Lucene search
+L
PtsecurityRecent

187424 matches found

Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•16 views

PT-2026-50556

Name of the Vulnerable Software and Affected Versions Steeltoe.Management.Endpoint versions prior to 4.2.0 Steeltoe.Management.EndpointCore versions prior to 3.4.0 Description The Sanitizer component in the Environment actuator redacts configuration values by matching key names against a suffix...

7.5CVSS5.8AI score0.00185EPSS
Exploits0References10
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•27 views

PT-2026-50367

Missing Authorization vulnerability in Prince Integrate Google Drive allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Integrate Google Drive: from n/a through 1.3.8...

8.3CVSS5.2AI score0.00293EPSS
Exploits0References1
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•21 views

PT-2026-50369

Missing Authorization vulnerability in Avirtum iPages Flipbook allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects iPages Flipbook: from n/a through 1.5.1...

5.3CVSS5.2AI score0.00249EPSS
Exploits0References1
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•20 views

PT-2026-50584

Name of the Vulnerable Software and Affected Versions Gitea versions prior to 1.26.2 Description Authenticated self routes under the /api/v1/user/... group do not properly enforce the public-only token restriction. This allows a token or OAuth grant marked as public-only to access or modify priva...

8.1CVSS5.9AI score
Exploits0References4
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•22 views

PT-2026-50244

Name of the Vulnerable Software and Affected Versions LearnPress versions prior to 4.3.7 Description An information disclosure issue exists where the edit context on a REST endpoint is not properly restricted by the edit users capability. This allows unauthenticated visitors to retrieve sensitive...

5.3CVSS5.8AI score0.00424EPSS
Exploits0References3
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•16 views

PT-2026-50559

In SignalRGB versions prior to 1.3.7.0, seven of the thirteen IOCTL handlers dereference the SystemBuffer pointer without first verifying that it is non-NULL. Sending an IOCTL with an empty input buffer causes a NULL pointer dereference, resulting in a kernel crash...

5.5AI score0.00278EPSS
Exploits0References1
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•25 views

PT-2026-50363

Name of the Vulnerable Software and Affected Versions WP Media folder Addon versions prior to 4.0.2 Description An unauthenticated arbitrary file download issue exists in the software, allowing an attacker to download files without providing credentials. Recommendations Update to version 4.0.2 or...

7.5CVSS6AI score0.00467EPSS
Exploits0References3
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•24 views

PT-2026-50370

Cross-Site request forgery CSRF vulnerability in Andy Moyle Emergency Password Reset allows Cross Site Request Forgery. This issue affects Emergency Password Reset: from n/a through 8.0...

4.3CVSS5.2AI score0.00127EPSS
Exploits0References1
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•21 views

PT-2026-50302

Unauthenticated PHP Object Injection in Zermatt = 1.6.1 versions...

8.1CVSS5.4AI score0.00395EPSS
Exploits0References1
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•43 views

PT-2026-50518

Name of the Vulnerable Software and Affected Versions Hermes Agent versions prior to 0.16.0 Description A DNS rebinding issue in WebSocket endpoints allows remote attackers to bypass Host and Origin validation. This occurs because FastAPI HTTP middleware does not execute for WebSocket upgrade...

8.7CVSS6AI score0.006EPSS
Exploits0References15
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•25 views

PT-2026-50610

Name of the Vulnerable Software and Affected Versions Drupal core affected versions not specified Description The JSON:API and REST modules allow image file uploads to image fields. The validation rules verify the file extension but fail to check the file MIME type Multipurpose Internet Mail...

4.8AI score0.00133EPSS
Exploits0References4
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•23 views

PT-2026-50611

Name of the Vulnerable Software and Affected Versions Flag attendance field versions 0.0.0 through 1.2 Description An Object Injection issue exists in the Flag attendance field module due to the improper control of modification of dynamically-determined object attributes. The module stores data a...

6.1AI score0.00307EPSS
Exploits0References3
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•19 views

PT-2026-50237

A Path Traversal vulnerability affecting SOLIDWORKS Visualize from SOLIDWORKS Desktop Release 2024 through SOLIDWORKS Desktop Release 2026 could allow an attacker to write arbitrary files on the server...

9.8CVSS5.5AI score0.0038EPSS
Exploits0References1
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•14 views

PT-2026-50406

Unauthenticated PHP Object Injection in Manufaktur Solutions = 1.1.1 versions...

8.1CVSS5.3AI score0.00308EPSS
Exploits0References1
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•20 views

PT-2026-50403

Unauthenticated Cross Site Scripting XSS in Royal Elementor Addons Pro 1.7.1041 versions...

7.1CVSS5.1AI score0.00175EPSS
Exploits0References1
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•18 views

PT-2026-50427

Dell PowerFlex Manager, versions prior to 4.5.1.1, contain an improper certificate validation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability leading to man-in-the-middle attack in tandem with DNS cache poisoning...

6.5CVSS5.3AI score0.00124EPSS
Exploits0References1
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•20 views

PT-2026-50358

Subscriber Privilege Escalation in Falang multilanguage = 1.4.2 versions...

8.8CVSS5.2AI score0.00389EPSS
Exploits0References1
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•21 views

PT-2026-50437

Name of the Vulnerable Software and Affected Versions Dell PowerFlex Manager version 4.6.0.1 Description Use of a broken or risky cryptographic algorithm allows an unauthenticated attacker with remote access to potentially cause information disclosure and information tampering. Recommendations At...

4.8CVSS5.9AI score0.001EPSS
Exploits0References5
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•20 views

PT-2026-50352

Unauthenticated Cross Site Scripting XSS in Popup box = 6.2.9 versions...

7.1CVSS5.1AI score0.00192EPSS
Exploits0References1
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•15 views

PT-2026-50428

Name of the Vulnerable Software and Affected Versions Plane CE version 1.3.1 Description A low-privileged project member can submit arbitrary HTML and JavaScript via the description html field. This occurs when creating an intake work item through the 'API v1 intake' endpoint. Recommendations At...

6.9CVSS5.9AI score0.00165EPSS
Exploits1References5
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•21 views

PT-2026-50264

Allow authenticated users to access alert instances associated with alert groups they do not have permission to access. in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes the issue...

5.3AI score0.00433EPSS
Exploits0References1
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•22 views

PT-2026-50394

Name of the Vulnerable Software and Affected Versions Zephyr versions 1.7 through 4.4.0 Description The Bluetooth Classic Hands-Free Profile HFP Hands-Free role parser in subsys/bluetooth/host/classic/hfp hf.c contains an out-of-bounds write. During Service Level Connection setup, the Hands-Free ...

7.1CVSS5.8AI score0.00282EPSS
Exploits1References6
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•16 views

PT-2026-50504

Name of the Vulnerable Software and Affected Versions RTI Connext Professional versions 6.1.0 through 6.1.x RTI Connext Professional versions 7.0.0 through 7.3.1.2 RTI Connext Professional versions 7.4.0 through 7.6.x Description An out-of-bounds write issue exists within the Queueing Service, Co...

8.1CVSS6.2AI score0.0018EPSS
Exploits0References6
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•14 views

PT-2026-53072

A vulnerability in Laravel's local filesystem driver allows temporary signed URLs to be parsed ambiguously, potentially misrouting requests and bypassing expiration enforcement. Under certain conditions, a generated temporary signed URL can be interpreted differently by the server than intended a...

4.2CVSS5.7AI score
Exploits0References6
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•10 views

PT-2026-53070

Summary A CRLF injection vulnerability in Laravel's email validation, in combination with how Symfony Mailer and Symfony Mime handle certain character sequences, may allow an unauthenticated attacker to interfere with outbound email processing in applications that send mail to user-supplied...

8.9CVSS5.7AI score
Exploits0References3
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•7 views

PT-2026-53074

This update for xwayland fixes the following issues: - CreateSaverWindow Use-After-Free Information Disclosure. bsc1266301 - Font Alias Stack-based Buffer Overflow. bsc1266294 - GLX ChangeDrawableAttributes Out-Of-Bounds Read/Write. bsc1266300 - XKB Key Types Stack-based Buffer Overflow. bsc12662...

5.8AI score
Exploits0References10
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•22 views

PT-2026-50186

Netskope is notified about a potential gap in its Netskoped Client for Windows systems where a malicious insider with admin privileges can lead to bypassing the NSClient Tamper Protections due to weak Discretionary Access Control List DACLs on the service object and related registry keys,. Produc...

6.8CVSS5.3AI score0.00143EPSS
Exploits0References1
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•21 views

PT-2026-50484

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.6 Description Open WebUI allows users with permissions to create, update, or import workspace models to store arbitrary meta.knowledge entries without verifying ownership or read access to the referenced files...

7.1CVSS6AI score0.00198EPSS
Exploits1References13
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•13 views

PT-2026-50482

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.6 Description An authenticated user can attach arbitrary file id values to their own chat messages because the system fails to verify if the user owns or has read access to those files. By sharing the chat and...

8.3CVSS6AI score0.00241EPSS
Exploits1References14
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•13 views

PT-2026-50485

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.6 Description Open WebUI contains a stored Cross-Site Scripting XSS issue where the platform fails to validate profile images for models. While similar issues were patched for user and webhook profile images, t...

7.6CVSS5.9AI score0.00174EPSS
Exploits1References12
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•16 views

PT-2026-50590

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.6 Description The SafePlaywrightURLLoader uses a validate url function to prevent Server-Side Request Forgery SSRF by checking the IP address of a user-provided URL. However, this validation only occurs for the...

7.7CVSS5.9AI score0.00287EPSS
Exploits1References10
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•24 views

PT-2026-50592

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.6 Description Several direct, index-addressed Ollama proxy routes allow authenticated users to bypass backend isolation. The system accepts a caller-supplied url idx path parameter and uses it as a raw index in...

6.3CVSS5.9AI score0.0021EPSS
Exploits0References11
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•19 views

PT-2026-50562

Name of the Vulnerable Software and Affected Versions github workflows affected versions not specified Description The github workflows module constructs local directory paths using repository names provided by the user without validating for symlinks. A local attacker with access to the scan...

2.2CVSS5.2AI score0.00091EPSS
Exploits0References12
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•37 views

PT-2026-50560

Name of the Vulnerable Software and Affected Versions The product name cannot be determined affected versions not specified Description The unarchive internal module's archive extraction commands lack code-level validation for extracted file paths. This causes the module to rely on the behavior o...

5.3CVSS5.2AI score0.00208EPSS
Exploits0References11
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•22 views

PT-2026-50561

Name of the Vulnerable Software and Affected Versions bbot affected versions not specified Description The docker pull module fails to validate the realm parameter received from a Docker registry's WWW-Authenticate response header when using it as the authentication endpoint. A man-in-the-middle...

3.1CVSS5.4AI score0.00167EPSS
Exploits0References12
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•21 views

PT-2026-50593

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.8.11 Description An authorization bypass exists in the ydoc:document:join Socket.IO handler. The handler only performs ownership checks when the document id variable starts with the prefix note: colon. However, t...

5.3CVSS5.9AI score0.00268EPSS
Exploits1References12
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•19 views

PT-2026-50557

Name of the Vulnerable Software and Affected Versions marimo versions prior to 0.23.9 Description A reflected cross-site scripting issue exists in the notebook page. Unauthenticated attackers can inject arbitrary JavaScript by exploiting improper escaping of single quotes in the file query...

6.1CVSS5.1AI score0.00239EPSS
Exploits0References14
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•19 views

PT-2026-50563

Name of the Vulnerable Software and Affected Versions Postman Download Module affected versions not specified Description The postman download module fails to sanitize the workspace name field retrieved from the Postman API when constructing local directory paths. A malicious workspace name...

6.5CVSS5.3AI score0.00251EPSS
Exploits0References12
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•16 views

PT-2026-50519

Name of the Vulnerable Software and Affected Versions Hermes Agent versions prior to 0.16.0 Description The software creates response store.db and webhook subscriptions.json files with world-readable permissions mode 0o644. This configuration allows local users with filesystem access to read thes...

6.8CVSS6.1AI score0.00108EPSS
Exploits0References14
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•22 views

PT-2026-50481

Name of the Vulnerable Software and Affected Versions Open-webui affected versions not specified Description An authenticated user can access files belonging to other users by exploiting a lack of ownership verification in the image processing path. When the POST endpoint "/api/chat/completions"...

6.5CVSS5.9AI score0.00225EPSS
Exploits1References12
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•19 views

PT-2026-50479

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.6 Description The chat message listener in the chat page's window message listener processes input:prompt and action:submit messages without enforcing same-origin restrictions. This allows an external site to s...

7.1CVSS5.8AI score0.00162EPSS
Exploits1References12
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•24 views

PT-2026-50472

Name of the Vulnerable Software and Affected Versions vLLM versions 0.5.5 through 0.23.1rc0 Description Integer truncation of tensor dimensions in GGUF dequantize kernels within csrc/quantization/gguf/gguf kernel.cu leads to partial tensor processing. The output tensor is allocated at full size...

7.5CVSS5.8AI score0.00281EPSS
Exploits0References15
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•28 views

PT-2026-50488

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.6 Description Open WebUI contains a Broken Object Level Authorization BOLA issue in the builtin search knowledge files function. BOLA occurs when an application does not properly verify if a user has permission...

4.3CVSS6AI score0.00226EPSS
Exploits1References10
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•21 views

PT-2026-50478

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.6 Description An authorization bypass exists in the calendar event update process. The endpoint '/api/v1/calendars/events/event id/update' validates that the user has write access to the calendar where the even...

4.3CVSS5.9AI score0.00179EPSS
Exploits1References11
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•19 views

PT-2026-50505

Missing Authentication for Critical Function vulnerability in RTI Connext Professional Security Plugins allows Fake the Source of Data.This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.0.0 before 7.3.1.3, from 6.1.0 before 6.1., from 6.0.0 before 6.0., from 5.3.0 before 5.3...

6CVSS5.3AI score0.00212EPSS
Exploits0References1
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•12 views

PT-2026-50447

The shell tool command allowlist in the SecurityPolicy of OpenHuman desktop agent through 0.54.0 default Supervised security policy can be bypassed to execute arbitrary OS commands with the privileges of the desktop user. Two flaws in src/openhuman/security/policy.rs combine: 1 is args safe block...

9.6CVSS6.7AI score0.00704EPSS
Exploits0References3
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•14 views

PT-2026-50506

Missing Authentication for Critical Function vulnerability in RTI Connext Professional Security Plugins allows Identity Spoofing.This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.0.0 before 7.3., from 6.1.0 before 6.1., from 6.0.0 before 6.0., from 5.3.0 before 5.3...

6.1CVSS5.3AI score0.00255EPSS
Exploits0References1
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•25 views

PT-2026-50606

Name of the Vulnerable Software and Affected Versions Drupal core affected versions not specified Description An attacker with appropriate JSON:API write permissions could potentially inject a malicious payload in certain rare circumstances, leading to PHP Object Injection. PHP Object Injection...

6AI score0.00215EPSS
Exploits0References4
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•20 views

PT-2026-50480

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.6 Description An issue exists where the process picture url function in backend/open webui/utils/oauth.py performs URL validation only on the initial URL. Subsequently, it uses aiohttp.ClientSession.get without...

8.5CVSS5.8AI score0.00203EPSS
Exploits1References12
Positive Technologies
Positive Technologies
•added 2026/06/17 12:0 a.m.•22 views

PT-2026-50589

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.6 Description The terminal-server reverse proxy in backend/open webui/routers/terminals.py fails to properly confine the user-controlled path segment before forwarding it to an admin-configured terminal server...

7.7CVSS5.9AI score0.00349EPSS
Exploits0References15
Total number of security vulnerabilities187424