Lucene search
+L
PtsecurityRecent

187212 matches found

ptsecurity
ptsecurity
added 18 hours ago3 views

PT-2026-60497

Perfect Support Ticketing & Document Management System through 1.7 contains a stored cross-site scripting vulnerability that allows authenticated attackers with Agent-level privileges to inject malicious payloads into the Notes field of assigned support tickets. Attackers can store malicious...

5.4CVSS6.1AI score
Exploits0References3
ptsecurity
ptsecurity
added 18 hours ago3 views

PT-2026-60447

The Joomla extension Quix Page Builder Pro is vulnerable to an unauthenticated SQL injection...

8.7CVSS6.1AI score
Exploits0References3
ptsecurity
ptsecurity
added 18 hours ago4 views

PT-2026-60434

The Loco Translate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.5. This is due to missing or incorrect nonce validation on the execTemplate function. This makes it possible for unauthenticated attackers to execute arbitrary PHP code on...

8.8CVSS6.3AI score
Exploits0References11
ptsecurity
ptsecurity
added 18 hours ago5 views

PT-2026-60435

The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the fr token function in all versions up to, and including, 7.3.1.4. This makes it possible for...

8.1CVSS6.5AI score
Exploits0References8
ptsecurity
ptsecurity
added 18 hours ago6 views

PT-2026-60466

HCL DFXAnalytics is affected by a Missing Secure Attribute in Encrypted Session SSL Cookie vulnerability. The application fails to set the "secure" attribute on session cookies generated during authentication, which could allow a remote attacker to intercept network traffic and capture sensitive...

3CVSS6.2AI score
Exploits0References2
ptsecurity
ptsecurity
added 18 hours ago3 views

PT-2026-60470

HCL DFXAnalytics is affected by a Missing HTTP Strict-Transport-Security Header vulnerability. The application fails to implement the HTTP Strict Transport Security HSTS policy within its responses, which could allow a remote attacker to downgrade the communication channel to an unencrypted...

3.1CVSS6.1AI score
Exploits0References2
ptsecurity
ptsecurity
added 18 hours ago6 views

PT-2026-60468

HCL DFXAnalytics is affected by an Internal IP Address Disclosure vulnerability. The application includes internal IP address details within its generated server responses, which could allow a remote attacker to gather sensitive network topology information and use it to map the internal...

2.6CVSS6.1AI score
Exploits0References2
ptsecurity
ptsecurity
added 18 hours ago6 views

PT-2026-60508

Grafana OnCall through 1.16.11 contains an unauthenticated access vulnerability that allows remote attackers to obtain a valid PluginAuthToken by sending a POST request to the internal plugin install endpoint using hardcoded default stack id and org id values present in the public source tree...

9.8CVSS6.2AI score
Exploits0References2
ptsecurity
ptsecurity
added 18 hours ago5 views

PT-2026-60502

Buffa is a pure-Rust Protocol Buffers implementation with first-class protobuf editions support. Prior to 0.7.0, a soundness bug in the OwnedView type allowed safe Rust code to trigger a use-after-free: the OwnedView::decode constructor transmuted a borrowed slice to &'static u8, and the Deref...

5.9CVSS6.2AI score
Exploits0References4
ptsecurity
ptsecurity
added 18 hours ago5 views

PT-2026-60501

Image::EPEG versions through 0.15 for Perl embeds an unsupported version of the Epeg library. Image::EPEG includes Epeg 0.9.0 that was last updated in 2004. Epeg is a fast JPEG thumbnail library that was once part of the Englightenment Project...

6.1AI score
Exploits0References3
ptsecurity
ptsecurity
added 18 hours ago4 views

PT-2026-60505

XML::Bare versions through 0.53 for Perl have an unbounded character lookahead. The parserc parse function attempts to check for multicharacter strings such as "" without checking that the offsets are within the buffer. Truncated strings such as "a/" can trigger an out-of-bounds read...

6.1AI score
Exploits0References2
ptsecurity
ptsecurity
added 18 hours ago5 views

PT-2026-60499

HTML::Bare versions through 0.04 for Perl will hang in an infinite loop when parsing malformed attributes. The parserc parse function never advances the attribute-parse state cursor on certain malformed attribute forms, looping forever. Nameless attributes such as "" or unbalanced quotes "" can...

6.1AI score
Exploits0References2
ptsecurity
ptsecurity
added 18 hours ago5 views

PT-2026-60504

HTML::Bare versions through 0.04 for Perl have an unbounded character lookahead. The parserc parse function attempts to check for multicharacter strings such as "" without checking that the offsets are within the buffer. Truncated strings such as "a/" can trigger an out-of-bounds read. Note that...

6.1AI score
Exploits0References3
ptsecurity
ptsecurity
added 18 hours ago3 views

PT-2026-60506

Axelor Open Platform versions 8.x prior to 8.2.2 contains an authorization bypass vulnerability that allows authenticated non-admin users to escalate privileges by exploiting unenforced field restrictions on nested relational save operations. Attackers can modify sensitive User record fields such...

8.8CVSS6.1AI score
Exploits0References3
ptsecurity
ptsecurity
added 18 hours ago5 views

PT-2026-60500

XML::Bare versions through 0.53 for Perl will hang in an infinite loop when parsing malformed attributes. The parserc parse function never advances the attribute-parse state cursor on certain malformed attribute forms, looping forever. Nameless attributes such as "" or unbalanced quotes "" can...

6.1AI score
Exploits0References2
ptsecurity
ptsecurity
added 18 hours ago5 views

PT-2026-60503

Yamcs is a mission control framework. Prior to 5.12.8 and 5.13.2, the PacketsApi.exportPackets endpoint in yamcs-core/src/main/java/org/yamcs/http/api/PacketsApi.java failed to enforce object-level ReadPacket privileges when a request omitted specific packet names: with an empty name list the...

4.3CVSS6.1AI score
Exploits0References5
ptsecurity
ptsecurity
added 18 hours ago5 views

PT-2026-60489

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, kiota plugin add and kiota plugin generate with -t APIPlugin emitted attacker-controlled static template.file values from x-ai-adaptive-card and x-ai-capabilities into generated Microsoft 365 Copilot and Teams plugin manifests...

9.3CVSS6.1AI score
Exploits0References5
ptsecurity
ptsecurity
added 18 hours ago3 views

PT-2026-60492

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, Kiota resolved OpenAPI $ref values by fetching remote https URLs and reading local absolute or out-of-tree file paths, allowing kiota generate on an attacker-controlled or attacker-influenced description to perform build-time...

7.1CVSS6.2AI score
Exploits0References5
ptsecurity
ptsecurity
added 18 hours ago8 views

PT-2026-60452

HCL DFXServer is affected by an Unencrypted Communication vulnerability. The application permits users to establish connections over unencrypted channels via the HTTP protocol, which could allow a remote attacker to intercept network traffic and expose sensitive data transmitted between the user...

6.3CVSS6.1AI score
Exploits0References2
ptsecurity
ptsecurity
added 18 hours ago5 views

PT-2026-60456

stoatchat versions before 0.7.8 fail to enforce account creation restrictions including invite-only mode, email verification, captcha, and shield verification. Attackers can create unlimited accounts with unverified email addresses, increasing denial-of-service risk and compromising service...

6.9CVSS6.1AI score
Exploits0References3
ptsecurity
ptsecurity
added 18 hours ago6 views

PT-2026-60458

stoatchat delta/Revolt versions from 20241213-1 before 20250210-1 allow users with only ViewChannel read permission on a channel to fetch that channel's webhooks, including their tokens, because the webhook fetch endpoint checked for ViewChannel instead of ManageWebhooks. Using a retrieved token,...

7.6CVSS6.2AI score
Exploits0References3
ptsecurity
ptsecurity
added 18 hours ago6 views

PT-2026-60442

The The Cache Purger plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.3.20. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level...

4.3CVSS6.1AI score
Exploits0References7
ptsecurity
ptsecurity
added 18 hours ago6 views

PT-2026-60463

AVideo through 29.0 contains an OS command injection vulnerability in the ffmpeg.json.php endpoint where notifyCode and callback parameters are concatenated into a shell command without escaping. Attackers who can craft a valid encrypted payload can inject arbitrary shell metacharacters into thes...

9.2CVSS6.3AI score
Exploits0References2
ptsecurity
ptsecurity
added 18 hours ago7 views

PT-2026-60411

In the Linux kernel, the following vulnerability has been resolved: ipv4: account for fraggap on the paged allocation path In ip append data, when the paged-allocation branch is taken, alloclen and pagedlen are computed as alloclen = fragheaderlen + transhdrlen; pagedlen = datalen - transhdrlen;...

6AI score
Exploits0References6
ptsecurity
ptsecurity
added 18 hours ago5 views

PT-2026-60430

The Digits: WordPress Mobile Number Signup and Login plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 9.1.0.5. This is due to missing authorization and role validation in the dig update wpwc custom fields function. This makes it possible for...

8.8CVSS6AI score
Exploits0References3
ptsecurity
ptsecurity
added 18 hours ago7 views

PT-2026-60422

The RTMKit WordPress plugin before 2.0.9 does not perform a proper capability check on one of its -builder AJAX actions, allowing users with at least the Author role to create and activate a site-wide template that overrides the header, footer or other global areas displayed to all visitors, whic...

6.1AI score
Exploits0References2
ptsecurity
ptsecurity
added 18 hours ago6 views

PT-2026-60465

An information disclosure vulnerability exists in Canonical ubuntu-pro-client formerly ubuntu-advantage-tools. The client validates Ubuntu Pro APT credentials by executing /usr/lib/apt/apt-helper using the download-file command. During this process, the secret bearer token is embedded directly in...

5.5CVSS6.1AI score
Exploits0References1
ptsecurity
ptsecurity
added 18 hours ago5 views

PT-2026-60454

HCL DFXServer is affected by a Missing Access Control vulnerability. This vulnerability states that certain endpoints are accessible without any form of authentication in another browser. This allows any network user to invoke these APIs and interact with the application without verification of...

6.3CVSS6.1AI score
Exploits0References2
ptsecurity
ptsecurity
added 18 hours ago5 views

PT-2026-60449

Use-after-free vulnerability in ESET Linux products potentially allowed an attacker to trigger kernel panic on the system...

6.7CVSS6.1AI score
Exploits0References2
ptsecurity
ptsecurity
added 18 hours ago6 views

PT-2026-60436

The wpForo Forum plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'location' Profile Field in all versions up to, and including, 3.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access...

6.4CVSS6.2AI score
Exploits0References9
ptsecurity
ptsecurity
added 18 hours ago8 views

PT-2026-60398

The List category posts plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 0.95.0 via the sanitize status. This makes it possible for authenticated attackers, with contributor-level access and above, to extract titles, full content, excerpts...

4.3CVSS6.1AI score
Exploits0References7
ptsecurity
ptsecurity
added 18 hours ago6 views

PT-2026-60404

The Easy Accordion – AI-Powered FAQ & Accordion Blocks, Product FAQ plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'align' Block Attribute in all versions up to, and including, 3.1.6 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS6.2AI score
Exploits0References6
ptsecurity
ptsecurity
added 18 hours ago9 views

PT-2026-60414

The WP Job Portal WordPress plugin before 2.5.5 does not properly sanitize and escape a parameter before using it in a SQL query, allowing authenticated users with a subscriber-level self-registerable account to perform SQL injection attacks...

6.1AI score
Exploits0References2
ptsecurity
ptsecurity
added 18 hours ago10 views

PT-2026-60415

The Happy Coders OTP Login for WooCommerce WordPress plugin before 2.8 does not verify that a one-time password was actually validated before authenticating a user based on a supplied identifier, allowing unauthenticated attackers to log in as any existing user, including administrators, as well ...

6.1AI score
Exploits0References2
ptsecurity
ptsecurity
added 18 hours ago7 views

PT-2026-60408

The Product Feed Manager For WooCommerce – Sell on 200+ Online Marketplaces plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via 's' Search Parameter in all versions up to, and including, 7.6.1 due to insufficient input sanitization and output escaping. This makes it possible...

6.1CVSS6.2AI score
Exploits0References7
ptsecurity
ptsecurity
added 18 hours ago9 views

PT-2026-60481

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.0, Kiota's Python generator let attacker-controlled enum value descriptions from x-ms-enum.values.description flow through KiotaBuilder.SetEnumOptions into Documentation.DescriptionTemplate and...

7.5CVSS6.2AI score
Exploits0References3
ptsecurity
ptsecurity
added 18 hours ago4 views

PT-2026-60476

A race condition in the account lockout mechanism in Delphix Continous Data allowed the lockout threshold to be bypassed through concurrent authentication requests. Parallel login attempts were processed before the failed-login counter and lockout status were updated, defeating brute-force...

8.3CVSS6.1AI score
Exploits0References2
ptsecurity
ptsecurity
added 18 hours ago6 views

PT-2026-60477

Authorization Bypass Through User-Controlled Key CWE-639 in the Order and OrderItem REST API controllers in Roskus Prospero Flow CRM before 5.5.3 allows a remote, authenticated user to read, modify, and delete orders and order items belonging to any other company tenant via a sequential numeric i...

6.9CVSS6.1AI score
Exploits0References4
ptsecurity
ptsecurity
added 18 hours ago6 views

PT-2026-60464

stoatchat before 0.13.5 contains an unauthenticated server-side request forgery vulnerability in the /proxy and /embed endpoints that accept arbitrary URLs without DNS resolution filtering or private IP range validation. Attackers can enumerate internal services, fingerprint applications, and rea...

9.2CVSS6.2AI score
Exploits0References2
ptsecurity
ptsecurity
added 18 hours ago4 views

PT-2026-60439

The WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress is vulnerable to Privilege Escalation via arbitrary option update in all versions up to, and including, 3.12.8. This is due to the update settings REST callback failing to validate the group id pa...

8.8CVSS6.1AI score
Exploits0References7
ptsecurity
ptsecurity
added 18 hours ago9 views

PT-2026-60352

A vulnerability was identified in the Feast Feature Server's /ws/chat endpoint that allows remote attackers to establish persistent WebSocket connections without any authentication. By opening a large number of simultaneous connections, an attacker can exhaust server resources—such as memory, CPU...

7.5CVSS6.1AI score
Exploits0References4
ptsecurity
ptsecurity
added 18 hours ago6 views

PT-2026-60433

The Quiz Master Next plugin for WordPress is vulnerable to SQL Injection via stored quiz page data in versions up to, and including, 11.2.0. This is due to insufficient escaping on the user-supplied 'pages' parameter persisted by the qsm ajax save pages AJAX handler sanitize text field only and...

6.5CVSS6.1AI score
Exploits0References6
ptsecurity
ptsecurity
added 18 hours ago9 views

PT-2026-60351

A flaw was found in Keycloak. When the JSON Web Token JWT authorization grant preview feature is enabled and a user account is disabled, Keycloak fails to validate the user’s disabled status during JWT authorization grant processing. A remote attacker with low privileges can exploit this improper...

8.1CVSS6.1AI score
Exploits0References5
ptsecurity
ptsecurity
added 18 hours ago7 views

PT-2026-60480

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.0, Kiota's Ruby generator embedded OpenAPI default fields, property names, and other schema-derived strings through CodeMethodWriter.cs and SanitizeForQuotedLiteral in Writers/StringExtensions.cs into Ruby double-quoted literals...

7.5CVSS6.2AI score
Exploits0References5
ptsecurity
ptsecurity
added 18 hours ago6 views

PT-2026-60482

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, Kiota honored a poisoned .kiota/workspace.json workspace configuration without validating per-client or per-plugin outputPath values during kiota client generate and kiota plugin generate, allowing a malicious repository or pu...

7CVSS6.2AI score
Exploits0References5
ptsecurity
ptsecurity
added 18 hours ago7 views

PT-2026-60479

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.3, Kiota is affected by a code-generation injection vulnerability in the C XML documentation-comment sink the description, externalDocs label, and externalDocs link fields emitted as /// … comments. When text from an OpenAPI...

8.7CVSS6.1AI score
Exploits0References5
ptsecurity
ptsecurity
added 18 hours ago4 views

PT-2026-60507

text-generation-inference through 3.3.7 contains a server-side request forgery SSRF vulnerability in the OpenAI-compatible multimodal chat completions endpoint that allows unauthenticated network attackers to coerce the server into issuing arbitrary HTTP GET requests by supplying a crafted image...

8.6CVSS6.2AI score
Exploits0References2
ptsecurity
ptsecurity
added 18 hours ago4 views

PT-2026-60495

Microsoft UFO open-source framework for intelligent automation across devices and platforms. From 3.0.0 until 3.0.6, a client connected to the UFO WebSocket server as a DEVICE could call DEVICE INFO REQUEST with another device's target id and receive that device's server-side system info through...

4.3CVSS6.1AI score
Exploits0References4
ptsecurity
ptsecurity
added 18 hours ago6 views

PT-2026-60462

AVideo through 29.0 contains an OS command injection vulnerability in plugin/API/standAlone/functions.php where the listFFmpegProcesses function interpolates unsanitized keyword parameters inside single quotes without escaping. Attackers who can craft a valid encrypted codeToExec payload can brea...

9.2CVSS6.3AI score
Exploits0References2
ptsecurity
ptsecurity
added 18 hours ago4 views

PT-2026-60419

The Customer Reviews for WooCommerce WordPress plugin before 5.113.0 does not perform authentication, capability, or nonce checks on one of its media upload AJAX actions when the review media attachment feature is enabled, allowing unauthenticated users to upload media files bounded to an image a...

6.1AI score
Exploits0References2
Total number of security vulnerabilities187212