Lucene search
K
PtsecurityRecent

184508 matches found

Positive Technologies
Positive Technologies
added 2026/07/03 12:0 a.m.15 views

PT-2026-55600

Name of the Vulnerable Software and Affected Versions Gitea versions prior to 1.25.5 Description A flaw allows a user to change the primary email address of another user. Recommendations Update to version 1.25.5 or later...

7.5CVSS6.1AI score0.00345EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/07/03 12:0 a.m.17 views

PT-2026-55590

Name of the Vulnerable Software and Affected Versions Gitea version 1.26.2 Description Fork synchronization continues even after a parent repository is changed from public to private. This behavior allows a fork to maintain access and synchronize data from a repository that should no longer be...

7.5CVSS7AI score0.00482EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.6 views

PT-2026-55466

Finding Location: core/src/server/render-to-string.ts:307-311 CSS value sanitization stripped expression and urljavascript: using simple regex, but could be bypassed with CSS unicode escapes 65xpression, null bytes, or CSS comments exp//ression. Mitigating Factor: These CSS injection vectors only...

5.3CVSS5.8AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.4 views

PT-2026-55556

These are all security issues fixed in the kitty-0.47.4-2.1 package on the GA media of openSUSE Tumbleweed...

7.5CVSS5.9AI score0.00346EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.6 views

PT-2026-55460

Name of the Vulnerable Software and Affected Versions Contour versions prior to 1.33.5 Description An issue exists when an HTTPProxy is configured with both .spec.virtualhost.tls.enableFallbackCertificate: true and .spec.virtualhost.jwtProviders. In this scenario, the system fails to reject the...

6.5CVSS6AI score0.00023EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.10 views

PT-2026-55264

Landray OA contains an unauthenticated HQL injection vulnerability that allows unauthenticated attackers to query arbitrary Hibernate entity classes by injecting malicious HQL syntax into the uid POST parameter of the wechatLoginHelper.do endpoint. Attackers can exploit the lack of input...

8.7CVSS6.2AI score0.00564EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.7 views

PT-2026-55390

Impact When an HTTPProxy is configured with incompatible combination of both .spec.virtualhost.tls.enableFallbackCertificate: true and .spec.virtualhost.jwtProviders, Contour does not reject the configuration. Consequently, requests from clients that do not send TLS SNI or send an unrecognized SN...

6.5CVSS5.8AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.5 views

PT-2026-55360

A CPU exhaustion vulnerability exists in Conform's parseSubmission future API when parsing FormData or URLSearchParams submissions with many unique field names. The parser previously looked up values by field name, which could require repeated scans of the submitted entries and cause excessive...

8.7CVSS5.8AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.7 views

PT-2026-54941

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.11. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

5.3CVSS5.9AI score0.00283EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.6 views

PT-2026-55359

Description Am I affected You are affected if: 1. You run any version of zebrad up to and including v4.4.1. 2. Your node accepts inbound P2P connections network.listen addr is set, which is the default. 3. Your node processes blocks past the checkpoint height non-finalized state is active. All...

8.7CVSS5.8AI score
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.8 views

PT-2026-55006

Unauthenticated Cross Site Scripting XSS in WPAdverts = 2.3.1 versions...

7.1CVSS5.8AI score0.00191EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.12 views

PT-2026-54992

Unauthenticated Cross Site Scripting XSS in WPeMatico RSS Feed Fetcher = 2.8.17 versions...

7.1CVSS5.8AI score0.00191EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.8 views

PT-2026-55419

Summary fast-mcp-telegram validates HTTP Bearer tokens by joining the raw token string into a session-file path. The verifier rejects the exact reserved token telegram, but it does not reject path separators or normalize the path before checking whether the session file exists. A remote HTTP clie...

9.4CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.12 views

PT-2026-55437

It was discovered that LibVNCServer incorrectly handled the Tight decoder in libvncclient. A remote attacker could use this issue to cause LibVNCServer to crash, resulting in a denial of service, or possibly execute arbitrary code...

6AI score0.00113EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.11 views

PT-2026-55477

Name of the Vulnerable Software and Affected Versions Algernon version 1.17.8 Description On Windows hosts using the NTFS filesystem, an unauthenticated client can retrieve the raw source code of server-side scripts such as .lua, .tl, .po2, .amber, or .frm located on public paths. This occurs...

8.7CVSS6.1AI score0.00077EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.9 views

PT-2026-55369

Summary SimpleSAMLphp's HTTP-Artifact receive path can treat an unsigned embedded SAML Response as cryptographically valid for the wrong IdP. In the HTTPArtifact::receive flow, the SOAP ArtifactResponse receives a TLS-based validator from SOAPClient::addSSLValidator. The embedded SAML Response th...

8.7CVSS5.9AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.9 views

PT-2026-55054

u5CMS through v12.8.8 is vulnerable to reflected XSS via the ‘thanks’ parameter in multiple form components...

6.4CVSS5.8AI score0.00269EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.9 views

PT-2026-55470

Am I affected You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your node accepts inbound P2P connections network.listen addr is set, which is the default. 3. Your node's mempool is active node is synced near the chain tip. All default configurations are affected. Summary The...

5.3CVSS5.7AI score
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.7 views

PT-2026-55039

Name of the Vulnerable Software and Affected Versions Heateor Social Login versions prior to 1.1.40 Description An unauthenticated Cross Site Request Forgery CSRF issue exists in the Heateor Social Login plugin. CSRF is a flaw that allows an attacker to trick a victim into performing actions they...

8.1CVSS6AI score0.00139EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.9 views

PT-2026-55041

Name of the Vulnerable Software and Affected Versions Kit formerly ConvertKit for WooCommerce versions prior to 2.1.6 Description An unauthenticated sensitive data exposure issue exists in the plugin, allowing unauthorized users to access confidential information without providing credentials...

5.3CVSS5.9AI score0.00206EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.13 views

PT-2026-54985

Customer Path Traversal in Tax Exempt for WooCommerce = 1.9.3 versions...

6.5CVSS5.8AI score0.00343EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.6 views

PT-2026-55045

Name of the Vulnerable Software and Affected Versions pCloud WP Backup versions prior to 2.0.3 Description An unauthenticated Cross Site Request Forgery CSRF issue exists in the pCloud WP Backup plugin. CSRF is a flaw that allows an attacker to trick a victim into performing actions they did not...

7.1CVSS6AI score0.00116EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.10 views

PT-2026-54999

Unauthenticated Cross Site Scripting XSS in MC Woocommerce Wishlist = 1.9.19 versions...

7.1CVSS5.8AI score0.00191EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.3 views

PT-2026-55439

It was discovered that cifs-utils incorrectly dropped root privileges before looking up user information. A local attacker could possibly use this issue to execute arbitrary code as the root user...

7.8CVSS6.1AI score0.0012EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.13 views

PT-2026-55270

Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability in Erlang/OTP ssl tls gen connection module allows a network-positioned attacker to inject unauthenticated plaintext that the TLS client application later treats as authenticated server data. Th...

6.3CVSS5.8AI score0.00135EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.11 views

PT-2026-55010

Name of the Vulnerable Software and Affected Versions Blocksy Companion Pro versions prior to 2.1.47 Description An unauthenticated remote code execution flaw allows an attacker to execute arbitrary code on the site without requiring login credentials. Recommendations Update to a version newer th...

10CVSS6.8AI score0.00697EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.10 views

PT-2026-55334

Name of the Vulnerable Software and Affected Versions Fireware OS versions 12.1 through 12.12 Fireware OS versions 2025.1 through 2026.2 Description An Out-of-bounds Write occurs in the ikestubd process, which may allow an authenticated privileged user to execute arbitrary code by sending special...

8.6CVSS6.3AI score0.00546EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.12 views

PT-2026-55321

Name of the Vulnerable Software and Affected Versions Microsoft Entra Provisioning Service SyncFabric affected versions not specified Description Server-side request forgery SSRF in the Microsoft Entra Provisioning Service SyncFabric allows an authorized attacker to elevate privileges over a...

9.9CVSS5.9AI score0.0063EPSS
Exploits0References12
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.7 views

PT-2026-54629

The Houzez Property Feed plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.5.46 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query in the prepare items metho...

4.9CVSS5.8AI score0.00288EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.10 views

PT-2026-55407

Summary SQLChatAgent in langroid ships a validate query defense-in-depth layer whose DANGEROUS SQL PATTERNS regex blocklist enumerates dangerous SQL primitives by specific function name. The list misses the canonical PostgreSQL filesystem-disclosure family pg read file, pg stat file, pg ls logdir...

8.7CVSS6.2AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.12 views

PT-2026-55479

Am I affected You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your node listens on the default :: address on a Linux host the standard deployment configuration — net.ipv6.bindv6only=0 is the default on all common Linux distributions. 3. Your node is synced near the chain tip...

7.5CVSS5.8AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.10 views

PT-2026-54616

The Adminify WordPress plugin before 4.2.10 does not perform per-user read-capability checks on the results returned by one of its administration search features, allowing users with a low-privilege role Contributor to disclose non-public content that WordPress would not otherwise expose to them,...

5.7AI score0.00189EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.9 views

PT-2026-55197

Improper neutralization of input during web page generation 'cross-site scripting' vulnerability in TR7 Cyber ​​Defense Inc. WAF-ASP allows Stored XSS. This issue affects WAF-ASP: from v1.0.324.900 before v1.4.0.117...

5.4CVSS5.8AI score0.00133EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.6 views

PT-2026-55382

Summary Workspace .env could override Homebrew executable selection for skill install flows. In affected versions, a workspace .env in a repository opened by a trusted operator could override the Homebrew executable used by the install helper. This advisory is scoped to the named feature and...

8.8CVSS6AI score0.00298EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.6 views

PT-2026-55023

Unauthenticated Cross Site Scripting XSS in Simple Link Directory = 15.0.5 versions...

7.1CVSS5.8AI score0.00191EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.9 views

PT-2026-55002

Unauthenticated Cross Site Scripting XSS in ReviewX = 2.3.10 versions...

7.1CVSS5.8AI score0.00191EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.8 views

PT-2026-55257

A malicious actor with access to the network and low privileges could exploit an authenticated SQL Injection vulnerability found in UniFi Protect Application to escalate privileges on the host device...

8.8CVSS5.8AI score0.00249EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.6 views

PT-2026-54615

The Envo's Templates & Widgets for Elementor and WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check on the Envo Tabs and Off Canvas widget's template rendering in versions up to, and including, 1.4.26. The render method of the Tabs...

4.3CVSS5.7AI score0.00223EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.8 views

PT-2026-55424

Am I affected You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your node processes blocks on any Zcash network. Summary The finalized transparent address balance writer processes all newly-created outputs credits before processing spent outputs debits within the same block. A...

6.9CVSS5.9AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.11 views

PT-2026-55343

Am I affected You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your node participates in a network where chain forks occur mainnet, testnet, or any network with multiple miners. All default configurations are affected. The corruption persists across restarts because it is...

6.5CVSS5.8AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.11 views

PT-2026-55361

Summary When Steeltoe management endpoints are configured to listen on an alternate port Management:Endpoints:Port is configured, the middleware responsible for restricting access to the endpoints uses the Host HTTP header rather than the actual network socket port. Impact An unauthenticated remo...

8.2CVSS6AI score0.00238EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.13 views

PT-2026-54989

Unauthenticated Cross Site Scripting XSS in Internal Links Manager = 3.0.3 versions...

7.1CVSS5.8AI score0.00191EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.7 views

PT-2026-55400

Summary A Server-Side Request Forgery SSRF vulnerability exists in the Mautic Focus component MauticFocusBundle. Under certain conditions, insufficiency in validating user-supplied URLs allows authenticated users to trigger outbound HTTP requests from the hosting server. Impact An authenticated...

6.4CVSS5.9AI score0.00138EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.8 views

PT-2026-54937

Name of the Vulnerable Software and Affected Versions Product Video Gallery for Woocommerce versions prior to 1.5.1.9 Description Stored Cross-Site Scripting occurs due to insufficient input sanitization and output escaping. Authenticated attackers with shop manager-level access or higher can...

4.4CVSS6.1AI score0.00263EPSS
Exploits1References13
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.10 views

PT-2026-55295

Pathway through 0.31.1, fixed in commit d09722e, document store applies a caller-supplied glob pattern to indexed document paths using a hand-written recursive matcher that branches two ways on each token without memoization, giving exponential worst-case complexity. The filepath globpattern valu...

8.7CVSS5.9AI score0.0047EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.9 views

PT-2026-55300

LobeChat through 2.2.9 contains a broken object level authorization vulnerability that allows authenticated attackers to access and modify other users' chat-group agent data by supplying arbitrary group identifiers. Attackers can invoke the getGroupAgents, updateAgentInGroup, and...

5CVSS5.9AI score0.0018EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.11 views

PT-2026-55421

Summary Fake package roots could influence memory-core artifact loading. In affected versions, a local package root resolution path influenced by workspace state could select a package root that was not the intended bundled artifact root. This advisory is scoped to the named feature and...

7.8CVSS5.9AI score0.00114EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.9 views

PT-2026-55384

Summary A Server-Side Template Injection SSTI vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code...

9.9CVSS6.1AI score0.00439EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.10 views

PT-2026-55425

Summary There is a mass-assignment flaw in the bulk-duplicate element action. Alice, holding only the permission to duplicate an entry she owns, submits an arbitrary id through the newAttributes request parameter. The duplication routine overrides its own id = null reset with that value and write...

7.1CVSS5.9AI score0.00253EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.8 views

PT-2026-55383

Finding Location: core/src/server/render-to-string.ts:307-311 CSS value sanitization stripped expression and urljavascript: using simple regex, but could be bypassed with CSS unicode escapes 65xpression, null bytes, or CSS comments exp//ression. Mitigating Factor: These CSS injection vectors only...

5.3CVSS5.8AI score
Exploits0References4
Total number of security vulnerabilities184508