Lucene search
K
PtsecurityRecent

184377 matches found

Positive Technologies
Positive Technologies
added 18 hours ago7 views

PT-2026-57390

The Simple JWT Login – Allows you to use JWT on REST endpoints. plugin for WordPress is vulnerable to Authentication Bypass to Privilege Escalation in all versions up to, and including, 3.6.6 via the payload parameter. The vulnerability exists because AuthenticateService::generatePayload only...

8.8CVSS6.1AI score
Exploits0References7
Positive Technologies
Positive Technologies
added 18 hours ago7 views

PT-2026-57409

The White Label CMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.7.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permission...

4.4CVSS6.2AI score
Exploits0References11
Positive Technologies
Positive Technologies
added 18 hours ago4 views

PT-2026-57416

The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Authenticated Account Takeover via Email Header Injection in all versions up to, and including, 6.6.10 This is due to insufficient server-side validation of a Login/Register widget...

8.8CVSS6.1AI score
Exploits0References9
Positive Technologies
Positive Technologies
added 18 hours ago3 views

PT-2026-57421

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 9.2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated...

5.3CVSS6.1AI score
Exploits0References9
Positive Technologies
Positive Technologies
added 18 hours ago5 views

PT-2026-57412

The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Attachment 'post title' in all versions up to, and including, 3.7.3 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS6.2AI score
Exploits0References8
Positive Technologies
Positive Technologies
added 18 hours ago6 views

PT-2026-57452

A heads up that there are a ton of CVEs being patched for July 2026 June was also high. So many that they released the "hot fix" patches in June and still have not updated the Android Patch notes. Could just be 4th of July holiday, but they are an international firm. No previous delays as long...

8.4CVSS7.4AI score0.00585EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 18 hours ago4 views

PT-2026-57470

A heads up that there are a ton of CVEs being patched for July 2026 June was also high. So many that they released the "hot fix" patches in June and still have not updated the Android Patch notes. Could just be 4th of July holiday, but they are an international firm. No previous delays as long...

8.4CVSS7.4AI score0.00585EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 18 hours ago4 views

PT-2026-57467

A heads up that there are a ton of CVEs being patched for July 2026 June was also high. So many that they released the "hot fix" patches in June and still have not updated the Android Patch notes. Could just be 4th of July holiday, but they are an international firm. No previous delays as long...

8.4CVSS7.4AI score0.00585EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 18 hours ago4 views

PT-2026-57464

A heads up that there are a ton of CVEs being patched for July 2026 June was also high. So many that they released the "hot fix" patches in June and still have not updated the Android Patch notes. Could just be 4th of July holiday, but they are an international firm. No previous delays as long...

8.4CVSS7.4AI score0.00585EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 18 hours ago7 views

PT-2026-57425

The Joomla extension RSFiles is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE...

10CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 18 hours ago3 views

PT-2026-57453

A heads up that there are a ton of CVEs being patched for July 2026 June was also high. So many that they released the "hot fix" patches in June and still have not updated the Android Patch notes. Could just be 4th of July holiday, but they are an international firm. No previous delays as long...

8.4CVSS7.4AI score0.00585EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 18 hours ago6 views

PT-2026-57459

A heads up that there are a ton of CVEs being patched for July 2026 June was also high. So many that they released the "hot fix" patches in June and still have not updated the Android Patch notes. Could just be 4th of July holiday, but they are an international firm. No previous delays as long...

8.4CVSS7.4AI score0.00585EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 18 hours ago4 views

PT-2026-57450

A heads up that there are a ton of CVEs being patched for July 2026 June was also high. So many that they released the "hot fix" patches in June and still have not updated the Android Patch notes. Could just be 4th of July holiday, but they are an international firm. No previous delays as long...

8.4CVSS7.4AI score0.00585EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 18 hours ago6 views

PT-2026-57426

The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file upload that allows registered users uploading executable files and leads to full RCE...

9CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 18 hours ago4 views

PT-2026-57449

A heads up that there are a ton of CVEs being patched for July 2026 June was also high. So many that they released the "hot fix" patches in June and still have not updated the Android Patch notes. Could just be 4th of July holiday, but they are an international firm. No previous delays as long...

8.4CVSS7.4AI score0.00585EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 18 hours ago4 views

PT-2026-57460

A heads up that there are a ton of CVEs being patched for July 2026 June was also high. So many that they released the "hot fix" patches in June and still have not updated the Android Patch notes. Could just be 4th of July holiday, but they are an international firm. No previous delays as long...

8.4CVSS7.4AI score0.00585EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 18 hours ago4 views

PT-2026-57473

A heads up that there are a ton of CVEs being patched for July 2026 June was also high. So many that they released the "hot fix" patches in June and still have not updated the Android Patch notes. Could just be 4th of July holiday, but they are an international firm. No previous delays as long...

8.4CVSS7.4AI score0.00585EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 18 hours ago6 views

PT-2026-57406

The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.27 via the wcfm product archive due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...

4.3CVSS6.2AI score
Exploits0References13
Positive Technologies
Positive Technologies
added 18 hours ago4 views

PT-2026-57375

The Members – Membership & User Role Editor Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.22 via the members filter protected posts for rest. This makes it possible for unauthenticated attackers to extract determine the...

5.3CVSS6.1AI score
Exploits0References7
Positive Technologies
Positive Technologies
added 18 hours ago3 views

PT-2026-57431

Hono before 4.12.7 allows proto key in parseBody with dot option enabled, permitting specially crafted form field names to create objects with proto properties. When parsed results are merged into regular JavaScript objects using unsafe merge patterns, attackers can exploit this to achieve...

6.3CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 18 hours ago5 views

PT-2026-57445

ImageMagick before 7.1.2-26 contains a policy bypass vulnerability in the APNG encoder and external delegates due to missing validation checks. Attackers can write files to disallowed paths by bypassing configured policy restrictions through the APNG encoding process...

4.8CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 18 hours ago4 views

PT-2026-57437

PraisonAI versions before 4.6.78 contain a prompt injection defense misconfiguration where the block threshold defaults to CRITICAL severity, allowing HIGH-level threats to pass through unblocked. Attackers can submit single-vector prompt injection attacks such as instruction overrides or financi...

8.7CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 18 hours ago5 views

PT-2026-57444

ImageMagick before 7.1.2-26 contains a heap use-after-free vulnerability caused by missing null check when parsing XMP profiles. Attackers can craft malicious image files with specially crafted XMP data to trigger the vulnerability and cause application crashes...

6.3CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 18 hours ago3 views

PT-2026-57440

PraisonAI before 1.6.78 contains a remote code execution vulnerability in CodeAgent. execute python that executes LLM-generated Python code without AST validation, import restrictions, or sandbox enforcement. Attackers can influence LLM output through prompt injection to exfiltrate all environmen...

10CVSS6.7AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 18 hours ago3 views

PT-2026-57441

Parse Server is affected by a stored cross-site scripting XSS vulnerability in versions = 9.0.0, 9.10.0-alpha.2 and = 8.6.83. When an uploaded file's extension is not recognized by the mime package, Parse Server preserves the client-supplied Content-Type. A malformed Content-Type that is not a...

2.1CVSS6AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 18 hours ago3 views

PT-2026-57432

PraisonAI before 4.6.78 fails to validate file path references in custom command templates, allowing attackers to read files outside the workspace. Attackers can include path traversal sequences like @../outside secret.txt or absolute paths in project command files to exfiltrate process-readable...

6.8CVSS6.1AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 18 hours ago3 views

PT-2026-57427

Capgo before 12.128.12 contains a billing authorization bypass vulnerability in the plan valid calculation that allows organizations with exhausted or expired usage credit grants to bypass billing gates. Attackers can exploit the divergence between the plugin hot-path plan valid expression and th...

5.3CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 18 hours ago3 views

PT-2026-57433

PraisonAI before 4.6.78 fails to validate the caller-controlled dimension argument in the PGVector and Cassandra knowledge-store create collection backends. Although schema, keyspace, and collection-name identifiers are validated, the dimension value declared as int but not enforced at runtime is...

9.8CVSS6.1AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 18 hours ago3 views

PT-2026-57429

Capgo before 12.128.2 contains an information disclosure vulnerability in the find apikey by value PostgreSQL function marked SECURITY DEFINER and executable by the anon role. Unauthenticated attackers can call this function via the /rest/v1/rpc/find apikey by value endpoint to retrieve sensitive...

8.7CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 18 hours ago3 views

PT-2026-57443

ImageMagick before 7.1.2-26 and 6.9.13-51 is missing a check for the allowed memory allocation limit in matrix-backed operations such as -canny. An attacker can supply a crafted image that causes ImageMagick to allocate more memory than permitted by the configured policy, resulting in a denial of...

4.8CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 18 hours ago3 views

PT-2026-57439

PraisonAI before 4.6.78 contains arbitrary file write and command execution vulnerabilities in the AICoder component due to missing path validation and command sanitization in LLM tool calls. Attackers can inject malicious prompts through the chat interface to write files to arbitrary filesystem...

9.9CVSS6.3AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 18 hours ago4 views

PT-2026-57442

The Grav Admin2 plugin getgrav/grav-plugin-admin2 before 2.0.4 embeds a global JavaScript variable window. GRAV CONFIG in the Admin2 SPA bootstrap page at /grav/admin and its subroutes. This object is returned in every unauthenticated response and discloses the server URL, API prefix, admin base...

8.7CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 18 hours ago6 views

PT-2026-57408

The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 13.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level...

4.4CVSS6.2AI score
Exploits0References11
Positive Technologies
Positive Technologies
added 18 hours ago5 views

PT-2026-57415

The fresh Podcaster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'freshpodcaster' shortcode in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

6.4CVSS6.2AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 18 hours ago8 views

PT-2026-57401

The Notification for Telegram plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.5.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...

4.3CVSS6AI score
Exploits0References12
Positive Technologies
Positive Technologies
added 18 hours ago9 views

PT-2026-57394

The ThriveDesk – Live Chat, AI Chatbot, Helpdesk & Knowledge Base plugin for WordPress is vulnerable to unauthorized cache deletion due to a missing capability check on the 'thrivedesk clear cache' AJAX action in all versions up to, and including, 2.1.7. This makes it possible for authenticated...

4.3CVSS6.1AI score
Exploits0References7
Positive Technologies
Positive Technologies
added 18 hours ago6 views

PT-2026-57400

The Affilia – Affiliate Program & Referral Tracking for WordPress plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 3.3.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

4.3CVSS6.1AI score
Exploits0References13
Positive Technologies
Positive Technologies
added 18 hours ago6 views

PT-2026-57381

The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6.1 via the get type template function. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute...

7.5CVSS6.5AI score
Exploits0References8
Positive Technologies
Positive Technologies
added 18 hours ago5 views

PT-2026-57391

The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Map Module 'b width map' Field in all versions up to, and including, 7.7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-lev...

6.4CVSS6.2AI score
Exploits0References6
Positive Technologies
Positive Technologies
added 18 hours ago5 views

PT-2026-57411

The Wallet for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.6.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...

4.3CVSS6.2AI score
Exploits0References10
Positive Technologies
Positive Technologies
added 18 hours ago6 views

PT-2026-57422

The W3 Total Cache plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.9.4 via the setupSources function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive...

7.5CVSS6.2AI score
Exploits0References7
Positive Technologies
Positive Technologies
added 18 hours ago8 views

PT-2026-57374

The Points and Rewards for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.10.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...

4.3CVSS6.2AI score
Exploits0References13
Positive Technologies
Positive Technologies
added 18 hours ago6 views

PT-2026-57384

The Mux Video Uploader plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.4 via the muxvideo enqueue settings script. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract sensitive data...

4.3CVSS6.1AI score
Exploits0References7
Positive Technologies
Positive Technologies
added 18 hours ago7 views

PT-2026-57380

The KiviCare – Clinic & Patient Management System EHR plugin for WordPress is vulnerable to generic SQL Injection via the 'orderby' parameter in all versions up to, and including, 4.5.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing...

6.5CVSS6.1AI score
Exploits0References6
Positive Technologies
Positive Technologies
added 18 hours ago8 views

PT-2026-57397

The Planyo Online Reservation System plugin for WordPress is vulnerable to Server-Side Request Forgery leading to Local File Inclusion in all versions up to, and including, 3.0. The ulap.php file acts as an AJAX proxy and is directly accessible without WordPress bootstrapping or any authenticatio...

7.2CVSS6.2AI score
Exploits0References13
Positive Technologies
Positive Technologies
added 18 hours ago6 views

PT-2026-57410

The WP Hotel Booking plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 2.3.1. This is due to the web hook process paypal standard IPN handler selecting its PayPal validation endpoint from the attacker-controlled $ REQUEST'te...

5.3CVSS6.1AI score
Exploits0References10
Positive Technologies
Positive Technologies
added 18 hours ago6 views

PT-2026-57378

The WP Ultimate CSV Importer – WordPress Import & Export for CSV, XML & Excel plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.0.1 via the 'MappedFields' parameter. This is due to missing capability checks on the AJAX handlers for install addon,...

8.8CVSS6.3AI score
Exploits0References7
Positive Technologies
Positive Technologies
added 18 hours ago9 views

PT-2026-57399

The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.12. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attacke...

5.3CVSS6.2AI score
Exploits0References11
Positive Technologies
Positive Technologies
added 18 hours ago6 views

PT-2026-57417

The WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'fildname' parameter in all versions up to, and including, 2.2.2. This is due to insufficient escaping of user-supplied column names in the ajaxCheck method...

7.5CVSS6.1AI score
Exploits0References5
Positive Technologies
Positive Technologies
added 18 hours ago5 views

PT-2026-57423

The Genolve – AI image AI video generation plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the genolve setOpt function in all versions up to, and including, 5.0.5. This makes it possible for authenticated attackers, with Contributor-lev...

8.8CVSS6.2AI score
Exploits0References3
Total number of security vulnerabilities184377