175461 matches found

Positive Technologies
•added 2026/06/04 12:0 a.m.•9 views

PT-2026-46179

Out-of-bounds write vulnerability in Samsung Open Source rlottie allows Overflow Buffers. This issue affects rlottie: before dcfde72eae1b0464dc0dd760aec00ada6a148635...

CVSS 6.1 | AI score 5.8 | EPSS 0.00018
Exploits: 0 | References: 2

Positive Technologies
•added 2026/06/04 12:0 a.m.•9 views

PT-2026-46176

Name of the Vulnerable Software and Affected Versions: The product name cannot be determined; affected versions not specified. Description: The web administration panel binds broadly to the public IPv6 address space on port ':::8080' without default firewall limits. This configuration allows internal...

CVSS 6.9 | AI score 5.3 | EPSS 0.00041
Exploits: 0 | References: 4

Positive Technologies
•added 2026/06/04 12:0 a.m.•10 views

PT-2026-46169

Stack-based buffer overflow vulnerability in Samsung Open Source rlottie allows Overflow Buffers. This issue affects rlottie: before ce72b35a7ad0dded03051d3aa0ef75321c3bd035...

CVSS 6.1 | AI score 6 | EPSS 0.00014
Exploits: 0 | References: 2

Positive Technologies
•added 2026/06/04 12:0 a.m.•9 views

PT-2026-46177

Name of the Vulnerable Software and Affected Versions: The product name cannot be determined; affected versions not specified. Description: The registration endpoint '/v1/account/register' lacks bot mitigation mechanisms. This allows malicious automated systems to perform account creation exhaustion,...

CVSS 9.1 | AI score 5.4 | EPSS 0.00057
Exploits: 0 | References: 4

Positive Technologies
•added 2026/06/04 12:0 a.m.•10 views

PT-2026-46167

A weakness has been identified in PaddlePaddle FastDeploy up to 2.4.1. Affected by this issue is the function hash features of the file fastdeploy/multimodal/hasher.py of the component MultimodalHasher. Executing a manipulation can lead to use of weak hash. The attack requires local access. A hig...

CVSS 3.6 | AI score 5.2 | EPSS 0.00006
Exploits: 0 | References: 9

Positive Technologies
•added 2026/06/04 12:0 a.m.•11 views

PT-2026-46172

In affected versions of Octopus Server, permissions were not checked correctly resulting in any authenticated user being able to make server level changes using a certain API endpoint despite receiving an error...

CVSS 6 | AI score 5.8 | EPSS 0.00035
Exploits: 0 | References: 2

Positive Technologies
•added 2026/06/04 12:0 a.m.•11 views

PT-2026-46168

Uncontrolled Recursion vulnerability in Samsung Open Source rlottie allows Oversized Serialized Data Payloads. This issue affects rlottie: before e2d19e3b150e0e4a9586fa90b56fd3061cc98945...

CVSS 6.1 | AI score 5.8 | EPSS 0.00014
Exploits: 0 | References: 2

Positive Technologies
•added 2026/06/04 12:0 a.m.•9 views

PT-2026-46174

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in 10Web Photo Gallery by 10Web allows Blind SQL Injection. This issue affects Photo Gallery by 10Web: from n/a through 1.8.41...

CVSS 7.6 | AI score 5.8 | EPSS 0.00036
Exploits: 0 | References: 2

Positive Technologies
•added 2026/06/04 12:0 a.m.•10 views

PT-2026-46170

Memory allocation with excessive size value vulnerability in Samsung Open Source rlottie allows Excessive Allocation. This issue affects rlottie: before 0b4e308fa88c72cbb60cc8a2c1d2c2ad89b101dd...

CVSS 6.1 | AI score 5.8 | EPSS 0.00014
Exploits: 0 | References: 2

Positive Technologies
•added 2026/06/04 12:0 a.m.•11 views

PT-2026-46173

Integer overflow or wraparound vulnerability in Samsung Open Source rlottie allows Integer Attacks. This issue affects rlottie: before 21292665023e5074b38254432716866d00f1985f...

CVSS 6.1 | AI score 5.9 | EPSS 0.00014
Exploits: 0 | References: 2

Positive Technologies
•added 2026/06/04 12:0 a.m.•12 views

PT-2026-46192

Name of the Vulnerable Software and Affected Versions: OpenShift Cloud Credential Operator; affected versions not specified. Description: A flaw exists in the Mint-mode IAM policies for AWS within the OpenShift Cloud Credential Operator. Operator credentials are provisioned with account-wide scope fo...

CVSS 7.2 | AI score 5.4 | EPSS 0.00051
Exploits: 0 | References: 4

Positive Technologies
•added 2026/06/04 12:0 a.m.•8 views

PT-2026-46195

This vulnerability exists in GX Earth ONT models due to the transmission of user credentials in plaintext over HTTP in its web management interface. A remote attacker could exploit this vulnerability by intercepting network traffic to obtain sensitive authentication information, which could lead ...

CVSS 8.7 | AI score 5.8 | EPSS 0.0008
Exploits: 0 | References: 2

Positive Technologies
•added 2026/06/04 12:0 a.m.•10 views

PT-2026-46189

Name of the Vulnerable Software and Affected Versions: MLflow versions prior to 3.10.1. Description: A flaw in the Dataset Digest Computation component allows the use of a weak hash. This issue occurs within the mlflow.data.digest utils function located in the mlflow/data/digest utils.py file. An...

CVSS 3.6 | AI score 5.3 | EPSS 0.00006
Exploits: 1 | References: 11

Positive Technologies
•added 2026/06/04 12:0 a.m.•10 views

PT-2026-46182

A local privilege escalation vulnerability exists in Forcepoint VPN Client that allows a local non-administrative user to escalate privileges to SYSTEM. This issue affects VPN Client for Windows: versions 6.11.3 and prior...

CVSS 8.5 | AI score 5.8 | EPSS 0.00016
Exploits: 0 | References: 2

Positive Technologies
•added 2026/06/04 12:0 a.m.•12 views

PT-2026-46190

Name of the Vulnerable Software and Affected Versions: Streamlit versions prior to 1.53.0. Description: An issue exists in the Palette Handler component within the lib/streamlit/runtime/caching/hashing.py library. Manipulation of an unknown function in this library can lead to the use of a weak hash...

CVSS 4.7 | AI score 4.7 | EPSS 0.00006
Exploits: 0 | References: 9

Positive Technologies
•added 2026/06/04 12:0 a.m.•6 views

PT-2026-46188

A vulnerability was detected in keystonejs keystone up to 20260319. This vulnerability affects unknown code in the library packages/core/src/lib/core/queries/output-field.ts of the component GraphQL API Endpoint. The manipulation results in resource consumption. It is possible to launch the attac...

CVSS 5.3 | AI score 5.5 | EPSS 0.00051
Exploits: 0 | References: 9

Positive Technologies
•added 2026/06/04 12:0 a.m.•11 views

PT-2026-46183

HCL iControl was affected by Weak Input Validation vulnerability. This weakness is caused during implementation of an architectural security tactic. Received input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expecte...

CVSS 4.3 | AI score 5.8 | EPSS 0.00034
Exploits: 0 | References: 2

Positive Technologies
•added 2026/06/04 12:0 a.m.•10 views

PT-2026-46185

HCL iControl was affected by a Missing Security Headers vulnerability, which leads to cross-site scripting (XSS) attacks by enabling the built-in XSS filtering mechanisms of modern web browsers...

CVSS 3.7 | AI score 5.6 | EPSS 0.0007
Exploits: 0 | References: 2

Positive Technologies
•added 2026/06/04 12:0 a.m.•10 views

PT-2026-46187

HCL iControl was affected by Export CSV - CSV Injection vulnerability. It is vulnerable to a reflected cross-site scripting vulnerability. This was caused by an insufficient sanitation of input parameters...

CVSS 7.1 | AI score 5.6 | EPSS 0.00043
Exploits: 0 | References: 2

Positive Technologies
•added 2026/06/04 12:0 a.m.•7 views

PT-2026-46191

Name of the Vulnerable Software and Affected Versions: OpenShift Pipelines operator; affected versions not specified. Description: A flaw in the OpenShift Pipelines operator occurs because the tekton-scheduler-rolebinding ClusterRoleBinding grants the system:authenticated group write access to Kueue...

CVSS 7.1 | AI score 5.5 | EPSS 0.00024
Exploits: 0 | References: 6

Positive Technologies
•added 2026/06/04 12:0 a.m.•8 views

PT-2026-46184

HCL iControl was affected by Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite. And also path is set to root...

CVSS 3.1 | AI score 5.8 | EPSS 0.00014
Exploits: 0 | References: 2

Positive Technologies
•added 2026/06/04 12:0 a.m.•9 views

PT-2026-46194

This vulnerability exists in GX Earth ONT models due to improper handling of user-supplied input in multiple diagnostic functions in its web management interface. An authenticated remote attacker could exploit this vulnerability by injecting and executing arbitrary OS commands on the targeted...

CVSS 8.7 | AI score 6.5 | EPSS 0.00296
Exploits: 0 | References: 2

Positive Technologies
•added 2026/06/04 12:0 a.m.•9 views

PT-2026-46193

Name of the Vulnerable Software and Affected Versions: TeknoPass versions 20210501 through 20260429. Description: An authorization bypass exists due to a user-controlled SQL primary key issue, which allows for SQL Injection. SQL Injection is a technique where an attacker inserts malicious SQL code...

CVSS 9.8 | AI score 5.8 | EPSS 0.0004
Exploits: 0 | References: 4

Positive Technologies
•added 2026/06/04 12:0 a.m.•9 views

PT-2026-46181

Name of the Vulnerable Software and Affected Versions: WP eMember versions prior to 10.2.3. Description: An issue in the software allows the retrieval of embedded sensitive system information by an unauthorized control sphere. Recommendations: Update to a version later than 10.2.2...

CVSS 5.3 | AI score 5.5 | EPSS 0.00036
Exploits: 0 | References: 4

Positive Technologies
•added 2026/06/04 12:0 a.m.•14 views

PT-2026-46180

A security vulnerability has been detected in modelscope ms-swift up to 4.2.0. This affects the function Template. save pil image of the file swift/template/base.py of the component PIL Image Cache Key Handler. The manipulation leads to use of weak hash. An attack has to be approached locally. A...

CVSS 3.6 | AI score 4.9 | EPSS 0.00006
Exploits: 0 | References: 9

Positive Technologies
•added 2026/06/04 12:0 a.m.•11 views

PT-2026-46250

Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.172.0 through 0.315.6, the MaxAliasesLimiter extension in Strawberry fails to account for the multiplicative/amplification effect of FragmentSpreadNode. While it correctly counts static aliases within the AST it does not...

CVSS 5.3 | AI score 5.8 | EPSS 0.00082
Exploits: 1 | References: 3

Positive Technologies
•added 2026/06/04 12:0 a.m.•12 views

PT-2026-46204

Contact Form by WD 1.13.1 contains a cross-site request forgery vulnerability combined with local file inclusion that allows unauthenticated attackers to include arbitrary files by exploiting unsanitized action parameters. Attackers can craft malicious forms targeting the admin-ajax.php endpoint...

CVSS 5.1 | AI score 5.8 | EPSS 0.0008
Exploits: 0 | References: 5

Positive Technologies
•added 2026/06/04 12:0 a.m.•10 views

PT-2026-46197

WordPress Plugin ad manager wd 1.0.11 contains an arbitrary file download vulnerability that allows unauthenticated attackers to download sensitive files by manipulating the path parameter. Attackers can send GET requests to the edit.php endpoint with export=export csv and a malicious path...

CVSS 9.8 | AI score 5.9 | EPSS 0.00167
Exploits: 0 | References: 4

Positive Technologies
•added 2026/06/04 12:0 a.m.•8 views

PT-2026-46220

A vulnerability was determined in mjperpinosa stumasy. The impacted element is an unknown function of the file application/PHP/objects/profiles/change profile image.php. Executing a manipulation of the argument pr profile image can lead to unrestricted upload. The attack may be launched remotely...

CVSS 6.5 | AI score 6.4 | EPSS 0.00048
Exploits: 0 | References: 7

Positive Technologies
•added 2026/06/04 12:0 a.m.•12 views

PT-2026-46211

Mobatek MobaXterm 12.1 contains a structured exception handling SEH based buffer overflow vulnerability in the username field of session files that allows remote attackers to execute arbitrary code. Attackers can craft a malicious MobaXterm sessions file with overflow data that triggers the...

CVSS 9.8 | AI score 6.4 | EPSS 0.00234
Exploits: 0 | References: 4

Positive Technologies
•added 2026/06/04 12:0 a.m.•10 views

PT-2026-46201

Name of the Vulnerable Software and Affected Versions: Zuz Music version 2.1. Description: A persistent cross-site scripting issue allows unauthenticated attackers to inject malicious JavaScript by submitting crafted contact form data. The injection occurs via the name, subject, and message paramete...

CVSS 6.1 | AI score 4.8 | EPSS 0.00088
Exploits: 0 | References: 7

Positive Technologies
•added 2026/06/04 12:0 a.m.•9 views

PT-2026-46209

Name of the Vulnerable Software and Affected Versions: GigToDo version 1.3. Description: A persistent cross-site scripting issue allows authenticated attackers to inject malicious HTML and JavaScript code. This occurs via the proposal description field through the 'create proposal' endpoint. The...

CVSS 5.4 | AI score 4.8 | EPSS 0.00031
Exploits: 0 | References: 7

Positive Technologies
•added 2026/06/04 12:0 a.m.•12 views

PT-2026-46206

LabF nfsAxe 3.7 Ping Client contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious payload in the Host IP field. Attackers can craft a specially formatted input file with shellcode and overwrite the return address to execute calc.ex...

CVSS 8.6 | AI score 6.4 | EPSS 0.00017
Exploits: 0 | References: 4

Positive Technologies
•added 2026/06/04 12:0 a.m.•9 views

PT-2026-46203

NetShareWatcher 1.5.8.0 contains a structured exception handler buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying malicious input. Attackers can craft a payload with overwritten SEH and NSEH pointers through the Restrictions custom filter field to...

CVSS 8.6 | AI score 6.6 | EPSS 0.00018
Exploits: 0 | References: 5

Positive Technologies
•added 2026/06/04 12:0 a.m.•10 views

PT-2026-46218

Name of the Vulnerable Software and Affected Versions: HCL BigFix Cloud Lifecycle Management; affected versions not specified. Description: Lack of input validation in HCL BigFix Cloud Lifecycle Management may lead to information exposure. This flaw allows unauthorized access to sensitive data...

CVSS 3.3 | AI score 5.4 | EPSS 0.00016
Exploits: 0 | References: 5

Positive Technologies
•added 2026/06/04 12:0 a.m.•11 views

PT-2026-46213

Name of the Vulnerable Software and Affected Versions: Soliloquy Lite version 2.5.6. Description: A persistent cross-site scripting issue allows authenticated attackers to inject malicious scripts by inserting script tags into the post title field. This is achieved by submitting POST requests to the...

CVSS 5.4 | AI score 4.8 | EPSS 0.00031
Exploits: 0 | References: 7

Positive Technologies
•added 2026/06/04 12:0 a.m.•9 views

PT-2026-46221

A vulnerability was identified in itsourcecode Fees Management System 1.0. This affects an unknown function of the file /manage student.php. The manipulation of the argument ID leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be us...

CVSS 6.5 | AI score 6.5 | EPSS 0.00037
Exploits: 0 | References: 7

Positive Technologies
•added 2026/06/04 12:0 a.m.•13 views

PT-2026-46198

Care2x 2.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL commands by manipulating the ck config cookie parameter. Attackers can inject malicious SQL through the ck config cookie in multiple endpoints including login.php,...

CVSS 8.8 | AI score 6.1 | EPSS 0.00123
Exploits: 0 | References: 3

Positive Technologies
•added 2026/06/04 12:0 a.m.•8 views

PT-2026-46214

WordPress Popup Builder 3.49 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by breaking out of option tags in the post title parameter. Attackers can submit crafted POST requests to the post.php endpoint with script payload...

CVSS 6.4 | AI score 5.7 | EPSS 0.00031
Exploits: 0 | References: 5

Positive Technologies
•added 2026/06/04 12:0 a.m.•10 views

PT-2026-46219

A vulnerability was found in mjperpinosa stumasy. The affected element is an unknown function of the file application/PHP/objects/updates/add post.php. Performing a manipulation of the argument up file to post results in unrestricted upload. The attack may be initiated remotely. The exploit has...

CVSS 6.5 | AI score 6.3 | EPSS 0.00048
Exploits: 0 | References: 7

Positive Technologies
•added 2026/06/04 12:0 a.m.•11 views

PT-2026-46215

WordPress Plugin Google Review Slider 6.1 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'tid' parameter. Attackers can send GET requests to the admin interface with malicious 'tid'...

CVSS 8.8 | AI score 5.9 | EPSS 0.00086
Exploits: 0 | References: 4

Positive Technologies
•added 2026/06/04 12:0 a.m.•10 views

PT-2026-46210

Joomla com jsjobs 1.2.6 contains an arbitrary file deletion vulnerability that allows authenticated attackers to delete files by manipulating custom userfield parameters. Attackers can send POST requests to the job.savejob task with path traversal sequences in the field 2 parameter to delete...

CVSS 7.1 | AI score 5.9 | EPSS 0.00036
Exploits: 0 | References: 5

Positive Technologies
•added 2026/06/04 12:0 a.m.•8 views

PT-2026-46205

AllPlayer 7.4 contains a local buffer overflow vulnerability in URL handling that allows attackers to overwrite structured exception handling pointers by supplying an excessively long URL string. Attackers can craft a malicious URL, paste it into the Open URL dialog, and trigger SEH-based code...

CVSS 8.6 | AI score 6.4 | EPSS 0.00018
Exploits: 0 | References: 5

Positive Technologies
•added 2026/06/04 12:0 a.m.•11 views

PT-2026-46200

Listing Hub CMS 1.0 contains a SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send GET requests to pages.php with crafted id values using error-based SQL injection techniques to...

CVSS 8.8 | AI score 6.2 | EPSS 0.00094
Exploits: 0 | References: 6

Positive Technologies
•added 2026/06/04 12:0 a.m.•10 views

PT-2026-46208

WordPress Hybrid Composer 1.4.6 contains an unauthenticated settings change vulnerability that allows unauthenticated attackers to modify WordPress options by exploiting the hc ajax save option action. Attackers can send POST requests to the admin-ajax.php endpoint with the action parameter set t...

CVSS 9.8 | AI score 5.8 | EPSS 0.00105
Exploits: 0 | References: 6

Positive Technologies
•added 2026/06/04 12:0 a.m.•10 views

PT-2026-46199

PDF Signer 3.0 contains a server-side template injection vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP commands through the CSRF-TOKEN cookie parameter. Attackers can craft malicious cookie values containing template injection payloads like shell...

CVSS 9.8 | AI score 6.1 | EPSS 0.00051
Exploits: 0 | References: 5

Positive Technologies
•added 2026/06/04 12:0 a.m.•10 views

PT-2026-46207

Name of the Vulnerable Software and Affected Versions: Live Chat Unlimited version 2.8.3. Description: A stored cross-site scripting issue allows unauthenticated attackers to inject malicious scripts via the chat input field. By submitting payloads containing script tags and event handlers, attacker...

CVSS 6.1 | AI score 5 | EPSS 0.00095
Exploits: 0 | References: 6

Positive Technologies
•added 2026/06/04 12:0 a.m.•13 views

PT-2026-46212

Name of the Vulnerable Software and Affected Versions: Zoner Real Estate version 4.1.1. Description: A persistent cross-site scripting issue exists where authenticated agents can inject malicious JavaScript payloads through the Address input field during property creation. These scripts execute when...

CVSS 5.4 | AI score 4.9 | EPSS 0.00031
Exploits: 0 | References: 7

Positive Technologies
•added 2026/06/04 12:0 a.m.•11 views

PT-2026-46202

PHP EI-Tube Script 3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the search parameter. Attackers can send GET requests to the search endpoint with crafted SQL payloads in the query parameter to...

CVSS 8.8 | AI score 6.1 | EPSS 0.00086
Exploits: 0 | References: 4

Positive Technologies
•added 2026/06/04 12:0 a.m.•10 views

PT-2026-46196

All in One Video Downloader 1.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send requests to the admin interface with UNION-based SQL injection payloads in the id...

CVSS 8.8 | AI score 6.1 | EPSS 0.00094
Exploits: 0 | References: 6

Total number of security vulnerabilities: 175461