175511 matches found
PT-2026-46690
Name of the Vulnerable Software and Affected Versions: Google Chrome on Android versions prior to 149.0.7827.53. Description: A use after free issue in Messages allows a remote attacker to potentially perform a sandbox escape by using a crafted HTML page. Use after free is a memory corruption flaw...
PT-2026-46635
Name of the Vulnerable Software and Affected Versions: Google Chrome on Android versions prior to 149.0.7827.53. Description: An inappropriate implementation in the Near Field Communication (NFC) component allows a remote attacker to perform privilege escalation through the use of a crafted HTML page...
PT-2026-46602
Name of the Vulnerable Software and Affected Versions: Google Chrome on Linux versions prior to 149.0.7827.53. Description: A use after free issue in WebRTC allows a remote attacker to execute arbitrary code through a specially crafted HTML page. Use after free is a memory corruption flaw that occur...
PT-2026-46808
Integer overflow in Chromoting in Google Chrome on Windows prior to 149.0.7827.53 allowed a local attacker to obtain potentially sensitive information from process memory via a crafted ETW event. Chromium security severity: Low...
PT-2026-46788
Inappropriate implementation in PDF in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. Chromium security severity: Low...
PT-2026-46777
Inappropriate implementation in DevTools in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. Chromium security severity: Low...
PT-2026-46810
Insufficient validation of untrusted input in Shortcuts in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a malicious file. Chromium security severity: Low...
PT-2026-46778
Insufficient policy enforcement in Password Manager in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass discretionary access control via a crafted HTML page. Chromium security severity: Low...
PT-2026-46796
Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker in a privileged network position to execute arbitrary code inside a sandbox via a crafted Chrome Extension. Chromium security severity: Low...
PT-2026-46792
Inappropriate implementation in Autofill in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. Chromium security severity: Low...
PT-2026-46806
Out of bounds read in DevTools in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: Low...
PT-2026-46809
Name of the Vulnerable Software and Affected Versions: Google Chrome on Linux versions prior to 149.0.7827.53. Description: Insufficient policy enforcement in the Sandbox allows a remote attacker to potentially perform a sandbox escape by using a crafted HTML page. A sandbox escape occurs when a...
PT-2026-46800
Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. Chromium security severity: Low...
PT-2026-46787
Inappropriate implementation in Permissions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass content security policy via a crafted HTML page. Chromium security severity: Low...
PT-2026-46829
Insufficient policy enforcement in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. Chromium security severity: Low...
PT-2026-46825
Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. Chromium security severity: Low...
PT-2026-46836
Insufficient policy enforcement in History in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. Chromium security severity: Low...
PT-2026-46428
Name of the Vulnerable Software and Affected Versions: Google Chrome on Linux versions prior to 149.0.7827.53. Description: A use after free issue in Ozone allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This occurs when a user is convinced to perform specifi...
PT-2026-49153
Publisher note: Fixed in v1.7.17. Operators running v1.7.17 should upgrade. The decompression-error path in MultiDataInterceptor.ProcessReceivedMessage now releases the global throttler slot before returning guarded defer after StartProcessing, disabled when the asynchronous goroutine takes...
PT-2026-49162
Root has patched NSWG-ECO-428 in the @rootio/base64url package for Root:npm. Multiple fixed versions available...
PT-2026-46750
Name of the Vulnerable Software and Affected Versions: Google Chrome versions prior to 149.0.7827.53. Description: A use after free issue in Chromoting allows a remote attacker to execute arbitrary code through malicious network traffic. Use after free is a memory corruption flaw that occurs when an...
PT-2026-49156
Summary: CSV formula injection (also known as formula injection or CSV injection) affects customer export. User-controlled values (customer names, email addresses, and shipping addresses). When an administrator opens a crafted Export in Microsoft Excel or LibreOffice Calc, formulas embedded in user da...
PT-2026-49152
Unknown description...
PT-2026-49155
Impact: On May 19, 2026, a compromised version of @cap-js/[email protected] was published. The malicious packages harvested credentials and attempted self-propagation. If a compromised version was installed, all credentials accessible on that machine npm tokens, cloud provider credentials, SSH keys,...
PT-2026-49161
Root has patched NSWG-ECO-17 in the @rootio/jsonwebtoken package for Root:npm. Multiple fixed versions available...
PT-2026-49154
Unauthenticated Stored DOM XSS via page title Broadcast in AVideo YPTSocket Plugin. Summary: A stored DOM Cross-Site Scripting vulnerability (CWE-79) in the AVideo YPTSocket plugin lets any unauthenticated remote attacker execute arbitrary JavaScript in the authenticated origin of every administrator...
PT-2026-49160
Root has patched NSWG-ECO-154 in the @rootio/sanitize-html package for Root:npm. Multiple fixed versions available...
PT-2026-46812
Name of the Vulnerable Software and Affected Versions: Google Chrome on iOS versions prior to 149.0.7827.53. Description: An inappropriate implementation in Chrome for iOS allows a remote attacker to perform UI spoofing, which is the act of mimicking a legitimate user interface to deceive users, by...
PT-2026-46189
Name of the Vulnerable Software and Affected Versions: MLflow versions prior to 3.10.1. Description: A flaw in the Dataset Digest Computation component allows the use of a weak hash. This issue occurs within the mlflow.data.digest_utils function located in the mlflow/data/digest_utils.py file. An...
PT-2026-46392
Name of the Vulnerable Software and Affected Versions: Arista EOS (affected versions not specified). Description: When operating in 802.1X mode, multi-auth unauthenticated hosts may be granted unauthorized access to a switch port if an EAPOL (Extensible Authentication Protocol over LAN) capable device i...
PT-2026-46408
A vulnerability was identified in projectworlds Online Art Gallery Shop Project 1.0. The affected element is an unknown function of the file /admin/adminHome.php. The manipulation of the argument social insta leads to sql injection. The attack may be initiated remotely. The exploit is publicly...
PT-2026-46256
bacnet-stack 1.3.1 contains an Out-of-bounds Read in bacnet_tag_number_decode which allows attackers to cause a denial of service...
PT-2026-46387
The WP Meta Sort Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9. This is due to missing or incorrect nonce validation on the top-level included script in msp-options.php. This makes it possible for unauthenticated attackers to chan...
PT-2026-46210
Joomla com_jsjobs 1.2.6 contains an arbitrary file deletion vulnerability that allows authenticated attackers to delete files by manipulating custom userfield parameters. Attackers can send POST requests to the job.savejob task with path traversal sequences in the field 2 parameter to delete...
PT-2026-46331
That number got my attention. I've cleaned up enough incidents to know what usually happens when a vulnerability becomes public. Attackers don't wait. Right now there are 145 WordPress plugins/themes with publicly disclosed vulnerabilities that still have no available fix. If you're running any o...
PT-2026-46156
System log files output unencrypted SMTP server authentication passwords alongside sensitive employee corporate identification data...
PT-2026-46327
That number got my attention. I've cleaned up enough incidents to know what usually happens when a vulnerability becomes public. Attackers don't wait. Right now there are 145 WordPress plugins/themes with publicly disclosed vulnerabilities that still have no available fix. If you're running any o...
PT-2026-46333
That number got my attention. I've cleaned up enough incidents to know what usually happens when a vulnerability becomes public. Attackers don't wait. Right now there are 145 WordPress plugins/themes with publicly disclosed vulnerabilities that still have no available fix. If you're running any o...
PT-2026-46155
Leftover debug modules contain fixed credentials for internal AWS Cognito test sandboxes, risking asset exploitation...
PT-2026-46205
AllPlayer 7.4 contains a local buffer overflow vulnerability in URL handling that allows attackers to overwrite structured exception handling pointers by supplying an excessively long URL string. Attackers can craft a malicious URL, paste it into the Open URL dialog, and trigger SEH-based code...
PT-2026-46315
Name of the Vulnerable Software and Affected Versions: netty incubator codec-ohttp versions prior to 0.0.22.Final. Description: The codec-ohttp implementation of draft-ietf-ohai-chunked-ohttp fails to verify the receipt of a cryptographically-signed final chunk before the outer HTTP body terminates...
PT-2026-46627
Name of the Vulnerable Software and Affected Versions: Google Chrome on Mac versions prior to 149.0.7827.53. Description: A use after free issue exists in the File Input component. A remote attacker can potentially perform a sandbox escape by convincing a user to perform specific UI gestures while...
PT-2026-46884
Summary: A non-admin API user with integration:create ACL privilege can escalate to full administrator by creating an integration with admin: true through the Sync API (POST /api/_action/sync). The regular integration endpoint (POST /api/integration) correctly blocks this, but the Sync API bypasses th...
PT-2026-46201
Name of the Vulnerable Software and Affected Versions: Zuz Music version 2.1. Description: A persistent cross-site scripting issue allows unauthenticated attackers to inject malicious JavaScript by submitting crafted contact form data. The injection occurs via the name, subject, and message paramete...
PT-2026-46319
Name of the Vulnerable Software and Affected Versions: Bluetooth Mesh (affected versions not specified). Description: An integer underflow occurs in the bt_mesh_sol_recv function within the Bluetooth Mesh solicitation handling. When CONFIG_BT_MESH_OD_PRIV_PROXY_SRV is enabled, the function parses...
PT-2026-46191
Name of the Vulnerable Software and Affected Versions: OpenShift Pipelines operator (affected versions not specified). Description: A flaw in the OpenShift Pipelines operator occurs because the tekton-scheduler-rolebinding ClusterRoleBinding grants the system:authenticated group write access to Kueue...
PT-2026-46856
Summary: The Shopware Store API endpoint /store-api/handle-payment contains an object-level authorization flaw that allows a low-privileged external user with a normal customer or guest context to trigger the payment flow for another user’s order by supplying a foreign orderId. The affected...
PT-2026-49129
This crate provides Rust bindings to the HQC key encapsulation mechanism via C implementations from PQClean. The PQClean project is being archived in or after July 2026 (see PQClean/PQClean#604), after which no further security patches or bug fixes will be applied to the upstream implementations. As...
PT-2026-45902
Name of the Vulnerable Software and Affected Versions: FreeIPMI versions prior to 1.16.18. Description: The ipmi-oem client command, which implements Intelligent Platform Management Interface (IPMI) OEM commands for specific hardware vendors, contains buffer overflows on response messages. This issue...
PT-2026-46032
Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified). Description: A NULL pointer dereference occurs in the k230 pinctrl driver during the probing process when parsing the devicetree. The issue arises within the k230_pinctrl_parse_functions function,...