Lucene search
K
PtsecurityRecent

186922 matches found

Positive Technologies
Positive Technologies
added 17 hours ago6 views

PT-2026-58874

Untrusted Pointer Dereference in ASUS System Control Interface v3, ASUS System Control Interface, and ASUS Business Manager allows a local administrator to perform arbitrary physical memory read and write operations via crafted IOCTL requests to the driver, bypassing OS-enforced memory protection...

8.4CVSS6.2AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 17 hours ago7 views

PT-2026-58875

Out-of-bounds Read in ASUS System Control Interface v3, ASUS System Control Interface, and ASUS Business Manager allows a local administrator to read memory regions beyond the intended firmware boundary by supplying a crafted IOCTL request that bypasses the validation. Refer to the ' Security...

5.6CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 17 hours ago4 views

PT-2026-58888

Notepad++ vulnerabilities now have public PoC exploit code. CVE-2026-52886, CVE-2026-54758, and CVE-2026-57233 are fixed in v8.9.7. Update now. NotepadPlusPlus PathTraversal ZipSlip CVE InfoSec https://t.co/OYi5XPXTS9...

6.1AI score
Exploits0References1
Positive Technologies
Positive Technologies
added 17 hours ago4 views

PT-2026-58886

Notepad++ vulnerabilities now have public PoC exploit code. CVE-2026-52886, CVE-2026-54758, and CVE-2026-57233 are fixed in v8.9.7. Update now. NotepadPlusPlus PathTraversal ZipSlip CVE InfoSec https://t.co/OYi5XPXTS9...

6.1AI score
Exploits0References1
Positive Technologies
Positive Technologies
added 17 hours ago4 views

PT-2026-58931

Missing Authorization CWE-862 in BankAccountListController app/Http/Controllers/Api/BankAccount/BankAccountListController.php, exposed at GET /api/bank-account, in Prospero Flow CRM company id-get, performing only company scoping and no role or permission check before returning the data. This...

8.7CVSS6.2AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 17 hours ago4 views

PT-2026-58894

Dell PowerScale OneFS versions 9.5.0.0 through 9.10.1.7, and versions 9.11.0.0 through 9.13.0.2 contains an Improper Privilege Management vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges...

6.7CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 17 hours ago6 views

PT-2026-58879

The Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.17 does not verify that a file upload is made against an existing form configured with a file-upload field, accepting uploads regardless of whether any such form exists, which allows unauthenticated users to upload...

6.2AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 17 hours ago8 views

PT-2026-58871

Improper Neutralization of Special Elements used in an SQL Command "SQL Injection" in the web management interface of certain ASUS router models allows a remote authenticated user to disclose confidential information via a crafted request that bypasses existing input validation Refer to the ' ...

5.9CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 17 hours ago6 views

PT-2026-58873

Allocation of Resources Without Limits and Throttling and Sensitive Information in Resource Not Removed Before Reuse in the ASUS System Control Interface driver and ASUS Business Manager allow a local administrator to disclose sensitive information via crafted IOCTL requests, which, in severe...

8.2CVSS6AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 17 hours ago7 views

PT-2026-58876

Permissive Cross-domain Security Policy with Untrusted Domains in ASUS GameSDK allows a remote user to obtain a local user’s NTLM hash by convincing the user to visit a crafted web page that sends a request containing a UNC path to the application’s local service endpoint. This can result in...

7.2CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 17 hours ago8 views

PT-2026-58866

An information disclosure vulnerability was identified in TP-Link Kasa EC70 v4 and EC71 v4 in the local discovery mechanism, which exposes sensitive geolocation information without requiring authentication. This issue allows an attacker on the same local network to retrieve geolocation-related da...

5.3CVSS6.1AI score
Exploits0References6
Positive Technologies
Positive Technologies
added 17 hours ago10 views

PT-2026-58867

Kasa EC71 v4 and EC70 v4 firmware contains a static cryptographic private key stored in a read-only filesystem that is shared across devices. An attacker with access to the firmware image can extract the embedded key. Successful exploitation may allow an unauthenticated attacker on the same...

8.6CVSS6.1AI score
Exploits0References5
Positive Technologies
Positive Technologies
added 17 hours ago6 views

PT-2026-58882

The Quotes llama WordPress plugin before 3.1.6 does not properly sanitize and escape a user-supplied parameter before using it in a SQL query, allowing unauthenticated attackers to perform UNION-based SQL injection and read arbitrary data from the database, including password hashes...

6.2AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 17 hours ago7 views

PT-2026-58872

An Improper Validation of Integrity Check Value and Improper Certificate Validation in certain ASUS router models allows a remote man-in-the-middleMITM user to make the router download and execute arbitrary command via a spoofed server. Refer to the ' Security Update for ASUS Router Firmware '...

9.5CVSS6.3AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 17 hours ago5 views

PT-2026-58880

The Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.17 does not perform a per-object capability check in its post-duplication AJAX action, allowing users with Contributor-level access or above to duplicate any post regardless of owner, post type, or status into a...

6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 17 hours ago4 views

PT-2026-58887

Notepad++ vulnerabilities now have public PoC exploit code. CVE-2026-52886, CVE-2026-54758, and CVE-2026-57233 are fixed in v8.9.7. Update now. NotepadPlusPlus PathTraversal ZipSlip CVE InfoSec https://t.co/OYi5XPXTS9...

6.1AI score
Exploits0References1
Positive Technologies
Positive Technologies
added 17 hours ago4 views

PT-2026-58895

A boolean-based SQL Injection vulnerability exists in Apache Fineract's Client Search API GET /api/v1/clients in versions up to and including 1.14.0. The orderBy and sortOrder request parameters are concatenated into a SQL query without sufficient validation, allowing an authenticated user with...

6.1AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 17 hours ago4 views

PT-2026-58881

The Shibboleth WordPress plugin before 2.5.4 does not fail closed when its HTTP header identity mode is enabled without an anti-spoofing key, treating any request that carries identity headers as an authenticated session without verifying them. On a deployment where untrusted client headers reach...

6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 17 hours ago4 views

PT-2026-58883

A flaw was found in the OpenShift GitOps operator. The ClusterRole reconciler does not validate resource ownership when reconciling ClusterRole objects. A namespace-scoped Argo CD instance can trigger deletion of a ClusterRole owned by a cluster-scoped Argo CD instance by crafting a name collisio...

7.7CVSS6AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 17 hours ago8 views

PT-2026-58878

The installer of HYPER SBI 2 insecurely loads Dynamic Link Libraries. If there is a crafted DLL at the same directory when invoking the affected installer, arbitrary code may be executed with the privilege of the user invoking the installer...

8.4CVSS7.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 17 hours ago7 views

PT-2026-58877

Improper Restriction of Communication Channel to Intended Endpoints and External Control of File Name or Path in Aura Wallpaper Service allow a local user to perform file operations by sending crafted commands containing an arbitrary file path and bypassing the service’s path restrictions . On...

8.5CVSS6.2AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 17 hours ago3 views

PT-2026-60190

FastGPT is a knowledge-based AI application platform. Prior to 4.15.0-beta5, FastGPT's shared SSRF guard validates only the initial request URL before handing the request to axios, and axios follows redirects by default. An authenticated workflow user can configure an HTTP request node to call an...

6.3CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 17 hours ago4 views

PT-2026-60180

Cloudreve is a self-hosted file management and sharing system. From 4.12.0 until 4.16.1, Cloudreve's OAuth access tokens are issued without the OAuth client id claim, so the JWT verifier does not load token scopes into request context and RequiredScopes treats the request like non-scoped session...

7.6CVSS6.1AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 17 hours ago3 views

PT-2026-60177

Redash is a package for data visualization and sharing. From 5.0.2 to 26.3.0, the get next path function in Redash's authentication module stripped the scheme and netloc from user-supplied next parameters but did not normalize multiple leading slashes, allowing a crafted login URL such as...

6.1CVSS6AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 17 hours ago4 views

PT-2026-60165

ICU Scandinavia Boomerang is vulnerable to an information disclosure flaw where sensitive credential files are exposed via static HTTP. This allows an unauthenticated remote attacker to retrieve plaintext service account and SMTP credentials by requesting specific XML files from the webroot. This...

7.1CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 17 hours ago4 views

PT-2026-60170

Permission control vulnerability in the file system. Impact: Successful exploitation of this vulnerability may affect service confidentiality...

7.8CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 17 hours ago3 views

PT-2026-60164

A flaw was found in CRI-O. The fix for a previous vulnerability CVE-2022-4318 was incorrect, allowing it to be bypassed. An attacker capable of setting environment variables on a container can inject a newline character into the HOME environment variable. This issue allows the addition of arbitra...

7.8CVSS6.1AI score
Exploits0References6
Positive Technologies
Positive Technologies
added 17 hours ago4 views

PT-2026-60171

DoS vulnerability in the vibration service. Impact: Successful exploitation of this vulnerability may affect availability...

6.5CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 17 hours ago4 views

PT-2026-60169

Design defect vulnerability in Expedition mode. Impact: Successful exploitation of this vulnerability may affect availability...

4.8CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 17 hours ago4 views

PT-2026-60168

Permission control vulnerability in the Bluetooth module. Impact: Successful exploitation of this vulnerability may affect availability...

5.1CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 17 hours ago4 views

PT-2026-60166

ICU Scandinavia Boomerang is vulnerable to a missing authentication flaw in its device receiver endpoints. This allows an unauthenticated remote attacker to read full facility configurations and write unauthorized data to the sensor database. This issue has been fixed in version 2.4.18.029...

5.3CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 17 hours ago4 views

PT-2026-60167

Permission control vulnerability in the Settings module. Impact: Successful exploitation of this vulnerability may affect service confidentiality...

6.6CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 17 hours ago3 views

PT-2026-60163

A flaw was found in samba's pam winbind. When mkhomedir is enabled, pam winbind chowns the target account's home directory without validating the path is not a critical system directory such as /. On affected systems, accounts with / as their home directory a common default for system accounts ca...

6.1CVSS6.1AI score
Exploits0References6
Positive Technologies
Positive Technologies
added 17 hours ago3 views

PT-2026-60119

Open WebUI before 0.9.5 contains a stored cross-site scripting vulnerability in the OAuth authentication flow where the picture claim URL MIME type is inferred from file extension rather than Content-Type header, allowing SVG files to bypass the profile image validator and be stored as data URIs...

8.5CVSS6.2AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 17 hours ago3 views

PT-2026-60134

PraisonAI before 1.6.78 caches tool approval decisions by tool name only, allowing attackers to reuse initial approvals for subsequent calls with arbitrary arguments. Attackers can exploit this by obtaining approval for a benign operation and then executing dangerous file write operations with...

6.9CVSS6.2AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 17 hours ago3 views

PT-2026-60137

PraisonAI before 4.6.78 fails to safely encode deployment configuration values when generating Python source code for API servers. Attackers can inject arbitrary Python expressions through the deploy.api.host and agents file configuration parameters that execute when the generated server starts o...

8.5CVSS6.3AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 17 hours ago4 views

PT-2026-60139

PraisonAI before 4.6.78 fails to verify Svix webhook signatures in AgentMail webhook mode, allowing unauthenticated attackers to forge message.received events. Attackers can send crafted JSON payloads to the webhook endpoint to invoke configured agents with arbitrary sender addresses and message...

8.8CVSS6.2AI score
Exploits0References5
Positive Technologies
Positive Technologies
added 17 hours ago4 views

PT-2026-60129

Permission bypass vulnerability in the card module. Impact: Successful exploitation of this vulnerability may affect availability...

6.6CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 17 hours ago4 views

PT-2026-60117

n8n contains an authentication bypass in the Chat Trigger node when configured with n8n User Auth a non-default configuration. In affected releases — before 1.123.22, the 2.0.0 through 2.9.2 line, and 2.10.0 — the authentication check on the Chat Trigger webhook endpoint can be circumvented,...

6.3CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 17 hours ago4 views

PT-2026-60130

The bundled Grav Flex Objects plugin getgrav/grav-plugin-flex-objects before 1.4.0 contains a stored server-side template injection vulnerability. When rendering dynamic collection or object titles, the plugin passes user-controlled frontmatter values page.header.flex.collection.title or...

8.8CVSS6.3AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 17 hours ago3 views

PT-2026-60122

Hono before 4.11.10 contains a timing attack vulnerability in the basicAuth and bearerAuth middlewares due to non-constant-time string comparison in the timingSafeEqual function. Attackers can exploit early termination of string equality checks to infer valid credentials through precise timing...

6.3CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 17 hours ago3 views

PT-2026-60120

open-webui before 0.3.14 contains a cross-origin resource sharing misconfiguration allowing arbitrary origins with allow origins= and authenticated requests to the /api/v1/functions endpoint. Attackers can execute arbitrary code on the openwebui instance by crafting malicious cross-site requests...

9CVSS6.3AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 17 hours ago3 views

PT-2026-60115

n8n before version 2.10.0 contains an input validation vulnerability in the Guardrail node that allows attackers to bypass default guardrail instructions. End users can craft malicious inputs to circumvent guardrail protections and compromise workflow integrity...

6.3CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 17 hours ago3 views

PT-2026-60138

PraisonAI before 4.6.78 contains an authentication bypass in the Call API agent invocation endpoints src/praisonai/praisonai/api/agent invoke.py when PRAISONAI CALL AUTH=disabled is configured. The safeguard intended to restrict the disabled-auth opt-out to localhost binding derives the bind host...

8.8CVSS6.1AI score
Exploits0References5
Positive Technologies
Positive Technologies
added 17 hours ago3 views

PT-2026-60152

ImageMagick before 7.1.2-26 and 6.9.13-51 contains an information disclosure vulnerability: when a profile is displayed with the identify command and the profile value is not printable, a single byte at the end of the profile can be printed read past the profile boundary. This behavior occurs whe...

2.9CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 17 hours ago4 views

PT-2026-60148

The Grav API plugin getgrav/grav-plugin-api before 1.0.3 contains a file upload extension bypass in the API media controller. HandlesMediaUploads::validateFileExtension inspects only the final file extension via pathinfo$filename, PATHINFO EXTENSION, so a user with api.media.write permission can...

8.8CVSS6.3AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 17 hours ago3 views

PT-2026-60150

ImageMagick before 7.1.2-26 and 6.9.13-x before 6.9.13-51 contains a policy bypass vulnerability in the -script operation due to missing security policy checks. This allows reading files from paths that are otherwise disallowed by the configured security policy...

4.8CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 17 hours ago3 views

PT-2026-60153

ImageMagick before 7.1.2-26 and 6.x before 6.9.13-51 contains a memory leak in the TIFF encoder that occurs when a temporary file cannot be created, resulting in a small memory leak...

2.9CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 17 hours ago3 views

PT-2026-60141

PraisonAI Platform before 0.1.9 fails to properly authorize label and issue-label mutations, allowing workspace members to rename and recolor shared labels and add or remove labels on owner-created issues. Attackers with workspace member privileges can exploit PATCH and POST/DELETE endpoints to...

7.1CVSS6.1AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 17 hours ago4 views

PT-2026-60146

The Grav API plugin getgrav/grav-plugin-api before 2.0.4 contains an improper session invalidation vulnerability where JWT access tokens are issued without a jti JWT ID claim and therefore cannot be revoked server-side. Unlike refresh tokens, access tokens remain valid for their full lifetime...

6.9CVSS6.1AI score
Exploits0References3
Total number of security vulnerabilities186922