PT-2026-47978

Name of the Vulnerable Software and Affected Versions Windows Collaborative Translation Framework affected versions not specified Description Improper link resolution before file access, also known as link following, occurs within the Collaborative Translation Framework CTFMON. This issue allows ...

PT-2026-47859

Name of the Vulnerable Software and Affected Versions NETGEAR affected versions not specified Description Insufficient authentication and input validation allow users connected to the local network to execute commands, which can impact product confidentiality or allow the modification of certain...

PT-2026-48597

These are all security issues fixed in the libzypp-17.38.13-1.1 package on the GA media of openSUSE Tumbleweed...

PT-2026-47802

Improper Authorization in Handler for Custom URL Scheme in Zoom Workplace before version 7.0.4 for Android and before 7.0.3 for iOS may allow an unauthenticated user to conduct an escalation of privilege via network access...

PT-2026-47952

Improper neutralization of input during web page generation 'cross-site scripting' in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network...

PT-2026-47955

Improper neutralization of input during web page generation 'cross-site scripting' in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network...

PT-2026-48032

Name of the Vulnerable Software and Affected Versions Microsoft Office SharePoint affected versions not specified Description Improper neutralization of input during web page generation leads to cross-site scripting, which allows an authorized attacker to perform spoofing over a network. Cross-si...

PT-2026-47825

NVIDIA DALI contains a vulnerability in a component where an attacker could cause a heap-based buffer overflow. A successful exploit of this vulnerability might lead to code execution, data tampering, denial of service, and information disclosure...

PT-2026-47838

Name of the Vulnerable Software and Affected Versions OpenSSL affected versions not specified Description The CMS decrypt and PKCS7 decrypt functions are susceptible to a Bleichenbacher-style attack, which is an adaptive-chosen-ciphertext side channel. This allows an attacker to use a vulnerable...

PT-2026-47941

Name of the Vulnerable Software and Affected Versions Microsoft Office SharePoint affected versions not specified Description Improper limitation of a pathname to a restricted directory, known as path traversal, allows an authorized attacker to execute arbitrary code over a network and affect the...

PT-2026-47949

Improper neutralization of input during web page generation 'cross-site scripting' in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network...

PT-2026-47951

Improper neutralization of input during web page generation 'cross-site scripting' in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network...

PT-2026-48162

A NULL pointer dereference in the ctts box write function isomedia/box code base.c of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service DoS via supplying a crafted MP4 file...

PT-2026-47963

Name of the Vulnerable Software and Affected Versions Microsoft Office SharePoint affected versions not specified Description Improper neutralization of input during web page generation leads to cross-site scripting, which allows an authorized attacker to perform spoofing over a network. Cross-si...

PT-2026-47691

A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following versions:...

PT-2026-47687

A cross-site scripting XSS vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: QTS...

PT-2026-47779

A flaw was found in 389 Directory Server. The SMD5 password storage plugin performs unsigned integer underflow when computing salt length from a crafted password hash shorter than 16 bytes, causing a buffer over-read that crashes the LDAP server during authentication...

PT-2026-48041

Name of the Vulnerable Software and Affected Versions Remote Desktop Client affected versions not specified Description A heap-based buffer overflow in the Remote Desktop Client allows an unauthorized attacker to execute arbitrary code over a network. A heap-based buffer overflow occurs when a...

PT-2026-47945

Name of the Vulnerable Software and Affected Versions Microsoft Office affected versions not specified Description A type confusion issue occurs when a resource is accessed using an incompatible type. This allows an unauthorized attacker to execute code locally within Microsoft Outlook and Word...

PT-2026-47876

Name of the Vulnerable Software and Affected Versions Windows Projected File System Filter Driver affected versions not specified Description A buffer over-read in the Windows Projected File System Filter Driver allows an authorized attacker to elevate privileges locally. A buffer over-read occur...

PT-2026-48228

Name of the Vulnerable Software and Affected Versions Substance3D - Sampler versions 6.0.0 and earlier Description An out-of-bounds write issue exists, which occurs when a program writes data past the end of the intended buffer. This can lead to arbitrary code execution within the context of the...

PT-2026-48277

Format Plugins versions 1.1.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file...

PT-2026-47868

Improper handling of insufficient permissions or privileges in Microsoft Dynamics 365 on-premises allows an authorized attacker to elevate privileges over a network...

PT-2026-47679

Name of the Vulnerable Software and Affected Versions FastPicker versions prior to 1.0.3 Description The FastPicker plugin for WordPress is subject to Cross-Site Request Forgery. This occurs because the settingsPage function lacks proper nonce validation, which is a unique token used to verify th...

PT-2026-48525

Name of the Vulnerable Software and Affected Versions Zoom Contact Center for Windows versions prior to 7.0.0 Description Insufficient verification of data authenticity in the Remote Control feature may allow an authenticated user to achieve an escalation of privilege through local access...

PT-2026-47645

Name of the Vulnerable Software and Affected Versions Spring HATEOAS versions 1.5.0 through 1.5.6 Spring HATEOAS versions 2.3.0 through 2.3.4 Spring HATEOAS versions 2.4.0 through 2.4.1 Spring HATEOAS versions 2.5.0 through 2.5.2 Spring HATEOAS versions 3.0.0 through 3.0.3 Description Spring...

PT-2026-47882

Name of the Vulnerable Software and Affected Versions Windows Kerberos affected versions not specified Description A null pointer dereference in Windows Kerberos allows an authorized attacker to cause a denial of service over a network. A null pointer dereference occurs when a program attempts to...

PT-2026-47655

Name of the Vulnerable Software and Affected Versions Spring Framework versions 7.0.0 through 7.0.7 Spring Framework versions 6.2.0 through 6.2.18 Spring Framework versions 6.1.0 through 6.1.27 Spring Framework versions 5.3.0 through 5.3.48 Description A Spring MVC or Spring WebFlux application...

PT-2026-48235

21 zero-day vulnerabilities in FFmpeg, the world’s most widely deployed media processing library, including a critical RCE-capable heap buffer overflow reachable with a single 183-byte network packet. The autonomous agent discovered vulnerabilities spanning the TS demuxer, VP9 decoder, RTP...

PT-2026-48219

Ellucian Banner Self-Service before the April T2 release 2025-04-23 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting unsanitized input through the toDateFormat request parameter in the...

PT-2026-47534

Name of the Vulnerable Software and Affected Versions SAP NetWeaver Application Server ABAP and ABAP Platform affected versions not specified Description An authenticated attacker with normal privileges can obtain a valid signed message and send modified signed XML documents to the verifier. This...

PT-2026-48119

Name of the Vulnerable Software and Affected Versions Hermes WebUI versions prior to 0.51.296 Description An authenticated attacker can bypass workspace boundary checks by exploiting an early return in the SSH/remote terminal profile workspace resolution logic within the remote terminal workspace...

PT-2026-47869

Name of the Vulnerable Software and Affected Versions Visual Studio Code affected versions not specified Description Improper input validation allows an unauthorized attacker to elevate privileges over a network. Recommendations At the moment, there is no information about a newer version that...

PT-2026-48005

Name of the Vulnerable Software and Affected Versions Windows Hyper-V affected versions not specified Description An out-of-bounds read in Windows Hyper-V allows an unauthorized attacker to execute arbitrary code locally or remotely, affecting the system. An out-of-bounds read occurs when a progr...

PT-2026-47866

Name of the Vulnerable Software and Affected Versions Adobe Experience Manager versions 6.5.24 and earlier Adobe Experience Manager versions LTS SP1 and earlier Adobe Experience Manager versions 2026.04 and earlier Description A DOM-based Cross-Site Scripting XSS issue allows an attacker to execu...

PT-2026-47968

Name of the Vulnerable Software and Affected Versions Microsoft Office Word affected versions not specified Description An untrusted pointer dereference allows an unauthorized attacker to execute code locally. Although the impact is remote, the payload executes on the local machine. Recommendatio...

PT-2026-47721

Check for certificate revocation only considers the first matching CRL and ignores other valid CRLs of the same CA in the CycloneCrypto cryptographic wrapper of S2OPC library. It might allow connection between an OPC UA client and server using a revoked certificate...

PT-2026-47764

WP Vault 0.8.6.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting an unescaped parameter in the include functionality. Attackers can supply directory traversal sequences through the wpv-image GET parameter to access sensitiv...

PT-2026-47772

Apptha Slider Gallery 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the albid parameter. Attackers can send GET requests with crafted SQL payloads in the albid parameter to extract sensitive...

PT-2026-47768

Wow Viral Signups 2.1 WordPress plugin contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by exploiting the unescaped 'idsignup' POST parameter. Attackers can send crafted requests to the admin-ajax.php endpoint with malicious SQL payload...

PT-2026-47929

Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally...

PT-2026-47846

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.0, a STUN packet whose declared attribute length is shorter than the structure the parser...

PT-2026-47877

Improper access control in Windows Administrator Protection allows an authorized attacker to bypass a security feature locally...

PT-2026-47892

Name of the Vulnerable Software and Affected Versions Remote Desktop Client affected versions not specified Description A heap-based buffer overflow in the Remote Desktop Client allows an unauthorized attacker to execute arbitrary code over a network. This issue occurs when connecting to a...

PT-2026-47852

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod verto's check auth userauth branch wrote request-supplied userVariables into the...

PT-2026-47827

A vulnerability in which an attacker can provide a crafted external URL that may redirect a user to an unintended website...

PT-2026-48145

Name of the Vulnerable Software and Affected Versions InCopy versions 21.3, 20.5.3 and earlier Description A heap-based buffer overflow occurs when a program writes more data to a heap-allocated memory block than it can hold. This issue can lead to arbitrary code execution in the context of the...

PT-2026-47924

Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally...

PT-2026-48266

Evoluted PHP Directory Listing Script through 4.0.5 contains a reflected cross-site scripting vulnerability in index.php where the dir parameter value is reflected without HTML encoding inside the HTML title element and inside anchor href attributes in the breadcrumb navigation. Attackers can...

PT-2026-47688

The WPForms WordPress plugin before 1.10.0.5 does not verify the authenticity of incoming PayPal webhook events before processing them, allowing unauthenticated attackers to forge webhook payloads and manipulate the payment state of arbitrary transactions...