PT-2026-49609

Nokia SR Linux is vulnerable to local privilege escalation vulnerability due to unsanitized format validation. Successful exploitation of this vulnerability may allow an authenticated user to execute arbitrary commands with superuser privileges...

PT-2026-49620

The Abandoned Contact Form 7 plugin for WordPress is vulnerable to unauthorized arbitrary post deletion in versions up to, and including, 2.2. This is due to a missing capability check and missing nonce validation in the action remove abandoned function, which is registered to both the wp ajax...

PT-2026-49608

The Video Conferencing with Zoom plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.6.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to obtain...

PT-2026-49635

Unauthenticated Broken Access Control in JupiterX Core = 4.14.1 versions...

PT-2026-49612

Incorrect default permissions issue exists in Optical Disc Archive Software for Windows 5.5.3 and earlier. If this vulnerability is exploited, arbitrary code may be executed with SYSTEM privileges...

PT-2026-49603

A stack-based buffer overflow vulnerability in the CGI program of Zyxel GS1900-48HPv2 firmware versions through 2.90ABTQ.1C0 could allow a LAN-based, unauthenticated attacker to exploit the flaw and potentially execute OS commands via a crafted HTTP request...

PT-2026-49623

Happy to share that I recently discovered and responsibly reported security vulnerabilities in OpenKM Document Management System v6.3.12. These issues have now been assigned the following CVE IDs: CVE-2026-30502 CVE-2026-30503 CyberSecurity CVE SecurityResearch dharmstm https://t.co/Zge3oCAHeT...

PT-2026-49626

CVE-2026-54597 CVE-2026-54597 — ITFlow Time-Based Blind SQL Injection Severity https://t.co/MxucGEOnYZ...

PT-2026-49624

Happy to share that I recently discovered and responsibly reported security vulnerabilities in OpenKM Document Management System v6.3.12. These issues have now been assigned the following CVE IDs: CVE-2026-30502 CVE-2026-30503 CyberSecurity CVE SecurityResearch dharmstm https://t.co/Zge3oCAHeT...

PT-2026-49611

The Static Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2. This is due to the static block content shortcode handler retrieving a post via get post using an attacker-supplied 'id' attribute and outputting its post content...

PT-2026-49610

On Xtensa targets with CONFIG USERSPACE and CONFIG XTENSA MMU, the page-table code arch/xtensa/core/ptables.c maintains a global list, xtensa domain list, of active memory domains using a list node embedded inside the caller-owned struct k mem domain. When a domain is destroyed via k mem domain...

PT-2026-49627

The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'curselrevs' parameter of the wpfb find reviews AJAX action in versions up to, and including, 12.6.8. This is due to the handler reading $ POST'curselrevs' raw with no sanitization or type casting, then...

PT-2026-49621

Nokia SR Linux is vulnerable to a local privilege escalation vulnerability. Successful exploitation of this vulnerability may allow an authenticated user to execute arbitrary commands with superuser privilege...

PT-2026-49648

Unauthenticated Sensitive Data Exposure in GetGenie = 4.4.1 versions...

PT-2026-49647

Unauthenticated Cross Site Scripting XSS in Pods = 3.3.8 versions...

PT-2026-49693

Incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12...

PT-2026-49634

Unauthenticated Cross Site Scripting XSS in Min Max Step Quantity Limits Manager for WooCommerce = 5.2.2 versions...

PT-2026-49633

The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax pay for order function in all versions up to, and including, 10.7.0 This is due to a missing order ownership or order key verification when...

PT-2026-49640

Improper Control of Generation of Code 'Code Injection' vulnerability in Filipe Nasc RD Station allows Remote Code Inclusion. This issue affects RD Station: from n/a through 5.6.0...

PT-2026-49622

The File Sharing & Download Manager – User Private Files plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fldr ttl' parameter in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

PT-2026-49662

Use-after-free in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152...

PT-2026-49667

Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12...

PT-2026-49674

Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12...

PT-2026-49663

Sandbox escape in the DOM: Workers component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37...

PT-2026-49697

Memory safety bugs present in Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This...

PT-2026-49650

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.5.1. The plugin chains three independent flaws that together allow an authenticated Agent Agent+ to overwrite a...

PT-2026-49639

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Liquid Web / StellarWP The Events Calendar allows Blind SQL Injection. This issue affects The Events Calendar: from 6.15.12 through 6.16.2...

PT-2026-49618

The Premmerce Dev Tools plugin for WordPress is vulnerable to Remote Code Execution via missing authorization in versions up to and including 2.0. This is due to the 'generatePluginHandler' function lacking any authorization check before processing user-supplied POST data, combined with the...

PT-2026-49664

Sandbox escape in the DOM: Navigation component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37...

PT-2026-49659

Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37...

PT-2026-49689

Information disclosure in the Password Manager component. This vulnerability was fixed in Firefox 152...

PT-2026-49694

Denial-of-service in the Graphics: ImageLib component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37...

PT-2026-49646

Unauthenticated Broken Access Control in Envira Photo Gallery = 1.12.5 versions...

PT-2026-49654

A stack-based buffer overflow vulnerability has been found in the NPort W2150A-W4/W2250A-W4 Series version 1.5 and earlier. This vulnerability stems from insufficient input validation of user-supplied input in the "Server location" parameter on the Basic settings page. An attacker could exploit...

PT-2026-49657

A heap buffer overflow vulnerability exists in the Jansi JNI "ioctl" wrapper due to a lack of size verification for the argument array before the system call. This can lead to heap corruption and application crashes DoS. All versions are believed to be vulnerable. This project is unmaintained at...

PT-2026-49655

syracom AG Secure Login 2FA for Atlassian Jira, Confluence, and Bitbucket 3.4.0.x contains an authentication bypass vulnerability. An attacker with valid credentials for a user account can bypass the two-factor authentication flow by sending HTTP requests with a crafted User-Agent header containi...

PT-2026-49690

JIT miscompilation in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 152...

PT-2026-49632

A denial-of-service vulnerability exists in the WebSocket API due to insufficient validation and handling of JSON-based requests. A low-privileged authenticated attacker can send a specially crafted request that causes service disruption and may result in an unexpected device reboot...

PT-2026-49644

Unauthenticated SQL Injection in GEO my WordPress = 4.5.5 versions...

PT-2026-49638

Missing Authorization vulnerability in Rara Themes Metro Magazine allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Metro Magazine: from n/a through 1.4.1...

PT-2026-49631

Unauthenticated Broken Access Control in WP Event SOlution = 4.1.12 versions...

PT-2026-49665

Sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12...

PT-2026-49645

Due to the improper neutralization of special elements used in a name parameter a low privileged remote attacker can exploit a command injection vulnerability in the Managed Ethernet Switch, resulting in full system compromise...

PT-2026-49625

In the Linux kernel, the following vulnerability has been resolved: net/sched: fix pedit partial COW leading to page cache corruption tcf pedit act computes the COW range for skb ensure writable once before the key loop using tcfp off max hint, but the hint does not account for the runtime header...

PT-2026-49695

Memory safety bugs present in Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152...

PT-2026-49613

The RTMKit plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.7 This is due to the get submission content AJAX endpoint lacking a capability check to verify that a user has permission to access the requested form submission data. This makes it...

PT-2026-49668

JIT miscompilation in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37...

PT-2026-49687

Incorrect boundary conditions in the Libraries component in NSS. This vulnerability was fixed in Firefox 152...

PT-2026-49673

Same-origin policy bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12...

PT-2026-49660

Use-after-free in the Networking: HTTP component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37...