Lucene search
K
PtsecurityRecent

184549 matches found

Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.7 views

PT-2026-55039

Name of the Vulnerable Software and Affected Versions Heateor Social Login versions prior to 1.1.40 Description An unauthenticated Cross Site Request Forgery CSRF issue exists in the Heateor Social Login plugin. CSRF is a flaw that allows an attacker to trick a victim into performing actions they...

8.1CVSS6AI score0.00139EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.9 views

PT-2026-55041

Name of the Vulnerable Software and Affected Versions Kit formerly ConvertKit for WooCommerce versions prior to 2.1.6 Description An unauthenticated sensitive data exposure issue exists in the plugin, allowing unauthorized users to access confidential information without providing credentials...

5.3CVSS5.9AI score0.00206EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.6 views

PT-2026-55045

Name of the Vulnerable Software and Affected Versions pCloud WP Backup versions prior to 2.0.3 Description An unauthenticated Cross Site Request Forgery CSRF issue exists in the pCloud WP Backup plugin. CSRF is a flaw that allows an attacker to trick a victim into performing actions they did not...

7.1CVSS6AI score0.00116EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.10 views

PT-2026-54999

Unauthenticated Cross Site Scripting XSS in MC Woocommerce Wishlist = 1.9.19 versions...

7.1CVSS5.8AI score0.00191EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.13 views

PT-2026-55270

Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability in Erlang/OTP ssl tls gen connection module allows a network-positioned attacker to inject unauthenticated plaintext that the TLS client application later treats as authenticated server data. Th...

6.3CVSS5.8AI score0.00135EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.11 views

PT-2026-55010

Name of the Vulnerable Software and Affected Versions Blocksy Companion Pro versions prior to 2.1.47 Description An unauthenticated remote code execution flaw allows an attacker to execute arbitrary code on the site without requiring login credentials. Recommendations Update to a version newer th...

10CVSS6.8AI score0.00697EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.10 views

PT-2026-55334

Name of the Vulnerable Software and Affected Versions Fireware OS versions 12.1 through 12.12 Fireware OS versions 2025.1 through 2026.2 Description An Out-of-bounds Write occurs in the ikestubd process, which may allow an authenticated privileged user to execute arbitrary code by sending special...

8.6CVSS6.3AI score0.00546EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.12 views

PT-2026-55321

Name of the Vulnerable Software and Affected Versions Microsoft Entra Provisioning Service SyncFabric affected versions not specified Description Server-side request forgery SSRF in the Microsoft Entra Provisioning Service SyncFabric allows an authorized attacker to elevate privileges over a...

9.9CVSS5.9AI score0.0063EPSS
Exploits0References12
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.8 views

PT-2026-55448

A CPU exhaustion vulnerability exists in Conform's parseSubmission future API when parsing FormData or URLSearchParams submissions with many unique field names. The parser previously looked up values by field name, which could require repeated scans of the submitted entries and cause excessive...

8.7CVSS5.8AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.7 views

PT-2026-54629

The Houzez Property Feed plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.5.46 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query in the prepare items metho...

4.9CVSS5.8AI score0.00288EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.10 views

PT-2026-55407

Summary SQLChatAgent in langroid ships a validate query defense-in-depth layer whose DANGEROUS SQL PATTERNS regex blocklist enumerates dangerous SQL primitives by specific function name. The list misses the canonical PostgreSQL filesystem-disclosure family pg read file, pg stat file, pg ls logdir...

8.7CVSS6.2AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.12 views

PT-2026-55479

Am I affected You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your node listens on the default :: address on a Linux host the standard deployment configuration — net.ipv6.bindv6only=0 is the default on all common Linux distributions. 3. Your node is synced near the chain tip...

7.5CVSS5.8AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.10 views

PT-2026-54616

The Adminify WordPress plugin before 4.2.10 does not perform per-user read-capability checks on the results returned by one of its administration search features, allowing users with a low-privilege role Contributor to disclose non-public content that WordPress would not otherwise expose to them,...

5.7AI score0.00189EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.9 views

PT-2026-55197

Improper neutralization of input during web page generation 'cross-site scripting' vulnerability in TR7 Cyber ​​Defense Inc. WAF-ASP allows Stored XSS. This issue affects WAF-ASP: from v1.0.324.900 before v1.4.0.117...

5.4CVSS5.8AI score0.00133EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.6 views

PT-2026-55023

Unauthenticated Cross Site Scripting XSS in Simple Link Directory = 15.0.5 versions...

7.1CVSS5.8AI score0.00191EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.9 views

PT-2026-55002

Unauthenticated Cross Site Scripting XSS in ReviewX = 2.3.10 versions...

7.1CVSS5.8AI score0.00191EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.8 views

PT-2026-55257

A malicious actor with access to the network and low privileges could exploit an authenticated SQL Injection vulnerability found in UniFi Protect Application to escalate privileges on the host device...

8.8CVSS5.8AI score0.00249EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.11 views

PT-2026-55361

Summary When Steeltoe management endpoints are configured to listen on an alternate port Management:Endpoints:Port is configured, the middleware responsible for restricting access to the endpoints uses the Host HTTP header rather than the actual network socket port. Impact An unauthenticated remo...

8.2CVSS6AI score0.00238EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.13 views

PT-2026-54989

Unauthenticated Cross Site Scripting XSS in Internal Links Manager = 3.0.3 versions...

7.1CVSS5.8AI score0.00191EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.7 views

PT-2026-55400

Summary A Server-Side Request Forgery SSRF vulnerability exists in the Mautic Focus component MauticFocusBundle. Under certain conditions, insufficiency in validating user-supplied URLs allows authenticated users to trigger outbound HTTP requests from the hosting server. Impact An authenticated...

6.4CVSS5.9AI score0.00138EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.8 views

PT-2026-54937

Name of the Vulnerable Software and Affected Versions Product Video Gallery for Woocommerce versions prior to 1.5.1.9 Description Stored Cross-Site Scripting occurs due to insufficient input sanitization and output escaping. Authenticated attackers with shop manager-level access or higher can...

4.4CVSS6.1AI score0.00263EPSS
Exploits1References13
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.9 views

PT-2026-55300

LobeChat through 2.2.9 contains a broken object level authorization vulnerability that allows authenticated attackers to access and modify other users' chat-group agent data by supplying arbitrary group identifiers. Attackers can invoke the getGroupAgents, updateAgentInGroup, and...

5CVSS5.9AI score0.0018EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.11 views

PT-2026-55421

Summary Fake package roots could influence memory-core artifact loading. In affected versions, a local package root resolution path influenced by workspace state could select a package root that was not the intended bundled artifact root. This advisory is scoped to the named feature and...

7.8CVSS5.9AI score0.00114EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.10 views

PT-2026-55425

Summary There is a mass-assignment flaw in the bulk-duplicate element action. Alice, holding only the permission to duplicate an entry she owns, submits an arbitrary id through the newAttributes request parameter. The duplication routine overrides its own id = null reset with that value and write...

7.1CVSS5.9AI score0.00253EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.7 views

PT-2026-55456

Summary 9router uses a publicly known hardcoded string "9router-default-secret-change-me" as the fallback of JWT secret for all Dashboard session JWTs when the JWT SECRET environment variable is not set. Because this secret is committed in the public repository and unchanged across all releases,...

9.8CVSS5.8AI score0.0019EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.9 views

PT-2026-55478

Summary In the Debian.sudoers file, apt-get is allowed for the nagios user. The full command including the arguments are not enforced and can therefore be choosen arbitrarily. This allows to easily get a root shell as the nagios user: PoC By choosing a particular argument, you can get as a nagios...

8.4CVSS5.8AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.8 views

PT-2026-55000

Unauthenticated Cross Site Scripting XSS in Search Atlas SEO = 2.6.6 versions...

7.1CVSS5.8AI score0.00191EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.10 views

PT-2026-55008

Unauthenticated PHP Object Injection in Booktics = 1.0.21 versions...

9.8CVSS5.8AI score0.00336EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.9 views

PT-2026-54996

Subscriber Broken Access Control in Link Whisper Premium = 2.9.0 versions...

6.5CVSS5.8AI score0.00299EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.9 views

PT-2026-54623

GeoWebPlayer also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud is an addon that can be installed with various GeoVision software GV-VMS, GV-Cloud, .... It creates a websocket server that expands the capabilities of the various web-interfaces provided by the...

8.8CVSS5.7AI score0.00227EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.7 views

PT-2026-54624

GeoWebPlayer also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud is an addon that can be installed with various GeoVision software GV-VMS, GV-Cloud, .... It creates a websocket server that expands the capabilities of the various web-interfaces provided by the...

8.3CVSS5.8AI score0.00215EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.8 views

PT-2026-54881

Name of the Vulnerable Software and Affected Versions GeoWebPlayer affected versions not specified Description The GeoWebPlayer addon, which creates a websocket server to expand web-interface capabilities for GeoVision software, contains a memory corruption issue. The handle connection info...

8.3CVSS5.8AI score0.00286EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.8 views

PT-2026-54879

Name of the Vulnerable Software and Affected Versions GeoWebPlayer affected versions not specified Description The GeoWebPlayer websocket server, used as an addon for GeoVision software such as GV-VMS and GV-Cloud, contains a memory corruption issue. The handle connection info function, which...

8.3CVSS6AI score0.00286EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.8 views

PT-2026-54883

GeoWebPlayer also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud is an addon that can be installed with various GeoVision software GV-VMS, GV-Cloud, .... It creates a websocket server that expands the capabilities of the various web-interfaces provided by the...

8.3CVSS5.9AI score0.0028EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.7 views

PT-2026-54973

Name of the Vulnerable Software and Affected Versions LMS versions prior to 9.8 Description An unauthenticated Cross Site Scripting XSS issue exists, allowing an attacker to execute malicious scripts in the victim's browser without requiring authentication. Recommendations Update to a version new...

7.1CVSS6AI score0.0018EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.17 views

PT-2026-55231

Name of the Vulnerable Software and Affected Versions UniFi Connect Application versions prior to 3.4.17 Description An improper access control flaw exists in the UniFi Connect Application. A malicious actor with network access can exploit this issue to execute arbitrary commands on the host devi...

10CVSS6.4AI score0.00826EPSS
Exploits0References29
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.10 views

PT-2026-54993

Unauthenticated Cross Site Scripting XSS in WP Debugging = 2.12.2 versions...

7.1CVSS5.8AI score0.00191EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.10 views

PT-2026-55352

Summary The inline query parameter on the browsable-share file download and on the authenticated user file download suppressed Content-Disposition: attachment, so an HTML file stored in a share or home directory could be served as text/html and execute in SFTPGo's web origin stored XSS. Impact Lo...

3.7CVSS5.8AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.10 views

PT-2026-55033

Contributor Broken Access Control in Flatsome = 3.20.5 versions...

6.5CVSS5.8AI score0.0021EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.14 views

PT-2026-55358

Summary Configuring encrypt:rsa:algorithm=OAEP does not enable OAEP encryption. Due to an incorrect BouncyCastle transformation string, the OAEP setting selects PKCS1 v1.5, which is the same algorithm as the DEFAULT setting. Impact Operators who configure encrypt:rsa:algorithm=OAEP to obtain...

1.9CVSS5.8AI score0.00046EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.11 views

PT-2026-54949

The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'notinstring' parameter of the wprp load more revs AJAX action in versions up to, and including, 12.7.2. The parameter is read via $ POST'notinstring' and passed through sanitize text field — which strips HTML an...

7.5CVSS6AI score0.00374EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.9 views

PT-2026-55452

Summary SimpleSAMLphp's HTTP-Artifact receive path can treat an unsigned embedded SAML Response as cryptographically valid for the wrong IdP. In the HTTPArtifact::receive flow, the SOAP ArtifactResponse receives a TLS-based validator from SOAPClient::addSSLValidator. The embedded SAML Response th...

8.7CVSS5.9AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.9 views

PT-2026-55027

Unauthenticated Cross Site Scripting XSS in WowAddons = 1.6.14 versions...

7.1CVSS5.8AI score0.00191EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.17 views

PT-2026-55313

Name of the Vulnerable Software and Affected Versions fast-mcp-telegram versions prior to 0.19.1 Description fast-mcp-telegram validates HTTP Bearer tokens by joining the raw token string into a session-file path. While the verifier rejects the exact reserved token telegram, it fails to reject pa...

9.4CVSS6AI score0.00423EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.9 views

PT-2026-54982

Editor Arbitrary Code Execution in Five Star Business Profile and Schema = 2.3.19 versions...

9.1CVSS5.9AI score0.00397EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.9 views

PT-2026-54970

An unauthenticated remote attacker can exhaust server memory via the GetEndpoints Discovery Service in open62541. The endpointUrl field of GetEndpointsRequest is not validated for length. An attacker can declare an arbitrarily large string up to 4.09 GB via the UInt32 length field delivered acros...

7.5CVSS5.8AI score0.00386EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.11 views

PT-2026-55420

Impact A command injection vulnerability exists in electerm's file system operations rmrf, mv, cp in src/app/lib/fs.js. These functions construct shell commands by interpolating file paths directly into command strings without escaping shell metacharacters. Vulnerable functions: - rmrf - Uses rm...

8.8CVSS6.2AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.8 views

PT-2026-54988

Unauthenticated Cross Site Scripting XSS in Classified Listing = 5.4.2 versions...

7.1CVSS5.8AI score0.00191EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.9 views

PT-2026-55391

Am I affected You are affected if: 1. You run any version of zebrad up to and including v4.4.1. 2. Your node validates blocks on mainnet, testnet, or any network where both Zebra and zcashd nodes participate. All default configurations are affected. No feature flags, non-default settings, or...

9.3CVSS6AI score
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.7 views

PT-2026-54950

A vulnerability was discovered on StormShield Network Security 4.3.0 to 4.3.41 included, 4.8.0 to 4.8.15 included , 5.0.0 to 5.0.5 included There is a possible leak of secret information if administration commands have been passed with the CLI command line tool. Someone with SSH access to the...

4.3CVSS5.8AI score0.00212EPSS
Exploits0References2
Total number of security vulnerabilities184549