Lucene search
+L
PtsecurityRecent

187283 matches found

ptsecurity
ptsecurity
added 22 hours ago4 views

PT-2026-60434

The Loco Translate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.5. This is due to missing or incorrect nonce validation on the execTemplate function. This makes it possible for unauthenticated attackers to execute arbitrary PHP code on...

8.8CVSS6.3AI score
Exploits0References11
ptsecurity
ptsecurity
added 22 hours ago5 views

PT-2026-60435

The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the fr token function in all versions up to, and including, 7.3.1.4. This makes it possible for...

8.1CVSS6.5AI score
Exploits0References8
ptsecurity
ptsecurity
added 22 hours ago5 views

PT-2026-19

Name of the Vulnerable Software and Affected Versions ViPNet Client ViPNet MFTP component, versions prior to 4.5.5 build 24733 Description Vulnerability in ViPNet Client component ViPNet MFTP. Recommendations Disable ViPNet on each host APM/server or update ViPNet Client 4 to version 4.5.5 buiild...

9CVSS6.1AI score
Exploits0References3
ptsecurity
ptsecurity
added 22 hours ago7 views

PT-2026-60459

Name of the Vulnerable Software and Affected Versions ubuntu-pro-client affected versions not specified Description An input validation and injection issue exists where the client constructs APT source files using data from the contract server response via the directives.suites and...

9CVSS6.5AI score
Exploits0References5
ptsecurity
ptsecurity
added 22 hours ago6 views

PT-2026-60493

LogicalDOC Enterprise up to and for v9.1.1 is vulnerable to blind SQL injection in the ComparisonServlet component, allowing authenticated user to manipulate SQL queries via crafted input...

6.1AI score
Exploits0References3
ptsecurity
ptsecurity
added 22 hours ago6 views

PT-2026-60494

An Open Redirect vulnerability CWE-601 exists in the OAuth/OIDC authentication implementation of the Axivion Dashboard. The login flow did not properly restrict the post-authentication redirect to the application's own origin, so a user who follows a crafted login link can be sent to an untrusted...

6.8CVSS6AI score
Exploits0References2
ptsecurity
ptsecurity
added 22 hours ago4 views

PT-2026-60496

Microsoft UFO open-source framework for intelligent automation across devices and platforms. Prior to 3.0.7, the COMMAND RESULTS handler in ufo/server/ws/handler.py called get or create session in ufo/server/services/session manager.py without owner client id, allowing an authenticated client to...

6.5CVSS6.1AI score
Exploits0References4
ptsecurity
ptsecurity
added 22 hours ago7 views

PT-2026-60498

Perfect Support Ticketing & Document Management System through 1.7 contains a broken access control vulnerability that allows authenticated attackers with Agent-level privileges to manipulate the Support Agent assignment field of tickets by bypassing intended authorization checks. Attackers can a...

5.4CVSS6.1AI score
Exploits0References3
ptsecurity
ptsecurity
added 22 hours ago4 views

PT-2026-60541

A flaw was found in the group search functionality of the Keycloak server's administrative API. When Fine-Grained Admin Permissions FGAP v2 is enabled, a delegated administrator can bypass access restrictions to view parent groups they are not authorized to see. By searching for a child group the...

4.3CVSS6.1AI score
Exploits0References3
ptsecurity
ptsecurity
added 22 hours ago4 views

PT-2026-60542

BigBlueButton is an open-source virtual classroom. Prior to 3.0.21, bbb-web generated conference sessionToken values with insufficiently secure randomness in bbb-common-web/src/main/java/org/bigbluebutton/api/Util.java and...

8.1CVSS6.1AI score0.00039EPSS
Exploits0References3
ptsecurity
ptsecurity
added 22 hours ago6 views

PT-2026-60527

Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. From 0.96.0 until 0.140.0, authenticated users can rename uploaded files with path traversal sequences because app/models/model file.rb uses the user-controlled...

7.1CVSS6.1AI score0.00051EPSS
Exploits0References5
ptsecurity
ptsecurity
added 22 hours ago6 views

PT-2026-60516

The Lenovo XClarity Integrator for Windows Admin Center plugin version 5.1.1 and below running on the WAC Gateway is vulnerable to Powershell Command Injection when establishing remote PowerShell commands...

8.8CVSS6.1AI score
Exploits0References2
ptsecurity
ptsecurity
added 22 hours ago6 views

PT-2026-60526

HireFlow is a web-based interview management system for managing candidates, scheduling interviews, and tracking hiring progress. In 1.2 and earlier, app.py assigns a hard-coded Flask secret key used to sign session cookies, allowing unauthenticated attackers who know the public source value to...

10CVSS6.1AI score
Exploits0References3
ptsecurity
ptsecurity
added 22 hours ago5 views

PT-2026-60532

Emlog is an open source website building system. In 2.6.13 and earlier, the admin backend user search module's keyword parameter from admin/user.php is processed with addslashes but not HTML-escaped before being rendered into the value attribute in admin/views/user.php, allowing reflected...

8.5CVSS6AI score0.0003EPSS
Exploits0References2
ptsecurity
ptsecurity
added 22 hours ago5 views

PT-2026-60543

BigBlueButton is an open-source virtual classroom. Prior to 3.0.21, bbb-web checksum validation could be bypassed when a presentationUploadExternalUrl parameter was supplied to API request handling in CreateMeeting.java and ValidationService.java, allowing a user to send valid requests to some...

8.1CVSS6.1AI score0.00036EPSS
Exploits0References3
ptsecurity
ptsecurity
added 22 hours ago6 views

PT-2026-60544

BigBlueButton is an open-source virtual classroom. Prior to 3.0.23, the presentation URL validation did not properly restrict access to site local and link local addresses. The redirect following logic now pins resolved IPs. This issue is fixed in version 3.0.23...

6.8CVSS6AI score0.00037EPSS
Exploits0References2
ptsecurity
ptsecurity
added 22 hours ago5 views

PT-2026-60545

Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.2, fm dialplan apply accepted template parameters including greeting, dest, url, extension, code, and file, and Tools/DialplanApply.php wrote Dialplan/Templates.php output to extensions custom.conf while only...

9.9CVSS6.2AI score
Exploits0References4
ptsecurity
ptsecurity
added 22 hours ago5 views

PT-2026-60546

Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.2, Frogman stored API tokens generated by Tools/CreateApiToken.php:33-36 as raw bin2hexrandom bytes32 strings in oc api tokens, and Frogman.class.php:78 authenticated the X-Frogman-Token header by comparing it with the...

7.4CVSS6.1AI score
Exploits0References4
ptsecurity
ptsecurity
added 22 hours ago5 views

PT-2026-60547

Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.2, fm reset password in Tools/ResetPassword.php:48-53 returned a plaintext password and fm add extension in Tools/AddExtension.php:172 returned a plaintext secret; Frogman.class.php:2207-2211 used auditOutcome to...

6.5CVSS6.1AI score
Exploits0References4
ptsecurity
ptsecurity
added 22 hours ago5 views

PT-2026-60548

Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.3, PERM READ access was sufficient to call fm list managers, fm list pinsets, fm show context, fm get mcp config, fm backup status, fm whos calling, fm run saved query, and fm diagnose trunk, exposing AMI manager secrets...

9.3CVSS6.2AI score
Exploits0References6
ptsecurity
ptsecurity
added 22 hours ago5 views

PT-2026-60549

An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. There is an XAPPLEPUSHSERVICE folder existence oracle and push hijack. An authenticated IMAP user could probe for the existence of arbitrary mailboxes on other users' accounts via the XAPPLEPUSHSERVICE command and then create...

3.1CVSS6.2AI score
Exploits0References2
ptsecurity
ptsecurity
added 22 hours ago5 views

PT-2026-60550

An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. The vacation "fcc" feature skips the destination-mailbox ACL. A user whose vacation Sieve script used :fcc to save a copy of the sent message could deliver vacation auto-reply copies into any mailbox the script could name,...

5.4CVSS6.1AI score
Exploits0References2
ptsecurity
ptsecurity
added 22 hours ago5 views

PT-2026-60551

An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. There is an ESEARCH cross-user content oracle. By using the ESEARCH command, an authenticated IMAP user could enumerate folder names under any account they could name. Search would return UIDs of messages matching the search,...

4.3CVSS6.2AI score
Exploits0References2
ptsecurity
ptsecurity
added 22 hours ago5 views

PT-2026-60552

An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. The LOCALDELETE command bypassed ACL checks. An authenticated but non-admin user could invoke the admin-only LOCALDELETE IMAP command and delete mailboxes for which they had no permissions...

6.5CVSS6.1AI score
Exploits0References2
ptsecurity
ptsecurity
added 22 hours ago7 views

PT-2026-60478

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.4, Kiota's PHP generator embedded OpenAPI description, default fields, property names, and other schema-derived strings into PHP double-quoted literals through SanitizeDoubleQuote in Writers/StringExtensions.cs without escaping $...

8.7CVSS6.2AI score
Exploits0References5
ptsecurity
ptsecurity
added 22 hours ago7 views

PT-2026-60482

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, Kiota honored a poisoned .kiota/workspace.json workspace configuration without validating per-client or per-plugin outputPath values during kiota client generate and kiota plugin generate, allowing a malicious repository or pu...

7CVSS6.2AI score
Exploits0References5
ptsecurity
ptsecurity
added 22 hours ago4 views

PT-2026-60484

Prompty is a markdown file format .prompty for LLM prompts. From 2.0.0-alpha.1 until 2.0.0-beta.3, the @prompty/core TypeScript loader in runtime/typescript/packages/core/src/core/loader.ts used gray-matter without overriding executable js and javascript frontmatter engines, allowing an...

8.7CVSS6.3AI score
Exploits0References3
ptsecurity
ptsecurity
added 22 hours ago4 views

PT-2026-60485

Prompty is a markdown file format .prompty for LLM prompts. Prior to 2.0.0-beta.2, Prompty loaders expanded $file:... references in .prompty frontmatter without enforcing that resolved paths stayed within the prompt directory or allowed roots, allowing an attacker-controlled prompt file to read...

7.5CVSS6.1AI score
Exploits0References3
ptsecurity
ptsecurity
added 22 hours ago6 views

PT-2026-60486

The Microsoft 365 and Microsoft Entra ID Plugins for Moodle provide Office 365 and Azure Active Directory integration for Moodle. Prior to 4.5.6, 5.0.5, and 5.1.1, the Microsoft Office 365 Integration plugin local o365 Teams SSO endpoint sso login.php base64-decodes a JWT payload and authenticate...

9.3CVSS6.1AI score
Exploits0References8
ptsecurity
ptsecurity
added 22 hours ago6 views

PT-2026-60487

SimpleChat is a secure AI conversation application with personal and group workspaces for document-grounded interactions. Prior to 0.241.203, the authenticated GET /api/user/info/ and GET /api/user/profile-image/ endpoints in application/single app/route backend users.py accepted a caller-supplie...

4.3CVSS6.1AI score
Exploits0References4
ptsecurity
ptsecurity
added 22 hours ago4 views

PT-2026-60488

SimpleChat is a secure AI conversation application with personal and group workspaces for document-grounded interactions. Prior to 0.241.206, several plugin validation routes in application/single app/plugin validation endpoint.py, including POST /api/admin/plugins/test-instantiation, GET...

8.6CVSS6.1AI score
Exploits0References4
ptsecurity
ptsecurity
added 22 hours ago6 views

PT-2026-60490

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, kiota info read x-ms-kiota-info.languagesInformation..dependencyInstallCommand plus dependency name and version values from an OpenAPI description and presented the spec-supplied command as Kiota's recommended install command,...

9.3CVSS6.2AI score
Exploits0References5
ptsecurity
ptsecurity
added 22 hours ago6 views

PT-2026-60491

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, Kiota emitted x-ms-kiota-info clientClassName and clientNamespaceName values without identifier or path sanitization as both generated client class or namespace names and generated output path components when kiota generate ra...

9.3CVSS6.2AI score
Exploits0References5
ptsecurity
ptsecurity
added 22 hours ago5 views

PT-2026-60553

An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. URLAUTH token forgery can occur via a missing mboxkey. If an attacker knew a folder name on the victim's account for which the victim had never issued an auth URL, they could forge a working URLAUTH token by computing an HMAC-SH...

4CVSS6.1AI score
Exploits0References2
ptsecurity
ptsecurity
added 22 hours ago5 views

PT-2026-60554

An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. GENURLAUTH-issued tokens can bypass ACLs. Any authenticated user could mint a URLAUTH token via the GENURLAUTH command for any mailbox they could name, even without read access on it. This would allow reading mail from mailboxes...

3.5CVSS6.1AI score
Exploits0References2
ptsecurity
ptsecurity
added 22 hours ago5 views

PT-2026-60555

An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. URLAUTH does not honor revoked authorizer access. A URLAUTH URL minted while the authorizer had access continued to work after that access was revoked...

3.5CVSS6.1AI score
Exploits0References2
ptsecurity
ptsecurity
added 22 hours ago5 views

PT-2026-60556

An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. There is heap exposure in nested MIME comment parsing. An authenticated IMAP user could craft an email message containing an RFC 822 comment ending with a backslash. When parsing the message, the server would read past the...

3.1CVSS6.1AI score
Exploits0References2
ptsecurity
ptsecurity
added 22 hours ago5 views

PT-2026-60557

An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. LISTRIGHTS os not limited to users with admin access. An authenticated user could call IMAP LISTRIGHTS against any mailbox they could name and learn what principals had what access to it. This action should have been restricted ...

4.3CVSS6.1AI score
Exploits0References2
ptsecurity
ptsecurity
added 22 hours ago5 views

PT-2026-60519

stoatchat before 0.14.0 contains a server-side request forgery SSRF vulnerability that allows unauthenticated network-accessible attackers to bypass the DNS-based IP blocklist by exploiting incomplete address validation in the url is blacklisted function, which inspects only the first resolved...

8.6CVSS6.1AI score
Exploits0References5
ptsecurity
ptsecurity
added 22 hours ago7 views

PT-2026-60520

During an internal security assessment, a potential improper access control vulnerability was discovered in Lenovo Smart Connect for Windows that could allow a local authenticated user to access files owned by a different user on the same system...

6.8CVSS6.1AI score
Exploits0References3
ptsecurity
ptsecurity
added 22 hours ago5 views

PT-2026-60472

HCL DFXAnalytics is affected by a Deprecated Protocol vulnerability due to the use of TLS 1.0 and TLS 1.1. These legacy protocols contain numerous cryptographic design flaws that expose data to interception and decryption. To remediate this risk, the application must disable all support for TLS 1...

5.9CVSS6.1AI score
Exploits0References2
ptsecurity
ptsecurity
added 22 hours ago5 views

PT-2026-60475

A flaw was found in PipeWire, a multimedia server. This vulnerability allows an attacker to escape sandboxed applications, such as Flatpak, by exploiting PipeWire's PulseAudio compatibility layer. An attacker with minimal permissions within a sandboxed environment can load a malicious library,...

8.8CVSS6.4AI score
Exploits0References3
ptsecurity
ptsecurity
added 22 hours ago6 views

PT-2026-60467

HCL DFXAnalytics is affected by a Login Replay Attack vulnerability. The application allows a remote attacker to intercept, delay, or fraudulently retransmit valid authentication data to achieve unauthorized access. To mitigate this risk, the application must implement a mechanism to include...

2.6CVSS6.2AI score
Exploits0References2
ptsecurity
ptsecurity
added 22 hours ago4 views

PT-2026-60451

A severe structural breakdown in core cloud identity protocols has escalated over the last 24 hours. Security researchers have publicly disclosed "TokenShifter", a critical TOCTOU Time-of-Check to Time-of-Use vulnerability tracked as CVE-2026-72134, heavily impacting OAuth 2.0 token issuance logi...

6.1AI score
Exploits0References1
ptsecurity
ptsecurity
added 22 hours ago6 views

PT-2026-60510

A potential out-of-bounds write vulnerability could allow a local privileged attacker to modify power management settings in System Management Mode...

6.8CVSS6.1AI score
Exploits0References2
ptsecurity
ptsecurity
added 22 hours ago5 views

PT-2026-60511

A potential vulnerability could allow a local privileged attacker to disclose the address of protected System Management Mode memory...

6.7CVSS6.1AI score
Exploits0References2
ptsecurity
ptsecurity
added 22 hours ago4 views

PT-2026-60513

A potential missing authentication vulnerability could allow a local privileged attacker to use WMI commands to arbitrarily trigger a System Management Interrupt handler...

6.7CVSS6.1AI score
Exploits0References2
ptsecurity
ptsecurity
added 22 hours ago9 views

PT-2026-60518

The Janssen Project is an open-source identity and access management IAM platform. Prior to 2.0.0, jans-auth-server accepts unsigned JWE request objects because JwtAuthorizationRequest skips inner signature validation when jwe.getSignedJWTPayload returns null, and...

5.3CVSS6.1AI score0.00044EPSS
Exploits0References5
ptsecurity
ptsecurity
added 22 hours ago5 views

PT-2026-60521

A potential insecure permissions vulnerability was reported in Legion Zone and the Lenovo App Store Windows applications, distributed exclusively in the Chinese market, that when installed on a non‑system partition, could allow a local user to execute arbitrary code...

7.3CVSS6.3AI score
Exploits0References2
ptsecurity
ptsecurity
added 22 hours ago6 views

PT-2026-60533

Emlog is an open source website building system. In 2.6.13 and earlier, the article publishing interface stores a path-traversal template parameter from api controller.php without validation, and log controller.php later checks file exists and calls include View::getView$template, allowing an...

7.7CVSS6.2AI score0.00177EPSS
Exploits0References2
Total number of security vulnerabilities187283