Lucene search
K
PtsecurityRecent

186843 matches found

Positive Technologies
Positive Technologies
added 15 hours ago6 views

PT-2026-58874

Untrusted Pointer Dereference in ASUS System Control Interface v3, ASUS System Control Interface, and ASUS Business Manager allows a local administrator to perform arbitrary physical memory read and write operations via crafted IOCTL requests to the driver, bypassing OS-enforced memory protection...

8.4CVSS6.2AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 15 hours ago7 views

PT-2026-58875

Out-of-bounds Read in ASUS System Control Interface v3, ASUS System Control Interface, and ASUS Business Manager allows a local administrator to read memory regions beyond the intended firmware boundary by supplying a crafted IOCTL request that bypasses the validation. Refer to the ' Security...

5.6CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-58883

A flaw was found in the OpenShift GitOps operator. The ClusterRole reconciler does not validate resource ownership when reconciling ClusterRole objects. A namespace-scoped Argo CD instance can trigger deletion of a ClusterRole owned by a cluster-scoped Argo CD instance by crafting a name collisio...

7.7CVSS6AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 15 hours ago4 views

PT-2026-58888

Notepad++ vulnerabilities now have public PoC exploit code. CVE-2026-52886, CVE-2026-54758, and CVE-2026-57233 are fixed in v8.9.7. Update now. NotepadPlusPlus PathTraversal ZipSlip CVE InfoSec https://t.co/OYi5XPXTS9...

6.1AI score
Exploits0References1
Positive Technologies
Positive Technologies
added 15 hours ago4 views

PT-2026-58886

Notepad++ vulnerabilities now have public PoC exploit code. CVE-2026-52886, CVE-2026-54758, and CVE-2026-57233 are fixed in v8.9.7. Update now. NotepadPlusPlus PathTraversal ZipSlip CVE InfoSec https://t.co/OYi5XPXTS9...

6.1AI score
Exploits0References1
Positive Technologies
Positive Technologies
added 15 hours ago4 views

PT-2026-58889

The Joomla extension DP Calendar is vulnerable to an unauthenticated SQL injection...

8.7CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 15 hours ago4 views

PT-2026-58931

Missing Authorization CWE-862 in BankAccountListController app/Http/Controllers/Api/BankAccount/BankAccountListController.php, exposed at GET /api/bank-account, in Prospero Flow CRM company id-get, performing only company scoping and no role or permission check before returning the data. This...

8.7CVSS6.2AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60154

ImageMagick before 7.1.2-26 and 6.9.13-51 contains a memory leak in color transformation to the log colorspace: when the operation fails, a small amount of memory is not released...

2.9CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60162

Grav before 9.1.8 contains an arbitrary file write vulnerability in the Form plugin's process.save.filename parameter, which is validated against path traversal before Twig processing but never re-validated after rendering. Attackers can submit form data containing path traversal sequences that a...

8.1CVSS6.2AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60117

n8n contains an authentication bypass in the Chat Trigger node when configured with n8n User Auth a non-default configuration. In affected releases — before 1.123.22, the 2.0.0 through 2.9.2 line, and 2.10.0 — the authentication check on the Chat Trigger webhook endpoint can be circumvented,...

6.3CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60118

ImageMagick through 7.1.2-18 contains a memory leak vulnerability in the ASHLAR coder when an action fails. Attackers can trigger failed actions to exhaust memory resources and cause denial of service...

4.8CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60124

Out-of-bounds read vulnerability in the image codec module. Impact: Successful exploitation of this vulnerability may affect service confidentiality...

4CVSS6.1AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60125

Out-of-bounds read vulnerability in the image codec module. Impact: Successful exploitation of this vulnerability may affect service confidentiality...

4CVSS6.1AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60127

Out-of-bounds read vulnerability in the image codec module. Impact: Successful exploitation of this vulnerability may affect service confidentiality...

5.1CVSS6.1AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60128

Out-of-bounds read vulnerability in the image codec module. Impact: Successful exploitation of this vulnerability may affect service confidentiality...

4CVSS6.1AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60132

n8n before versions 1.123.61, 2.27.4, and 2.28.1 contains a permission bypass vulnerability in external secrets handling caused by a mismatch between the static validation check and the runtime expression engine. An authenticated user with credential create or update permissions but without the...

6CVSS6.2AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60135

PraisonAI before 4.6.78 exposes the MCP HTTP-stream transport without authentication by default: the CLI --api-key option defaults to None, and the server only enforces Authorization/Bearer checks when an API key is configured. When an operator runs 'praisonai mcp serve --transport http-stream'...

7.3CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60136

PraisonAI before 1.6.78 contains a server-side request forgery vulnerability in the web crawl tool that validates hostnames at check time but re-resolves them at connection time without IP pinning. Attackers can use DNS rebinding to bypass SSRF protection and retrieve internal HTTP response bodie...

8.5CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60145

The Grav API plugin grav-plugin-api before 1.0.4 does not validate the origin of the client-supplied admin base url field in the POST /api/v1/auth/forgot-password endpoint. The sanitizeHttpUrl function only checks that the URL scheme is http/https and never verifies the host against the server's...

9.6CVSS6.2AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60159

ImageMagick before 7.1.2-26 and 6.9.13-51 contains a memory leak in the MIFF encoder that occurs when a memory allocation fails during MIFF image processing, which can lead to denial of service...

2.9CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60160

ImageMagick before 7.1.2-26 and 6.9.13-51 contains a memory leak in the ICON decoder that occurs when a memory allocation fails. Processing a crafted ICON file that triggers an allocation failure leaks memory, which may lead to a denial of service...

6.3CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60161

ImageMagick before 7.1.2-26 and 6.9.13-51 contains a memory leak in the TIFF encoder when an invalid tiff:tile-geometry is specified. Supplying malformed tile geometry parameters causes allocated memory not to be released, which can lead to increased memory consumption...

2.5CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60116

n8n before 2.19.3 contains a file path restriction bypass in the legacy ExecuteWorkflow node's localFile source option, which reads workflow files from disk without the file-access checks enforced by other file-reading nodes. Although hidden from the UI since v1.2, it remains reachable via the RE...

6.4CVSS6.2AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60123

phpMyFAQ before 4.1.5 contains a privilege escalation vulnerability in the user/add API endpoint that allows non-SuperAdmin administrators to create SuperAdmin accounts. A delegated administrator with USER ADD/EDIT/DELETE permissions can call POST /admin/api/user/add with isSuperAdmin: true and...

8.8CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60131

n8n before 2.28.1 contains an information disclosure vulnerability where external secrets are incorrectly resolved in workflow node expressions outside credentials scope. Authenticated project editors can read plaintext external secret values by referencing them in node expressions without...

6.3CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60133

PraisonAI before 4.6.78 contains an unenforced security policy vulnerability in the default Subprocess Sandbox backend where blocked commands, blocked paths, blocked imports, allow subprocess, and allow file write restrictions are completely ignored. Attackers can execute arbitrary subprocess...

8.7CVSS6.3AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60138

PraisonAI before 4.6.78 contains an authentication bypass in the Call API agent invocation endpoints src/praisonai/praisonai/api/agent invoke.py when PRAISONAI CALL AUTH=disabled is configured. The safeguard intended to restrict the disabled-auth opt-out to localhost binding derives the bind host...

8.8CVSS6.1AI score
Exploits0References5
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60140

PraisonAI before 4.6.78 contains a remote code execution vulnerability in JobWorkflowExecutor. exec inline python due to insufficient AST validation of workflow script steps. Attackers can create malicious YAML workflow files with import os statements followed by os.system calls that bypass sandb...

7.3CVSS6.6AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60142

PraisonAI before 1.6.78 contains a remote code execution vulnerability in SkillTools.run skill script that executes scripts without path containment validation. Attackers can supply absolute file paths to execute arbitrary scripts from any filesystem location, including those outside the intended...

8.6CVSS6.6AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60146

The Grav API plugin getgrav/grav-plugin-api before 2.0.4 contains an improper session invalidation vulnerability where JWT access tokens are issued without a jti JWT ID claim and therefore cannot be revoked server-side. Unlike refresh tokens, access tokens remain valid for their full lifetime...

6.9CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60148

The Grav API plugin getgrav/grav-plugin-api before 1.0.3 contains a file upload extension bypass in the API media controller. HandlesMediaUploads::validateFileExtension inspects only the final file extension via pathinfo$filename, PATHINFO EXTENSION, so a user with api.media.write permission can...

8.8CVSS6.3AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60152

ImageMagick before 7.1.2-26 and 6.9.13-51 contains an information disclosure vulnerability: when a profile is displayed with the identify command and the profile value is not printable, a single byte at the end of the profile can be printed read past the profile boundary. This behavior occurs whe...

2.9CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60153

ImageMagick before 7.1.2-26 and 6.x before 6.9.13-51 contains a memory leak in the TIFF encoder that occurs when a temporary file cannot be created, resulting in a small memory leak...

2.9CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60121

Wazuh Manager before 5.0.0-beta3 fails to escape the DataValue.index field when constructing OpenSearch bulk requests, allowing enrolled agents to inject arbitrary NDJSON operations. Attackers can smuggle delete, index, or update operations into bulk requests executed under the manager's admin...

10CVSS6.2AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60129

Permission bypass vulnerability in the card module. Impact: Successful exploitation of this vulnerability may affect availability...

6.6CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60130

The bundled Grav Flex Objects plugin getgrav/grav-plugin-flex-objects before 1.4.0 contains a stored server-side template injection vulnerability. When rendering dynamic collection or object titles, the plugin passes user-controlled frontmatter values page.header.flex.collection.title or...

8.8CVSS6.3AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60134

PraisonAI before 1.6.78 caches tool approval decisions by tool name only, allowing attackers to reuse initial approvals for subsequent calls with arbitrary arguments. Attackers can exploit this by obtaining approval for a benign operation and then executing dangerous file write operations with...

6.9CVSS6.2AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60139

PraisonAI before 4.6.78 fails to verify Svix webhook signatures in AgentMail webhook mode, allowing unauthenticated attackers to forge message.received events. Attackers can send crafted JSON payloads to the webhook endpoint to invoke configured agents with arbitrary sender addresses and message...

8.8CVSS6.2AI score
Exploits0References5
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60141

PraisonAI Platform before 0.1.9 fails to properly authorize label and issue-label mutations, allowing workspace members to rename and recolor shared labels and add or remove labels on owner-created issues. Attackers with workspace member privileges can exploit PATCH and POST/DELETE endpoints to...

7.1CVSS6.1AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60144

Grav 2.0.1 contains a decompression-bomb size-cap bypass in ZipArchiver and GPMInstaller. The size bound introduced in 2.0.1 sums the uncompressed size declared in each entry's ZIP central-directory header ZipArchive::statIndex'size' and rejects archives exceeding system.gpm.archive.max...

7.1CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60147

Grav v2.0.0 contains a cross-site scripting vulnerability fixed in 2.0.1. The XSS blueprint validator Security::detectXss runs on raw page content before Twig processing. When Twig content processing is enabled twig content.process enabled: true, an attacker with page-write API permission can use...

6.1CVSS6.2AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60150

ImageMagick before 7.1.2-26 and 6.9.13-x before 6.9.13-51 contains a policy bypass vulnerability in the -script operation due to missing security policy checks. This allows reading files from paths that are otherwise disallowed by the configured security policy...

4.8CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60151

ImageMagick before 7.1.2-26 and 6.9.13-51 contains a use-after-free vulnerability that occurs when freetype initialization fails: the method does not exit and continues to use memory that was already freed. This can be triggered during image processing and may lead to a denial of service...

6.3CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60114

Capgo Cap-go/capgo before 12.128.2 contains an information disclosure vulnerability in the Supabase PostgREST SECURITY DEFINER RPC function public.rescind invitation that allows unauthenticated attackers to enumerate organization existence. The function returns distinct error messages NO ORG vs N...

8.7CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60120

open-webui before 0.3.14 contains a cross-origin resource sharing misconfiguration allowing arbitrary origins with allow origins= and authenticated requests to the /api/v1/functions endpoint. Attackers can execute arbitrary code on the openwebui instance by crafting malicious cross-site requests...

9CVSS6.3AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60122

Hono before 4.11.10 contains a timing attack vulnerability in the basicAuth and bearerAuth middlewares due to non-constant-time string comparison in the timingSafeEqual function. Attackers can exploit early termination of string equality checks to infer valid credentials through precise timing...

6.3CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60115

n8n before version 2.10.0 contains an input validation vulnerability in the Guardrail node that allows attackers to bypass default guardrail instructions. End users can craft malicious inputs to circumvent guardrail protections and compromise workflow integrity...

6.3CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 15 hours ago3 views

PT-2026-60119

Open WebUI before 0.9.5 contains a stored cross-site scripting vulnerability in the OAuth authentication flow where the picture claim URL MIME type is inferred from file extension rather than Content-Type header, allowing SVG files to bypass the profile image validator and be stored as data URIs...

8.5CVSS6.2AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 15 hours ago4 views

PT-2026-58930

Dell PowerScale OneFS versions 9.5.0.0 through 9.10.1.7, versions 9.11.0.0 through 9.13.0.2 contains an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information disclosure...

7.8CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 15 hours ago4 views

PT-2026-58894

Dell PowerScale OneFS versions 9.5.0.0 through 9.10.1.7, and versions 9.11.0.0 through 9.13.0.2 contains an Improper Privilege Management vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges...

6.7CVSS6.1AI score
Exploits0References2
Total number of security vulnerabilities186843