Lucene search
K
PtsecurityRecent

184491 matches found

Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.8 views

PT-2026-54036

Capgo before 12.128.2 contains improper error handling in the /private/accept invitation endpoint that returns HTTP 500 instead of safe 4xx errors when magic invite string is invalid. Attackers can trigger this vulnerability using only the public key by submitting malformed magic invite string...

6.9CVSS5.8AI score0.0025EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.11 views

PT-2026-53947

Name of the Vulnerable Software and Affected Versions IBM Langflow OSS versions 1.0.0 through 1.10.0 Description Improper validation of flow nodes that have missing or empty component type fields can lead to arbitrary code execution. Arbitrary code execution occurs when an attacker can run...

9.8CVSS6.6AI score0.00357EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.10 views

PT-2026-54001

Name of the Vulnerable Software and Affected Versions DokuWiki version 2025-05-14b "Librarian" 56.2 Description A remote attacker can execute arbitrary code through the register function in the inc/auth.php file. This issue may also allow the creation of unauthorized accounts via the same functio...

9.8CVSS6.3AI score0.0051EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.6 views

PT-2026-55177

These are all security issues fixed in the libnghttp2-14-1.69.0-2.1 package on the GA media of openSUSE Tumbleweed...

6.3CVSS6AI score0.00202EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.21 views

PT-2026-55276

CVE ID :CVE-2026-47105 Published : June 30, 2026, 12:50 p.m. | 36 minutes ago Description :None Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

5.8AI score
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.12 views

PT-2026-53848

Hospital Quening Management developed by Advantech has a Sensitive Data Exposure vulnerability, allowing unauthenticated remote attackers to access a specific URL to obtain API documentation...

8.7CVSS5.8AI score0.00437EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.11 views

PT-2026-53984

An unauthenticated URL redirection vulnerability has been identified in Archer AX20 V2 due to improper validation of user-supplied URL input within the web interface. An unauthenticated attacker can craft URLs containing URL-encoded path traversal sequences. When processed by the embedded web...

5.9CVSS5.8AI score0.00296EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.11 views

PT-2026-53951

Name of the Vulnerable Software and Affected Versions IBM WebSphere Extreme Scale versions 8.6.1.0 through 8.6.1.6 Description Improper validation in the XDF decoder allows an adjacent attacker to cause a denial of service. The application processes deeply nested Protocol Buffers messages and...

6.5CVSS6AI score0.00269EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.9 views

PT-2026-54037

Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2 Description Authenticated organization administrators can bypass server-side validation within organization security settings to persist an invalid security policy state. This is achieved by directly updating t...

5.3CVSS5.8AI score0.00234EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.8 views

PT-2026-54046

Name of the Vulnerable Software and Affected Versions ImageMagick versions prior to 7.1.2-24 Description An incorrect policy check allows remote attackers to bypass path policy restrictions in sandboxed conversion services. This flaw enables the creation or truncation of files that are disallowed...

7.1CVSS5.9AI score0.00226EPSS
Exploits1References23
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.9 views

PT-2026-53928

Name of the Vulnerable Software and Affected Versions Woodpecker versions prior to 3.15.0 Description When using the GitLab forge driver, the system matches the ApprovalAllowedUsers bypass list against the pipeline.Author variable. The pipeline.Author is populated from the commit.author.name...

9.2CVSS6.1AI score0.00546EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.11 views

PT-2026-53896

A Rancher FleetWorkspace admission path allowed side effects to occur in the Rancher webhook handler for versions 0.7.0 up to 0.7.10, 0.8.0 up to 0.8.7, 0.9.0 up to 0.9.6 and 0.10.0 up to 0.10.7. An unauthenticated attacker with network access to the in-cluster rancher-webhook service could submi...

7CVSS5.7AI score0.00232EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.12 views

PT-2026-53943

Name of the Vulnerable Software and Affected Versions IBM WebSphere Extreme Scale versions 8.6.1.0 through 8.6.1.6 Description The Object Query Language OQL engine resolves class names provided by an attacker using Class.forName and invokes their constructors without an allow-list at three sinks:...

9.9CVSS6.2AI score0.00283EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.8 views

PT-2026-53905

Name of the Vulnerable Software and Affected Versions ColdFusion versions prior to 2025.10 Description A Server-Side Request Forgery SSRF issue allows an attacker to bypass security features and obtain unauthorized read access. This flaw can be exploited without any user interaction...

8.6CVSS5.8AI score0.00439EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.7 views

PT-2026-53878

Name of the Vulnerable Software and Affected Versions @fastify/express versions prior to 4.0.7 Description A middleware scoping flaw exists where plugin prefixes are not applied to middleware mount paths when the mount path is provided as an array or a regular expression. This occurs due to...

9.1CVSS6AI score0.00295EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.7 views

PT-2026-53920

Name of the Vulnerable Software and Affected Versions Vibe-Trading versions prior to 0.1.10 Description The local API server trusts the TCP peer address to bypass the API AUTH KEY bearer-token check for loopback clients and lacks Host header validation while binding to 0.0.0.0 with credentialed...

7.7CVSS6.6AI score0.00286EPSS
Exploits0References13
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.10 views

PT-2026-53836

Name of the Vulnerable Software and Affected Versions EventON - WordPress Virtual Event Calendar Plugin versions prior to 5.0.12 Description An issue exists where unauthenticated attackers can perform SQL Injection, a technique used to interfere with the queries that an application makes to its...

9.8CVSS6AI score0.00438EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.8 views

PT-2026-53899

A path traversal vulnerability was found in Fleet's ImageScan subsystem in Rancher Fleet 0.12.0 up to 0.12.16, 0.13.0 up to 0.13.12, 0.14.0 up to 0.14.7 and 0.15.0 up to 0.15.3 could be used to traverse outside of the intended directory, causing a denial of service...

5.3CVSS5.7AI score0.00292EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.7 views

PT-2026-53908

Name of the Vulnerable Software and Affected Versions ColdFusion versions 2023.20 and earlier ColdFusion version 2025.9 Description An Improper Limitation of a Pathname to a Restricted Directory, also known as Path Traversal, allows an attacker to access sensitive files and directories outside th...

9.3CVSS6.2AI score0.01577EPSS
Exploits0References15
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.8 views

PT-2026-53882

SQL misconfiguration in the Gravitino UI, in versions 1.0.0 and below, can allow a malicious user to read or truncate files. Users are recommended to upgrade to version 1.0.0, which fixes this issue...

5.4CVSS5.7AI score0.00348EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.12 views

PT-2026-53866

Name of the Vulnerable Software and Affected Versions NetScaler ADC affected versions not specified NetScaler Gateway affected versions not specified Description An unauthenticated arbitrary file read issue exists when access to the NSIP NetScaler IP, Cluster Management IP, or SNIP Subnet IP with...

7.5CVSS5.9AI score0.00415EPSS
Exploits0References12
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.11 views

PT-2026-53970

Name of the Vulnerable Software and Affected Versions IBM Business Automation Manager Open Editions versions 9.0.0 through 9.4.2 Description An XML external entity injection XXE occurs when processing XML data. This allows a remote attacker to expose sensitive information or consume memory...

9.1CVSS6AI score0.00406EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.11 views

PT-2026-54445

Name of the Vulnerable Software and Affected Versions Sigstore Timestamp Authority versions prior to v2.0.7 Description An unauthenticated remote attacker can cause unbounded memory growth on the timestamp authority server. The issue occurs because the wrapMetrics middleware records the raw HTTP...

5.9CVSS6AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.8 views

PT-2026-53982

Name of the Vulnerable Software and Affected Versions IBM watsonx.data intelligence versions 5.2.0 through 5.3.0 Description The software transmits data in clear text, which could allow an attacker to obtain sensitive information using man-in-the-middle techniques. Man-in-the-middle is a type of...

5.9CVSS5.9AI score0.00203EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.11 views

PT-2026-53950

Name of the Vulnerable Software and Affected Versions IBM Langflow OSS versions 1.0.0 through 1.10.0 Description Langflow uses a weak and reversible key derivation mechanism for encryption at rest, which could lead to the disclosure of all stored credentials. Recommendations At the moment, there ...

9.1CVSS5.9AI score0.00164EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.9 views

PT-2026-53864

fzf is vulnerable to a Denial of Service DoS due to inefficient HTTP body processing in the --listen mode due to inefficient HTTP body processing using repeated string concatenation, resulting in quadratic time complexity On². A crafted POST request with many small segments can trigger excessive...

5.7CVSS5.7AI score0.00243EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.12 views

PT-2026-53954

Name of the Vulnerable Software and Affected Versions IBM Db2 versions 11.5.0 through 11.5.9 IBM Db2 versions 12.1.0 through 12.1.4 Description Remote code execution is possible due to improper handling of the pre-authentication DRDA Distributed Relational Database Architecture handshake. This fl...

9.8CVSS6.3AI score0.0086EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.14 views

PT-2026-53992

Name of the Vulnerable Software and Affected Versions DCMTK affected versions not specified Description A compromised or malicious server can force a client to write files outside the designated output directory. This occurs when the client uses the bit-preserving C-GET storage mode, allowing the...

9.8CVSS5.8AI score0.00435EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.7 views

PT-2026-55071

Ghost is a Node.js content management system. From 6.0.9 until 6.21.1, Ghost’s private-IP check for outbound HTTP requests could be bypassed via DNS rebinding, allowing an attacker to coerce the Ghost server into reaching hosts on internal networks through features that issue external fetches. Th...

4CVSS5.8AI score0.0014EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.6 views

PT-2026-55185

In the Tarfile.extract function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts content from untrusted tar files could end up writing files with an unexpected uid/gid despite the user passing filter='data' to the extract function...

5.8AI score
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.8 views

PT-2026-54021

Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2 Description An authentication bypass exists due to an improper NULL comparison in the authorization gate. Unauthenticated attackers can exploit this by using a public API key to access the PostgREST RPC endpoin...

8.7CVSS5.8AI score0.00341EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.14 views

PT-2026-53815

The WP Support Plus Responsive Ticket System WordPress plugin through 9.1.2 does not sanitize user-supplied array keys before using them in a SQL statement, allowing unauthenticated users to perform SQL injection attacks...

5.8AI score0.00262EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.11 views

PT-2026-55068

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, Envoy can translate a downstream HTTP/3 request that is complete at the transport layer HEADERS with FIN / headers-only close but still carries a nonzero...

7.5CVSS5.7AI score0.00298EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.7 views

PT-2026-55076

@tryghost/activitypub is Ghost’s social/federation client app. Prior to 3.1.0, the ActivityPub client in Ghost was vulnerable to JavaScript injection on posts shared by a maliciously customised ActivityPub server. This vulnerability is fixed in 3.1.0...

7.5CVSS5.8AI score0.00204EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.7 views

PT-2026-55075

Ghost is a Node.js content management system. From 5.46.1 until 6.21.2, the validation applied to filters on the public API endpoints could be partially bypassed, making it possible to reveal private fields via a brute force attack. If SQLite was used as the database password hashes were fully...

5.3CVSS5.8AI score0.00214EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.8 views

PT-2026-55194

NLTK version 3.9.4 is vulnerable to a path traversal attack due to an incomplete fix for GitHub Issue 3504. The UNSAFE NO PROTOCOL RE regex in nltk/data.py checks for literal ../ sequences but fails to account for percent-encoded traversal sequences such as ..%2f. The url2pathname function decode...

7.5CVSS5.9AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.6 views

PT-2026-55187

Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08, malicious phantom releases of executor-http were published to PyPI using stolen credentials. The package executes a bundled JavaScript payload via the Bun runtime on import that harvests and exfiltrates credentials a...

5.8AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.7 views

PT-2026-54442

Summary @cedar-policy/authorization-for-expressjs is an open-source Express.js middleware that integrates Cedar authorization into Express applications by mapping HTTP requests to Cedar actions and evaluating authorization policies before allowing requests to proceed. An issue exists where, under...

8.8CVSS5.9AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.6 views

PT-2026-55191

Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08, malicious phantom releases of mrbios were published to PyPI using stolen credentials. The package executes a bundled JavaScript payload via the Bun runtime on import that harvests and exfiltrates credentials and...

5.8AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.5 views

PT-2026-55184

These are all security issues fixed in the libxreaderdocument3-4.6.5-1.1 package on the GA media of openSUSE Tumbleweed...

8.4CVSS5.8AI score0.00529EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.7 views

PT-2026-55070

Ghost is a Node.js content management system. From 6.0.9 until 6.21.1, when making an external request, it is possible to bypass the IP filter that ensures the request isn't going to an internal service using an IPv6 literal which maps to a private IPv4 address. This vulnerability is fixed in...

5.8CVSS5.8AI score0.00197EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.8 views

PT-2026-55073

Ghost is a Node.js content management system. From 5.18.0 until 6.21.1, a discrepancy in responses from the members signin endpoints made it possible for an unauthenticated attacker to determine whether a given email address belongs to a registered member of a Ghost site. This vulnerability is...

5.3CVSS5.8AI score0.00206EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.6 views

PT-2026-53919

DeepTutor before version 1.4.10 contains an authorization bypass vulnerability that allows low-privilege users to invoke unrestricted MCP tools due to the allowed mcp tools function returning None instead of a denied result when mcp tools is omitted from a user's grant in deeptutor/multi user/too...

8.8CVSS5.8AI score0.00412EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.14 views

PT-2026-53816

Name of the Vulnerable Software and Affected Versions Export User Data versions prior to 2.2.7 Description Insufficient file path validation in the unserialize function allows authenticated attackers with subscriber-level access or higher to delete arbitrary files on the server. This occurs when ...

8CVSS6.4AI score0.00341EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.9 views

PT-2026-53933

Name of the Vulnerable Software and Affected Versions Dolibarr versions prior to 23.0.3 Description Authenticated API users can exfiltrate arbitrary database contents, including password hashes and API keys, via a SQL injection. The issue occurs when malicious values are supplied to the sqlfilter...

7.6CVSS6.1AI score0.00221EPSS
Exploits0References11
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.11 views

PT-2026-53865

Improper neutralization of input during web page generation 'cross-site scripting' vulnerability in Eksagate Electronic Engineering and Computer Industry Trade Inc. SYSGUARD 6001 allows Stored XSS. This issue affects SYSGUARD 6001: from 2.0.2 before 6.1.4.0. NOTE: The vendor was contacted and it...

6.1CVSS5.8AI score0.00149EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.13 views

PT-2026-54002

Name of the Vulnerable Software and Affected Versions UTT nv518G nv518GV3 version 3.2.7-210919-161313 Description A buffer overflow occurs in the gohead/sub 416f28 component, which allows a remote attacker to trigger a denial of service. A buffer overflow is a condition where a program writes mor...

7.5CVSS6.2AI score0.00452EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.7 views

PT-2026-53885

KTM System e-BOK allows the session identifier to be set by the client prior to authentication. If a cookie with a valid name is set, its value remains unchanged after successful login. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session...

4.8CVSS5.7AI score0.00145EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.7 views

PT-2026-53952

Name of the Vulnerable Software and Affected Versions IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 Description An information disclosure issue exists that could allow unauthorized access to sensitive data. Recommendations At the moment, there is no information about a newe...

7.5CVSS5.9AI score0.00241EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.8 views

PT-2026-55069

Ghost is a Node.js content management system. From until 6.37.0, when Ghost is behind a shared caching layer that results in cached content being shared between different visitors, an unauthenticated user could send an x-ghost-preview header that altered the rendered frontend response. In affecte...

9.6CVSS5.8AI score0.00244EPSS
Exploits0References3
Total number of security vulnerabilities184491