated administrator with backup permissions can download a ZIP archive containing the full installation root. This archive includes sensitive files such as user/accounts/admin.yaml, which...

6.8CVSS6AI score0.00174EPSS
Exploits0References4
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.19 views

PT-2026-50790

Name of the Vulnerable Software and Affected Versions deepstream versions prior to 10.0.5 Description A Prototype Pollution issue exists in the server, which allows clients and backend services to synchronize data, send messages, and make remote procedure calls RPCs at scale. Prototype Pollution...

9.9CVSS5.9AI score0.0027EPSS
Exploits0References10
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.19 views

PT-2026-50695

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.63, MediaDurationBlock will download and store the video in a temporary directory without deleting before all noded are done. StepThroughItemsBlock can be used t...

8.7CVSS5.3AI score0.00276EPSS
Exploits0References2
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.19 views

PT-2026-50732

Impact A denial-of-service DoS vulnerability exists in the factorial operator implementation of NCalc. Specially crafted expressions containing extremely large factorial operands can trigger excessive CPU consumption or cause evaluation to enter a non-terminating loop due to integer overflow in t...

4.8CVSS5.6AI score
Exploits0References4
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.14 views

PT-2026-50722

Name of the Vulnerable Software and Affected Versions Kirby versions prior to 4.9.4 Kirby versions prior to 5.4.4 Description Kirby sites and plugins using the KirbyHttpRemote class, including the functions Remote::request, Remote::get, and Remote::post, are susceptible to HTTP header injection...

6.9CVSS6AI score0.0029EPSS
Exploits0References8
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.21 views

PT-2026-50617

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via the change order status, add order note, delete order note, add shipping...

4.3CVSS5.7AI score0.0025EPSS
Exploits0References10
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.14 views

PT-2026-50775

Name of the Vulnerable Software and Affected Versions bpm-release versions prior to v1.4.30 Description A container-to-host privilege escalation exists where the setupBpmLogs function follows symlinks for bpm.log during open and chown operations. A compromised process within a bpm container can...

6.9CVSS6.1AI score0.00125EPSS
Exploits0References5
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.18 views

PT-2026-50771

Name of the Vulnerable Software and Affected Versions pam usb versions prior to 0.9.2 Description An infinite loop Denial of Service DoS occurs during the process-tree walk when a parent process exits during authentication. The function usb get process parent id fails to initialize the ppid...

4.7CVSS5.9AI score0.00104EPSS
Exploits0References6
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.16 views

PT-2026-50694

Name of the Vulnerable Software and Affected Versions AutoGPT versions prior to 0.6.63 Description AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. The AddAudioToVideoBlock function downloads and stores video and audio file...

7.1CVSS5.8AI score0.00247EPSS
Exploits0References5
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.23 views

PT-2026-50664

An OS Command Injection vulnerability exists in LMS LAN Management System before commit 9fcb4de due to an IP address parameter being passed to the "exec" function without proper validation, allowing attackers to execute arbitrary operating system commands...

8.6CVSS5.8AI score0.00947EPSS
Exploits0References3
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.16 views

PT-2026-53146

PraisonAI Slack app mention bypasses configured user/channel authorization Summary PraisonAI's Slack bot applies its configured allowed users, allowed channels, and unknown-user pairing policy in the normal Slack message event handler, but not in the adjacent Slack app mention event handler. A...

8.3CVSS6.5AI score
Exploits0References3
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.23 views

PT-2026-50669

uBB.threads is vulnerable to a Cross-Site Request Forgery CSRF due to a lack of protective mechanisms. This allows an attacker to trick an authenticated user into executing unintended actions. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version...

8.6CVSS5.2AI score0.00293EPSS
Exploits0References2
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.23 views

PT-2026-50719

Name of the Vulnerable Software and Affected Versions opentelemetry-collector-contrib sentryexporter affected versions not specified Description The Sentry exporter fails to validate the service.name resource attribute when constructing Sentry API URLs. Because this attribute is controlled by...

5.3CVSS6.1AI score
Exploits0References4
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.18 views

PT-2026-50672

UBB.threads is vulnerable to Path traversal, allowing attackers with privilege to edit templates to read and write any file on the application’s server that application has privileges to, what results in Remote Code Execution. Because vendor contact attempts were unsuccessful, the vulnerability...

8.6CVSS5.5AI score0.00628EPSS
Exploits0References2
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.23 views

PT-2026-50804

Name of the Vulnerable Software and Affected Versions Chef 360 versions prior to 1.7.0 Description A static credential embedded in the software allows unauthenticated access to internal message queues. These queue messages contain tenant-specific identifiers. Recommendations Update to version 1.7...

5.1CVSS5.9AI score0.0017EPSS
Exploits0References3
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.21 views

PT-2026-50649

The Slideshow Gallery LITE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'alwaysauto' shortcode attribute in all versions up to, and including, 1.8.5. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible...

6.4CVSS5.5AI score0.00205EPSS
Exploits0References6
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.16 views

PT-2026-50684

Name of the Vulnerable Software and Affected Versions Grav versions 1.7.52 through 2.0 Description An incomplete fix for a stored Cross-Site Scripting XSS issue allows users with admin.pages permissions to inject unsanitized CSS into the style attribute of images via Markdown media actions. While...

4.8CVSS6.2AI score0.00187EPSS
Exploits0References8
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.19 views

PT-2026-50740

Name of the Vulnerable Software and Affected Versions Zitadel versions 4.0.0 through 4.15.1 Zitadel versions 3.0.0 through 3.4.11 Description A Server-Side Request Forgery SSRF issue exists in components that handle outgoing HTTP requests, specifically HTTP Notification Channels, OIDC BackChannel...

2.3CVSS6AI score0.00252EPSS
Exploits0References8
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.29 views

PT-2026-50802

Name of the Vulnerable Software and Affected Versions M365 Copilot affected versions not specified Description A missing authentication flaw in a critical function allows an unauthorized attacker to disclose information over a network. Recommendations At the moment, there is no information about ...

9.8CVSS5.9AI score0.00578EPSS
Exploits0References9
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.21 views

PT-2026-50641

Name of the Vulnerable Software and Affected Versions Google Android affected versions not specified Description A missing permission check in the AndroidManifest.xml file allows for a persistent local denial of service. This issue can be triggered without requiring user interaction or additional...

10CVSS6AI score0.00138EPSS
Exploits0References7
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.22 views

PT-2026-50782

Name of the Vulnerable Software and Affected Versions pam usb versions prior to 0.9.2 Description pam usb provides hardware authentication for Linux using removable media. The software calls the xmlReadFile function with flags=0 when loading the configuration file, which allows libxml2 to process...

6.7CVSS5.8AI score0.00115EPSS
Exploits0References9
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.17 views

PT-2026-50737

Name of the Vulnerable Software and Affected Versions @tinacms/mdx versions prior to 2.1.7 tinacms versions prior to 3.9.3 Description Rich-text parsing and the default link/image renderers fail to sanitize the url field on Slate link/image nodes. This allows content containing javascript: or...

4.8CVSS5.6AI score0.00239EPSS
Exploits0References9
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.22 views

PT-2026-50743

Name of the Vulnerable Software and Affected Versions opentelemetry-collector-contrib affected versions not specified Description The githubreceiver webhook handler fails to enforce the required headers configuration. While these headers are validated during startup, they are not checked on...

6.9CVSS6AI score
Exploits0References4
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.9 views

PT-2026-54544

Уязвимость платформы для управления и защиты идентификационных данных Azure Active Directory связана с недостатками процедуры аутентификации. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, повысить свои привилегии...

10CVSS7.3AI score0.00562EPSS
Exploits0References2
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.18 views

PT-2026-50801

Name of the Vulnerable Software and Affected Versions phpMyFAQ versions prior to 4.1.4 Description Missing authorization in the public API allows users to bypass role permission checks. The system only verifies a shared API key header via the hasValidToken function instead of validating individua...

6.5CVSS5.9AI score0.0024EPSS
Exploits0References8
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.17 views

PT-2026-50725

Name of the Vulnerable Software and Affected Versions Kirby versions prior to 4.9.4 Kirby versions prior to 5.4.4 Description Kirby sites with the content.fileRedirects option enabled allow unauthenticated users to access clean file URLs for files stored in top-level draft pages. The system...

6.3CVSS5.9AI score0.00312EPSS
Exploits0References8
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.17 views

PT-2026-50647

The MagicForm WordPress plugin through 0.1.3 does not properly validate the type of files uploaded through an unauthenticated AJAX action when a form's per-field extension allowlist is left empty, allowing unauthenticated attackers to upload PHP files and execute arbitrary code on the server...

5.9AI score0.00215EPSS
Exploits0References1
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.28 views

PT-2026-50648

Name of the Vulnerable Software and Affected Versions Worksnaps versions prior to 1.6.20260201 Description The Worksnaps client application binaries contain hardcoded cloud credentials and secret material. These exposed credentials include AWS access keys and S3 bucket names, which authenticated ...

9.3CVSS5.9AI score0.00388EPSS
Exploits1References8
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.26 views

PT-2026-50796

Name of the Vulnerable Software and Affected Versions Relyra versions 1.0.0 through 1.1.0 Description Relyra is a SAML 2.0 Service Provider library for Elixir and Phoenix that accepts forged SAML signatures. This occurs because the SignatureValue is not cryptographically verified before the libra...

9.1CVSS5.8AI score0.00135EPSS
Exploits0References9
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.6 views

PT-2026-53118

Summary Karate Mock Server can execute embedded expressions found in attacker-controlled HTTP request data when a Mock Server feature assigns request-derived values such as request, requestHeaders, or requestParams to variables. In affected scenarios, an unauthenticated remote attacker can place ...

9.2CVSS6.3AI score
Exploits0References3
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.10 views

PT-2026-51424

Уязвимость программного обеспечения выявления уязвимостей и ошибок PT Application Inspector связана с ошибками разграничения доступа. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, получить несанкционированный доступ к защищаемой информации...

6.8CVSS5.8AI score
Exploits0References2
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.5 views

PT-2026-53119

Summary The MentionsParser in src/praisonai-agents/praisonaiagents/tools/mentions.py processes @file: mentions in agent prompts by reading arbitrary files from the filesystem. When a file path is not found relative to the workspace, the parser falls back to using the path as an absolute path...

7.5CVSS6AI score
Exploits0References3
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.7 views

PT-2026-53130

Summary Setting PRAISONAI CALL AUTH=disabled completely disables all authentication on the /api/v1/agents/id/invoke endpoint. This bypass is advertised in the application's own error messages, making it likely to appear in production Docker and Compose configurations. Details python...

8.2CVSS5.9AI score
Exploits0References3
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.11 views

PT-2026-53123

Summary A Server-Side Request Forgery SSRF vulnerability in the SearxNG / search web search tools allows an attacker to make the server perform requests to arbitrary internal endpoints and read the responses back. The searxng url argument is passed directly to requests.get with no validation of...

8.8CVSS5.9AI score
Exploits0References3
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.7 views

PT-2026-53125

PraisonAI recipe serve Typer command bypasses the non-localhost authentication guard Summary PraisonAI's installed console entrypoint is Typer-first. In current releases, the recipe command is registered in the Typer app and praisonai recipe serve dispatches to the deprecated Typer command in...

8.2CVSS6.5AI score
Exploits0References3
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.7 views

PT-2026-53122

Unauthenticated Remote Code Execution via Jobs API and Approval Bypass in PraisonAI Summary An unauthenticated attacker can execute arbitrary OS commands on any server running the PraisonAI Jobs API by submitting a crafted workflow YAML. The attack chains two weaknesses: the /api/v1/runs endpoint...

9.8CVSS6.7AI score
Exploits0References3
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.7 views

PT-2026-53184

REST Path Traversal Bypasses Token Redaction in netlicensing-mcp Summary The netlicensing get product MCP tool in netlicensing-mcp interpolates a caller-controlled product number argument directly into a REST URL path without any validation. Passing ../token as the product number causes httpx to...

9.6CVSS5.8AI score
Exploits0References3
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.8 views

PT-2026-53143

Summary An unauthenticated attacker can read arbitrary files on the server by supplying an absolute filesystem path in the agent file field of the Jobs API. The field has no path validation, no allowlist, and no authentication is required to submit jobs. Details The agent file field in...

7.5CVSS6AI score
Exploits0References3
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.5 views

PT-2026-53139

Summary The published npm package praisonai exports createAgentLoop, whose onToolCall callback is documented and exampled as an approval hook. The implementation calls PraisonAI's generateText wrapper with the caller's executable tools first, receives toolResults, and only then calls onToolCall...

8.8CVSS6AI score
Exploits0References3
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.9 views

PT-2026-53157

Root has patched AIKIDO-2026-11158 in the io.root.org.springframework:spring-core package for Root:Maven. Multiple fixed versions available...

5.8AI score
Exploits0References1
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.7 views

PT-2026-53133

praisonai-platform: default JWT signing secret dev-secret-change-me Researcher: Kai Aizen — SnailSploit @SnailSploit, Adversarial & Offensive Security Research Target: https://github.com/MervinPraison/PraisonAI --- Package: praisonai-platform on PyPI Latest version and version tested: 0.1.4,...

9.8CVSS5.7AI score
Exploits0References3
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.6 views

PT-2026-53140

praisonai: recipe serve authentication middleware silently disables itself when no secret is set Researcher: Kai Aizen — SnailSploit @SnailSploit, Adversarial & Offensive Security Research Target: https://github.com/MervinPraison/PraisonAI --- Package: praisonai on PyPI Version tested: 4.6.48...

9.8CVSS6.1AI score
Exploits0References3
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.8 views

PT-2026-53151

Compute-bridged file tools allow shell command injection Summary LocalManagedAgent / SandboxedAgent compute bridging wraps read file, list files, and write file when a compute provider is attached. The bridge converts those file operations into shell command strings using raw path arguments, then...

8.8CVSS6.2AI score
Exploits0References3
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.13 views

PT-2026-51181

CVE ID :CVE-2026-12475 Published : June 18, 2026, 4:29 p.m. | 1 hour, 40 minutes ago Description :None Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

5.8AI score
Exploits0References1
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.6 views

PT-2026-53134

Affected: praisonai-platform PyPI CWE-287 Improper Authentication Overview GHSA-3qg8-5g3r-79v5 Critical reported that praisonai-platform's JWT signing secret defaulted to the hardcoded literal "dev-secret-change-me", and that the production guard meant to prevent this was default-open it only...

9.8CVSS5.9AI score
Exploits0References3
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.12 views

PT-2026-53185

Summary JWSVerifier::getAlgorithm in src/Library/Signature/JWSVerifier.php line 144 merges protected and unprotected headers using PHP's spread operator: php $completeHeader = ...$signature-getProtectedHeader, ...$signature-getHeader; In PHP, when spreading arrays with duplicate string keys, the...

9.1CVSS5.8AI score
Exploits0References4
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.6 views

PT-2026-53128

Summary PraisonAI recipe execution has a dangerous-tool policy that is supposed to block default-denied tools unless the caller explicitly passes allow dangerous tools=True. That policy only checks tools declared in TEMPLATE.yaml requires.tools. For steps-based recipes, the actual execution path...

7.8CVSS6AI score
Exploits0References3
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.8 views

PT-2026-53159

Root has patched GHSA-3875-8gcx-7v46 in the @rootio/n8n package for Root:npm. Multiple fixed versions available...

9.1CVSS5.8AI score
Exploits0References1
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.5 views

PT-2026-53117

Summary The multiedit tool in src/praisonai/praisonai/tools/multiedit.py allows LLM-controlled arbitrary file read and write without any path validation, workspace boundary check, or protected path guard. This enables an attacker who can influence agent tool arguments via crafted prompts, user...

9.1CVSS6AI score
Exploits0References3
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.8 views

PT-2026-53158

Root has patched GHSA-2vx9-7wpg-88jq in the @rootio/n8n package for Root:npm. Multiple fixed versions available...

5.8AI score
Exploits0References1
Total number of security vulnerabilities187283