Lucene search
+L
PtsecurityRecent

187421 matches found

Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.19 views

PT-2026-50486

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.6 Description A path traversal issue exists in the cache file serving endpoint '/cache/path:path' that allows authenticated users with the role of user or admin to read files from sibling directories outside th...

4.3CVSS5.9AI score0.00244EPSS
Exploits1References11
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.21 views

PT-2026-50478

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.6 Description An authorization bypass exists in the calendar event update process. The endpoint '/api/v1/calendars/events/event id/update' validates that the user has write access to the calendar where the even...

4.3CVSS5.9AI score0.00179EPSS
Exploits1References11
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.19 views

PT-2026-50505

Missing Authentication for Critical Function vulnerability in RTI Connext Professional Security Plugins allows Fake the Source of Data.This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.0.0 before 7.3.1.3, from 6.1.0 before 6.1., from 6.0.0 before 6.0., from 5.3.0 before 5.3...

6CVSS5.3AI score0.00212EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.12 views

PT-2026-50447

The shell tool command allowlist in the SecurityPolicy of OpenHuman desktop agent through 0.54.0 default Supervised security policy can be bypassed to execute arbitrary OS commands with the privileges of the desktop user. Two flaws in src/openhuman/security/policy.rs combine: 1 is args safe block...

9.6CVSS6.7AI score0.00704EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.14 views

PT-2026-50506

Missing Authentication for Critical Function vulnerability in RTI Connext Professional Security Plugins allows Identity Spoofing.This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.0.0 before 7.3., from 6.1.0 before 6.1., from 6.0.0 before 6.0., from 5.3.0 before 5.3...

6.1CVSS5.3AI score0.00255EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.25 views

PT-2026-50606

Name of the Vulnerable Software and Affected Versions Drupal core affected versions not specified Description An attacker with appropriate JSON:API write permissions could potentially inject a malicious payload in certain rare circumstances, leading to PHP Object Injection. PHP Object Injection...

6AI score0.00215EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.20 views

PT-2026-50480

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.6 Description An issue exists where the process picture url function in backend/open webui/utils/oauth.py performs URL validation only on the initial URL. Subsequently, it uses aiohttp.ClientSession.get without...

8.5CVSS5.8AI score0.00203EPSS
Exploits1References12
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.22 views

PT-2026-50589

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.6 Description The terminal-server reverse proxy in backend/open webui/routers/terminals.py fails to properly confine the user-controlled path segment before forwarding it to an admin-configured terminal server...

7.7CVSS5.9AI score0.00349EPSS
Exploits0References15
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.22 views

PT-2026-50509

Out-of-bounds Read vulnerability in RTI Connext Professional Core Libraries allows Overread Buffers.This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.0.0 before 7.3.1.3, from 6.1.0 before 6.1., from 6.0.0 before 6.0., from 5.3.0 before 5.3., from 5.0.0 before 5.2...

9.2CVSS5.3AI score0.002EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.35 views

PT-2026-50521

Name of the Vulnerable Software and Affected Versions Hermes WebUI versions prior to 0.51.409 Description An authentication bypass exists in passkey registration endpoints. When HERMES WEBUI PASSKEY=1 is enabled and no credentials exist, unauthenticated remote attackers can register arbitrary...

9.1CVSS6.1AI score0.00579EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.23 views

PT-2026-50360

Unauthenticated Privilege Escalation in Registration Form for WooCommerce = 1.0.9 versions...

9.8CVSS5.2AI score0.0045EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.20 views

PT-2026-50391

Subscriber PHP Object Injection in Entrepreneur - Booking for Small Businesses WordPress Theme = 3.1.3 versions...

8.8CVSS5.3AI score0.00482EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.21 views

PT-2026-50432

Name of the Vulnerable Software and Affected Versions Dell PowerFlex Manager versions prior to 5.1.0.1 Dell PowerFlex Manager versions prior to 4.5.5.2 Description An improper authentication issue allows an unauthenticated attacker with adjacent network access to bypass authentication without...

8.1CVSS5.8AI score0.00216EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.23 views

PT-2026-50612

Name of the Vulnerable Software and Affected Versions Drupal Plotly.js Graphing versions 0.0.0 through 3.0.2 Description Improperly controlled modification of dynamically-determined object attributes allows object injection. The module stores certain data as PHP-serialized strings, and if malicio...

6.1AI score0.00248EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.21 views

PT-2026-50508

Name of the Vulnerable Software and Affected Versions RTI Connext Micro versions 4.0.0 through 4.2.0 Description An integer underflow wrap or wraparound in the Core Libraries can lead to buffer overreads. An integer underflow occurs when an arithmetic operation results in a value smaller than the...

9.1CVSS6.2AI score0.00296EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.21 views

PT-2026-50602

Name of the Vulnerable Software and Affected Versions Avo affected versions not specified Description A missing authorization flaw in the association attach workflow allows authenticated low-privileged users to bypass access controls. While the user interface and the 'GET...

9.6CVSS5.9AI score
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.19 views

PT-2026-50335

Unauthenticated Cross Site Scripting XSS in JetEngine = 3.8.9.1 versions...

7.1CVSS5.1AI score0.00175EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.17 views

PT-2026-50326

Unauthenticated PHP Object Injection in AI Lab 5.4.2 versions...

9.8CVSS5.4AI score0.0051EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.23 views

PT-2026-50331

Name of the Vulnerable Software and Affected Versions Geo Mashup versions prior to 1.13.20 Description An SQL injection flaw exists in the Geo Mashup plugin, which allows users with subscriber privileges to execute unauthorized SQL commands. Recommendations Update to version 1.13.20 or later...

8.5CVSS6AI score0.00332EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.17 views

PT-2026-50384

Unauthenticated SQL Injection in Advanced Ads – Tracking 3.0.7 versions...

9.3CVSS5.7AI score0.00383EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.21 views

PT-2026-50312

Subscriber Broken Access Control in Bricks Builder = 2.1.4 versions...

4.3CVSS5.2AI score0.00243EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.17 views

PT-2026-50599

Name of the Vulnerable Software and Affected Versions org.hl7.fhir.dstu2 affected versions not specified Description An incomplete patch in the org.hl7.fhir.dstu2 module allows an unauthenticated attacker to cause a Regular Expression Denial of Service ReDoS. While other modules were updated to...

7.5CVSS5.9AI score0.00354EPSS
Exploits1References8
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.28 views

PT-2026-50262

Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects This issue affects Apache DolphinScheduler versions prior to 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes this issue...

4.9CVSS5AI score0.00437EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.14 views

PT-2026-50392

Unauthenticated Cross Site Scripting XSS in SweetDate Core 1.1.5 versions...

7.1CVSS5.1AI score0.0018EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.16 views

PT-2026-50393

Missing Authorization vulnerability in EMV JobBank allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JobBank: from n/a through 1.2.3...

7.3CVSS5.2AI score0.00178EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.19 views

PT-2026-50595

Name of the Vulnerable Software and Affected Versions Daytona versions 0.101.0 through 0.184.0 Description A cross-tenant authorization flaw exists in the notification WebSocket gateway of the Daytona API service apps/api NestJS application. The JWT handshake joins a client-supplied organization...

6.5CVSS5.8AI score0.00275EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.20 views

PT-2026-50407

Unauthenticated PHP Object Injection in Zoya = 1.4 versions...

8.1CVSS5.3AI score0.0025EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.21 views

PT-2026-50582

Name of the Vulnerable Software and Affected Versions Drupal Formatter Field versions 0.0.0 through 2.0.0 Description Improperly controlled modification of dynamically-determined object attributes in the Formatter Field module allows for Object Injection. This occurs because the module stores dat...

6.1AI score0.00386EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.20 views

PT-2026-50300

Unauthenticated Sensitive Data Exposure in Bricksforge = 3.1.8.4 versions...

7.5CVSS5.2AI score0.00303EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.21 views

PT-2026-50422

Authentication Bypass Using an Alternate Path or Channel vulnerability in FluxBuilder MStore API allows Password Recovery Exploitation. This issue affects MStore API: from n/a through 4.18.4...

6.5CVSS5.2AI score0.00261EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.17 views

PT-2026-50493

Name of the Vulnerable Software and Affected Versions @mariozechner/pi-coding-agent versions 0.28.0 through 0.73.1 @earendil-works/pi-coding-agent versions 0.74.0 through 0.78.0 Description A race condition in the file write path of the credential storage implementation allows the auth.json file,...

2.2CVSS5.7AI score0.00074EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.24 views

PT-2026-50598

Name of the Vulnerable Software and Affected Versions Langflow versions prior to 1.9.1 Description Unauthenticated users with network access can upload unlimited amounts of data to the server, which can lead to disk space exhaustion and a resulting denial-of-service. Additionally, the server...

9.3CVSS5.8AI score0.00332EPSS
Exploits1References11
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.24 views

PT-2026-50567

Name of the Vulnerable Software and Affected Versions Steeltoe.Configuration.Abstractions versions 4.0.0 through 4.1.0 Description When MySQL or PostgreSQL service bindings from VCAP SERVICES include TLS client credentials, the Connectors library writes these credentials to temporary files in...

4.7CVSS5.9AI score0.00065EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.15 views

PT-2026-50477

Name of the Vulnerable Software and Affected Versions NocoDB versions prior to 2026.05.1 Description The 'spreadsheet-import' endpoint axiosRequestMake could be used as a generic HTTP proxy. The endpoint was reachable without authentication, and its URL-extension allowlist used a regular expressi...

6.9CVSS6AI score0.00295EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.18 views

PT-2026-50227

The JetEngine plugin for WordPress is vulnerable to SQL injection in all versions up to and including 3.8.10.1. The listing load more AJAX handler accepts a filtered query parameter that is intentionally excluded from the HMAC query signature check to support front-end filter integration. However...

7.5CVSS5.7AI score0.00322EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.21 views

PT-2026-50284

Unauthenticated Local File Inclusion in Right Way = 4.0 versions...

8.1CVSS5.2AI score0.00363EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.23 views

PT-2026-50236

Name of the Vulnerable Software and Affected Versions Package Manager affected versions not specified Description A missing permission check in Package Manager allows for a device lock controller bypass. This issue enables local escalation of privilege without requiring additional execution...

10CVSS5.5AI score0.00218EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.16 views

PT-2026-50475

Name of the Vulnerable Software and Affected Versions NocoDB versions prior to 2026.05.1 Description When NC SECURE ATTACHMENTS is set to true, an authenticated uploader can upload .html or .svg attachments that the browser renders inline from the NocoDB origin instead of forcing a download. This...

5.1CVSS5.7AI score0.00288EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.16 views

PT-2026-50361

Unauthenticated SQL Injection in WP eMember v10.9.4 versions...

9.3CVSS5.8AI score0.00291EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.7 views

PT-2026-54551

Уязвимость модуля ngx http charset module веб-серверов NGINX Plus и NGINX Open Source связана с выходом операции за границы буфера в памяти. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, получить несанкционированный доступ к защищаемой информации или вызвать отказ в...

4CVSS5.8AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.21 views

PT-2026-50275

Subscriber Arbitrary File Upload in PT Luxa Addons = 1.2.2 versions...

9.9CVSS5.2AI score0.00447EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.24 views

PT-2026-50325

Unauthenticated Cross Site Scripting XSS in Kapee 1.7.1 versions...

7.1CVSS5.2AI score0.0023EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.15 views

PT-2026-50604

Name of the Vulnerable Software and Affected Versions Capsule version 0.13.2 Description A typo in the webhook rules of the software causes a failure in the defense mechanism for the namespaces/finalize subresource. The configuration uses the singular namespace/finalize instead of the plural...

5.7CVSS5.9AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.25 views

PT-2026-50222

In multiple functions of btm sec.cc, there is a possible way for an attacker to intercept SMS messages due to a logic error in the code. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation...

5.6AI score0.00191EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.19 views

PT-2026-50346

Unauthenticated Insecure Direct Object References IDOR in Clean Login = 1.15 versions...

8.2CVSS5.2AI score0.00261EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.27 views

PT-2026-50608

Name of the Vulnerable Software and Affected Versions Drupal core affected versions not specified Description The rebuild.php front controller, used to clear caches and rebuild the container when a site is in an unexpected condition, fails to correctly validate the Host header against trusted hos...

5.2AI score0.00206EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.18 views

PT-2026-50298

Unauthenticated Arbitrary File Deletion in BookPro = 1.1.0 versions...

8.6CVSS5.2AI score0.0054EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.19 views

PT-2026-50294

Subscriber Broken Access Control in WishList Member X = 3.29.0 versions...

4.3CVSS5.2AI score0.00259EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.25 views

PT-2026-50231

In createSessionInternal of PackageInstallerService.java, there is a possible method to remove a DPC app from a managed device without DO consent due to desync from persistence. This could lead to local escalation of privilege if a user can install a malicious app with no additional execution...

10CVSS5.5AI score0.00123EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.16 views

PT-2026-50345

Unauthenticated PHP Object Injection in JetEngine = 3.8.10 versions...

9.8CVSS5.3AI score0.00466EPSS
Exploits0References1
Total number of security vulnerabilities187421