Lucene search
K
PtsecurityRecent

184419 matches found

Positive Technologies
Positive Technologies
added 4 days ago5 views

PT-2026-56516

Astro is a web framework for content-driven websites. Version 6.4.7 performs authorization decisions on a partially decoded pathname after reaching the iterative URL decoder limit, while later rewrite route matching performs an additional decodeURI operation and can resolve the request to a...

8.2CVSS6AI score0.00267EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 4 days ago7 views

PT-2026-56496

protobufjs compiles protobuf definitions into JavaScript JS functions. From 8.2.0 until 8.6.5, the protobufjs Text Format extension parsed string-keyed map entries using ordinary property assignment, allowing a map entry with key proto to change the prototype of the returned map object instead of...

4.8CVSS6AI score0.00221EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 4 days ago7 views

PT-2026-56488

Name of the Vulnerable Software and Affected Versions Socket.IO versions 4.1.0 through 6.6.6 Description The Engine.IO protocol v4 polling transport fails to properly close the HTTP response when receiving invalid binary POST requests that use the Content-Type: application/octet-stream header. Th...

7.5CVSS6AI score0.00354EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 4 days ago4 views

PT-2026-56502

Name of the Vulnerable Software and Affected Versions linkify-it versions prior to 5.0.2 Description The mailto: schema validator used by the .test and .match functions can be triggered at every occurrence of mailto: and scan the remaining input via src email name in lib/re.mjs. This behavior lea...

7.5CVSS5.9AI score0.00346EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 4 days ago4 views

PT-2026-56506

Hono is a Web application framework that provides support for any JavaScript runtime. From 4.11.8 before 4.12.27, hono/jsx did not isolate context values per request during server-side rendering, allowing createContext, useContext, jsxRenderer, or useRequestContext data from a different in-flight...

6.5CVSS5.9AI score0.00191EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 4 days ago7 views

PT-2026-56436

n8n before 2.8.0 contains a cross-site scripting vulnerability in the credential management flow where authenticated users can inject malicious JavaScript URLs into OAuth2 credential Authorization URL fields. Attackers can craft malicious credentials and trick victims into clicking the OAuth...

5.4CVSS5.9AI score0.00141EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 4 days ago6 views

PT-2026-56443

n8n before 2.25.7 and 2.26.x before 2.26.2 contains an authorization bypass in the Public API execution retry endpoint, which authorizes access using the workflow:read scope instead of workflow:execute. An authenticated user with read-only access to a shared workflow can use the Public API to ret...

6.4CVSS6.1AI score0.00174EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 4 days ago5 views

PT-2026-56678

Overview A path traversal vulnerability is possible via the COAR Notify / LDN service in DSpace. This vulnerability impacts DSpace versions 8.0 = 8.3, 9.0 = 9.2. The attacker MUST already have DSpace administrator credentials in order to perform the attack. When reading a file input stream of an...

5.5CVSS5.8AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 4 days ago5 views

PT-2026-56676

Overview The Curation Task feature allows an output path to be used by the reporter -r parameter, typically used to stream results and status of curation task operations. It is not restricted to any particular base path, meaning that any path writable by the DSpace often 'tomcat' user is allowed...

5.5CVSS5.7AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 4 days ago4 views

PT-2026-56677

Overview Remote Code Execution RCE is possible via Velocity Templates used by DSpace for COAR Notify/LDN messages. This vulnerability impacts DSpace versions 8.0 = 8.3, 9.0 = 9.2. The attacker MUST already have DSpace administrator credentials in order to perform the attack. This attack is relate...

9CVSS6.8AI score0.22709EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 4 days ago6 views

PT-2026-56608

Appium is a cross-platform automation framework for all kinds of apps, built on top of the W3C WebDriver protocol. Prior to 10.7.0, Appium's base-driver unconditionally mounts the /test/guinea-pig, /test/guinea-pig-scrollable, and /test/guinea-pig-app-banner routes, and compileLodashTemplate...

6.5CVSS6.1AI score0.00285EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 4 days ago5 views

PT-2026-56581

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a client able to send account-scoped connection monitoring requests could crash the server by supplying Connz pagination Offset and Limit values that overflowed internal...

7.7CVSS6AI score0.0056EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 4 days ago6 views

PT-2026-56561

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.1 and 2.12.9, an MQTT client could include protocol control characters in subscription filters that were later forwarded as NATS protocol data to route or leafnode connections, corrupti...

7.1CVSS6AI score0.00439EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 4 days ago7 views

PT-2026-56536

LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.27.1, the pop array filter at src/filters/array.ts allocated a full clone of its input array via ...toArrayv without calling this.context.memoryLimit.use..., allowing a template render such as huge arr...

8.2CVSS6AI score0.00384EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 4 days ago5 views

PT-2026-56490

Name of the Vulnerable Software and Affected Versions js-yaml versions 3.0.0 through 3.14.x js-yaml versions 4.0.0 through 4.2.x Description js-yaml can consume quadratic CPU time when parsing a document that grows linearly in size. This occurs when a chain of mappings utilizes merge keys, where...

7.5CVSS6AI score0.0035EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 4 days ago6 views

PT-2026-56487

Name of the Vulnerable Software and Affected Versions Socket.IO versions 6.5.0 through 6.6.6 Description Engine.IO servers with WebTransport enabled are susceptible to a denial of service. During WebTransport upgrade handling, the server can resolve a crafted session ID, such as proto , through a...

7.5CVSS6.1AI score0.00339EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 4 days ago7 views

PT-2026-56489

js-yaml is a JavaScript YAML parser and dumper. From 5.0.0 before 5.2.0, when merge keys are enabled, js-yaml can spend quadratic CPU time parsing a document whose size grows only linearly when a chain of mappings uses merge keys where each mapping merges the previous one. This issue is fixed in...

5.3CVSS6AI score0.00291EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 4 days ago6 views

PT-2026-56504

Name of the Vulnerable Software and Affected Versions @opentelemetry/propagator-jaeger versions prior to 2.9.0 Description The @opentelemetry/propagator-jaeger component decodes incoming uber-trace-id and uberctx- HTTP header values using the decodeURIComponent function without proper error...

7.5CVSS6AI score0.00436EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 4 days ago6 views

PT-2026-56505

Hono is a Web application framework that provides support for any JavaScript runtime. From 4.0.0 before 4.12.27, cx in hono/css composes class names from plain strings but marks the result as already escaped without HTML-escaping the input, allowing untrusted className values used in a JSX class...

6.1CVSS6.1AI score0.00187EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 4 days ago4 views

PT-2026-56442

n8n before 1.123.55, 2.25.7, and 2.26.2 contains an authorization bypass in the POST /workflows/workflowId/test-runs/new endpoint, which authorizes access using the workflow:read scope instead of workflow:execute. An authenticated user with read-only access to a workflow can trigger a real...

7.4CVSS6.1AI score0.00161EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 4 days ago5 views

PT-2026-56448

n8n before 1.123.61, 2.x before 2.27.4, and 2.28.x before 2.28.1 contains a SQL injection vulnerability in the legacy MySQL v1 node's executeQuery operation. The operation substitutes evaluated ... expression values directly into the raw SQL string without parameterization. When a workflow uses...

5.3CVSS6.3AI score0.00314EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 4 days ago7 views

PT-2026-56447

n8n before 2.28.0 contains an improper authorization vulnerability allowing authenticated users to assign workflows to folders in other projects. Attackers can bypass project and folder authorization boundaries by supplying crafted request payloads during workflow creation, causing logical...

5.3CVSS5.9AI score0.00166EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 4 days ago10 views

PT-2026-56625

Name of the Vulnerable Software and Affected Versions Cline versions prior to 3.0.30 Description The Cline Hub dashboard server, initiated via the cline dashboard command, fails to validate the Origin header for WebSocket connections on the /browser endpoint. When the ROOM SECRET is unset for loc...

8.8CVSS6.2AI score0.00145EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 4 days ago9 views

PT-2026-56582

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a WebSocket listener could route requests for the MQTT-over-WebSocket path into MQTT handling even when MQTT was not configured, allowing an unauthenticated client with...

6.8CVSS6AI score0.00593EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 4 days ago10 views

PT-2026-56342

During the process of page opening and form formatting, a JavaScript reentrancy results in an inconsistent document status. Subsequently, with outdated page information, the application attempts to access invalid addresses, causing the application to crash...

6.1CVSS6AI score0.00107EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 4 days ago8 views

PT-2026-56570

IBM WebSphere Application Server is affected by a cross-site request forgery vulnerability CVE-2026-8408 https://t.co/dB0G7EZZaG...

5.8AI score
Exploits0References1
Positive Technologies
Positive Technologies
added 4 days ago6 views

PT-2026-56483

CyberChef is a web app for encryption, encoding, compression, and data analysis. Prior to 11.2.0, the Series Chart operation accepts proto as a key while parsing user-supplied CSV, allowing prototype pollution that can be chained with operations such as Parse UDP to inject malicious JavaScript in...

5CVSS5.9AI score0.00094EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 4 days ago6 views

PT-2026-56418

Name of the Vulnerable Software and Affected Versions Tanium Server affected versions not specified Description A denial of service issue exists in Tanium Server that can be exploited over the network without authentication, potentially leading to service disruption. Recommendations At the moment...

7.5CVSS6.1AI score0.00324EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 4 days ago5 views

PT-2026-56838

These are all security issues fixed in the libmbedtls23-4.2.0-1.1 package on the GA media of openSUSE Tumbleweed...

5.9AI score
Exploits0References11
Positive Technologies
Positive Technologies
added 4 days ago3 views

PT-2026-56835

These are all security issues fixed in the libmbedtls23-4.2.0-1.1 package on the GA media of openSUSE Tumbleweed...

5.9AI score
Exploits0References11
Positive Technologies
Positive Technologies
added 4 days ago6 views

PT-2026-56844

These are all security issues fixed in the libmbedtls23-4.2.0-1.1 package on the GA media of openSUSE Tumbleweed...

5.9AI score
Exploits0References11
Positive Technologies
Positive Technologies
added 4 days ago6 views

PT-2026-56846

These are all security issues fixed in the libmbedtls23-4.2.0-1.1 package on the GA media of openSUSE Tumbleweed...

5.9AI score
Exploits0References11
Positive Technologies
Positive Technologies
added 4 days ago4 views

PT-2026-56848

These are all security issues fixed in the libmbedtls23-4.2.0-1.1 package on the GA media of openSUSE Tumbleweed...

5.9AI score
Exploits0References11
Positive Technologies
Positive Technologies
added 4 days ago3 views

PT-2026-56847

These are all security issues fixed in the libmbedtls23-4.2.0-1.1 package on the GA media of openSUSE Tumbleweed...

5.9AI score
Exploits0References11
Positive Technologies
Positive Technologies
added 4 days ago6 views

PT-2026-56850

These are all security issues fixed in the libmbedtls23-4.2.0-1.1 package on the GA media of openSUSE Tumbleweed...

5.9AI score
Exploits0References11
Positive Technologies
Positive Technologies
added 4 days ago5 views

PT-2026-56849

These are all security issues fixed in the libmbedtls23-4.2.0-1.1 package on the GA media of openSUSE Tumbleweed...

5.9AI score
Exploits0References11
Positive Technologies
Positive Technologies
added 4 days ago7 views

PT-2026-56607

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.13 and 8.6.83, a LiveQuery subscriber could receive object field values they were not authorized to read when a single save changed both an object field and the subscriber'...

2.3CVSS6AI score0.00386EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 4 days ago7 views

PT-2026-56285

Name of the Vulnerable Software and Affected Versions WebPros Plesk versions prior to 18.0.78.4 Description Incorrect authorization in the XML-RPC API allows a low-privileged authenticated customer to look up domains they do not own. This occurs because ownership is enforced only for specific...

9.9CVSS6AI score0.00336EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 4 days ago5 views

PT-2026-56397

Name of the Vulnerable Software and Affected Versions Imager versions prior to 1.033 Description Imager for Perl incorrectly treats unsigned EXIF IFD Image File Directory entry counts as signed. When processing large entry count values, the software interprets them as negative numbers, which can...

9.8CVSS6.1AI score0.00394EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 4 days ago5 views

PT-2026-56454

In Adalo’s no-code app builder, Versions 1 and 2 the attackers may extract full user records and correlate user behavior across multiple applications via dbId enumeration. The platform does not implement data minimization, privacy by design, or implement appropriate technical safeguards, allowing...

5.9AI score0.00303EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 4 days ago5 views

PT-2026-56535

A protection mechanism failure in the Code 27 Companion Hub allows an attacker with physical access to completely bypass kiosk restrictions via a factory reset...

6AI score0.00237EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 4 days ago4 views

PT-2026-56573

Incorrect Authorization vulnerability in Progress MOVEit Transfer Audit User module. This issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3...

2.7CVSS5.9AI score0.00196EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 4 days ago5 views

PT-2026-56571

Relative path traversal vulnerability in Progress MOVEit Transfer Admin Settings module. This issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3...

4.5CVSS5.9AI score0.00365EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 4 days ago6 views

PT-2026-56572

Limited authentication bypass by spoofing vulnerability in Progress MOVEit Transfer HTTPS module. This issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3...

3.7CVSS5.9AI score0.00215EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 4 days ago5 views

PT-2026-56599

pcapng file parser crash in Wireshark 4.6.0 to 4.6.6 allows denial of service...

4.7CVSS5.9AI score0.00089EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 4 days ago6 views

PT-2026-56595

UMTS FP protocol dissector crash in Wireshark 4.6.0 to 4.6.6 and 4.4.0 to 4.4.16 allows denial of service...

5.5CVSS5.9AI score0.00218EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 4 days ago5 views

PT-2026-56586

Name of the Vulnerable Software and Affected Versions PAN-OS versions prior to 12.1.8 PAN-OS versions prior to 11.2.13 PAN-OS versions prior to 11.1.16 PAN-OS versions prior to 10.2.18-h8 Description A command injection issue exists in the management plane of the software, specifically within the...

8.5CVSS6.2AI score0.01101EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 4 days ago6 views

PT-2026-56597

SSH protocol dissector crash in Wireshark 4.6.0 to 4.6.6 and 4.4.0 to 4.4.16 allows denial of service...

5.5CVSS6AI score0.00097EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 4 days ago7 views

PT-2026-56585

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.5 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user to create a repository where the content displayed in the web interface differed from t...

3.5CVSS6AI score0.00187EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 4 days ago5 views

PT-2026-56538

Zeep is a Python SOAP client. From 4.0.0 before 4.3.3, Settings.forbid external is defined but not enforced when parsing WSDL or XSD documents, allowing transitive xsd:import, xsd:include, wsdl:import, and lxml entity or DTD references to fetch attacker-chosen HTTP or HTTPS URLs. This issue is...

5.9CVSS6AI score0.00252EPSS
Exploits0References4
Total number of security vulnerabilities184419