Lucene search
+L
PtsecurityRecent

187643 matches found

Positive Technologies
Positive Technologies
added 19 hours ago4 views

PT-2026-60920

The W3SC Elementor to Zoho CRM plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.0. This is due to missing or incorrect nonce validation on the storeInfo function. This makes it possible for unauthenticated attackers to modify the plugin's...

4.3CVSS5.2AI score
Exploits0References5
Positive Technologies
Positive Technologies
added 19 hours ago3 views

PT-2026-60970

A weakness has been identified in nextlevelbuilder GoClaw up to 3.13.2. Affected by this issue is the function ToolsInvokeHandler.ServeHTTP of the file internal/http/tools invoke.go of the component Invoke Endpoint. This manipulation causes missing authorization. The attack can be initiated...

6.5CVSS5.1AI score
Exploits0References8
Positive Technologies
Positive Technologies
added 19 hours ago3 views

PT-2026-60968

A vulnerability was identified in nextlevelbuilder GoClaw up to 3.13.2. Affected is the function isSafeBin of the file internal/tools/exec approval.go. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit is publicly available and might be...

6.5CVSS6.2AI score
Exploits0References7
Positive Technologies
Positive Technologies
added 19 hours ago11 views

PT-2026-60919

A flaw has been found in AstrBotDevs AstrBot up to 4.25.5. This vulnerability affects the function OpenApiRoute.get chat sessions of the file astrbot/dashboard/routes/open api.py of the component session-listing Endpoint. This manipulation of the argument Username causes authorization bypass. It ...

5.3CVSS4.9AI score
Exploits0References5
Positive Technologies
Positive Technologies
added 19 hours ago5 views

PT-2026-60966

OpenPLC v3 contains a heap-based buffer overflow in the getData function in webserver/core/modbus master.cpp. getData reads characters between two delimiters into a caller-supplied buffer with no size parameter and no bounds check. In parseConfig the function is invoked with the 100-byte...

8.8CVSS5.8AI score
Exploits0References5
Positive Technologies
Positive Technologies
added 19 hours ago3 views

PT-2026-60969

A security flaw has been discovered in nextlevelbuilder GoClaw up to 3.13.2. Affected by this vulnerability is the function extractBin/RequestApproval/matchesAllowlist of the file internal/tools/exec approval.go. The manipulation results in incorrect authorization. The exploit has been released t...

4.8CVSS4.8AI score
Exploits0References7
Positive Technologies
Positive Technologies
added 19 hours ago3 views

PT-2026-60971

A security vulnerability has been detected in nextlevelbuilder GoClaw up to 3.15.0-beta.32. This affects the function CheckSSRF/isPrivateIP of the file internal/tools/web shared.go of the component web fetch. Such manipulation leads to server-side request forgery. The attack can be launched...

6.5CVSS4.9AI score
Exploits0References10
Positive Technologies
Positive Technologies
added 19 hours ago3 views

PT-2026-60953

SurrealDB before 2.0.5, 2.1.x before 2.1.5, and 2.2.x before 2.2.2 fails to properly escape table and field names in the command-line export command. An authenticated System User with OWNER or EDITOR roles can create tables or fields with malicious names containing SurrealQL. When a...

9.4CVSS5.3AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 19 hours ago3 views

PT-2026-60946

SurrealDB before 1.1.1 contains a format string vulnerability in the rquickjs Exception::throw type function when scripting is enabled. Attackers with scripting privileges can supply format string sequences in error inputs to read arbitrary memory or execute code with SurrealDB process privileges...

9CVSS5.6AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 19 hours ago6 views

PT-2026-60967

The urwid web display backend urwid/display/web.py generates web session identifiers urwid id in Screen.start by concatenating two random.randrange109 calls that use Python's Mersenne Twister PRNG, which is not cryptographically secure. Each call consumes approximately 30 bits of PRNG state, and...

9.2CVSS6AI score
Exploits0References7
Positive Technologies
Positive Technologies
added 19 hours ago5 views

PT-2026-60928

VMware Avi Load Balancer contains an authorization bypass vulnerability. A malicious actor on the network can access a limited subset of the Avi Control Plane without proper authorization. Affected versions: 32.1.1 fixed in 32.1.2 31.1.1 through 31.2.2 fixed in 31.2.2-2p3 30.1.1 through 30.2.6...

8.3CVSS5.3AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 19 hours ago5 views

PT-2026-60922

A vulnerability was found in AstrBotDevs AstrBot up to 4.25.5. Impacted is the function normalize rw path of the file astrbot/core/tools/computer tools/fs.py of the component Filesystem Computer-Use Tool. Performing a manipulation results in link following. The attack is only possible with local...

5.3CVSS5.3AI score
Exploits0References6
Positive Technologies
Positive Technologies
added 19 hours ago6 views

PT-2026-60941

SurrealDB versions before 2.0.4 contain an uncaught exception handling vulnerability in the parser error rendering code when processing empty strings. Authorized clients can execute malformed queries with empty string conversions to record, duration, or datetime types that cause a panic in error...

7.1CVSS5.5AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 19 hours ago6 views

PT-2026-60929

VMware Avi Load Balancer contains a remote code execution vulnerability. A malicious user with network access may be able to access the Avi Control plane and execute code remotely. Affected versions: 32.1.1 fixed in 32.1.2 31.1.1 through 31.2.2 fixed in 31.2.2-2p3 30.1.1 through 30.2.6 fixed in...

8.7CVSS6.3AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 19 hours ago4 views

PT-2026-60930

VMware Avi Load Balancer contains a local privilege escalation vulnerability. A malicious user with local access may be able to escalate their privileges to run code as root. Affected versions: 32.1.1 fixed in 32.1.2 31.1.1 through 31.2.2 fixed in 31.2.2-2p3 30.1.1 through 30.2.6 fixed in 30.2.7...

7.8CVSS5.3AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 19 hours ago7 views

PT-2026-60921

A vulnerability has been found in AstrBotDevs AstrBot up to 4.25.5. This issue affects the function OpenApiRoute.chat send of the file astrbot/dashboard/routes/open api.py of the component API. Such manipulation of the argument Username leads to authentication bypass by spoofing. It is possible t...

6.5CVSS6.2AI score
Exploits0References6
Positive Technologies
Positive Technologies
added 19 hours ago3 views

PT-2026-60950

SurrealDB versions before 1.1.0 fail to enforce recursion depth limits when parsing nested SurrealQL statements including IF, RELATE, and attribute access idioms. Authorized attackers can submit queries with excessive nesting depth to cause stack overflow and crash the server...

7.1CVSS5.3AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 19 hours ago3 views

PT-2026-60955

SurrealDB versions before 2.2.2 contain a local file read vulnerability in the DEFINE ANALYZER statement that allows authenticated users to read arbitrary files on the file system. Attackers with root, namespace, or database level privileges can point analyzers to arbitrary file paths and...

2.3CVSS5.4AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 19 hours ago3 views

PT-2026-60965

uproot dynamically generates Python class source code from ROOT TStreamerInfo records in a file and compiles it at runtime. Some file-controlled streamer metadata fields for example, streamer element names are interpolated into the generated Python source without safe quoting via repr or the !r...

8.5CVSS6.1AI score
Exploits0References5
Positive Technologies
Positive Technologies
added 19 hours ago3 views

PT-2026-60936

SurrealDB before 1.0.1 sets default table permissions to FULL instead of NONE, allowing SELECT, CREATE, UPDATE, and DELETE operations on tables without explicit permissions. Attackers with database access or unauthenticated users on publicly exposed instances can perform unrestricted operations o...

8.8CVSS5.3AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 19 hours ago3 views

PT-2026-60943

SurrealDB before 1.5.4 fails to properly validate authentication when a scope user switches databases using the USE clause or use method. Attackers with an authenticated session can impersonate an unrelated user in a different database if a user record with an identical identifier exists, allowin...

6.3CVSS5.3AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 19 hours ago3 views

PT-2026-60940

SurrealDB versions before 2.1.0 contain a denial of service vulnerability in the sorting mechanism when using ORDER BY rand clause. Authorized clients can execute queries with ORDER BY rand to trigger a panic in the sorting function, crashing the server...

7.1CVSS5.4AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 19 hours ago3 views

PT-2026-60961

Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the request prefix when the prefix segment is URL-encoded. Fastify's router URL-decodes paths for route matching, but request.url retains the original encoded form, and the prefix-rewrite step uses a literal string...

10CVSS5.3AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 19 hours ago7 views

PT-2026-60957

SurrealDB before 2.0.5, 2.1.x before 2.1.5, and 2.2.x before 2.2.2 does not enforce a default execution-time limit on embedded JavaScript scripting functions when the scripting capability is explicitly enabled via --allow-scripting or --allow-all. An authenticated attacker can submit long-running...

2.3CVSS5.2AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 19 hours ago3 views

PT-2026-60963

A vulnerability was determined in nextlevelbuilder GoClaw up to 3.13.3-beta.3. This impacts the function matchesAllowlist/extractBin of the file internal/tools/exec approval.go. Executing a manipulation can lead to incorrectly-resolved name. The attack may be performed from remote. The exploit ha...

6.5CVSS6.1AI score
Exploits0References8
Positive Technologies
Positive Technologies
added 19 hours ago5 views

PT-2026-60951

SurrealDB before 2.2.6, 2.3.6, and 2.1.8 and 3.0.0-alpha.7 and earlier fails to validate DNS-resolved hostnames against --deny-net network access restrictions in its http:: functions. An authenticated user can invoke http:: with a hostname that resolves to a denied IP address, causing the server ...

5.8CVSS5.3AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 19 hours ago4 views

PT-2026-60947

SurrealDB versions before 2.0.4 fail to properly enforce field permissions during SELECT, UPDATE, and DELETE operations, allowing authorized users to access unauthorized field values through various query techniques. Attackers can exploit SELECT VALUE operations, field aliasing, function argument...

7.1CVSS5.2AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 19 hours ago4 views

PT-2026-60949

SurrealDB versions before 1.1.1 fail to properly validate invocation of custom parameters and functions at root or namespace levels, causing server panic. Authorized clients can invoke these entities at unsupported levels to crash the SurrealDB server, resulting in denial of service...

7.1CVSS5.3AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 19 hours ago7 views

PT-2026-60944

SurrealDB versions before 1.2.1 contain an uncaught exception handling vulnerability in span rendering when parsing queries with errors on line terminator characters. Authorized clients can submit malformed queries that trigger a panic in the span rendering code, crashing the server and causing...

7.1CVSS5.3AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 19 hours ago3 views

PT-2026-60954

SurrealDB before 2.2.2 with scripting enabled fails to properly enforce recursion limits when native functions contain embedded JavaScript that issues new queries. Authenticated attackers can bypass the recursion limit by chaining native and JavaScript function calls to trigger infinite recursion...

6CVSS5.2AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 19 hours ago6 views

PT-2026-60937

SurrealDB before 2.1.4 silently fails to overwrite table definitions when the DEFINE TABLE ... OVERWRITE clause is used on tables defined with TYPE RELATION. Because table definitions include the PERMISSIONS clause, an attempt to tighten a table's permissions via OVERWRITE does not take effect, a...

2.3CVSS5.3AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 19 hours ago4 views

PT-2026-60962

A vulnerability was found in nextlevelbuilder GoClaw up to 3.13.2. This affects the function RequestApproval of the file internal/tools/exec approval.go of the component WebSocket Approval Endpoint. Performing a manipulation results in incorrect authorization. The attack is possible to be carried...

6.5CVSS6.1AI score
Exploits0References8
Positive Technologies
Positive Technologies
added 19 hours ago3 views

PT-2026-60960

Impact: @fastify/http-proxy versions from 9.4.0 up to and including 11.5.0 fail to validate the resolved WebSocket destination path against the configured rewrite prefix. The WebSocket routing path in WebSocketProxy.findUpstream resolves the destination via the WHATWG URL constructor, which...

8.7CVSS5.4AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 19 hours ago3 views

PT-2026-60964

Uncontrolled Resource Consumption vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 9.0.0 through 9.1.13, from 10.0.0 through 10.1.2. Users are recommended to upgrade to version 9.1.14 or 10.1.3, which fixes the issue...

5.2AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 19 hours ago6 views

PT-2026-60948

SurrealDB versions before 1.1.0 fail to properly parse the ID, DB, and NS headers in HTTP REST API requests containing special characters. Unauthenticated attackers can send crafted HTTP requests with malformed header values to trigger an uncaught exception that crashes the server...

8.7CVSS5.3AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 19 hours ago4 views

PT-2026-60927

A security vulnerability has been detected in Sipeed PicoClaw up to 0.2.9. Affected is the function NewContextBuilder of the file pkg/agent/context.go. Such manipulation leads to inclusion of functionality from untrusted control sphere. The attack needs to be performed locally. The exploit has be...

5.3CVSS5.1AI score
Exploits0References7
Positive Technologies
Positive Technologies
added 19 hours ago7 views

PT-2026-60926

A weakness has been identified in Sipeed PicoClaw up to 0.2.9. This impacts the function web fetch of the file pkg/tools/integration/web.go. This manipulation causes server-side request forgery. Remote exploitation of the attack is possible. The exploit has been made available to the public and...

7.5CVSS6.9AI score
Exploits0References9
Positive Technologies
Positive Technologies
added 19 hours ago4 views

PT-2026-60932

A flaw has been found in Shibby Tomato 1.28 RT-N5x MIPSR2 Build 124. Affected by this issue is the function setup conntrack of the file /sbin/rc. Executing a manipulation of the argument ct tcp timeout can lead to out-of-bounds write. The attack may be performed from remote. This project is...

9CVSS7.5AI score
Exploits0References6
Positive Technologies
Positive Technologies
added 19 hours ago4 views

PT-2026-60931

A vulnerability was detected in halo-dev halo up to 2.24.2. Affected by this vulnerability is the function Download of the file MigrationEndpoint.java of the component Files Backup Endpoint. Performing a manipulation results in path traversal. The attack is possible to be carried out remotely. Th...

5.8CVSS4.9AI score
Exploits0References7
Positive Technologies
Positive Technologies
added 19 hours ago3 views

PT-2026-60934

A vulnerability was found in Shibby Tomato 1.28. This vulnerability affects the function sub 42537C of the component Scheduler Name Handler. The manipulation of the argument a1 results in stack-based buffer overflow. It is possible to launch the attack remotely. This project is superseded by...

9CVSS6AI score
Exploits0References6
Positive Technologies
Positive Technologies
added 19 hours ago3 views

PT-2026-60935

Impact: @fastify/reply-from versions from 8.3.1 up to but not including 12.6.4 build the internal URL cache key by concatenating the destination and source path without a delimiter. Different destination and source pairs can therefore produce the same key while resolving to different upstream URL...

8.7CVSS5.3AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 19 hours ago5 views

PT-2026-60924

A vulnerability was identified in Sipeed PicoClaw up to 0.2.9. The impacted element is the function ExecTool.executeRun of the file pkg/agent/pipeline execute.go. The manipulation of the argument cwe leads to time-of-check time-of-use. The attack must be carried out locally. The exploit is public...

5.3CVSS5.4AI score
Exploits0References6
Positive Technologies
Positive Technologies
added 19 hours ago5 views

PT-2026-60923

A vulnerability was determined in Sipeed PicoClaw up to 0.2.9. The affected element is an unknown function of the file web/backend/api/auth.go. Executing a manipulation can lead to cross-site request forgery. The attack can be launched remotely. The exploit has been publicly disclosed and may be...

5.3CVSS4.5AI score
Exploits0References9
Positive Technologies
Positive Technologies
added 19 hours ago5 views

PT-2026-60925

A security flaw has been discovered in Sipeed PicoClaw up to 0.2.9. This affects the function webhook.ParseRequest of the file pkg/channels/line/line.go of the component LINE Webhook. The manipulation results in authentication bypass by capture-replay. The attack may be launched remotely. The...

6.9CVSS5.5AI score
Exploits0References6
Positive Technologies
Positive Technologies
added 19 hours ago3 views

PT-2026-60959

SurrealDB before 2.2.2 fails to validate HTTP redirects in http functions, allowing authenticated users to bypass deny-net restrictions by redirecting to blocked IP addresses. Attackers can host a public server that redirects to denied network targets, enabling server-side request forgery to acce...

5.8CVSS5.3AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 19 hours ago3 views

PT-2026-60942

SurrealDB before 1.5.5 and 2.0.0-beta before 2.0.0-beta.3 accepts an arbitrary object in the signin and signup operations of the RPC API without recursively validating it for non-computed values. When a record access method defines a SIGNIN or SIGNUP query and the RPC API is exposed to untrusted...

8.8CVSS5.5AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 19 hours ago5 views

PT-2026-60956

SurrealDB versions before 2.2.2 contain a memory exhaustion vulnerability in the string::replace function that fails to restrict resulting string length when using regex patterns. An authenticated attacker can craft a malicious query to exhaust server memory through unbounded string allocations,...

7.1CVSS5.3AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 19 hours ago4 views

PT-2026-60939

SurrealDB versions before 2.1.0 contain a denial of service vulnerability in role conversion that allows privileged owner users to define users with nonexistent roles. Attackers can trigger an uncaught panic by signing in with a user assigned an invalid role, crashing the server...

6.9CVSS5.3AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 19 hours ago3 views

PT-2026-60952

SurrealDB versions before 2.2.2 contain an uncaught exception vulnerability in the net module that allows authenticated users to crash the database. Attackers can send crafted HTTP queries containing null bytes to the /sql endpoint, causing an unhandled exception that crashes the SurrealDB instan...

7.1CVSS5.3AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 19 hours ago7 views

PT-2026-60945

SurrealDB versions before 1.2.0 contain an uncaught exception vulnerability in the query executor when processing calls to nonexistent built-in functions. Authorized clients can craft pre-parsed queries invoking nonexistent functions to trigger a panic that crashes the server...

7.1CVSS5.3AI score
Exploits0References3
Total number of security vulnerabilities187643