Lucene search
K
PtsecurityRecent

184298 matches found

Positive Technologies
Positive Technologies
added yesterday8 views

PT-2026-57292

Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's self-hosted SAML application IdP built the signed SAML response and assertion by string-substituting user-controlled profile attributes such as name, email, and custom attribute-mapping values into...

8.5CVSS6.2AI score
Exploits0References5
Positive Technologies
Positive Technologies
added yesterday7 views

PT-2026-57183

In JetBrains IntelliJ IDEA before 2026.1.4, 2026.2 code execution via path traversal in project workspace ID handling was possible...

9.6CVSS6.4AI score
Exploits0References1
Positive Technologies
Positive Technologies
added yesterday7 views

PT-2026-57070

The WP Business Intelligence Lite plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.2.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...

8CVSS6.3AI score0.00348EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added yesterday7 views

PT-2026-57307

Authentication Bypass Using an Alternate Path or Channel vulnerability in miniOrange Security Software Pvt Ltd. OAuth Single Sign On - SSO OAuth Client allows Password Recovery Exploitation. This issue affects OAuth Single Sign On - SSO OAuth Client: from n/a through 38.5.8...

9.8CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday7 views

PT-2026-57310

Software installed and run as a non-privileged user may cause OOB kernel memory reads or writes through GPU API calls. When indexing pages larger than 4kB in the page freeing logic of the sparse memory implementation, incorrect buffer indexing leads to OOB access...

6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday9 views

PT-2026-57276

The WordPress Infinite Scroll – Ajax Load More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 7.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

4.4CVSS6.2AI score
Exploits0References3
Positive Technologies
Positive Technologies
added yesterday7 views

PT-2026-57338

The charging station websocket endpoint accepts connections without proper authentication, which could lead to privilege escalation...

9.8CVSS6.1AI score
Exploits0References4
Positive Technologies
Positive Technologies
added yesterday6 views

PT-2026-57141

The Logo Slider – Logo Carousel, Client Logo Slider & Brand Showcase for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'lgx tooltip position' parameter in all versions up to, and including, 5.5 due to insufficient input sanitization and output escaping. This...

6.4CVSS6.2AI score0.00331EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added yesterday7 views

PT-2026-57170

Capgo before 12.128.2 contains an authentication bypass vulnerability in the password change endpoint that allows attackers to change user passwords without requiring current password confirmation. Attackers with temporary session access can exploit this flaw to permanently lock out legitimate...

8.7CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday5 views

PT-2026-57340

Multiple connections to the backend using the same charging station ID are allowed, which could allow an attacker to deploy multiple instances of malicious OCPP clients to overwhelm the backend...

8.7CVSS6.1AI score
Exploits0References4
Positive Technologies
Positive Technologies
added yesterday8 views

PT-2026-57188

PraisonAI before 4.6.78 contains a prompt injection defense bypass vulnerability where the injection defense only blocks threats classified as CRITICAL, requiring three or more detector families to match simultaneously. Attackers can craft single or double-vector prompt injections that are...

6.9CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday9 views

PT-2026-57148

R-SOFT DMS stores superadmin credentials using a non-salted nested MD5 hash. This allows an attacker who obtain password hash to decode superadmin credentials. Critically, this password cannot be changed except by modifying the configuration file. This issue was fixed in version v3.17-2000...

8.2CVSS6.1AI score0.00269EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday7 views

PT-2026-57103

Insufficient Session Expiration, Authentication Bypass by Capture-replay vulnerability in Apache IoTDB. REST Basic Authentication Accepts Stale Cached Credentials This issue affects Apache IoTDB: from 1.0.0 before 2.0.10. Users are recommended to upgrade to version 2.0.10, which fixes the issue...

6.1AI score0.00182EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday7 views

PT-2026-57174

Capgo before 12.128.2 contains an authorization bypass vulnerability where write-scoped API keys can directly mutate protected channel configuration fields through PostgREST by exploiting a null authentication check in the immutability trigger. Attackers with write API keys can modify sensitive...

7.1CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday6 views

PT-2026-57248

Improper neutralization of special elements used in an SQL command 'SQL injection' vulnerability in Adam Retail Automation Ltd. MobilMen 20T allows SQL Injection. This issue affects MobilMen 20T: from v3 through 10072026. NOTE: The vendor was contacted early about this disclosure but did not...

9.8CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday7 views

PT-2026-57182

In JetBrains YouTrack before 2026.2.17012 cSS injection via Mermaid diagram rendering was possible...

3.5CVSS6.1AI score
Exploits0References1
Positive Technologies
Positive Technologies
added yesterday8 views

PT-2026-57246

HestiaCP before 1.9.5 contains an authenticated OS command injection vulnerability that allows low-privilege authenticated users to execute arbitrary commands as root by injecting a single-quote character into unvalidated DNS record types. Attackers can exploit insufficient input validation in is...

8.8CVSS6.6AI score
Exploits0References4
Positive Technologies
Positive Technologies
added yesterday6 views

PT-2026-57229

Authorization bypass through User-Controlled key vulnerability in Adam Retail Automation Ltd. MobilMen 20T allows Privilege Escalation. This issue affects MobilMen 20T: from v3 through 10072026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way...

8.8CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday6 views

PT-2026-57202

A vulnerability was detected in Eleveo Call Recording Software 9.7.0. The impacted element is an unknown function of the file /callrec/userAddAction.do. Performing a manipulation of the argument role results in improper authorization. It is possible to initiate the attack remotely. The exploit is...

6.5CVSS5.9AI score
Exploits0References6
Positive Technologies
Positive Technologies
added yesterday7 views

PT-2026-57159

Dell Unisphere for PowerMax, versions 10.3.0.5 and prior, contains a Deserialization of Untrusted Data vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges...

8.8CVSS6.3AI score
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday6 views

PT-2026-57113

The Highlighting Code Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...

4.4CVSS6.2AI score0.00208EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added yesterday5 views

PT-2026-57209

MaxKB is an open-source AI assistant for enterprise. Prior to 2.10.0-lts, MaxKB tool import functionality in apps/tools/serializers/tool.py and MCP referencing mode in apps/application/chat pipeline/step/chat step/impl/base chat step.py do not consistently validate MCP transport type, allowing an...

8.8CVSS6.2AI score
Exploits0References3
Positive Technologies
Positive Technologies
added yesterday8 views

PT-2026-57207

osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Prior to 5.23.1, on Windows, a local unprivileged attacker can cause a heap buffer out-of-bounds write if there is a query of the processes table targeting a maliciously crafted process, due to uncheck...

7CVSS6.2AI score
Exploits0References5
Positive Technologies
Positive Technologies
added yesterday5 views

PT-2026-57212

An unauthenticated attacker can repeatedly call Grafana's OAuth login route with unique values, causing unbounded memory growth that can eventually exhaust memory and crash the Grafana instance denial of service...

5.3CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday6 views

PT-2026-57326

OpenReplay is a self-hosted session replay suite. From 1.24.0 before 1.25.0, the OpenReplay tracking SDK accepts custom event names and captured page URLs from any visitor using a public project key, stores them in ClickHouse without output encoding, and later renders them in the authenticated...

9.3CVSS6.1AI score
Exploits0References4
Positive Technologies
Positive Technologies
added yesterday5 views

PT-2026-57175

n8n before 1.123.24, 2.10.4, and 2.12.0 across its 1.x and 2.x branches contains cross-site scripting and open redirect vulnerabilities in the Form Node due to unsanitized HTML description fields and overly permissive iframe sandbox policies. Authenticated users with workflow creation permissions...

5.1CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday7 views

PT-2026-57247

HestiaCP before 1.9.5 contains a stored cross-site scripting vulnerability that allows authenticated low-privilege users to inject arbitrary HTML by creating a DNS record with a double-quote followed by a script payload in the value field. The application fails to apply htmlspecialchars encoding ...

5.1CVSS6.2AI score
Exploits0References4
Positive Technologies
Positive Technologies
added yesterday5 views

PT-2026-57155

Dell PowerFlex Manager, Version prior to 5.1.0.1, contains an Improper Neutralization of Special Elements used in an OS Command 'OS Command Injection' vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability during OS Repository processing to achie...

9.1CVSS6.3AI score
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday5 views

PT-2026-57162

FlaskBB through 2.2.0, fixed in commit acc88cf, contains an authorization bypass vulnerability that allows authenticated moderators to perform unauthorized actions on topics in forums they do not control by submitting crafted topic ID lists. Attackers can include a low-ID topic from a permitted...

8.1CVSS6.2AI score
Exploits0References4
Positive Technologies
Positive Technologies
added yesterday7 views

PT-2026-57339

Previously, there was no throttling on repeated authentication attempts to the charging station backend, which could allow an attacker to execute a denial-of-service attack...

8.7CVSS6.1AI score
Exploits0References4
Positive Technologies
Positive Technologies
added yesterday5 views

PT-2026-57208

osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Prior to 5.23.1, on Windows, a local unprivileged attacker can cause a heap buffer out-of-bounds write if there is a query of the authenticode table targeting a maliciously crafted binary, due to...

7CVSS6.2AI score
Exploits0References5
Positive Technologies
Positive Technologies
added yesterday5 views

PT-2026-57185

In JetBrains TeamCity before 2026.1.2 stored XSS on the cloud profile page was possible via agent-reported data...

7.3CVSS6.1AI score
Exploits0References1
Positive Technologies
Positive Technologies
added yesterday6 views

PT-2026-57158

Plug.Parsers.MULTIPART, the multipart request-body parser used to handle file uploads and multipart forms, does not enforce its :length budget against all consumed resources, allowing an unauthenticated remote attacker to cause denial of service. The parser charges the :length limit only for part...

6.9CVSS6.1AI score
Exploits0References10
Positive Technologies
Positive Technologies
added yesterday5 views

PT-2026-57223

grav-plugin-database is the database plugin for Grav CMS. Prior to 1.2.0, the PDO::tableExists method interpolates its table argument directly into a raw SQL query string without sanitization, escaping, quoting, or whitelisting, allowing attacker-controlled table names passed by consuming plugin ...

9.2CVSS6.3AI score
Exploits0References3
Positive Technologies
Positive Technologies
added yesterday5 views

PT-2026-57206

osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Prior to 5.23.1, an unprivileged attacker can read the contents of an osquery file carve until the carve completes and the temporary files are deleted because in-progress carve directories are not...

4.4CVSS6.2AI score
Exploits0References5
Positive Technologies
Positive Technologies
added yesterday6 views

PT-2026-57260

Improper neutralization of special elements used in an SQL command 'SQL injection' vulnerability in Semtek Informatics Software Consulting Trade Ltd. Co. SEM-PMP allows Command Line Execution through SQL Injection. This issue affects SEM-PMP: through 23042026...

9.8CVSS6.1AI score
Exploits0References1
Positive Technologies
Positive Technologies
added yesterday8 views

PT-2026-57314

Kernel software installed and running inside a Host VM may post improper commands to the GPU Firmware to trigger a memory write outside the permitted range of memory for the host kernel. A TOCTOU bug existed where a malicious driver could modify values in memory after firmware validation but befo...

6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday5 views

PT-2026-57199

The Grav API plugin getgrav/grav-plugin-api before 1.0.3 fails to sanitize SVG files uploaded through the POST /api/v1/media endpoint. The HandlesMediaUploads::processUploadedFile method validates only the file extension and never invokes Security::sanitizeSVG, so an authenticated attacker with t...

5.1CVSS6.2AI score
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday8 views

PT-2026-57228

The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to Arbitrary Post Creation and Stored Cross-Site Scripting in all versions up to, and including, 14.0.0 due to a leak of an API token and insufficient input sanitization and output escaping. This makes it possible for unauthenticat...

7.2CVSS6.2AI score
Exploits0References3
Positive Technologies
Positive Technologies
added yesterday7 views

PT-2026-57156

Dell PowerFlex Manager, Version prior to 5.1.0.1, contains an Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure...

7.7CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday7 views

PT-2026-57305

RabbitMQ is a messaging and streaming broker. Prior to 4.2.6, the RabbitMQ stream listener does not enforce the configured stream frame-size limit while assembling frames during authentication and before Tune negotiation, allowing an unauthenticated remote client to declare oversized frame length...

7.5CVSS6.1AI score
Exploits0References7
Positive Technologies
Positive Technologies
added yesterday8 views

PT-2026-57115

The Eventin – Event Calendar, Event Registration, Tickets & Booking AI Powered plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'etn faq content' parameter in all versions up to, and including, 4.1.15 due to insufficient input sanitization and output escaping. This makes ...

6.4CVSS6.2AI score0.00206EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added yesterday5 views

PT-2026-57160

Dell Unisphere for PowerMax, versions 10.3.0.5 and prior contains an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access...

5.3CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday6 views

PT-2026-57144

A flaw was found in the guardrails-detectors component. This vulnerability allows a remote attacker to perform a blind Server-Side Request Forgery SSRF by submitting a specially crafted XML Schema Definition XSD string. This can lead to unauthorized access to sensitive information, including...

9.3CVSS6.1AI score0.00424EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added yesterday8 views

PT-2026-57173

Capgo before 12.128.2 contains a cross-tenant preview namespace collision vulnerability caused by non-bijective decoding of double underscores to dots in preview hostname parsing. Attackers can register app IDs with underscores that collide with other tenants' dotted app IDs, causing preview...

6.4CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday6 views

PT-2026-57240

grav-plugin-admin is an HTML user interface that provides a way to configure Grav and create and modify pages. In 1.10.52 and earlier, an authenticated attacker with admin.users permission can change the password of any user account, including the super administrator, by sending a direct POST...

8.7CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added yesterday4 views

PT-2026-57138

The KiviCare – Clinic & Patient Management System EHR plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.4.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated...

5.3CVSS6.2AI score0.00561EPSS
Exploits0References13
Positive Technologies
Positive Technologies
added yesterday8 views

PT-2026-57172

Capgo before 12.128.2 contains an improper validation vulnerability in the accept invitation endpoint that creates user accounts before captcha validation is enforced. Attackers can bypass captcha protection by sending POST requests with invalid captcha tokens to create unwanted accounts and burn...

6.9CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday9 views

PT-2026-57189

PraisonAI pip package praisonaiagents before 1.6.78 automatically loads defaults from a project-local .praisonai/config.toml when constructing an Agent, and does not validate the defaults.output.output file path. A repository-controlled config file can set output file to an absolute or '..'...

6.9CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added yesterday8 views

PT-2026-57074

The Animation Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'weather style' and 'move direction' parameters of the Weather widget in all versions up to, and including, 2.6.3. This is due to insufficient output escaping in the Weather widget's rende...

6.4CVSS6.2AI score0.00193EPSS
Exploits0References5
Total number of security vulnerabilities184298