Lucene search
K
PtsecurityRecent

184549 matches found

Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.11 views

PT-2026-55409

Summary The Sanitizer component in the Environment actuator redacts configuration values by matching the configuration key name against a suffix list. The default list password, secret, key, token, .credentials., vcap services does not cover the standard .NET pattern ConnectionStrings: or Steelto...

7.5CVSS5.8AI score0.00185EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.7 views

PT-2026-55558

These are all security issues fixed in the openQA-5.1782995932.ffeb09be-1.1 package on the GA media of openSUSE Tumbleweed...

5.9AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.10 views

PT-2026-55049

Name of the Vulnerable Software and Affected Versions Simple URLs versions prior to 152 Description Cross Site Scripting XSS occurs when an application includes untrusted data in a web page without proper validation or escaping, allowing an attacker to execute malicious scripts in the victim's...

5.9CVSS6AI score0.00148EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.16 views

PT-2026-55299

Name of the Vulnerable Software and Affected Versions Apereo CAS versions 7.3.0 through 8.0.0-RC5 Description A cryptographic issue allows remote unauthenticated attackers to recover plaintext conversation state. This occurs because the system reuses the AES-GCM initialization vector IV across th...

9.3CVSS6.2AI score0.00356EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.13 views

PT-2026-54613

The Fluent Forms WordPress plugin before 6.2.5 does not properly restrict the deletion of form submission entries to the forms a restricted Manager is authorized to manage, allowing a Manager limited to specific forms to permanently delete submission entries belonging to other forms. This require...

5.8AI score0.00168EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.14 views

PT-2026-54995

Unauthenticated Broken Authentication in ALD – Dropshipping and Fulfillment for AliExpress and WooCommerce = 2.2.0 versions...

4.8CVSS5.8AI score0.0021EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.9 views

PT-2026-55227

A month ago we pointed our local LLM at FreeBSD and it helped us find a local root exploit plus an ASLR bypass on SUID binaries to go with it 🚨 Both now patched CVE-2026-49415 & CVE-2026-49414. Update your boxes! ➡️ https://t.co/slnvi8x31B ➡️ https://t.co/rsdMmQBB9t https://t.co/WgqLPCjiKV...

5.8AI score
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.11 views

PT-2026-55347

Impact A path traversal vulnerability exists in the Zmodem and Trzsz file download handlers in electerm. When receiving files via Zmodem or Trzsz protocols, electerm uses the remote-supplied filename directly in path.join with the user-selected download directory without sanitization. A malicious...

7.1CVSS6AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.8 views

PT-2026-55450

Name of the Vulnerable Software and Affected Versions dragonfly versions prior to 2.4.4 Description The Dragonfly Manager fails to enforce authentication on specific API endpoints, allowing unauthenticated network-reachable attackers to retrieve sensitive OAuth client secrets. The issue occurs...

6.3CVSS6AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.11 views

PT-2026-55296

Name of the Vulnerable Software and Affected Versions LobeChat versions prior to 2.2.10-canary.18 Description Authenticated attackers can perform server-side request forgery SSRF, a flaw where the server is tricked into making requests to an unintended location. By providing malicious input to th...

8.3CVSS6.1AI score0.00235EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.9 views

PT-2026-55474

Am I affected You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your node processes blocks on any Zcash network. Summary The finalized transparent address balance writer processes all newly-created outputs credits before processing spent outputs debits within the same block. A...

6.9CVSS5.9AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.16 views

PT-2026-55244

Name of the Vulnerable Software and Affected Versions UniFi Protect Application affected versions not specified Description An Improper Access Control issue allows a network-based actor to bypass authentication for data streaming. Improper Access Control occurs when an application fails to proper...

9.8CVSS6.1AI score0.0028EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.10 views

PT-2026-55326

Name of the Vulnerable Software and Affected Versions WatchGuard Fireware OS versions 11.10.2 through 11.12.4 Update1 WatchGuard Fireware OS versions 12.0 through 12.12 WatchGuard Fireware OS versions 2025.1 through 2026.2 Description A null pointer dereference occurs when the software attempts t...

8.7CVSS6AI score0.00495EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.19 views

PT-2026-54935

Name of the Vulnerable Software and Affected Versions MLflow versions prior to 3.14.0 Description When authentication is enabled, the trace API endpoints lack proper authorization validators. This occurs because the before request handler fails to register authorization validators for these...

8.1CVSS7.2AI score0.00348EPSS
Exploits1References9
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.10 views

PT-2026-54948

Name of the Vulnerable Software and Affected Versions PIA affected versions not specified Description The OIDC issuer allowlist for Jenkins tokens uses a bare string-prefix check instead of validating the issuer as a properly host-bounded URL. This allows an attacker to bypass the check using a...

8.2CVSS6.1AI score0.00321EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.7 views

PT-2026-55056

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in ThemePunch Slider Revolution allows Reflected XSS. This issue affects Slider Revolution: from 7.0.0 through 7.0.16...

7.1CVSS5.8AI score0.00155EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.15 views

PT-2026-55262

Name of the Vulnerable Software and Affected Versions Yonyou KSOA version 9.0 Description An unauthenticated arbitrary file upload issue exists in the com.sksoft.bill.ImageUpload servlet. Unauthenticated attackers can upload arbitrary files by submitting a POST request to the endpoint without...

9.8CVSS6.4AI score0.0086EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.9 views

PT-2026-55004

Unauthenticated Cross Site Scripting XSS in Survey Maker = 5.2.2.5 versions...

7.1CVSS5.8AI score0.00191EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.11 views

PT-2026-55469

Am I affected You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your node participates in a network where chain forks occur mainnet, testnet, or any network with multiple miners. All default configurations are affected. The corruption persists across restarts because it is...

6.5CVSS5.8AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.9 views

PT-2026-54614

The Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.9.27. This is due to the plugin not properly verifying that a user is authorized to perfor...

4.3CVSS5.9AI score0.00272EPSS
Exploits0References13
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.7 views

PT-2026-54994

Name of the Vulnerable Software and Affected Versions HandL UTM Grabber versions 2.9.2 and earlier Description An unauthenticated Cross Site Scripting XSS issue exists, allowing an attacker to execute malicious scripts in the browser of a user without requiring prior authentication. Recommendatio...

7.1CVSS6AI score0.00191EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.6 views

PT-2026-55394

Summary The Kerberos Hub upload path sends the agent's Hub credentials in the custom X-Kerberos-Hub-PrivateKey and X-Kerberos-Hub-PublicKey request headers to the operator-configured Hub URL config.HubURI. The HTTP client used &http.Client in UploadKerberosHub is constructed without a CheckRedire...

6.9CVSS5.9AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.5 views

PT-2026-55379

Finding Location: core/src/shared/secure-fetch.ts:42-45 When new URL throws a parse error, the assertSecureUrl function returned without throwing, silently allowing the request to proceed without HTTPS validation. Status Fixed in v0.2.136 — The catch block now throws an error instead of silently...

8.7CVSS5.8AI score
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.5 views

PT-2026-55381

Summary In the Debian.sudoers file, apt-get is allowed for the nagios user. The full command including the arguments are not enforced and can therefore be choosen arbitrarily. This allows to easily get a root shell as the nagios user: PoC By choosing a particular argument, you can get as a nagios...

8.4CVSS5.8AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.5 views

PT-2026-55422

Kiwi TCMS provides the /init-db/ page as part of its setup mechanism for administrators who prefer a browser instead of the command line. In previous versions of Kiwi TCMS this page still renders and responds to requests even after first use. Impact The /init-db/ page does not require any user...

6.9CVSS5.8AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.9 views

PT-2026-55468

Am I affected You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your node accepts inbound P2P connections network.listen addr is set, which is the default. 3. Your node's mempool is active node is synced near the chain tip. All default configurations are affected. Summary A...

5.3CVSS5.7AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.8 views

PT-2026-55472

Description Am I affected You are affected if: 1. You run any version of zebrad up to and including v4.4.1. 2. Your node accepts inbound P2P connections network.listen addr is set, which is the default. 3. Your node processes blocks past the checkpoint height non-finalized state is active. All...

8.7CVSS5.8AI score
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.6 views

PT-2026-55454

Summary This library turned out to be vulnerable to Denial-of-Service attacks using XPath transforms. A mitigation has been put in place to restrict the number of transforms and to restrict transforms to only the transform-algorithms mentioned in the SAML 2.0 Core Specifications and specifically...

7.5CVSS5.7AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.7 views

PT-2026-55481

Summary Stored XSS through wikitext can be performed by inserting malicious HTML into the overlays parameter of the display map parser function when using the leaflet service. Details The maps extension doesn't escape overlay names before passing them to leaflet. Leaflet then inserts them as HTML...

8.6CVSS5.8AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.10 views

PT-2026-55467

Am I affected You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your zebrad.toml sets rpc.listen addr to a TCP address RPC server is enabled. 3. An attacker can authenticate to the RPC endpoint. With the default enable cookie auth = true, this requires the attacker to read the...

6.5CVSS5.8AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.7 views

PT-2026-55405

Summary Algernon selects its file handler from filepath.Ext engine/handlers.go:134, which does not treat the NTFS-equivalent names x.lua::$DATA, x.lua., or x.lua as .lua. On Windows, an unauthenticated client appends one of these suffixes to any server-side script on a public path and receives it...

8.7CVSS5.9AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.12 views

PT-2026-55416

Impact Recce OSS server deployments that expose the server to an untrusted network without authentication are vulnerable to unauthenticated SQL execution through the query run API. When Recce is configured with a DuckDB-backed project, an attacker can use DuckDB filesystem primitives to read and...

7.8CVSS5.9AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.8 views

PT-2026-55351

Summary The aarch64 implementations of Cmov and CmovEq seem to assume that the high bits when loading a value of size smaller than a register into a register are zero-extended. However, this is not the case and these bits are unspecified. This can result in a left.cmovz&right, condition not movin...

6.9CVSS5.5AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.7 views

PT-2026-55446

Name of the Vulnerable Software and Affected Versions SFTPGo versions prior to 2.7.3 Description A path confinement bypass exists in the public web-client endpoint used for partial ZIP downloads of browsable shares. The system failed to correctly restrict client-supplied file entries to the...

5.9CVSS5.9AI score0.00057EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.8 views

PT-2026-55447

Name of the Vulnerable Software and Affected Versions SFTPGo versions prior to 2.7.3 Description A stored Cross-Site Scripting XSS issue exists where the inline query parameter on the browsable-share file download and authenticated user file download endpoints suppresses the Content-Disposition:...

3.7CVSS5.9AI score0.00028EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.8 views

PT-2026-55465

Finding Location: core/src/shared/secure-fetch.ts:42-45 When new URL throws a parse error, the assertSecureUrl function returned without throwing, silently allowing the request to proceed without HTTPS validation. Status Fixed in v0.2.136 — The catch block now throws an error instead of silently...

8.7CVSS5.8AI score
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.7 views

PT-2026-54953

The WP Database Backup – Unlimited Database & Files Backup by Backup for WP plugin for WordPress is vulnerable to OS Command Injection in all versions up to and including 7.11 via the wp db exclude table parameter. This is due to the direct concatenation of user-supplied $ POST'wp db exclude tabl...

7.2CVSS6.3AI score0.01588EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.8 views

PT-2026-55366

Summary On 32-bit platforms, decoding a crafted image may lead to out-of-bounds writes due to integer overflow in length calculation. Details & PoC The test listed below fail under miri with command cargo +nightly miri test --release -p jxl-grid Or you can use Address Sanitizer, which ignores...

7.3CVSS6.3AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.7 views

PT-2026-55393

Am I affected You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your node accepts inbound P2P connections and is syncing or catching up to the chain tip. Summary A malicious peer can answer Zebra's outbound getblocks/FindBlocks request with a small two-hash inventory, then ser...

5.3CVSS5.8AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.13 views

PT-2026-55228

A NULL pointer dereference vulnerability for driver GFAC Sys x64.sys in Little Orbit GFAC allows a local attacker to cause a denial of service via crafted requests that trigger a system crash...

5.8AI score0.00169EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.13 views

PT-2026-55268

Content removed...

5.3CVSS5.8AI score0.0033EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.25 views

PT-2026-55265

Craft CMS is a content management system CMS. Versions 5.7.0 and above, prior to 5.9.21 contain a mass-assignment flaw in the bulk-duplicate element action. An attacker who is only able to duplicate their own entires can submit an arbitrary id through the newAttributes request parameter. The...

7.1CVSS5.9AI score0.00253EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.6 views

PT-2026-55356

Am I affected You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your node accepts inbound P2P connections network.listen addr is set, which is the default. 3. Your node's mempool is active node is synced near the chain tip. All default configurations are affected. Summary A...

5.3CVSS5.7AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.9 views

PT-2026-55258

A malicious actor with access to the network and under certain conditions could exploit an Incorrect Authorization vulnerability found in UniFi Network Application to persist privileges within UniFi Network Application after such access had been removed...

7.5CVSS5.7AI score0.0019EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.10 views

PT-2026-55012

Subscriber Broken Access Control in Advanced Contact form 7 DB = 2.0.9 versions...

6.5CVSS5.8AI score0.0034EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.10 views

PT-2026-55018

Unauthenticated Cross Site Scripting XSS in WP Photo Album Plus = 9.2.02.004 versions...

7.1CVSS5.8AI score0.00191EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.11 views

PT-2026-55017

Unauthenticated Cross Site Scripting XSS in Timetics = 1.0.58 versions...

7.1CVSS5.8AI score0.00191EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.11 views

PT-2026-55320

Name of the Vulnerable Software and Affected Versions Microsoft Exchange Online affected versions not specified Description Incorrect authorization allows an authorized attacker to elevate privileges over a network. Recommendations At the moment, there is no information about a newer version that...

8.8CVSS6AI score0.0063EPSS
Exploits1References9
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.15 views

PT-2026-54964

Unauthenticated Arbitrary Content Deletion in OpenAI Chatbot for WordPress – Helper = 1.1.4 versions...

7.5CVSS5.8AI score0.003EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.13 views

PT-2026-55463

Summary The aarch64 implementations of Cmov and CmovEq seem to assume that the high bits when loading a value of size smaller than a register into a register are zero-extended. However, this is not the case and these bits are unspecified. This can result in a left.cmovz&right, condition not movin...

6.9CVSS5.5AI score
Exploits0References3
Total number of security vulnerabilities184549