187424 matches found
PT-2026-50260
Incorrect Authorization vulnerability of /v2 experimental interface in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes the issue...
PT-2026-50291
Unauthenticated SQL Injection in WPJobster = 6.3.5 versions...
PT-2026-50398
Unauthenticated PHP Object Injection in Konsept = 1.9 versions...
PT-2026-50228
RadiX AX6600 WiFi 6 Tri-Band Gaming Router contains an OS command injection vulnerability, which may lead to arbitrary command execution with the root privilege by a user who logs in to the web console as an administrator...
PT-2026-50277
Unauthenticated Arbitrary File Upload in WordPress & WooCommerce Scraper Plugin, Import Data from Any Site = 1.0.7 versions...
PT-2026-53080
Root has patched GHSA-wjpw-4j6x-6rwh in the io.root.org.eclipse.jetty:jetty-http package for Root:Maven. Multiple fixed versions available...
PT-2026-53075
This update for helm rebuilds it against the current go security release...
PT-2026-50269
Unauthenticated Local File Inclusion in Neuronet 1.14.0 versions...
PT-2026-50288
Subscriber SQL Injection in WooCommerce Frontend Manager – Ultimate 6.7.7 versions...
PT-2026-50343
Subscriber Sensitive Data Exposure in PushEngage – Web Push Notifications, eCommerce Automation & Chat Widget = 4.2.3 versions...
PT-2026-50473
Name of the Vulnerable Software and Affected Versions NocoDB versions prior to 2026.05.1 Description The 'spreadsheet-fetch' endpoint, specifically within the axiosRequestMake function, improperly validated URLs. It accepted paths containing permitted extensions anywhere in the string and utilize...
PT-2026-50283
Unauthenticated Cross Site Scripting XSS in Skillate = 1.2.10 versions...
PT-2026-50417
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in VillaTheme GIFT4U allows Blind SQL Injection. This issue affects GIFT4U: from n/a through 1.0.10...
PT-2026-50524
Name of the Vulnerable Software and Affected Versions Devolutions UniGetUI versions prior to 2026.2.1 Description The pinget backend contains an issue where names or references are incorrectly resolved. This allows a WinGet community catalog contributor to correlate an installed application with ...
PT-2026-50377
Improper handling of HTTP headers that allows a remote attacker to manipulate the value of the Host header using specially crafted requests. A successful exploit could result in the generation of manipulated links or responses, potentially leading to limited information disclosure or compromising...
PT-2026-50548
REDMOND, WA -- In a bold move to streamline its communications and bypass the traditional tech press altogether, Microsoft announced Tuesday that all future Windows updates and software features will be unveiled exclusively via their corresponding Common Vulnerabilities and Exposures CVE numbers...
PT-2026-50529
Evil-WinRM through 3.9, fixed in commit 6ecd570, contains a path traversal vulnerability in the download dir function that allows a rogue or compromised remote Windows server to write files outside the intended download directory by returning filenames with traversal sequences from Get-ChildItem...
PT-2026-50366
Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in QuantumCloud Conversational Forms for ChatBot allows Path Traversal. This issue affects Conversational Forms for ChatBot: from n/a through 1.1.8...
PT-2026-50554
Name of the Vulnerable Software and Affected Versions Steeltoe versions 3.2.2 through 3.3.0 Steeltoe version 4.1.0 Description Steeltoe is an open source project providing libraries for building cloud-native applications. An issue exists where management endpoints, when configured to listen on an...
PT-2026-50583
Name of the Vulnerable Software and Affected Versions Gitea version 1.23 Description An authorization inconsistency exists between the web UI and the API regarding repository forking. The API endpoint POST /api/v1/repos/owner/repo/forks fails to verify the CanCreateOrgRepo permission, checking on...
PT-2026-52216
Name of the Vulnerable Software and Affected Versions Gitea Docker image versions prior to 1.26.3 Description A critical authentication bypass exists in the official Gitea Docker image due to an insecure default configuration in the app.ini file. The variable REVERSE PROXY TRUSTED PROXIES is set ...
PT-2026-50289
Unauthenticated Local File Inclusion in EcoBlue = 1.15 versions...
PT-2026-50540
Impact Having the Topic and User operators to watch different namespaces than the one where the Kafka cluster is deployed, is a fully documented feature. When the watchedNamespace field is used within the Topic or User operator as part of the Kafka.spec.entityOperator field, the Cluster Operator...
PT-2026-50494
Name of the Vulnerable Software and Affected Versions @earendil-works/pi-coding-agent versions 0.74.0 through 0.78.0 @mariozechner/pi-coding-agent versions 0.50.0 through 0.73.1 Description Pi is a minimal terminal coding harness that used predictable paths under the operating system temporary...
PT-2026-50585
Name of the Vulnerable Software and Affected Versions Gitea affected versions not specified Description An open redirect exists due to improper validation within the urlIsRelative function in modules/httplib/url.go. An attacker can bypass this validation by using directory traversal sequences...
PT-2026-50502
Name of the Vulnerable Software and Affected Versions Splunk AI Toolkit versions prior to 5.7.4 Description A user with the "admin" Splunk role can execute arbitrary OS commands on the host running the Splunk Enterprise instance. This is caused by an unsafe shell execution pattern in the btool...
PT-2026-50395
Unauthenticated PHP Object Injection in PressMart = 1.2.26 versions...
PT-2026-50610
Name of the Vulnerable Software and Affected Versions Drupal core affected versions not specified Description The JSON:API and REST modules allow image file uploads to image fields. The validation rules verify the file extension but fail to check the file MIME type Multipurpose Internet Mail...
PT-2026-50378
Open redirection vulnerability due to insufficient validation of the X-Forwarded-Host HTTP header. An attacker could create manipulated links that, when opened by a victim, cause the victim to be redirected to domains controlled by the attacker, enabling phishing or deception attacks with limited...
PT-2026-50337
Unauthenticated SQL Injection in JetEngine = 3.8.9.1 versions...
PT-2026-50382
Stored cross-site scripting XSS in NewsItemApiController In SimplCommerce prior to commit 6142d3b5 allows an authenticated administrator to execute arbitrary JavaScript via the ShortContent and FullContent fields, which are stored without HTML sanitization and rendered unencoded via @Html.Raw...
PT-2026-50286
Unauthenticated SQL Injection in Tutor LMS Pro = 3.9.6 versions...
PT-2026-50510
Improper Neutralization of Script in Attributes in a Web Page vulnerability in pragdave earmark allows stored cross-site scripting via unescaped HTML attribute values. 'Elixir.Earmark.Transform': make att1/2 in lib/earmark/transform.ex splices attribute values verbatim between two literal " bytes...
PT-2026-50383
Unauthenticated Insecure Direct Object References IDOR in School Management = 93.1.0 versions...
PT-2026-50386
Deserialization of Untrusted Data vulnerability in Themeton The Barber Shop allows Object Injection. This issue affects The Barber Shop: from n/a through 1.9...
PT-2026-50462
Name of the Vulnerable Software and Affected Versions Dell AIOps Collector versions prior to 1.18.3 Description Fresh installations of the software contain an issue where default credentials are used. A low privileged attacker with console access could potentially exploit this to gain filesystem...
PT-2026-50401
Unauthenticated PHP Object Injection in SingleMalt = 1.5 versions...
PT-2026-50532
Name of the Vulnerable Software and Affected Versions Punto Switcher affected versions not specified Description An unquoted-path flaw allows the execution of attacker-placed code at the user's privilege level. This issue occurs during a call made by a signed Windows binary at launch, enabling...
PT-2026-50425
A stack-based buffer overflow exists in the raw to header function in src/microtar.c in rxi microtar 0.1.0. The function copies the 100-byte name and linkname fields of a TAR header with strcpy without guaranteeing null termination of the source. The POSIX ustar format permits these fixed-width...
PT-2026-50564
Name of the Vulnerable Software and Affected Versions TypeBot versions prior to 3.16.0 Steeltoe affected versions not specified Description TypeBot contains an Insecure Direct Object Reference IDOR issue—a flaw where an application provides direct access to objects based on user-supplied...
PT-2026-50414
Name of the Vulnerable Software and Affected Versions Fusion Builder versions prior to 3.15.5 Description A path traversal issue allows users with the Contributor role to delete arbitrary files on the server. Recommendations Limit user roles as a temporary mitigation measure. At the moment, there...
PT-2026-50558
In SignalRGB versions prior to 1.3.7.0, the .SignalIo device object is created without an explicit SDDL security descriptor and without FILE DEVICE SECURE OPEN. This results in overly permissive default access control, allowing any authenticated local user to obtain a handle to the device and iss...
PT-2026-50259
Name of the Vulnerable Software and Affected Versions Apache DolphinScheduler versions prior to 3.4.2 Description A missing authorization check in the DataSource API allows unauthenticated users to expose arbitrary data source metadata. This occurs because the API does not require a login to acce...
PT-2026-50295
Subscriber Broken Access Control in MetForm Pro = 3.9.1 versions...
PT-2026-50550
Name of the Vulnerable Software and Affected Versions CakePHP versions prior to 4.5.11 CakePHP versions 4.6.0 through 4.6.3 CakePHP versions 5.0.0 through 5.1.6 CakePHP versions 5.2.0 through 5.2.12 CakePHP versions 5.3.0 through 5.3.5 Description The getElementFileName function in the View class...
PT-2026-50495
Name of the Vulnerable Software and Affected Versions Traefik versions prior to 3.6.21 Traefik versions prior to 3.7.5 Description An issue exists in the Kubernetes Gateway provider regarding the crossProviderNamespaces allowlist. When HTTPRoute rules declare multiple backendRefs Weighted Round...
PT-2026-50597
Name of the Vulnerable Software and Affected Versions Filament versions 3.0.0 through 3.3.52 Description A disabled RichEditor field renders its raw state without sanitizing HTML. If the data stored in the field's state was not previously sanitized when the form state was filled, an attacker can...
PT-2026-50220
A path traversal in the SFTP provider SFTPHook.retrieve directory / SFTPOperatoroperation=get let a malicious or compromised remote SFTP server write files outside the configured local destination directory via crafted directory-entry names. No Airflow account is required — the attack surface is...
PT-2026-50328
Unauthenticated Broken Authentication in PowerPack Pro for Elementor v2.13.0 versions...
PT-2026-50458
Name of the Vulnerable Software and Affected Versions Autodesk Revit affected versions not specified Description A NULL Pointer Dereference occurs when the application attempts to read a memory address that is NULL, typically resulting in a crash. This issue is triggered when a maliciously crafte...