Lucene search
K
PtsecurityRecent

184496 matches found

Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.8 views

PT-2026-53905

Name of the Vulnerable Software and Affected Versions ColdFusion versions prior to 2025.10 Description A Server-Side Request Forgery SSRF issue allows an attacker to bypass security features and obtain unauthorized read access. This flaw can be exploited without any user interaction...

8.6CVSS5.8AI score0.00439EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.7 views

PT-2026-53878

Name of the Vulnerable Software and Affected Versions @fastify/express versions prior to 4.0.7 Description A middleware scoping flaw exists where plugin prefixes are not applied to middleware mount paths when the mount path is provided as an array or a regular expression. This occurs due to...

9.1CVSS6AI score0.00295EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.7 views

PT-2026-53920

Name of the Vulnerable Software and Affected Versions Vibe-Trading versions prior to 0.1.10 Description The local API server trusts the TCP peer address to bypass the API AUTH KEY bearer-token check for loopback clients and lacks Host header validation while binding to 0.0.0.0 with credentialed...

7.7CVSS6.6AI score0.00286EPSS
Exploits0References13
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.10 views

PT-2026-53836

Name of the Vulnerable Software and Affected Versions EventON - WordPress Virtual Event Calendar Plugin versions prior to 5.0.12 Description An issue exists where unauthenticated attackers can perform SQL Injection, a technique used to interfere with the queries that an application makes to its...

9.8CVSS6AI score0.00438EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.7 views

PT-2026-53908

Name of the Vulnerable Software and Affected Versions ColdFusion versions 2023.20 and earlier ColdFusion version 2025.9 Description An Improper Limitation of a Pathname to a Restricted Directory, also known as Path Traversal, allows an attacker to access sensitive files and directories outside th...

9.3CVSS6.2AI score0.01577EPSS
Exploits0References15
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.8 views

PT-2026-53882

SQL misconfiguration in the Gravitino UI, in versions 1.0.0 and below, can allow a malicious user to read or truncate files. Users are recommended to upgrade to version 1.0.0, which fixes this issue...

5.4CVSS5.7AI score0.00348EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.12 views

PT-2026-53866

Name of the Vulnerable Software and Affected Versions NetScaler ADC affected versions not specified NetScaler Gateway affected versions not specified Description An unauthenticated arbitrary file read issue exists when access to the NSIP NetScaler IP, Cluster Management IP, or SNIP Subnet IP with...

7.5CVSS5.9AI score0.00415EPSS
Exploits0References12
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.11 views

PT-2026-53970

Name of the Vulnerable Software and Affected Versions IBM Business Automation Manager Open Editions versions 9.0.0 through 9.4.2 Description An XML external entity injection XXE occurs when processing XML data. This allows a remote attacker to expose sensitive information or consume memory...

9.1CVSS6AI score0.00406EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.11 views

PT-2026-54445

Name of the Vulnerable Software and Affected Versions Sigstore Timestamp Authority versions prior to v2.0.7 Description An unauthenticated remote attacker can cause unbounded memory growth on the timestamp authority server. The issue occurs because the wrapMetrics middleware records the raw HTTP...

5.9CVSS6AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.8 views

PT-2026-53982

Name of the Vulnerable Software and Affected Versions IBM watsonx.data intelligence versions 5.2.0 through 5.3.0 Description The software transmits data in clear text, which could allow an attacker to obtain sensitive information using man-in-the-middle techniques. Man-in-the-middle is a type of...

5.9CVSS5.9AI score0.00203EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.11 views

PT-2026-53950

Name of the Vulnerable Software and Affected Versions IBM Langflow OSS versions 1.0.0 through 1.10.0 Description Langflow uses a weak and reversible key derivation mechanism for encryption at rest, which could lead to the disclosure of all stored credentials. Recommendations At the moment, there ...

9.1CVSS5.9AI score0.00164EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.9 views

PT-2026-53864

fzf is vulnerable to a Denial of Service DoS due to inefficient HTTP body processing in the --listen mode due to inefficient HTTP body processing using repeated string concatenation, resulting in quadratic time complexity On². A crafted POST request with many small segments can trigger excessive...

5.7CVSS5.7AI score0.00243EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.12 views

PT-2026-53954

Name of the Vulnerable Software and Affected Versions IBM Db2 versions 11.5.0 through 11.5.9 IBM Db2 versions 12.1.0 through 12.1.4 Description Remote code execution is possible due to improper handling of the pre-authentication DRDA Distributed Relational Database Architecture handshake. This fl...

9.8CVSS6.3AI score0.0086EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.14 views

PT-2026-53992

Name of the Vulnerable Software and Affected Versions DCMTK affected versions not specified Description A compromised or malicious server can force a client to write files outside the designated output directory. This occurs when the client uses the bit-preserving C-GET storage mode, allowing the...

9.8CVSS5.8AI score0.00435EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.7 views

PT-2026-55071

Ghost is a Node.js content management system. From 6.0.9 until 6.21.1, Ghost’s private-IP check for outbound HTTP requests could be bypassed via DNS rebinding, allowing an attacker to coerce the Ghost server into reaching hosts on internal networks through features that issue external fetches. Th...

4CVSS5.8AI score0.0014EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.6 views

PT-2026-55185

In the Tarfile.extract function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts content from untrusted tar files could end up writing files with an unexpected uid/gid despite the user passing filter='data' to the extract function...

5.8AI score
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.8 views

PT-2026-54021

Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2 Description An authentication bypass exists due to an improper NULL comparison in the authorization gate. Unauthenticated attackers can exploit this by using a public API key to access the PostgREST RPC endpoin...

8.7CVSS5.8AI score0.00341EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.5 views

PT-2026-54253

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 150.0.7871.47 Description An inappropriate implementation in the HTMLParser allows a remote attacker to perform Universal Cross-Site Scripting UXSS, which is a vulnerability that allows scripts to execute across...

9.6CVSS6.2AI score0.00413EPSS
Exploits0References448
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.6 views

PT-2026-53871

A flaw was found in GLib. A buffer over-read can occur in the g regex replace function when used with the G REGEX RAW compile flag and case-change replacement escapes because the string append function processes matched substrings using UTF-8 functions that assume valid UTF-8 input, even when the...

6.5CVSS5.9AI score0.00322EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.5 views

PT-2026-54427

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 150.0.7871.47 Description An out-of-bounds read and write issue exists in ANGLE, a compatibility layer that allows OpenGL ES APIs to run on non-native platforms. This flaw allows a remote attacker who has alread...

9.6CVSS6AI score0.00413EPSS
Exploits0References448
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.5 views

PT-2026-54274

Name of the Vulnerable Software and Affected Versions Google Chrome on Mac versions prior to 150.0.7871.47 Description An issue in the File Input security UI allows a remote attacker to perform UI spoofing via a crafted HTML page. This occurs when a user is convinced to perform specific UI...

9.6CVSS6AI score0.00413EPSS
Exploits0References447
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.9 views

PT-2026-54271

Name of the Vulnerable Software and Affected Versions Google Chrome on Android versions prior to 150.0.7871.47 Description Insufficient validation of untrusted input in the Autofill feature allows a remote attacker to perform UI spoofing via a crafted HTML page. UI spoofing is a technique where a...

9.6CVSS6AI score0.00413EPSS
Exploits0References447
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.7 views

PT-2026-53875

A flaw was found in GLib. A state confusion issue exists in g dbus node info new for xml in the gio/gdbusintrospection.c file when processing malformed D-Bus introspection XML, specifically with a element nested within other elements like , , or . This issue can cause an unsigned integer overflow...

7.5CVSS5.8AI score0.00373EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.9 views

PT-2026-53873

Name of the Vulnerable Software and Affected Versions glib2 affected versions not specified mingw-glib2 affected versions not specified Description An off-by-one error exists in the g key file get locale string list function within the gkeyfile.c file. This issue occurs when the software loads a...

8.6CVSS6AI score0.00293EPSS
Exploits1References7
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.6 views

PT-2026-54084

Name of the Vulnerable Software and Affected Versions Google Chrome on iOS versions prior to 150.0.7871.47 Description A use after free issue exists in the Import component. This occurs when a remote attacker convinces a user to perform specific UI gestures, potentially leading to arbitrary code...

9.6CVSS6.6AI score0.00413EPSS
Exploits0References447
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.6 views

PT-2026-54157

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 150.0.7871.47 Description A use after free issue exists in the USB component of Google Chrome on Mac. This flaw allows a remote attacker who has already compromised the renderer process to potentially achieve a...

9.6CVSS6AI score0.00413EPSS
Exploits0References447
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.7 views

PT-2026-53872

A flaw was found in GLib. A buffer over-read can occur in g io channel read line backend in the giochannel.c file when a custom line terminator with a length greater than one is set, causing memcmp to read past the GString buffer. This vulnerability can cause a minor information disclosure of 7...

6.5CVSS5.9AI score0.00329EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.7 views

PT-2026-53874

Name of the Vulnerable Software and Affected Versions GLib affected versions not specified Description A flaw exists in the D-Bus client-side implementation of the DBUS COOKIE SHA1 SASL authentication mechanism. The system fails to validate the cookie context parameter received from the server. A...

7.5CVSS6.1AI score0.00418EPSS
Exploits1References8
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.5 views

PT-2026-53869

A flaw was found in GLib. An off-by-one error can occur in the gvs tuple is normal function in the glib/gvariant-serialiser.c file when doing an alignment padding check because the bounds check uses instead of =, causing an out-of-bounds read of only 1 byte. This issue can cause a minor informati...

6.5CVSS5.7AI score0.00322EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.11 views

PT-2026-54374

Name of the Vulnerable Software and Affected Versions Google Chrome on iOS versions prior to 150.0.7871.47 Description A use after free issue exists where a remote attacker can potentially exploit heap corruption via a crafted HTML page. This occurs when a user is convinced to perform specific UI...

9.6CVSS6AI score0.00413EPSS
Exploits0References446
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.5 views

PT-2026-53870

A flaw was found in GLib. An out-of-bounds read of only 2 bytes can occur in the g date time get ymd function in the glib/gdatetime.c file when an invalid GDateTime object produced by the g date time add full function is processed. This flaw can corrupt the date output and potentially cause logic...

6.5CVSS5.7AI score0.00344EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.9 views

PT-2026-53899

A path traversal vulnerability was found in Fleet's ImageScan subsystem in Rancher Fleet 0.12.0 up to 0.12.16, 0.13.0 up to 0.13.12, 0.14.0 up to 0.14.7 and 0.15.0 up to 0.15.3 could be used to traverse outside of the intended directory, causing a denial of service...

5.3CVSS5.7AI score0.00292EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.10 views

PT-2026-53965

Name of the Vulnerable Software and Affected Versions IBM WebSphere Application Server - Liberty versions 17.0.0.3 through 26.0.0.6 Description An arbitrary file read issue exists when the restConnector-2.0 feature is enabled. This allows an attacker to read files from the system that they should...

7.5CVSS6.1AI score0.00472EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.14 views

PT-2026-53906

Name of the Vulnerable Software and Affected Versions Adobe Campaign Classic versions prior to 7.4.3 build 9396 Description An incorrect authorization issue exists that allows for arbitrary code execution in the context of the current user. This flaw does not require user interaction to be...

10CVSS7.5AI score0.00712EPSS
Exploits0References14
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.14 views

PT-2026-53815

The WP Support Plus Responsive Ticket System WordPress plugin through 9.1.2 does not sanitize user-supplied array keys before using them in a SQL statement, allowing unauthenticated users to perform SQL injection attacks...

5.8AI score0.00262EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.11 views

PT-2026-55068

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, Envoy can translate a downstream HTTP/3 request that is complete at the transport layer HEADERS with FIN / headers-only close but still carries a nonzero...

7.5CVSS5.7AI score0.00298EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.7 views

PT-2026-55076

@tryghost/activitypub is Ghost’s social/federation client app. Prior to 3.1.0, the ActivityPub client in Ghost was vulnerable to JavaScript injection on posts shared by a maliciously customised ActivityPub server. This vulnerability is fixed in 3.1.0...

7.5CVSS5.8AI score0.00204EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.7 views

PT-2026-55075

Ghost is a Node.js content management system. From 5.46.1 until 6.21.2, the validation applied to filters on the public API endpoints could be partially bypassed, making it possible to reveal private fields via a brute force attack. If SQLite was used as the database password hashes were fully...

5.3CVSS5.8AI score0.00214EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.8 views

PT-2026-55194

NLTK version 3.9.4 is vulnerable to a path traversal attack due to an incomplete fix for GitHub Issue 3504. The UNSAFE NO PROTOCOL RE regex in nltk/data.py checks for literal ../ sequences but fails to account for percent-encoded traversal sequences such as ..%2f. The url2pathname function decode...

7.5CVSS5.9AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.6 views

PT-2026-55187

Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08, malicious phantom releases of executor-http were published to PyPI using stolen credentials. The package executes a bundled JavaScript payload via the Bun runtime on import that harvests and exfiltrates credentials a...

5.8AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.7 views

PT-2026-54442

Summary @cedar-policy/authorization-for-expressjs is an open-source Express.js middleware that integrates Cedar authorization into Express applications by mapping HTTP requests to Cedar actions and evaluating authorization policies before allowing requests to proceed. An issue exists where, under...

8.8CVSS5.9AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.6 views

PT-2026-55191

Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08, malicious phantom releases of mrbios were published to PyPI using stolen credentials. The package executes a bundled JavaScript payload via the Bun runtime on import that harvests and exfiltrates credentials and...

5.8AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.5 views

PT-2026-55184

These are all security issues fixed in the libxreaderdocument3-4.6.5-1.1 package on the GA media of openSUSE Tumbleweed...

8.4CVSS5.8AI score0.00529EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.7 views

PT-2026-55070

Ghost is a Node.js content management system. From 6.0.9 until 6.21.1, when making an external request, it is possible to bypass the IP filter that ensures the request isn't going to an internal service using an IPv6 literal which maps to a private IPv4 address. This vulnerability is fixed in...

5.8CVSS5.8AI score0.00197EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.8 views

PT-2026-55073

Ghost is a Node.js content management system. From 5.18.0 until 6.21.1, a discrepancy in responses from the members signin endpoints made it possible for an unauthenticated attacker to determine whether a given email address belongs to a registered member of a Ghost site. This vulnerability is...

5.3CVSS5.8AI score0.00206EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.6 views

PT-2026-53919

DeepTutor before version 1.4.10 contains an authorization bypass vulnerability that allows low-privilege users to invoke unrestricted MCP tools due to the allowed mcp tools function returning None instead of a denied result when mcp tools is omitted from a user's grant in deeptutor/multi user/too...

8.8CVSS5.8AI score0.00412EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.14 views

PT-2026-53816

Name of the Vulnerable Software and Affected Versions Export User Data versions prior to 2.2.7 Description Insufficient file path validation in the unserialize function allows authenticated attackers with subscriber-level access or higher to delete arbitrary files on the server. This occurs when ...

8CVSS6.4AI score0.00341EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.9 views

PT-2026-53933

Name of the Vulnerable Software and Affected Versions Dolibarr versions prior to 23.0.3 Description Authenticated API users can exfiltrate arbitrary database contents, including password hashes and API keys, via a SQL injection. The issue occurs when malicious values are supplied to the sqlfilter...

7.6CVSS6.1AI score0.00221EPSS
Exploits0References11
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.11 views

PT-2026-53865

Improper neutralization of input during web page generation 'cross-site scripting' vulnerability in Eksagate Electronic Engineering and Computer Industry Trade Inc. SYSGUARD 6001 allows Stored XSS. This issue affects SYSGUARD 6001: from 2.0.2 before 6.1.4.0. NOTE: The vendor was contacted and it...

6.1CVSS5.8AI score0.00149EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.13 views

PT-2026-54002

Name of the Vulnerable Software and Affected Versions UTT nv518G nv518GV3 version 3.2.7-210919-161313 Description A buffer overflow occurs in the gohead/sub 416f28 component, which allows a remote attacker to trigger a denial of service. A buffer overflow is a condition where a program writes mor...

7.5CVSS6.2AI score0.00452EPSS
Exploits0References5
Total number of security vulnerabilities184496