Lucene search
K
PtsecurityRecent

184462 matches found

Positive Technologies
Positive Technologies
added 5 days ago10 views

PT-2026-56160

Authorization bypass through User-Controlled key vulnerability in Idvlabs Software and Consulting Services Inc. Ontime allows Exploitation of Trusted Identifiers. This issue affects Ontime: through 04052026...

7.5CVSS5.9AI score0.00246EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 5 days ago6 views

PT-2026-56165

Missing Authorization vulnerability in Armiya Information Technologies Ltd. Co. Access Control System GKS allows Collect Data from Common Resource Locations. This issue affects Access Control System GKS: before Version 2...

8.2CVSS5.9AI score0.00198EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 5 days ago6 views

PT-2026-56163

Improper neutralization of input during web page generation 'cross-site scripting' vulnerability in Armiya Information Technologies Ltd. Co. Access Control System GKS allows Stored XSS. This issue affects Access Control System GKS: before Version 2...

6.1CVSS5.9AI score0.00149EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 5 days ago6 views

PT-2026-56154

Broken object-level access controls and the use of a deterministic pattern during random ID generation in MicroRealEstate allows attackers to access documents uploaded by landlords or tenants without authorization. This issue affects MicroRealEstate: through 1.0.0-alpha3...

7.1CVSS6AI score0.00215EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 5 days ago6 views

PT-2026-56156

Relative path traversal vulnerability in MicroRealEstate file upload functionality allows attackers to potentially overwrite system files. This issue affects MicroRealEstate: through 1.0.0-alpha3...

7.1CVSS6AI score0.00361EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 5 days ago6 views

PT-2026-56152

MicroRealEstate allows adversaries to bypass authentication due to a lack of token state management. This would permit adversaries targeting MicroRealEstate deployments to brute-force One-Time Passwords OTP to log in as any user. This issue affects MicroRealEstate: through 1.0.0-alpha3...

8.8CVSS6AI score0.00342EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 5 days ago9 views

PT-2026-56125

The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post title parameter in all versions up to, and including, 2.7.9.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS6.1AI score0.00239EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 5 days ago10 views

PT-2026-56142

An Incorrect Privilege Assignment CWE-266 vulnerability in the Command Centre Server allows an authenticated operator with limited privileges to perform some operations that they would not normally be authorized to perform. Version of Command Centre affected: 9.50 prior to vEL9.50.1587MR1, 9.40...

5.3CVSS5.9AI score0.00153EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 5 days ago7 views

PT-2026-56162

Improper neutralization of Script-Related HTML tags in a web page basic XSS vulnerability in Armiya Information Technologies Ltd. Co. Access Control System GKS allows XSS Targeting HTML Attributes. This issue affects Access Control System GKS: before Version 2...

6.1CVSS5.9AI score0.00149EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 5 days ago7 views

PT-2026-56161

Authorization bypass through User-Controlled key vulnerability in Idvlabs Software and Consulting Services Inc. Ontime allows Exploitation of Trusted Identifiers. This issue affects Ontime: through 04052026...

7.5CVSS5.9AI score0.00246EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 5 days ago7 views

PT-2026-56188

A critical IBM Power HMC vulnerability CVE-2026-12943 allows unauthenticated attackers to execute commands. Patch your systems immediately. IBMPowerHMC Vulnerability CyberSecurity CVE202612943 Infosec https://t.co/vq3sOqaB4q...

6.1AI score
Exploits0References1
Positive Technologies
Positive Technologies
added 5 days ago7 views

PT-2026-56126

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, the sentinel token setting is used in shell commands without sufficient validation, allowing an authenticated user with access to server Sentinel settings to inject shell...

8.8CVSS6AI score0.00403EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 5 days ago6 views

PT-2026-56261

Name of the Vulnerable Software and Affected Versions FastGPT versions prior to 4.15.0-beta4 Description The HTTP-tool OpenAPI schema importer validates only the top-level URL before passing it to SwaggerParser.bundle. The remote reference resolver within this bundle fetches $ref URLs without...

7.7CVSS6.1AI score0.00238EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 5 days ago5 views

PT-2026-56262

Name of the Vulnerable Software and Affected Versions Hasura versions prior to 2.49.2 Hasura versions prior to 2.45.5 Description A flaw exists where a user can employ a where clause on a table computed field that returns SETOF some table to infer row values. This occurs even when those rows shou...

6CVSS6.1AI score0.0017EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 5 days ago6 views

PT-2026-56264

Name of the Vulnerable Software and Affected Versions FastGPT versions prior to v4.15.0-beta5 Description Two file handlers fail to verify if a requested S3 object key belongs to the caller's team. Since S3 object keys are global within a bucket and only include the tenant ID as a path segment, a...

8.6CVSS6.1AI score0.00299EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 5 days ago7 views

PT-2026-56256

Name of the Vulnerable Software and Affected Versions FluxInk Color Management Driver versions 1.0.7.2 through 1.0.7.5 Description The Color Management Driver TcnPeripheral64.sys allows a standard user account to achieve local privilege escalation. This is possible through arbitrary physical memo...

8.4CVSS6.2AI score0.00101EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 5 days ago5 views

PT-2026-56257

Name of the Vulnerable Software and Affected Versions LocalAI affected versions not specified Description An unauthenticated server-side request forgery SSRF exists in the 'POST /models/apply' endpoint. This occurs because the endpoint passes unsanitized gallery URL fields to the...

9.2CVSS6.1AI score0.0036EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 5 days ago4 views

PT-2026-56303

Summary The public parser entrypoint ratex parser::parse&str panics on the 9-byte input verbéxé i.e. verb followed by the non-ASCII delimiter é. When handling a verb command, the parser slices the verbatim argument with byte indices arg1..arg.len - 1; if the delimiter character is multibyte UTF-8...

8.7CVSS5.9AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 5 days ago6 views

PT-2026-56131

Name of the Vulnerable Software and Affected Versions Coolify versions prior to 4.0.0-beta.471 Description Terminal websocket bootstrap routes only verify authentication but fail to enforce terminal authorization. This allows a low-privileged team member to connect to these routes and execute...

9.9CVSS6AI score0.00405EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 5 days ago7 views

PT-2026-56166

Name of the Vulnerable Software and Affected Versions The product name cannot be determined. Description Information regarding this issue is limited to its discovery through AI-driven research workflows focused on Web3 security. Recommendations At the moment, there is no information about a newer...

5.9AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 5 days ago8 views

PT-2026-56143

Uncaught Exception CWE-248 in the T20 Readers allows an authenticated and authorized operator to trigger a restart by sending specific requests, resulting in a temporary denial of service. Version of Command Centre affected: 9.50 prior to vCR9.50.260616a distributed in 9.50.1587MR1 9.40 prior to...

2.7CVSS6AI score0.00227EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 5 days ago8 views

PT-2026-56144

Uncaught Exception CWE-248 in the Controller 6000 and Controller 7000 diagnostic web interface allows an authenticated and authorized operator to trigger a Controller restart by sending specific requests, resulting in a temporary denial of service. Version of Command Centre affected: 9.50 prior t...

2.7CVSS6AI score0.00227EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 5 days ago5 views

PT-2026-56255

Name of the Vulnerable Software and Affected Versions Cognee versions prior to 1.2.0 Description Improper access control allows unauthenticated attackers to overwrite the global LLM provider configuration. By self-registering an account and calling the '/api/v1/settings' endpoint, which lacks adm...

9.3CVSS6.1AI score0.00372EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 5 days ago9 views

PT-2026-56248

Name of the Vulnerable Software and Affected Versions DataEase versions prior to 2.10.24 Description An issue exists in the H2 database JDBC URL validation logic where special Unicode characters can be used to bypass security checks. This occurs because the case-conversion behavior of these...

8.7CVSS6.2AI score0.00375EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 5 days ago7 views

PT-2026-56168

A flaw was found in GIMP's PSD parser. An integer overflow in read RLE channel can cause an undersized heap allocation for the RLE row-length table, after which subsequent per-row writes corrupt heap memory. This could lead to memory corruption, potentially resulting in denial of service or...

7.3CVSS6.2AI score0.00219EPSS
Exploits1References5
Positive Technologies
Positive Technologies
added 5 days ago4 views

PT-2026-56861

These are all security issues fixed in the libsuricata8 0 5-8.0.5-2.1 package on the GA media of openSUSE Tumbleweed...

5.9AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 5 days ago7 views

PT-2026-56128

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the cloneTo Livewire action in ResourceOperations.php authorizes the source resource but resolves destination resources with unscoped Eloquent lookups, allowing an...

9.9CVSS5.9AI score0.00247EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 5 days ago7 views

PT-2026-56135

Name of the Vulnerable Software and Affected Versions Coolify versions prior to 4.0.0-beta.471 Description An authenticated user can inject additional shell statements that execute on the remote server during deployment. This occurs because pre-deployment and post-deployment commands are...

8.8CVSS6.1AI score0.00372EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 5 days ago7 views

PT-2026-56138

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, the file upload endpoint app/Http/Controllers/UploadController.php for database backup restore uploads did not enforce file type or size validation, allowing an authenticat...

3.1CVSS5.9AI score0.0025EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 5 days ago10 views

PT-2026-56167

EEPROM firmware on Raspberry Pi 5 and Compute Module 5 devices produced non-random KASLR and RNG seed values. This resulted in consistent kernel addresses across boots and devices, potentially making it easier to exploit other vulnerabilities. Additionally, the low-quality RNG seed may affect the...

5.1CVSS5.9AI score0.00114EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 5 days ago7 views

PT-2026-56129

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, the Logs::mount component looks up resources by UUID without scoping the lookup to the current team, allowing an authenticated user to access logs for applications owned by...

7.7CVSS5.9AI score0.00244EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 5 days ago7 views

PT-2026-56237

Name of the Vulnerable Software and Affected Versions Chevereto versions 3.7.5 through 4.5.3 Description An issue exists in the self-hosted media-sharing platform where the /json AJAX listing endpoint fails to enforce private profile restrictions. While the profile HTML route /username correctly...

6.9CVSS6.1AI score0.00249EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 5 days ago5 views

PT-2026-57131

The golang.org/x/crypto/openpgp package is unsafe by design, has numerous known security issues, is not maintained, and should not be used. If you are required to interoperate with OpenPGP systems and need a maintained package, consider github.com/ProtonMail/go-crypto/openpgp which is a maintaine...

6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 5 days ago7 views

PT-2026-56182

Module::Load versions before 0.22 for Perl allow arbitrary modules outside of @INC to be loaded. Module names starting with "::" could be passed to the load function to specify arbitrary module paths. Attackers able to influence module names passed to load could use that bug to execute arbitrary...

6.1AI score0.00429EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 5 days ago5 views

PT-2026-56281

Fire-Boltt Smartwatch FB BGS001 Firmware: MOY-JS14-2.0.4 is vulnerable to Improper Authentication, The device accepts GATT Write Request commands without sufficient authentication or strong session validation. Under specific conditions, previously captured BLE packets can be replayed from a nearb...

6AI score0.00373EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 5 days ago10 views

PT-2026-56130

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, terminal WebSocket bootstrap routes did not enforce the expected authorization middleware, allowing an authenticated user to access terminal functionality for resources...

9.9CVSS6AI score0.00373EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 5 days ago7 views

PT-2026-56177

A bug in Apache Airflow's /ui/dependencies scheduling graph endpoint applied the caller's readable-Dag filter to the top-level serialized Dag key but still emitted referenced Dag IDs through the dep.source and dep.target fields of trigger / sensor dependency entries. An authenticated UI user with...

6AI score0.00636EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 5 days ago7 views

PT-2026-56146

The WP Travel Engine WordPress plugin before 6.8.1 does not properly validate the source of a user-supplied profile image path before moving the file, allowing authenticated users with subscriber-level access and above to relocate arbitrary files within the WordPress uploads directory into their...

6AI score0.00142EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 5 days ago5 views

PT-2026-56305

Summary Project.AddFile, Project.EditFile, Project.RemoveFile, and Project.Edit in cmd/server/api/project/handler.go accept a project or project-file row id from the JSON body and act on it without checking that the project belongs to the caller's namespace. The corresponding...

9.6CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 5 days ago5 views

PT-2026-56294

Summary Authenticated Kite users with any role can request /api/v1/overview for a cluster that their roles do not permit by selecting that cluster with x-cluster-name. The overview route is registered before middleware.RBACMiddleware and GetOverview only checks lenuser.Roles 0, so it returns...

4.3CVSS6AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 5 days ago4 views

PT-2026-56295

Summary From v1.13.2 through v1.18.0, oasdiff did not enforce --allow-external-refs=false library: openapi3.Loader.IsExternalRefsAllowed = false when loading a spec from a git revision the rev:path form, e.g. main:openapi.yaml. External $refs were resolved on that load path even when external ref...

6CVSS6AI score
Exploits0References6
Positive Technologies
Positive Technologies
added 5 days ago4 views

PT-2026-56306

Click here to jump to the Simplified Chinese version 点击跳转到简体中文版本 Goploy System Arbitrary File Read Vulnerability Basic Information - Vulnerability Name: Goploy Endpoints Arbitrary File Read via Path Traversal - Vulnerability Type: Path Traversal CWE-22 / Arbitrary File Read - Affected Product:...

7.7CVSS6.4AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 5 days ago7 views

PT-2026-56199

A logic vulnerability was found in GStreamer's webrtcbin component. The check sdp crypto function contains an inverted boolean condition that causes it to accept remote SDP offers or answers that lack the required a=fingerprint attribute, while incorrectly rejecting those that include it. An...

3.7CVSS6AI score0.0015EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 5 days ago7 views

PT-2026-56215

Name of the Vulnerable Software and Affected Versions Open Neural Network Exchange ONNX versions 1.9.0 through 1.21.0 Description Processing an untrusted model with an Upsample node containing zero inputs can lead to an unrecoverable denial of service. The issue occurs when the onnx.version...

5.5CVSS6AI score0.0017EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 5 days ago7 views

PT-2026-56159

Excelize is a Go language library for reading and writing Microsoft Excel spreadsheets. Prior to 2.11.0, Excelize parses shared-string cell values with strconv.Atoi and checks only the upper bound before indexing the shared string slice, allowing an XLSX file containing a shared-string cell with ...

6.9CVSS6.1AI score0.00524EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 5 days ago7 views

PT-2026-56151

Name of the Vulnerable Software and Affected Versions Excelize versions prior to 2.11.0 Description The checkSheet function in the library uses an attacker-controlled XML attribute value directly as the length argument to makexlsxRow, row without validating it against the Excel row limit. A...

7.5CVSS6.1AI score0.00575EPSS
Exploits0References13
Positive Technologies
Positive Technologies
added 5 days ago5 views

PT-2026-56478

Name of the Vulnerable Software and Affected Versions The product name cannot be determined affected versions not specified Description On Unix systems, opening a file in an os.Root improperly follows symbolic links to locations outside of the Root. This occurs when the final path component of a...

7.8CVSS6AI score0.00181EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 5 days ago7 views

PT-2026-56252

Name of the Vulnerable Software and Affected Versions DataEase versions prior to 2.10.24 Description An authenticated user capable of creating or modifying chart definitions, or submitting chart data requests containing quota filters, can inject SQL into queries executed against configured...

8.7CVSS6.1AI score0.00266EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 5 days ago8 views

PT-2026-56214

Name of the Vulnerable Software and Affected Versions New API versions prior to 0.12.0-alpha.1 Description The email and WeChat account binding endpoints use GET requests for state-changing account operations. In deployments where session cookies are sent on cross-site navigations, an attacker ca...

5.3CVSS5.8AI score0.00187EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 5 days ago6 views

PT-2026-56268

Name of the Vulnerable Software and Affected Versions mem0 affected versions not specified Description Unauthenticated config API endpoints expose LLM API keys in plaintext and enable server-side request forgery SSRF, a technique where an attacker induces the server to make requests to an...

9.3CVSS6.1AI score0.00259EPSS
Exploits0References8
Total number of security vulnerabilities184462