Lucene search
+L
PtsecurityRecent

187600 matches found

Positive Technologies
Positive Technologies
added 13 hours ago4 views

PT-2026-60920

The W3SC Elementor to Zoho CRM plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.0. This is due to missing or incorrect nonce validation on the storeInfo function. This makes it possible for unauthenticated attackers to modify the plugin's...

4.3CVSS5.2AI score
Exploits0References5
Positive Technologies
Positive Technologies
added 13 hours ago4 views

PT-2026-60923

A vulnerability was determined in Sipeed PicoClaw up to 0.2.9. The affected element is an unknown function of the file web/backend/api/auth.go. Executing a manipulation can lead to cross-site request forgery. The attack can be launched remotely. The exploit has been publicly disclosed and may be...

5.3CVSS4.5AI score
Exploits0References9
Positive Technologies
Positive Technologies
added 13 hours ago5 views

PT-2026-60929

VMware Avi Load Balancer contains a remote code execution vulnerability. A malicious user with network access may be able to access the Avi Control plane and execute code remotely. Affected versions: 32.1.1 fixed in 32.1.2 31.1.1 through 31.2.2 fixed in 31.2.2-2p3 30.1.1 through 30.2.6 fixed in...

8.7CVSS6.3AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 13 hours ago4 views

PT-2026-60922

A vulnerability was found in AstrBotDevs AstrBot up to 4.25.5. Impacted is the function normalize rw path of the file astrbot/core/tools/computer tools/fs.py of the component Filesystem Computer-Use Tool. Performing a manipulation results in link following. The attack is only possible with local...

5.3CVSS5.3AI score
Exploits0References6
Positive Technologies
Positive Technologies
added 13 hours ago6 views

PT-2026-60921

A vulnerability has been found in AstrBotDevs AstrBot up to 4.25.5. This issue affects the function OpenApiRoute.chat send of the file astrbot/dashboard/routes/open api.py of the component API. Such manipulation of the argument Username leads to authentication bypass by spoofing. It is possible t...

6.5CVSS6.2AI score
Exploits0References6
Positive Technologies
Positive Technologies
added 13 hours ago3 views

PT-2026-60930

VMware Avi Load Balancer contains a local privilege escalation vulnerability. A malicious user with local access may be able to escalate their privileges to run code as root. Affected versions: 32.1.1 fixed in 32.1.2 31.1.1 through 31.2.2 fixed in 31.2.2-2p3 30.1.1 through 30.2.6 fixed in 30.2.7...

7.8CVSS5.3AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 13 hours ago3 views

PT-2026-60927

A security vulnerability has been detected in Sipeed PicoClaw up to 0.2.9. Affected is the function NewContextBuilder of the file pkg/agent/context.go. Such manipulation leads to inclusion of functionality from untrusted control sphere. The attack needs to be performed locally. The exploit has be...

5.3CVSS5.1AI score
Exploits0References7
Positive Technologies
Positive Technologies
added 13 hours ago6 views

PT-2026-60926

A weakness has been identified in Sipeed PicoClaw up to 0.2.9. This impacts the function web fetch of the file pkg/tools/integration/web.go. This manipulation causes server-side request forgery. Remote exploitation of the attack is possible. The exploit has been made available to the public and...

7.5CVSS6.9AI score
Exploits0References9
Positive Technologies
Positive Technologies
added 13 hours ago3 views

PT-2026-60932

A flaw has been found in Shibby Tomato 1.28 RT-N5x MIPSR2 Build 124. Affected by this issue is the function setup conntrack of the file /sbin/rc. Executing a manipulation of the argument ct tcp timeout can lead to out-of-bounds write. The attack may be performed from remote. This project is...

9CVSS7.5AI score
Exploits0References6
Positive Technologies
Positive Technologies
added 13 hours ago3 views

PT-2026-60931

A vulnerability was detected in halo-dev halo up to 2.24.2. Affected by this vulnerability is the function Download of the file MigrationEndpoint.java of the component Files Backup Endpoint. Performing a manipulation results in path traversal. The attack is possible to be carried out remotely. Th...

5.8CVSS4.9AI score
Exploits0References7
Positive Technologies
Positive Technologies
added 13 hours ago4 views

PT-2026-60924

A vulnerability was identified in Sipeed PicoClaw up to 0.2.9. The impacted element is the function ExecTool.executeRun of the file pkg/agent/pipeline execute.go. The manipulation of the argument cwe leads to time-of-check time-of-use. The attack must be carried out locally. The exploit is public...

5.3CVSS5.4AI score
Exploits0References6
Positive Technologies
Positive Technologies
added 13 hours ago4 views

PT-2026-60925

A security flaw has been discovered in Sipeed PicoClaw up to 0.2.9. This affects the function webhook.ParseRequest of the file pkg/channels/line/line.go of the component LINE Webhook. The manipulation results in authentication bypass by capture-replay. The attack may be launched remotely. The...

6.9CVSS5.5AI score
Exploits0References6
Positive Technologies
Positive Technologies
added 13 hours ago3 views

PT-2026-60928

VMware Avi Load Balancer contains an authorization bypass vulnerability. A malicious actor on the network can access a limited subset of the Avi Control Plane without proper authorization. Affected versions: 32.1.1 fixed in 32.1.2 31.1.1 through 31.2.2 fixed in 31.2.2-2p3 30.1.1 through 30.2.6...

8.3CVSS5.3AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 13 hours ago10 views

PT-2026-60919

A flaw has been found in AstrBotDevs AstrBot up to 4.25.5. This vulnerability affects the function OpenApiRoute.get chat sessions of the file astrbot/dashboard/routes/open api.py of the component session-listing Endpoint. This manipulation of the argument Username causes authorization bypass. It ...

5.3CVSS4.9AI score
Exploits0References5
Positive Technologies
Positive Technologies
added yesterday6 views

PT-2026-60788

Dendrite through 0.13.8 contains an improper authorization vulnerability in the Matrix Client-Server API that allows any authenticated local user to delete third-party identifier bindings belonging to other users by submitting an arbitrary address and medium to the account deletion endpoint witho...

7.1CVSS5.4AI score
Exploits0References3
Positive Technologies
Positive Technologies
added yesterday6 views

PT-2026-60780

HTTP::Date versions before 6.08 for Perl allow CPU exhaustion via polynomial regex backtracking in parse date. parse date matches the date string against a chain of alternative regexes, and str2time delegates to it. Several of these patterns place unbounded quantifiers next to each other before a...

5.4AI score
Exploits0References4
Positive Technologies
Positive Technologies
added yesterday10 views

PT-2026-60848

A flaw was found in xdgmime. A heap-based buffer overflow can be triggered in xdg mime magic parse magic line in the xdgmimemagic.c file on little-endian systems when an attacker-controlled MIME magic file in a user-writable XDG data location e.g., in the $XDG DATA HOME/mime/magic path is parsed ...

7.1CVSS5.6AI score
Exploits0References4
Positive Technologies
Positive Technologies
added yesterday9 views

PT-2026-60872

IBM Storage Protect Client 8.1.0.0 through 8.1.27.0, 8.1.27.1, and 8.2.0.0 through 8.2.1.0 IBM Storage Protect is vulnerable to a heap-based buffer overflow, caused by improper bounds checking. A remote attacker could overflow a buffer and execute arbitrary code on the system or cause the server ...

8.1CVSS6.5AI score
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday6 views

PT-2026-60860

IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow remote code execution due to incomplete validation enforcement on MCP server configuration files...

8.8CVSS6.3AI score
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday5 views

PT-2026-60839

IBM Langflow OSS 1.0.0 through 1.10.0 could allow a remote attacker to gain unauthorized access due to improper authentication in the /api/v1/login/auto login endpoint. The endpoint issues long-lived superuser bearer tokens without requiring authentication when the AUTO LOGIN configuration is...

9.8CVSS5.4AI score
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday5 views

PT-2026-60847

IBM Cognos Analytics 12.1.3 GA Version with build number through 12.1.3-2606251736 could allow an attacker to obtain incorrect report summary results or cause report-processing failures due to a race condition in the Agentic AI assistant's concurrent request-handling logic when multiple...

5.4CVSS5.3AI score
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday6 views

PT-2026-60871

IBM Langflow OSS 1.0.0 through 1.10.1 Lanflow OSS contains an unauthenticated remote code execution vulnerability in the public flow build endpoint /api/v1/build public tmp/flow id/flow . The vulnerability stems from an incomplete denylist in the validate public flow no code execution function th...

8.1CVSS6.3AI score
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday5 views

PT-2026-60852

IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 and IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 could allow an attacker with read-only privileges to make unauthorized...

6.5CVSS5.3AI score
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday6 views

PT-2026-60867

IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated users to escalate privileges to superuser by directly manipulating the database, execute arbitrary system commands, and achieve full system compromise with Langflow service permissions...

9.9CVSS5.7AI score
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday6 views

PT-2026-60869

IBM Security Verify could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system...

5.3CVSS5.3AI score
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday4 views

PT-2026-60863

IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated users to override component parameters at runtime via the API. A critical security flaw exists in the parameter filtering mechanism within the apply tweaks function...

8.8CVSS5.3AI score
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday6 views

PT-2026-60874

IBM Db2 Genius Hub 1.1, 1.1.1, 1.1.2 and IBM Agentics 1.0 could allow an attacker to execute arbitrary code or obtain sensitive information due to the use of dangerous functions without sufficient restrictions...

4.3CVSS5.9AI score
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday5 views

PT-2026-60845

IBM Engineering AI Hub 1.0.0, 1.1.0, and 1.2.0 could allow a remote attacker to obtain sensitive information due to the exposure of session tokens in URLs...

7.5CVSS4.8AI score
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday6 views

PT-2026-60857

IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 and IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 could allow a remote attacker to conduct phishing attacks, caused by an...

3.1CVSS5.6AI score
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday6 views

PT-2026-60835

IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to remote code execution when jdbc url is under user control...

7.8CVSS6.2AI score
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday7 views

PT-2026-60815

HCL DevOps Loop is affected by an Unauthorized Access to Admin Functionality Forced Browsing vulnerability. Improper authorization checks may allow unauthorized users to access restricted administrative functionality by directly accessing protected application endpoints...

4.6CVSS5.3AI score
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday7 views

PT-2026-60768

A security flaw has been discovered in mosaxiv clawlet up to 0.2.10. Impacted is the function list/remove of the file tools/tool cron.go of the component cron Chat Tool. The manipulation results in missing authorization. The attack may be performed from remote. The exploit has been released to th...

6.5CVSS6AI score
Exploits0References6
Positive Technologies
Positive Technologies
added yesterday5 views

PT-2026-60779

osTicket versions v1.18.3 and v1.17.7 contain a Broken Object Level Authorization BOLA leading to Insecure Direct Object Reference IDOR in the AJAX ticket-management subsystem...

7.1CVSS5.3AI score
Exploits0References6
Positive Technologies
Positive Technologies
added yesterday9 views

PT-2026-60711

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 6.0.13 via the 'family' parameter. This makes it possible for authenticated attackers, with editor-level access and above, to delete...

4.9CVSS6.2AI score0.00766EPSS
Exploits0References11
Positive Technologies
Positive Technologies
added yesterday9 views

PT-2026-60709

The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.6. This is due to the save filter AJAX handler storing the raw $ POST'filter' array into a WordPress option via update option without any capability check, nonce...

6.4CVSS6.2AI score0.00156EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added yesterday8 views

PT-2026-60702

The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.6 via the 'spreadsheet export form id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers,...

4.3CVSS6AI score0.00178EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added yesterday8 views

PT-2026-60713

HCL Traveler for Microsoft Outlook HTMO is susceptible to a DLL hijacking vulnerability which could allow an attacker to modify or replace the application with malicious content...

6.5CVSS6.1AI score0.00111EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday8 views

PT-2026-60704

The Kali Forms — Contact Form & Drag-and-Drop Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'digitalSignature' Field Value in all versions up to, and including, 2.4.18 due to insufficient input sanitization and output escaping. This makes it possible for...

7.2CVSS6.2AI score0.00247EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added yesterday10 views

PT-2026-60703

The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.6 via the 'spreadsheet export tmp name' parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to write .xls/.xlsx fil...

4.3CVSS6.2AI score0.00459EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added yesterday10 views

PT-2026-60700

🧑‍🚒 released sbt 1.12.14 and 2.0.3, featuring - backport of CVE-2026-26032 fix for Ivy while sbt might not be affected - update to Jawn 1.7.0 for CVE-2026-59990 and CVE-2026-61814 fixes...

5.4CVSS6.1AI score0.00583EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added yesterday9 views

PT-2026-60699

🧑‍🚒 released sbt 1.12.14 and 2.0.3, featuring - backport of CVE-2026-26032 fix for Ivy while sbt might not be affected - update to Jawn 1.7.0 for CVE-2026-59990 and CVE-2026-61814 fixes...

5.4CVSS6.1AI score0.00583EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added yesterday9 views

PT-2026-60701

The WooCommerce Placetopay Gateway and PlacetoPay/AvalPay gateway plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the 'redirect-url' parameter in versions up to, and including, 3.2.2 due to insufficient input sanitization and output escaping. This makes it possible for...

6.1CVSS6.2AI score0.0028EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added yesterday9 views

PT-2026-60705

The Fense Proxy & VPN Blocker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and missing nonce validation on the fense bpvt save settings function in versions up to, and including, 3.0.1. The callback is registered to both wp ajax and wp...

5.3CVSS6.1AI score0.00228EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added yesterday6 views

PT-2026-60719

UNSUPPORTED WHEN ASSIGNED Exposed IOCTL with Insufficient Access Control in the ASUS AURA SYNC driver allows a local user to bypass the driver's verification and invoke arbitrary IOCTLs, resulting in privilege escalation. Refer to the 'End-of-Life Notice and Driver Update for Legacy ASUS Drivers ...

7.3CVSS6.2AI score0.0009EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday9 views

PT-2026-60723

The User Registration & Membership WordPress plugin before 5.2.3 does not perform a capability check for unauthenticated callers on one of its membership payment actions and acts on a caller-supplied user identifier, allowing unauthenticated attackers to delete recently-registered, payment-pendin...

6.1AI score0.00137EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday10 views

PT-2026-60724

The WPS Bookings for WooCommerce WordPress plugin before 3.11.7 does not verify that a booking order belongs to the requesting user before cancelling it, allowing any authenticated user, such as a Subscriber or Customer, to cancel and void other customers' booking orders...

6.1AI score0.00132EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday7 views

PT-2026-60722

The User Registration & Membership WordPress plugin before 5.2.3 does not validate that the membership tier submitted during public registration is one of the tiers allowed by the registration form before assigning that tier's associated user role, allowing unauthenticated users to register into ...

6.1AI score0.00137EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday7 views

PT-2026-60721

The PhonePe Payment Solutions WordPress plugin before 3.1.0 does not properly verify the authenticity of incoming payment callbacks: the secret used to validate the callback signature is empty on sites configured through the current setup flow, so the expected signature reduces to an unkeyed hash...

6.1AI score0.00137EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday7 views

PT-2026-60718

The Aimogen Pro - All-in-One AI Content Writer, Editor, ChatBot & Automation Toolkit plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.8.4. This is due to due to a missing capability check on the 'aiomatic call google ai function' function. This...

9.8CVSS6.3AI score0.00294EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added yesterday7 views

PT-2026-60717

The WP Hotel Booking plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'check in date' parameter in all versions up to, and including, 2.3.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

6.1CVSS6.2AI score0.00215EPSS
Exploits0References7
Total number of security vulnerabilities187600