Lucene search
K
PtsecurityRecent

184508 matches found

Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.11 views

PT-2026-55406

Summary Embedded runner policy could be confused by provider aliases. In affected versions, a request using provider aliases could compare policy against an alias instead of the canonical provider identity. This advisory is scoped to the named feature and configuration. It does not change...

4.8CVSS5.9AI score0.00093EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.16 views

PT-2026-55297

Name of the Vulnerable Software and Affected Versions Dapr affected versions not specified Description Dapr Sentry's OIDC discovery endpoint /.well-known/openid-configuration derives the issuer and jwks uri from the request Host. When no allowed-hosts list is configured, the system honors an...

8.2CVSS6AI score0.00246EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.11 views

PT-2026-55457

Summary The fix for CVE-2026-46339 unauthenticated RCE via unprotected MCP plugin routes introduced a local-only access gate in src/dashboardGuard.js that restricts spawn-capable routes /api/mcp/, /api/tunnel/, /api/cli-tools/ to loopback requests. The gate determines "local" by inspecting the Ho...

7.5CVSS6.6AI score0.00147EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.10 views

PT-2026-55052

Name of the Vulnerable Software and Affected Versions WP EasyCart versions prior to 5.9.1 Description An issue exists that allows users with contributor privileges to perform a SQL Injection. SQL Injection is a technique where malicious SQL statements are inserted into entry fields for execution,...

8.5CVSS6AI score0.0022EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.15 views

PT-2026-55282

Name of the Vulnerable Software and Affected Versions Eclipse Wakaama versions prior to snapshot/2026-05-26 Description An unbounded memory allocation issue exists in the CoAP Block1 handler within the coap/block.c file. Unauthenticated remote attackers can cause a denial of service by sending a...

8.7CVSS6.2AI score0.00555EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.15 views

PT-2026-55267

Observable Response Discrepancy vulnerability in Erlang OTP ssh ssh sftpd module allows an authenticated SFTP user to enumerate the existence of files and directories outside the configured root directory. The SSH FXP REALPATH handler in ssh sftpd calls relate file name/3 with Canonicalize=false,...

2.3CVSS5.8AI score0.00262EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.9 views

PT-2026-55410

The TIFF decoder does not place a limit on the size of PackBits-compressed data. A maliciously-crafted image can exploit this to cause a small image both in terms of pixel width/height and encoded size to make the decoder decode large amounts of compressed data...

7.5CVSS5.8AI score0.00353EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.9 views

PT-2026-54974

Name of the Vulnerable Software and Affected Versions NativeChurch versions prior to 4.8.8.3 Description An unauthenticated Cross Site Scripting XSS issue exists, allowing attackers to execute malicious scripts without authentication. Recommendations Update NativeChurch to a version newer than...

7.1CVSS6AI score0.0018EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.6 views

PT-2026-55022

Subscriber Server Side Request Forgery SSRF in GeoDirectory = 2.8.161 versions...

6.4CVSS5.8AI score0.0023EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.11 views

PT-2026-55559

These are all security issues fixed in the perl-List-SomeUtils-XS-0.590.0-1.1 package on the GA media of openSUSE Tumbleweed...

7.5CVSS5.9AI score0.00419EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.7 views

PT-2026-55239

Name of the Vulnerable Software and Affected Versions UniFi OS affected versions not specified Description A path traversal issue exists in certain devices running UniFi OS. A malicious actor with network access can exploit this to bypass authentication on the affected devices or instances. Path...

8.6CVSS6AI score0.00457EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.10 views

PT-2026-55323

Name of the Vulnerable Software and Affected Versions WatchGuard Fireware OS versions 11.0 through 11.12.4 Update1 WatchGuard Fireware OS versions 12.0 through 12.12 WatchGuard Fireware OS versions 2025.1 through 2026.2 Description An Out-of-bounds Write issue exists in the CLI, where an...

8.6CVSS6.3AI score0.00468EPSS
Exploits0References12
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.8 views

PT-2026-55203

Missing authentication for critical function vulnerability in TR7 Cyber ​​Defense Inc. WAF-ASP allows Authentication Abuse. This issue affects WAF-ASP: from v1.0.324.900 before v1.4.0.117...

9.8CVSS5.8AI score0.00333EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.14 views

PT-2026-55471

Am I affected You are affected if: 1. You run any version of zebrad up to and including v4.4.1. 2. Your node validates blocks on mainnet, testnet, or any network where both Zebra and zcashd nodes participate. All default configurations are affected. No feature flags, non-default settings, or...

9.3CVSS6AI score
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.9 views

PT-2026-54951

Name of the Vulnerable Software and Affected Versions Database for Contact Form 7, WPforms, Elementor forms versions prior to 1.5.2 Description An arbitrary file copy issue exists in the create entry el function. The function retrieves the raw value from the Elementor Pro Form Record object for...

6.5CVSS6AI score0.00372EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.9 views

PT-2026-55561

These are all security issues fixed in the python314-3.14.6-1.1 package on the GA media of openSUSE Tumbleweed...

9.1CVSS6.1AI score0.02602EPSS
Exploits1References13
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.15 views

PT-2026-54963

Subscriber Local File Inclusion in Tourmaster = 5.4.5 versions...

7.5CVSS5.8AI score0.004EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.8 views

PT-2026-55387

Summary Langroid's ReadFileTool and WriteFileTool appear to treat curr dir as the intended working-directory boundary for file operations. However, the tools only change the process working directory to curr dir and then operate on the user-supplied file path without resolving and enforcing that...

7.1CVSS5.8AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.11 views

PT-2026-55003

Unauthenticated Cross Site Scripting XSS in eCommerce Product Catalog = 3.5.4 versions...

7.1CVSS5.8AI score0.00191EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.15 views

PT-2026-55251

A malicious actor with access to the network and low privileges could exploit a Server-Side Request Forgery SSRF in UniFi Protect Application to escalate privileges on the host device...

9.9CVSS5.8AI score0.00232EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.20 views

PT-2026-55198

The Divi Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload leading to Remote Code Execution in all versions up to and including 5.1.8. This is due to insufficient file extension validation in the do image upload function where user-supplied input from the acceptFileTypes PO...

9.8CVSS6AI score0.00542EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.8 views

PT-2026-54958

In liboauth2 the Demonstrating Proof-of-Possession DPoP verifier accepts a proof whose JSON Web Key jwk header contains private key material. RFC 9449 section 4.3 step 7 requires the verifier to reject such a proof but oauth2 token verify function returns success for a malformed DPoP proof that...

5.1CVSS5.8AI score0.00128EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.7 views

PT-2026-54873

GeoWebPlayer also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud is an addon that can be installed with various GeoVision software GV-VMS, GV-Cloud, .... It creates a websocket server that expands the capabilities of the various web-interfaces provided by the...

8.3CVSS5.8AI score0.00286EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.9 views

PT-2026-55399

Summary DataCenterInfo.FromJson throws ArgumentException for any name value other than "MyOwn" or "Amazon", despite the Java Eureka specification defining a third valid value: "Netflix". The exception propagates through the entire registry deserialization chain and is swallowed by the periodic...

7.5CVSS5.8AI score0.00339EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.8 views

PT-2026-55315

Name of the Vulnerable Software and Affected Versions Libreswan affected versions not specified Description Libreswan fails to correctly verify the authentication hash length when the SIG payload of an IKEv1 packet is encoded using PKCS 1 RSA Encryption. This occurs within the RSA authenticate ha...

8.1CVSS6.5AI score0.00392EPSS
Exploits0References11
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.13 views

PT-2026-55050

Name of the Vulnerable Software and Affected Versions Structured Content versions prior to 1.7.1 Description Cross Site Scripting XSS allows an attacker with contributor privileges to execute malicious scripts in the browser of other users. Recommendations Update Structured Content to a version...

6.5CVSS6AI score0.00139EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.17 views

PT-2026-55337

Name of the Vulnerable Software and Affected Versions WatchGuard Fireware OS versions 12.1 through 12.12 WatchGuard Fireware OS versions 2025.1 through 2026.2 Description WatchGuard Fireware OS on a FireCluster may use a hard-coded encryption key to encrypt saved credentials for Access Portal...

5.9CVSS5.9AI score0.00134EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.12 views

PT-2026-55476

Impact In JSONata = 2.2.0 via fixes that include https://github.com/jsonata-js/jsonata/pull/782 and https://github.com/jsonata-js/jsonata/pull/793. Applications that evaluate user-provided expressions should update ASAP to prevent exploitation. References...

7.5CVSS5.7AI score
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.13 views

PT-2026-55314

Name of the Vulnerable Software and Affected Versions Libreswan affected versions not specified Description An invalidly formatted IKEv2 fragment can cause the pluto daemon to crash and restart, leading to a denial of service. The issue occurs within the reassemble v2 incoming fragments function,...

7.5CVSS6.4AI score0.00597EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.12 views

PT-2026-54983

Unauthenticated Broken Access Control in NOWPayments for WooCommerce = 1.4.0 versions...

7.5CVSS5.8AI score0.00263EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.16 views

PT-2026-55263

Redsea Cloud eHR contains an arbitrary file upload vulnerability that allows unauthenticated attackers to achieve remote code execution by uploading malicious files through the PtFjk.mob servlet endpoint. Attackers can submit a multipart POST request with a JSP webshell disguised using a spoofed...

9.8CVSS6.5AI score0.00708EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.9 views

PT-2026-55037

Name of the Vulnerable Software and Affected Versions SportsPress Pro versions 2.7.29 and earlier Description A Local File Inclusion LFI issue exists where users with Contributor privileges can read local files on the server. Local File Inclusion is a vulnerability that allows an attacker to indu...

7.5CVSS5.9AI score0.00278EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.12 views

PT-2026-55260

Name of the Vulnerable Software and Affected Versions Flowmon ADS versions prior to 12.5.6 Flowmon ADS versions prior to 13.0.5 Description An authenticated low-privileged user in the Anomaly Detection System ADS can send specially crafted requests to gain unauthorized access to application data...

8.7CVSS5.9AI score0.00247EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.13 views

PT-2026-54640

Name of the Vulnerable Software and Affected Versions Request a Quote versions prior to 2.5.6 Description The Request a Quote plugin for WordPress allows unauthenticated attackers to perform code injection. The issue occurs because the emd delete file function derives a PHP function name from the...

7.5CVSS6.1AI score0.00333EPSS
Exploits0References12
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.15 views

PT-2026-55370

Summary A path traversal vulnerability exists in the campaign import feature of Mautic 7. When extracting uploaded ZIP files during campaign imports, a flaw in the validation logic allows file paths to escape the intended temporary directories. Impact An authenticated user with campaign import...

9.9CVSS6.1AI score0.00583EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.10 views

PT-2026-55412

We have identified an authorization issue in Craft CMS AssetsController::actionReplaceFile that can delete a source asset without source delete permission by supplying both assetId and sourceAssetId. Description Craft CMS’s craftcontrollersAssetsController::actionReplaceFile supports replacing a...

5.3CVSS5.8AI score0.00265EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.13 views

PT-2026-54998

Subscriber Broken Access Control in Classified Listing = 5.4.2 versions...

6.5CVSS5.8AI score0.00299EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.13 views

PT-2026-54959

Unauthenticated Local File Inclusion in Lighthouse = 1.2.12 versions...

8.1CVSS5.8AI score0.00282EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.10 views

PT-2026-55292

LobeChat through 2.2.9 server-database deployments are vulnerable to broken object-level authorization in MessageModel. The updateMessagePlugin, updatePluginState, updatePluginError, updateTTS and updateTranslate methods filter target rows by message id alone, omitting the userId scope that sibli...

6CVSS5.8AI score0.00154EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.13 views

PT-2026-55449

Impact A path traversal vulnerability exists in the Zmodem and Trzsz file download handlers in electerm. When receiving files via Zmodem or Trzsz protocols, electerm uses the remote-supplied filename directly in path.join with the user-selected download directory without sanitization. A malicious...

7.1CVSS6AI score0.00034EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/01 12:0 a.m.13 views

PT-2026-54511

The Slim SEO – A Fast & Automated SEO Plugin For WordPress plugin for WordPress is vulnerable to Unauthorized Private Content Disclosure in all versions up to, and including, 4.9.8 via the /wp-json/slim-seo/meta-tags/ai REST API endpoint. This is due to the endpoint's permission callback performi...

4.3CVSS5.9AI score0.00257EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2026/07/01 12:0 a.m.9 views

PT-2026-55429

These are all security issues fixed in the c3p0-0.14.1-1.1 package on the GA media of openSUSE Tumbleweed...

6.3CVSS5.8AI score0.00284EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/01 12:0 a.m.6 views

PT-2026-54804

In the Linux kernel, the following vulnerability has been resolved: nvmem: layouts: onie-tlv: fix hang on unknown types The EEPROM on my board has a vendor specific entry of type 0x41. When stumbling upon that, this driver hangs in an endless loop. Fix it by keep incrementing the offset on unknow...

5.8AI score0.00156EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/07/01 12:0 a.m.7 views

PT-2026-54781

Name of the Vulnerable Software and Affected Versions Craft CMS versions 4.0.0-RC1 through 4.17.14 Craft CMS versions 5.0.0-RC1 through 5.9.21 Description An issue exists in the AssetsController::actionDeleteFolder function where the system only verifies the deleteAssets: permission for the targe...

7.1CVSS5.8AI score0.00249EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/07/01 12:0 a.m.7 views

PT-2026-55163

Summary A memory-safety vulnerability in Open Babel's Gaussian output parser allowed an out-of-bounds write when reading a crafted input file. Details The flaw was in the coords type orientation parser inside the Gaussian output reader. A malformed orientation block caused the parser to write pas...

7.8CVSS6.7AI score0.00704EPSS
Exploits1References6
Positive Technologies
Positive Technologies
added 2026/07/01 12:0 a.m.9 views

PT-2026-54789

SQL Injection vulnerability in GoAdminGroup GoAdmin last release v1.2.26 allows a remote attacker to execute arbitrary code and obtain sensitive information via the the sort type URL parameter on all /admin/info/table endpoints...

6.5CVSS6.2AI score0.00336EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/01 12:0 a.m.7 views

PT-2026-55171

sigstore-js derives a transparency-log timestamp from tlogEntries.integratedTime and uses it to validate certificate validity windows and satisfy timestampThreshold. For bundle v0.2, a tlog entry can be inclusionProof-only no signed inclusionPromise/set, and the inclusion proof path does not...

6.5CVSS5.8AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/01 12:0 a.m.6 views

PT-2026-55113

The file content store in oras-go attempts to confine writes to workingDir when AllowPathTraversalOnWrite=false, but the guard is lexical and does not account for symlink traversal. If workingDir contains a symlink path component and an attacker-controlled blob title via ocispec.AnnotationTitle...

6.9CVSS5.7AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/01 12:0 a.m.7 views

PT-2026-54790

An issue in Pivotal CRM 6.6.4.08 and systems using patch-ghi-15381-cwe-502-20251225.zip fixed in Pivotal CRM 6.6.5.10 and Patch CWE502 20260316.zip allows a remote attacker to execute arbitrary code via the Pivotal.Engine.Client.Services.Conversion.dll component. NOTE: this issue exists because o...

6.2AI score0.0113EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/01 12:0 a.m.7 views

PT-2026-55129

Untrusted Project Bootstrap Code Execution via CLAUDE PROJECT DIR Summary The Cortex MCP server neuro-cortex-memory treats the CLAUDE PROJECT DIR environment variable — automatically set by Claude Code to the currently open project directory — as a trusted Cortex developer checkout. When the open...

8.5CVSS6.6AI score
Exploits0References4
Total number of security vulnerabilities184508