Lucene search
K
PtsecurityRecent

184528 matches found

Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•7 views

PT-2026-55243

A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi Protect Application to bypass authentication in certain UniFi Protect Application API endpoints...

8.6CVSS5.8AI score0.00291EPSS
Exploits0References2
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•8 views

PT-2026-55340

The admin panel lacks standard security headers, enabling clickjacking and cross-site scripting attacks...

5.4CVSS5.6AI score0.00238EPSS
Exploits0References4
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•7 views

PT-2026-55374

Summary AssetsController::actionDeleteFolder only requires the deleteAssets: permission for the target folder. It never enforces deletePeerAssets:, even though Assets::deleteFoldersByIds cascades deletion to every descendant folder and every asset inside, regardless of who uploaded them. A...

7.1CVSS6AI score0.00249EPSS
Exploits0References5
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•15 views

PT-2026-54965

Unauthenticated Cross Site Scripting XSS in Artale | Wedding Photography WordPress = 2.2.2 versions...

7.1CVSS5.8AI score0.0018EPSS
Exploits0References3
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•8 views

PT-2026-55245

Name of the Vulnerable Software and Affected Versions UniFi Protect Application affected versions not specified Description An Improper Initialization issue exists in the UniFi Protect Application. A malicious actor with network access could exploit this flaw under certain conditions to bypass...

8.1CVSS6.1AI score0.00254EPSS
Exploits0References3
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•12 views

PT-2026-55005

Unauthenticated Cross Site Scripting XSS in ChatBot = 8.3.2 versions...

7.1CVSS5.8AI score0.00191EPSS
Exploits0References2
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•8 views

PT-2026-55048

Unauthenticated Cross Site Request Forgery CSRF in SEOWP = 3.12.2 versions...

7.1CVSS5.8AI score0.00094EPSS
Exploits0References2
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•7 views

PT-2026-54874

GeoWebPlayer also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud is an addon that can be installed with various GeoVision software GV-VMS, GV-Cloud, .... It creates a websocket server that expands the capabilities of the various web-interfaces provided by the...

8.3CVSS5.8AI score0.0024EPSS
Exploits0References3
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•11 views

PT-2026-55386

Summary An SQL injection vulnerability exists in Mautic's API contact filtering mechanism. Due to insufficient recursive sanitization of nested query parameters, an authenticated API user can bypass input filtering and inject arbitrary SQL commands. Impact An authenticated user with API access ca...

7.1CVSS6.1AI score0.00224EPSS
Exploits0References4
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•7 views

PT-2026-55327

Name of the Vulnerable Software and Affected Versions WatchGuard Fireware OS versions 11.0 through 11.12.4 Update1 WatchGuard Fireware OS versions 12.0 through 12.12 WatchGuard Fireware OS versions 2025.1 through 2026.2 Description A race condition leads to a use-after-free issue in LDAP...

9.2CVSS6.3AI score0.00646EPSS
Exploits0References13
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•10 views

PT-2026-55413

Summary EntriesController::actionSaveEntry performs entry-edit permission checks before request-controlled author changes are applied to the model. The subsequent author mutation path accepts attacker-supplied authors / author parameters and allows the change when the current user is one of the o...

7.6CVSS5.8AI score0.00245EPSS
Exploits0References5
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•16 views

PT-2026-55256

Name of the Vulnerable Software and Affected Versions obs tar scm source service versions prior to 0.12.4 Description A shellcode injection exists in the mercurial handler of the source service. Attackers who can provide a crafted service file can execute arbitrary code as the source service or t...

10CVSS6.2AI score0.00375EPSS
Exploits0References6
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•15 views

PT-2026-55271

Time-of-check Time-of-use TOCTOU race condition vulnerability in Erlang/OTP ssl dtls packet demux module allows an unauthenticated remote attacker to crash all active DTLS sessions on a listener. A DTLS server listener uses a single shared dtls packet demux gen server process to route incoming UD...

8.7CVSS5.8AI score0.00384EPSS
Exploits0References6
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•13 views

PT-2026-55319

Name of the Vulnerable Software and Affected Versions Azure OpenAI affected versions not specified Description A server-side request forgery SSRF issue exists in Azure OpenAI. This flaw allows an authorized attacker to elevate privileges over a network. SSRF is a vulnerability where an attacker c...

9.9CVSS5.9AI score0.00608EPSS
Exploits0References12
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•11 views

PT-2026-55236

A malicious actor with access to the network and high privileges could exploit an Improper Access Control vulnerability found in UniFi Access Application to escalate privileges on the host device...

9.1CVSS5.8AI score0.00257EPSS
Exploits0References5
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•11 views

PT-2026-55284

Name of the Vulnerable Software and Affected Versions TinyPNG – JPEG, PNG & WebP image compression plugin for WordPress versions prior to 3.6.14 Description Insufficient file path validation in the delete converted image size function allows authenticated attackers with author-level access or...

8.1CVSS6.3AI score0.0067EPSS
Exploits0References15
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•14 views

PT-2026-55019

Unauthenticated PHP Object Injection in Novalnet Payment Gateway for WooCommerce = 12.10.3 versions...

9.8CVSS5.8AI score0.00336EPSS
Exploits0References2
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•8 views

PT-2026-55451

Impact A command injection vulnerability exists in electerm's file system operations rmrf, mv, cp in src/app/lib/fs.js. These functions construct shell commands by interpolating file paths directly into command strings without escaping shell metacharacters. Vulnerable functions: - rmrf - Uses rm...

8.8CVSS6.2AI score0.00072EPSS
Exploits0References4
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•8 views

PT-2026-54777

🔵 oras-go Hardlink Path Traversal Vulnerability CVE-2026-50163 -DC-Jul2026-817 https://t.co/aNknndn6M7...

5.8AI score
Exploits0References1
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•9 views

PT-2026-55367

Am I affected You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your node listens on the default :: address on a Linux host the standard deployment configuration — net.ipv6.bindv6only=0 is the default on all common Linux distributions. 3. Your node is synced near the chain tip...

7.5CVSS5.8AI score
Exploits0References3
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•6 views

PT-2026-55555

These are all security issues fixed in the kernel-devel-7.1.2-1.1 package on the GA media of openSUSE Tumbleweed...

5.9AI score
Exploits0References5
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•9 views

PT-2026-55255

A malicious actor with access to the network and low privileges could exploit an Improper Access Control vulnerability found in UniFi Talk Application to escalate privileges within the UniFi Talk Application...

8.1CVSS5.8AI score0.00201EPSS
Exploits0References2
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•7 views

PT-2026-55414

Am I affected You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your zebrad.toml sets rpc.listen addr to a TCP address RPC server is enabled. 3. An attacker can authenticate to the RPC endpoint. With the default enable cookie auth = true, this requires the attacker to read the...

6.5CVSS5.8AI score
Exploits0References4
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•10 views

PT-2026-54880

Name of the Vulnerable Software and Affected Versions GeoWebPlayer affected versions not specified Description The GeoWebPlayer websocket server, used as an addon for GeoVision software such as GV-VMS and GV-Cloud, contains a memory corruption issue. The handle connection info function, which...

8.3CVSS6AI score0.00286EPSS
Exploits0References4
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•13 views

PT-2026-54940

The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.7.8. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

4.3CVSS5.9AI score0.00232EPSS
Exploits0References9
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•8 views

PT-2026-54947

The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'select' parameter in all versions up to, and including, 4.5.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

6.5CVSS5.8AI score0.00441EPSS
Exploits0References11
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•12 views

PT-2026-54936

Name of the Vulnerable Software and Affected Versions Eclipse Parsson versions prior to 1.1.8 Description The JSON parser does not enforce a default maximum on the number of characters consumed when parsing a single JSON document. This allows an attacker to provide specially crafted JSON document...

7.5CVSS5.9AI score0.00366EPSS
Exploits0References10
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•11 views

PT-2026-54942

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.2 via the 'service id' parameter due to missing validation on a user controlled key. This makes it possible for...

5.3CVSS5.8AI score0.00381EPSS
Exploits0References13
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•12 views

PT-2026-54613

The Fluent Forms WordPress plugin before 6.2.5 does not properly restrict the deletion of form submission entries to the forms a restricted Manager is authorized to manage, allowing a Manager limited to specific forms to permanently delete submission entries belonging to other forms. This require...

5.8AI score0.00168EPSS
Exploits0References2
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•17 views

PT-2026-54882

Name of the Vulnerable Software and Affected Versions GeoWebPlayer affected versions not specified Description The GeoWebPlayer websocket server, used as an addon for GeoVision software such as GV-VMS and GV-Cloud, contains a memory corruption issue. The handle connection info function, which...

8.3CVSS6AI score0.0028EPSS
Exploits0References4
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•8 views

PT-2026-54870

GeoWebPlayer also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud is an addon that can be installed with various GeoVision software GV-VMS, GV-Cloud, .... It creates a websocket server that expands the capabilities of the various web-interfaces provided by the...

8.3CVSS5.8AI score0.00215EPSS
Exploits0References3
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•10 views

PT-2026-54878

GeoWebPlayer also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud is an addon that can be installed with various GeoVision software GV-VMS, GV-Cloud, .... It creates a websocket server that expands the capabilities of the various web-interfaces provided by the...

8.3CVSS5.9AI score0.00286EPSS
Exploits0References3
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•11 views

PT-2026-54776

🔵 oras-go Credential Leak via Unvalidated Location Header CVE-2026-50151 -DC-Jul2026-820 https://t.co/ZKaMBpuzbt...

5.8AI score
Exploits0References1
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•9 views

PT-2026-54946

The JetFormBuilder — Dynamic Blocks Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated...

5.3CVSS5.8AI score0.00333EPSS
Exploits0References13
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•6 views

PT-2026-54943

The Perfmatters plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.6.4 via the 's' parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information...

7.5CVSS5.9AI score0.0082EPSS
Exploits0References4
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•10 views

PT-2026-55455

Kiwi TCMS provides the /init-db/ page as part of its setup mechanism for administrators who prefer a browser instead of the command line. In previous versions of Kiwi TCMS this page still renders and responds to requests even after first use. Impact The /init-db/ page does not require any user...

6.9CVSS5.8AI score0.00048EPSS
Exploits0References3
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•13 views

PT-2026-55342

Summary All Steeltoe actuator endpoints default to EndpointPermissions.Restricted, which is mapped to Cloud Foundry's read basic data permission granted to Space Auditors and similar low-trust roles. Sensitive actuators including heap dump, environment, and thread dump do not raise this to...

6.5CVSS5.8AI score0.00231EPSS
Exploits0References6
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•11 views

PT-2026-55273

A stored Cross-Site Scripting XSS vulnerability has been identified in the web-based management interface of Archer C5 v6.8 routers, due to insufficient server-side validation and lack of proper output encoding of user-controlled input in a certain field. An attacker with administrative privilege...

7CVSS6AI score0.00177EPSS
Exploits0References2
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•13 views

PT-2026-55353

We have identified an authorization issue in Craft CMS where a forced folder move can delete a conflicting destination folder without destination delete permission. Description Craft CMS’s craftcontrollersAssetsController::actionMoveFolder supports moving an asset folder into a destination parent...

7.1CVSS5.9AI score0.00207EPSS
Exploits0References5
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•9 views

PT-2026-55362

Summary This library turned out to be vulnerable to Denial-of-Service attacks using XPath transforms. A mitigation has been put in place to restrict the number of transforms and to restrict transforms to only the transform-algorithms mentioned in the SAML 2.0 Core Specifications and specifically...

7.5CVSS5.7AI score
Exploits0References3
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•10 views

PT-2026-54871

GeoWebPlayer also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud is an addon that can be installed with various GeoVision software GV-VMS, GV-Cloud, .... It creates a websocket server that expands the capabilities of the various web-interfaces provided by the...

8.3CVSS5.8AI score0.00215EPSS
Exploits0References3
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•11 views

PT-2026-55303

Name of the Vulnerable Software and Affected Versions ntopng versions prior to 6.7 Description Predictable session identifiers can lead to session hijacking. The issue occurs because HTTP session identifiers in the src/HTTPserver.cpp file use weak time-seeded pseudo-randomness during session...

9.8CVSS5.9AI score0.00379EPSS
Exploits0References5
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•13 views

PT-2026-55482

Summary An unauthenticated path traversal in the LaunchServer HTTP file server FileServerHandler lets any remote actor read any file readable by the LaunchServer process e.g. ../../../../etc/passwd. This is a generic arbitrary-file-read primitive, so the fix must address the traversal itself, not...

9.8CVSS6AI score
Exploits0References3
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•18 views

PT-2026-55266

Name of the Vulnerable Software and Affected Versions Craft CMS versions 5.0.0-RC1 through 5.9.20 Craft CMS versions 4.0.0-RC1 through 4.17.13 Description An authorization issue exists where a forced folder move can delete a conflicting destination folder even if the user lacks the required...

7.1CVSS6AI score0.00207EPSS
Exploits0References7
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•11 views

PT-2026-55423

Summary Combined POSIX shell options could confuse exec revalidation. In affected versions, a command request using combined shell flags could parse approval-time and execution-time shell options differently. This advisory is scoped to the named feature and configuration. It does not change...

8.8CVSS6AI score0.00419EPSS
Exploits0References5
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•9 views

PT-2026-54869

GeoWebPlayer also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud is an addon that can be installed with various GeoVision software GV-VMS, GV-Cloud, .... It creates a websocket server that expands the capabilities of the various web-interfaces provided by the...

8.3CVSS5.8AI score0.00215EPSS
Exploits0References3
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•13 views

PT-2026-55291

Name of the Vulnerable Software and Affected Versions RAGFlow versions prior to 0.26.3 Description An authenticated workspace user with permissions to create or edit an agent can perform a stored cross-site scripting attack. The agent update endpoint uses the normalize dsl function, which validat...

5.4CVSS6AI score0.00182EPSS
Exploits0References8
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•8 views

PT-2026-55336

Name of the Vulnerable Software and Affected Versions WatchGuard Fireware OS versions 11.0 through 11.12.4 Update1 WatchGuard Fireware OS versions 12.0 through 12.12 WatchGuard Fireware OS versions 2025.1 through 2025.6.2 Description An issue exists in the backup/restore feature where firmware...

8.6CVSS6AI score0.00232EPSS
Exploits0References8
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•11 views

PT-2026-55047

Name of the Vulnerable Software and Affected Versions ProfileGrid versions prior to 5.9.9.8 Description An unauthenticated Cross Site Request Forgery CSRF issue exists, which could lead to account takeover. CSRF is a flaw that allows an attacker to trick a victim into performing actions they did...

8.8CVSS6AI score0.00142EPSS
Exploits0References5
Positive Technologies
Positive Technologies
•added 2026/07/02 12:0 a.m.•12 views

PT-2026-55311

Name of the Vulnerable Software and Affected Versions pdfcpu versions prior to 0.11.2 Description A denial-of-service issue exists where the parser descends recursively through nested PDF objects, including arrays, without enforcing a maximum nesting depth. This occurs within the ParseObjectConte...

7.5CVSS5.9AI score0.00451EPSS
Exploits0References5
Total number of security vulnerabilities184528