Lucene search
+L
PtsecurityRecent

187392 matches found

ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.7 views

PT-2026-53188

Summary The Docker API server applied its SSRF destination check validate url destination on the non-streaming /crawl path but not on the streaming path. handle stream crawl request passed seed URLs straight to the crawler with no destination validation. A remote, unauthenticated client could cal...

8.6CVSS5.8AI score
Exploits0References3
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.5 views

PT-2026-53138

Summary The published npm package praisonai exports a TypeScript SandboxExecutor with a network-isolated mode. The CLI lists that mode as: text network-isolated No network access proxy blocked The implementation does not create a network namespace, firewall rule, socket filter, or proxy-enforced...

7.6CVSS6AI score
Exploits0References3
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.7 views

PT-2026-53137

PraisonAI Code agent tools fail open without a workspace boundary Summary PraisonAI Code's agent-compatible CODE TOOLS wrappers keep a global workspace root initialized to None. If an application uses CODE TOOLS, code read file, code search replace, or code apply diff before calling set workspace...

7.3CVSS6AI score
Exploits0References3
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.8 views

PT-2026-53182

@acastellon/auth v2.2.0 appears to allow an unauthenticated authentication bypass in validateToken through spoofable auth-user and Host request headers. The validateToken middleware contains a service-to-service bypass for auth-user: service-brother when req.get'host'.startsWithgetHostName. Both...

9.3CVSS5.8AI score
Exploits0References5
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.10 views

PT-2026-53141

On case-insensitive filesystems macOS, Windows, PathFilter compiled its deny-list patterns case-sensitively and matched the path verbatim, so names like .Git/config, .GIT/config, or .oBsIdIaN/secrets.md slipped past the .git/.obsidian/node modules restriction while the OS opened the real file. On...

6.9CVSS5.8AI score
Exploits0References3
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.6 views

PT-2026-53153

PraisonAI AgentTeam.launch exposes unauthenticated remote agent invocation endpoints Summary PraisonAI's documented Python AgentTeam.launch / Agents.launch HTTP server starts externally reachable agent invocation endpoints without any authentication enforcement. The current implementation registe...

9.8CVSS6AI score
Exploits0References3
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.9 views

PT-2026-53161

This update for rootlesskit rebuilds it against the current go security release...

5.8AI score
Exploits0References2
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.10 views

PT-2026-53149

PraisonAI recipe.run stream skips dangerous-tool policy enforcement Summary PraisonAI recipe execution blocks default-denied dangerous tools unless the caller explicitly passes allow dangerous tools=True. The normal recipe.run path enforces this with check tool policy. The streaming path,...

7.8CVSS6.1AI score
Exploits0References3
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.9 views

PT-2026-53147

Summary A workspace member can permanently delete any resource — projects, agents, issues, labels, issue dependencies, and issue-label attachments — created by the workspace owner or other members. All six content DELETE endpoints enforce workspace membership but perform no ownership or role chec...

8.1CVSS5.8AI score
Exploits0References3
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.8 views

PT-2026-53181

Summary The digits parameter parsed from a provisioning URI is validated only with a lower bound $value 0 and has no upper bound src/OTP.php:353-357. OTP generation computes $code % 10 $this-getDigits src/OTP.php:283. When digits is large enough that 10 digits overflows PHP's integer range and th...

8.7CVSS5.8AI score
Exploits0References4
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.6 views

PT-2026-53124

Summary The published npm package praisonai ships dist/tools/utility-tools.js, which exports a shellcommand helper described in source as: text Execute shell command safe version - read-only commands The helper attempts to enforce a safe read-only command allowlist by checking only the first...

8.8CVSS6.1AI score
Exploits0References3
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.27 views

PT-2026-50628

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'name' parameter in all versions up to, and including, 1.15.43 due to insufficient escaping on the user supplied parameter and lack of sufficient...

4.9CVSS5.8AI score0.00355EPSS
Exploits0References10
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.17 views

PT-2026-50633

The Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.42.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This mak...

4.3CVSS5.3AI score0.00245EPSS
Exploits0References8
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.16 views

PT-2026-50638

The Appointment Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.4.01. This is due to insufficient authorization and missing per-calendar ownership checks in the cpabc appointments calendar load2 function, which is reachable...

4.3CVSS5.4AI score0.00285EPSS
Exploits0References10
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.38 views

PT-2026-50640

The SysBasics Customize My Account for WooCommerce – Dashboard, Endpoints, Avatar & Menu Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 4.3.6 due to insufficient input sanitization and output escaping. Thi...

6.1CVSS5.4AI score0.00211EPSS
Exploits0References4
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.16 views

PT-2026-50728

Name of the Vulnerable Software and Affected Versions affected versions not specified Description Database connection information, including the username and password, is logged at the debug level when using .pgpass. Recommendations Upgrade to version 2.7.1 or greater. Filter out debug-level logs...

2.4CVSS6.1AI score
Exploits0References7
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.18 views

PT-2026-50727

Name of the Vulnerable Software and Affected Versions Pipecat versions prior to 1.4.0 Description The pipecat development runner registers a /ws WebSocket endpoint for telephony testing that accepts connections without authentication. An unauthenticated remote attacker can connect to this endpoin...

7.5CVSS6AI score0.00343EPSS
Exploits1References14
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.19 views

PT-2026-50709

Name of the Vulnerable Software and Affected Versions Hermes WebUI versions prior to 0.51.468 Description An issue exists in the unauthenticated 'POST /api/onboarding/oauth/start' endpoint that allows for unbounded accumulation of in-memory flow state and daemon threads. This can lead to resource...

6.9CVSS5.9AI score0.00301EPSS
Exploits0References7
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.17 views

PT-2026-50681

I got six CVEs in a major npm package including 4 RCEs. CVE-2026-54662, CVE-2026-54661, CVE-2026-54666, CVE-2026-54664, CVE-2026-54660, CVE-2026-54663 Full writeup with every sink and payload here: https://t.co/Pgwn5lgb9y infosec cybersecurity rce...

5.2AI score
Exploits0References1
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.18 views

PT-2026-50803

Name of the Vulnerable Software and Affected Versions Chef 360 versions prior to 1.7.1 Description Improper handling of URL-encoded paths during request processing can allow unauthorized access to protected API endpoints. An authenticated request may bypass standard access controls to gain...

9.4CVSS5.9AI score0.00401EPSS
Exploits0References3
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.26 views

PT-2026-50676

Name of the Vulnerable Software and Affected Versions Docker Sandboxes affected versions not specified Description Docker Sandboxes sbx fail to re-apply the ICMP egress authorizer to networks rebuilt from disk after a Docker daemon restart. This allows a restart-surviving sandbox to forward ICMP...

5.7CVSS6AI score0.00097EPSS
Exploits0References5
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.27 views

PT-2026-50731

Name of the Vulnerable Software and Affected Versions Gotenberg version 8.33.0 Description A Server-Side Request Forgery SSRF issue exists in the /forms/libreoffice/convert endpoint. By uploading a specially crafted DOCX document, an attacker can force LibreOffice to retrieve external resources...

7.5CVSS5.8AI score0.00355EPSS
Exploits0References7
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.23 views

PT-2026-50710

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Versions prior to 0.6.62 have a DOM-based Cross-Site Scripting XSS vulnerability in AutoGPT's signup page. The application improperly trusts a URL parameter next, which is...

8.8CVSS5.5AI score0.00189EPSS
Exploits0References2
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.9 views

PT-2026-53132

Summary The email search tool in src/praisonai-agents/praisonaiagents/tools/email tools.py constructs IMAP SEARCH commands by interpolating LLM-controlled parameters from addr, subject, query directly into IMAP protocol strings using f-string formatting with double-quote delimiters. An attacker w...

8.1CVSS6AI score
Exploits0References3
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.21 views

PT-2026-50734

Name of the Vulnerable Software and Affected Versions http-proxy-middleware versions 0.16.0 through 2.0.9 http-proxy-middleware versions 3.0.0 through 3.0.5 http-proxy-middleware versions 4.0.0 through 4.0.9 Description An issue exists in the router proxy-table implementation where host+path...

8.6CVSS5.9AI score0.0034EPSS
Exploits1References5
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.14 views

PT-2026-50861

These are all security issues fixed in the lemon-3.53.2-2.1 package on the GA media of openSUSE Tumbleweed...

5.9AI score
Exploits0References3
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.14 views

PT-2026-50783

Name of the Vulnerable Software and Affected Versions pam usb versions prior to 0.9.2 Description This software provides hardware authentication for Linux using removable media. A race condition exists when updating a one-time pad file because a temporary file is created using the open function...

5.8CVSS5.9AI score0.00088EPSS
Exploits0References8
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.19 views

PT-2026-50656

claudiopizzillo PIAF-HMS PBX-In-A-Flash Hotel Management System; no released versions, latest commit 389d2633441b65ced1c104212cd62be2bfca21e5 contains multiple unauthenticated SQL injection vulnerabilities. The application has no authentication mechanism and passes user-supplied HTTP parameters...

9.8CVSS5.8AI score0.00587EPSS
Exploits0References3
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.20 views

PT-2026-50735

Name of the Vulnerable Software and Affected Versions http-proxy-middleware versions 3.0.4 through 3.0.6 http-proxy-middleware versions prior to 4.1.1 Description An issue exists in the fixRequestBody helper function when the outgoing Content-Type is set to multipart/form-data. The function uses...

7.5CVSS5.8AI score0.00243EPSS
Exploits1References5
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.13 views

PT-2026-50716

Name of the Vulnerable Software and Affected Versions Bitnami MariaDB Galera container image versions 10.6.x prior to 10.6.27-photon-5-r0 Bitnami MariaDB Galera container image versions 10.11.x prior to 10.11.17-photon-5-r1 Bitnami MariaDB Galera container image versions 11.4.x prior to...

5.3CVSS6AI score0.00187EPSS
Exploits0References8
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.21 views

PT-2026-50798

Name of the Vulnerable Software and Affected Versions Azure Bot Service affected versions not specified Description Improper authentication in Azure Bot Service allows an authorized attacker to elevate privileges over a network. Recommendations At the moment, there is no information about a newer...

8.8CVSS5.9AI score0.00411EPSS
Exploits0References6
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.22 views

PT-2026-50686

Name of the Vulnerable Software and Affected Versions Eclipse 4diac FORTE versions 3.0.0 through 3.1.0 Description A specially crafted DELETE connection command sent to the management interface can cause a dangling pointer. This condition enables a use-after-free scenario, where subsequent comman...

9.8CVSS5.8AI score0.00304EPSS
Exploits0References4
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.23 views

PT-2026-50714

Name of the Vulnerable Software and Affected Versions WP EasyPay versions prior to 4.4.0 Description Cross-Site Request Forgery CSRF allows an attacker to induce a user to perform actions they did not intend to do by tricking their browser into sending a forged request to the application...

6.5CVSS5.9AI score0.00124EPSS
Exploits0References5
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.15 views

PT-2026-50697

InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 including earlier versions were discovered to contain a command injection vulnerability in the Python configuration function. This vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input...

5.9AI score0.01316EPSS
Exploits0References2
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.21 views

PT-2026-50733

Name of the Vulnerable Software and Affected Versions piscina versions prior to 6.0.0-rc.2 piscina versions prior to 5.2.0 piscina versions prior to 4.9.3 Description Prototype pollution in the constructor and run paths allows an attacker to control the filename option. When the options object...

8.1CVSS5.9AI score0.00296EPSS
Exploits0References7
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.21 views

PT-2026-50789

Name of the Vulnerable Software and Affected Versions OneDev versions prior to 15.0.7 Description An arbitrary file write issue exists due to symlink path traversal. The TarUtils.untar function creates symbolic links using the getLinkName TAR entry without validating if the target is an absolute...

8.3CVSS6AI score0.00382EPSS
Exploits0References7
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.18 views

PT-2026-50776

Name of the Vulnerable Software and Affected Versions Node.js version 22 Node.js version 24 Description A flaw in the HTTP/2 server API allows servers to continue accepting data after a GOAWAY frame has been sent. A GOAWAY frame is a mechanism used in the HTTP/2 protocol to notify the peer that t...

5.3CVSS5.9AI score0.00445EPSS
Exploits0References86
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.15 views

PT-2026-50702

Name of the Vulnerable Software and Affected Versions Node.js version 22 Node.js version 24 Node.js version 26 Description A flaw in the Permission Model enforcement allows a bypass through path misvalidation in the process.report.writeReport function. This issue can result in a confidentiality...

1.8CVSS5.8AI score0.00208EPSS
Exploits0References108
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.21 views

PT-2026-50707

Name of the Vulnerable Software and Affected Versions HAProxy versions prior to 3.4.0 Description An integer overflow exists in the drl field of the fcgi conn structure within the FastCGI parser. When the contentLength is 65535 and the paddingLength is 1 or more, the drl field wraps to 0. This...

9.1CVSS5.9AI score0.00321EPSS
Exploits0References31
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.20 views

PT-2026-50708

Name of the Vulnerable Software and Affected Versions HAProxy versions prior to 3.4.0 Description A null pointer dereference occurs in the hpack dht insert function within src/hpack-tbl.c because the return value of hpack dht defrag is not validated when the memory pool is exhausted. An attacker...

8.7CVSS5.9AI score0.00431EPSS
Exploits0References30
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.16 views

PT-2026-50729

Component: tract-nnef nnef/src/tensors.rs::read tensor + tract-data data/src/tensor.rs - Affected versions: 0.21.16, 0.22.0–0.22.2, 0.23.0–0.23.1 — the dense DatLoader path was unguarded across all three release lines; patched in 0.21.16 / 0.22.2 / 0.23.1 - Class: CWE-190 integer overflow →...

6.1CVSS5.8AI score
Exploits0References3
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.18 views

PT-2026-50821

Name of the Vulnerable Software and Affected Versions Apollo Pharmacy Blood Glucose Monitoring System APG-01 affected versions not specified Description An attacker within Bluetooth Low Energy BLE communication range can passively intercept wireless traffic to obtain sensitive health-related...

7.1CVSS5.9AI score0.00145EPSS
Exploits0References10
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.22 views

PT-2026-50646

Cotonti 1.0.0 master branch, commit f43f1fc3 is vulnerable to stored Cross-Site Scripting in the Personal File Storage PFS module. A folder title pff title is imported with the 'TXT' filter, which does not strip or encode HTML the tag check in cot import is disabled, so an authenticated user can...

7.6CVSS5.2AI score0.00171EPSS
Exploits0References2
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.23 views

PT-2026-50657

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in OceanWP Ocean Product Sharing allows Stored XSS. This issue affects Ocean Product Sharing: from n/a through 2.2.2...

5.9CVSS5.2AI score0.00143EPSS
Exploits0References1
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.20 views

PT-2026-50799

Name of the Vulnerable Software and Affected Versions Cost Management Interactive Experiences affected versions not specified Description Exposure of sensitive information in Cost Management Interactive Experiences allows an unauthorized attacker to disclose information over a network...

7.5CVSS5.8AI score0.0057EPSS
Exploits0References6
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.17 views

PT-2026-50622

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to generic SQL Injection via the 'data' parameter in all versions up to, and including, 3.9.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL...

4.9CVSS5.8AI score0.00363EPSS
Exploits0References10
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.27 views

PT-2026-50626

The Services Section Block – Showcase Service Details in Grid or Columns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'link' Block Attribute in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS5.5AI score0.00212EPSS
Exploits0References4
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.18 views

PT-2026-50644

Cotonti 1.0.0 master branch, commit f43f1fc3 is vulnerable to Cross-Site Request Forgery in the Personal File Storage PFS module. In modules/pfs/inc/pfs.main.php, the file upload action 'a=upload' processes uploaded files without calling cot check xg to validate the anti-CSRF token, even though...

8.6CVSS5.4AI score0.00177EPSS
Exploits0References2
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.17 views

PT-2026-50630

The Simple Membership plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.7.5. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to deactivate arbitra...

5.3CVSS5.5AI score0.00352EPSS
Exploits0References10
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.18 views

PT-2026-50784

Name of the Vulnerable Software and Affected Versions pam usb versions prior to 0.9.2 Description A symlink race condition exists in the creation of per-device and per-user pad directories. The software employs a check-then-act pattern, where it calls lstat to verify existence and subsequently...

5.8CVSS5.9AI score0.00084EPSS
Exploits0References8
Total number of security vulnerabilities187392