Lucene search
+L
PtsecurityRecent

187518 matches found

Positive Technologies
Positive Technologies
added 21 hours ago8 views

PT-2026-60623

OpenClaw versions before 2026.5.27 contain a token leakage vulnerability in MS Teams outbound requests that allows lower-trust callers to expose Bot Framework tokens. Attackers can access configured input paths to retrieve credentials that should remain within the trusted boundary...

6.5CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 21 hours ago5 views

PT-2026-60641

The Grav API plugin getgrav/grav-plugin-api before 1.0.6 contains an authorization bypass: API keys can be created with a restricted scopes array, but the ApiKeyAuthenticator class never reads or enforces these scopes. It loads and returns the owning user's full account object, so a key created...

8.6CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 21 hours ago7 views

PT-2026-60716

Improper Handling of Length Parameter Inconsistency CWE-130 vulnerability exists in TTSSH2 plugin of Tera Term provided by TeraTerm Project. When Tera Term attempts to establish an SSH connection to a server set up by an attacker, out-of-bounds read/write may occur. As a result, the contents of...

6.3CVSS6.6AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 21 hours ago8 views

PT-2026-60715

Unsigned to Signed Conversion Error CWE-196 vulnerability exists in TTSSH2 plugin of Tera Term provided by TeraTerm Project. When Tera Term attempts to establish an SSH connection to a server set up by an attacker, out-of-bounds read/write may occur. As a result, the contents of adjacent memory...

6.3CVSS6.6AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 21 hours ago7 views

PT-2026-60635

OpenClaw versions before 2026.5.18 contain an authorization bypass vulnerability in skill command dispatch that allows lower-trust callers to execute or persist actions beyond their intended authorization. Attackers can bypass tool policy restrictions through configured input paths to perform...

5.4CVSS6.2AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 21 hours ago4 views

PT-2026-60808

Improper neutralization of special elements used in an SQL command 'SQL injection' vulnerability in Gis Informatics Engineering Consulting Laboratory R&D and Software Services Inc. GisLab Laboratory Management System allows SQL Injection. This issue affects GisLab Laboratory Management System: fr...

9.8CVSS5.6AI score
Exploits0References1
Positive Technologies
Positive Technologies
added 21 hours ago4 views

PT-2026-60780

HTTP::Date versions before 6.08 for Perl allow CPU exhaustion via polynomial regex backtracking in parse date. parse date matches the date string against a chain of alternative regexes, and str2time delegates to it. Several of these patterns place unbounded quantifiers next to each other before a...

5.4AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 21 hours ago11 views

PT-2026-60740

A vulnerability was detected in itsourcecode Hospital Management System 1.0. Affected is an unknown function of the file /prescriptionorderdetail.php. The manipulation of the argument delid results in sql injection. The attack can be launched remotely. The exploit is now public and may be used...

6.5CVSS5.3AI score
Exploits0References7
Positive Technologies
Positive Technologies
added 21 hours ago5 views

PT-2026-60752

HCL Aftermarket EPC is vulnerable to email flooding as the application does not have a proper mail limitation mechanism at Forget Password functionality. The actor could b e a human or an automated process such as a virus or bot. This could be used to cause a denial of service, compromise program...

5.3CVSS5.4AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 21 hours ago5 views

PT-2026-60763

HCL Aftermarket EPC is vulnerable to attack as the application implements an HTML5 cross-origin resource sharing CORS policy for this request that allows access from any domain -Wildcard...

4.2CVSS5.3AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 21 hours ago6 views

PT-2026-60769

A flaw was found in the organization management component of Keycloak. A delegated administrator with permission to manage organizations can create an invitation for a non-existent email address and then retrieve the secret registration link directly through the application programming interface...

4.9CVSS5.3AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 21 hours ago5 views

PT-2026-60741

A flaw was found in the Keycloak keycloak-services component, which handles the management of identity providers. The issue occurs when a delegated administrator updates an OIDC identity provider using a masked client secret sentinel value. Due to improper validation, Keycloak reuses the existing...

5.5CVSS5.4AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 21 hours ago6 views

PT-2026-60751

Insertion of sensitive information into sent data vulnerability in IKAS Technology Inc. E-Commerce allows Retrieve Embedded Sensitive Data. This issue affects E-Commerce: through 03062026...

7.5CVSS5.2AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 21 hours ago5 views

PT-2026-60772

A cross-site scripting XSS vulnerability in Proxmox Virtual Environment PVE 9.x 5.1.8 and Proxmox Virtual Environment PVE 8.x 4.3.16 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload...

5.3AI score
Exploits0References1
Positive Technologies
Positive Technologies
added 21 hours ago6 views

PT-2026-60771

libpvestorage-perl v9.1.1 and libpve-storage-perl v8.3.7 were discovered to contain an XML External Entity XXE vulnerability...

5.2AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 21 hours ago5 views

PT-2026-60756

HCL Aftermarket EPC is affected by clickjacking vulnerability Cross-Frame Scripting is an attack technique where an attacker loads a vulnerable application in an iFrame on his malicious site. The attacker can then launch a Clickjacking attack, which may lead to Phishing, Cross-Site Request Forger...

4.3CVSS5.2AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 21 hours ago5 views

PT-2026-60773

A race condition between the vncproxy and vncwebsocket API calls in Proxmox Virtual Environment PVE 9.x pve-manager 9.1.x before 9.1.9 and 8.4.x before 8.4.19; qemu-server 9.1.x before 9.1.7 and 8.4.x before 8.4.7; and pve-container 6.1.x before 6.1.3 and 5.3.x before 5.3.4 allows an attacker wit...

5.3AI score
Exploits0References1
Positive Technologies
Positive Technologies
added 21 hours ago5 views

PT-2026-60774

Incorrect access control in Proxmox Virtual Environment PVE 9.x qemu-server before 9.1.8 and 8.x before 8.4.8 allows users within limited privileges to obtain hashed passwords via the cloudinit/dump API...

5.3AI score
Exploits0References1
Positive Technologies
Positive Technologies
added 21 hours ago5 views

PT-2026-60790

Dendrite through 0.13.8 contains an improper access control vulnerability in the syncapi /context endpoint syncapi/routing/context.go that allows authenticated local users to access post-leave room state events by exploiting a flawed membership check that evaluates only the RoomExists field while...

5.3CVSS5.3AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 21 hours ago4 views

PT-2026-60762

HCL Aftermarket EPC is vulnerable since the application does not have a validation for HOST header and accepts arbitrary hosts when requested in http protocol. When an application doesn’t adequately validate or sanitize this header, it can lead to several security risks, including Host header...

4.3CVSS5.6AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 21 hours ago5 views

PT-2026-60777

SEPPmail Secure Email Gateway & SEPPmail Cloud before version 15.0.4.2 allows an attacker to replay & hijack a user session in the GINA web portal, as the session token is disclosed inside the URL and a HTTP header...

9.3CVSS5.3AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 21 hours ago4 views

PT-2026-60789

Dendrite through 0.13.8 contains a server-side request forgery vulnerability that allows unauthenticated attackers to cause the server to open outbound TLS connections to arbitrary hosts and ports by supplying an unvalidated serverName parameter to the legacy media download endpoint. Attackers ca...

6.9CVSS5.5AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 21 hours ago5 views

PT-2026-60761

HCL Aftermarket EPC is vulnerable to attack since the application returns detailed error messages that leak information about the processing on the server. An attacker may use the contents of error messages to help launch another ,more focused attack...

5.3CVSS5.2AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 21 hours ago5 views

PT-2026-60719

UNSUPPORTED WHEN ASSIGNED Exposed IOCTL with Insufficient Access Control in the ASUS AURA SYNC driver allows a local user to bypass the driver's verification and invoke arbitrary IOCTLs, resulting in privilege escalation. Refer to the 'End-of-Life Notice and Driver Update for Legacy ASUS Drivers ...

7.3CVSS6.2AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 21 hours ago6 views

PT-2026-60718

The Aimogen Pro - All-in-One AI Content Writer, Editor, ChatBot & Automation Toolkit plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.8.4. This is due to due to a missing capability check on the 'aiomatic call google ai function' function. This...

9.8CVSS6.3AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 21 hours ago8 views

PT-2026-60714

Improper Access Control vulnerability in the Removable Media Validation function of TXOne Networks products allows a local attacker with administrator privileges to bypass the file lockdown mechanism, resulting in unauthorized file transfer to the victim device. The attacker needs to deploy...

6.7CVSS6.1AI score
Exploits0References1
Positive Technologies
Positive Technologies
added 21 hours ago7 views

PT-2026-60616

OpenClaw versions before 2026.6.9 contain a missing authorization vulnerability in Discord moderation actions. In affected versions, a lower-trust caller or configured input path could perform moderation actions that should have required a stronger authorization or policy check. Practical impact...

7.1CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 21 hours ago8 views

PT-2026-60634

OpenClaw MS Teams before 2026.5.12 contain an authorization bypass vulnerability where the allowFrom feature binds to mutable display names. Attackers with lower-trust access can perform actions requiring stronger authorization by exploiting the mutable display name binding in the affected featur...

5.4CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 21 hours ago5 views

PT-2026-60732

Improper Handling of Insufficient Privileges vulnerability in Apache Accumulo. An authenticated, but low-privileged user without system permissions may issue a remote command to gracefully shutdown system components compaction-coordinator, compactor, gc, manager, monitor, tserver, or sserver,...

5.7CVSS5.4AI score
Exploits0References6
Positive Technologies
Positive Technologies
added 21 hours ago6 views

PT-2026-60642

Grav before 2.0.4 contains a two-factor authentication bypass vulnerability in the login plugin where the regenerate2FASecret task checks only user existence, not authorization, during the pending TOTP challenge window. Attackers who know the victim's password can call this task without a CSRF...

9.1CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 21 hours ago8 views

PT-2026-60646

grav-plugin-login before 3.8.11 contains a cross-site request forgery CSRF vulnerability in the login.regenerate2FASecret frontend task, which regenerates and persists a new TOTP secret for the authenticated session user without any anti-CSRF nonce or Origin/Referer check. Because Grav core...

5.4CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 21 hours ago9 views

PT-2026-60710

The ERP: Complete HR, Accounting & CRM Suite Built for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.17.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

4.3CVSS6.2AI score
Exploits0References11
Positive Technologies
Positive Technologies
added 21 hours ago6 views

PT-2026-60628

OpenClaw 2026.1.20 before 2026.5.27 contain an authorization bypass vulnerability in the device.pair.approve feature that allows lower-trust callers to bypass role-management checks. Attackers can perform actions requiring stronger authorization by reaching the affected feature through configured...

8.8CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 21 hours ago7 views

PT-2026-60713

HCL Traveler for Microsoft Outlook HTMO is susceptible to a DLL hijacking vulnerability which could allow an attacker to modify or replace the application with malicious content...

6.5CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 21 hours ago9 views

PT-2026-60629

OpenClaw 2026.2.12 before 2026.5.26 contain an authorization bypass vulnerability in the hooks allowedAgentIds validation. A lower-trust caller or configured input path can bypass agent ID restrictions by submitting blank agent IDs, allowing actions that should require stronger authorization or...

7.1CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 21 hours ago6 views

PT-2026-60720

The NEX-Forms WordPress plugin before 9.2.3 does not sanitise and escape some submitted form data before storing it and outputting it back in the admin dashboard, leading to a Stored Cross-Site Scripting vulnerability which could allow unauthenticated users to perform Stored Cross-Site Scripting...

6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 21 hours ago7 views

PT-2026-60704

The Kali Forms — Contact Form & Drag-and-Drop Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'digitalSignature' Field Value in all versions up to, and including, 2.4.18 due to insufficient input sanitization and output escaping. This makes it possible for...

7.2CVSS6.2AI score
Exploits0References9
Positive Technologies
Positive Technologies
added 21 hours ago5 views

PT-2026-60735

Improper Validation of Specified Quantity in Input in ZenHive mpp allows an unauthenticated remote client to inflate the fee-payer's gas cost per payment by a large multiplier, degrading the sponsor's operating margin. When the mpp Elixir library is configured as fee payer fee payer: true,...

8.3CVSS5.5AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 21 hours ago8 views

PT-2026-60711

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 6.0.13 via the 'family' parameter. This makes it possible for authenticated attackers, with editor-level access and above, to delete...

4.9CVSS6.2AI score
Exploits0References11
Positive Technologies
Positive Technologies
added 21 hours ago12 views

PT-2026-60612

OpenClaw versions before 2026.6.6 contain a network policy bypass vulnerability in the sandbox exec-server that allows lower-trust callers to reach internal network destinations blocked by OpenClaw policy. Attackers can send HTTP requests through the exec-server to access network resources that...

7.7CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 21 hours ago8 views

PT-2026-60627

OpenClaw 2026.5.14-beta.1 before 2026.5.27 contain an authorization flaw in the QQBot exec approvals feature. When the feature is enabled and reachable, a lower-trust caller or configured input path could execute or persist actions beyond the caller's intended authorization, allowing...

8.8CVSS6.2AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 21 hours ago8 views

PT-2026-60679

The Bricksforge plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.1.8.6. This is due to improper validation of the fieldIds parameter in the Pro Forms registration action, which allows attacker-supplied field IDs to be added to the trusted form-fie...

9.8CVSS5.9AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 21 hours ago7 views

PT-2026-60644

Grav before 2.0.4 fails to restrict cURL protocols in webhook dispatch, allowing authenticated users with api.webhooks.write permission to create webhooks with file://, dict://, or gopher:// URLs. Attackers can trigger webhook events to read local files, access process information, or pivot to...

8.4CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 21 hours ago6 views

PT-2026-60633

OpenClaw before 2026.5.18 contain an authorization bypass vulnerability in the device-pair approval feature that allows lower-trust callers to execute actions beyond their intended authorization. Attackers can exploit misconfigured input paths to execute or persist unauthorized actions when the...

8.8CVSS6.2AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 21 hours ago7 views

PT-2026-60650

The Grav API plugin getgrav/grav-plugin-api before 1.0.0-rc.16 accepts JWT access tokens through the ?token= URL query parameter on every API route JwtAuthenticator::extractBearerToken fallback. Because tokens are embedded in URLs, they are logged verbatim in web server access logs, leaked via th...

8.2CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 21 hours ago9 views

PT-2026-60645

Grav Flex-Objects before version 1.4.3 contains a broken access control vulnerability in the admin-next REST API that allows authenticated users with only api.access permission to perform unauthorized CRUD operations on permission-less directories. Attackers with api.access credentials can create...

6.3CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 21 hours ago8 views

PT-2026-60617

OpenClaw versions before 2026.6.5 contain an authentication bypass vulnerability that allows lower-trust callers to reach admin-scoped tools. Attackers can perform actions requiring stronger authorization by exploiting insufficient policy checks on configured input paths...

8.8CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 21 hours ago5 views

PT-2026-60721

The PhonePe Payment Solutions WordPress plugin before 3.1.0 does not properly verify the authenticity of incoming payment callbacks: the secret used to validate the callback signature is empty on sites configured through the current setup flow, so the expected signature reduces to an unkeyed hash...

6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 21 hours ago6 views

PT-2026-60615

OpenClaw versions 2026.4.12-beta.1 before 2026.6.6 contain a missing-authorization vulnerability in the MS Teams message actions feature. When the affected feature is enabled and reachable, a lower-trust caller or a configured input path can perform actions that should have required a stronger...

7.1CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 21 hours ago9 views

PT-2026-60724

The WPS Bookings for WooCommerce WordPress plugin before 3.11.7 does not verify that a booking order belongs to the requesting user before cancelling it, allowing any authenticated user, such as a Subscriber or Customer, to cancel and void other customers' booking orders...

6.1AI score
Exploits0References2
Total number of security vulnerabilities187518