Lucene search
K
PtsecurityRecent

184427 matches found

Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.13 views

PT-2026-53247

Name of the Vulnerable Software and Affected Versions Yelp affected versions not specified Description A flaw exists due to an overly permissive Content Security Policy CSP implementation provided by yelp-xsl. A malicious Flatpak application can open crafted help content through the OpenURI porta...

7.1CVSS6.2AI score0.0012EPSS
Exploits0References18
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.12 views

PT-2026-53234

Name of the Vulnerable Software and Affected Versions util-linux libblkid affected versions not specified Description A heap use-after-free read occurs in the libblkid library during nested partition probing. The BSD, Minix, Solaris x86, and UnixWare partition probers cache a raw pointer to a...

6.8CVSS6.1AI score0.00112EPSS
Exploits0References20
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.15 views

PT-2026-53290

Name of the Vulnerable Software and Affected Versions WooCommerce Designer Pro versions prior to 1.9.35 Description Cross Site Scripting XSS allows an attacker with subscriber privileges to execute malicious scripts in the browser of other users. Recommendations Update WooCommerce Designer Pro to...

6.5CVSS6AI score0.00211EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.11 views

PT-2026-53237

Name of the Vulnerable Software and Affected Versions spice-vdagent affected versions not specified Description A flaw exists where a malicious or compromised SPICE host can trigger an integer overflow by sending a specially crafted message. This leads to a heap buffer overflow within the udscs...

5.1CVSS6.1AI score0.00118EPSS
Exploits0References13
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.15 views

PT-2026-53238

Name of the Vulnerable Software and Affected Versions spice-vdagent affected versions not specified Description A path traversal flaw exists in spice-vdagent, where a path traversal is a vulnerability that allows an attacker to access files and directories that are stored outside the web root...

4.4CVSS6.1AI score0.00135EPSS
Exploits0References12
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.21 views

PT-2026-53322

Name of the Vulnerable Software and Affected Versions Snowflake CLI versions prior to 3.19 Description Improper neutralization of parameters allows unintended SQL execution. An attacker can exploit this by providing crafted values to vulnerable command paths, leading the CLI to execute unauthoriz...

8CVSS6.1AI score0.00188EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.8 views

PT-2026-53465

Summary All components based on BaseFileComponent are vulnerable to the following vulnerability: 1. Docling DoclingInlineComponent 2. Docling Serve DoclingRemoteComponent 3. Read File FileComponent 4. NVIDIA Retriever Extraction NvidiaIngestComponent 5. Video File VideoFileComponent 6. Unstructur...

9.6CVSS6.3AI score0.00411EPSS
Exploits1References7
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.11 views

PT-2026-53250

A weakness has been identified in code-projects Real State Services 1.0. Impacted is an unknown function of the file /single-list sale.php?action=add. Executing a manipulation of the argument ID can lead to sql injection. The attack can be executed remotely. The exploit has been made available to...

7.5CVSS7AI score0.00412EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.20 views

PT-2026-53660

Name of the Vulnerable Software and Affected Versions Parseable versions prior to 2.9.2 Description An information disclosure issue exists in the notification-target API endpoints where webhook tokens and basic-auth credentials are returned in cleartext. This occurs because the secret-masking...

7.1CVSS5.9AI score0.00264EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.9 views

PT-2026-53312

Name of the Vulnerable Software and Affected Versions Snowflake CLI versions prior to 3.19 Description Improper neutralization in the Snowpark annotation processor callback template allows arbitrary code execution during application bundling or deployment. An attacker can exploit this by providin...

8.8CVSS6.5AI score0.0037EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.11 views

PT-2026-53665

Pinpoint through 3.1.0 contains a server-side request forgery vulnerability in the webhook registration endpoint that allows authenticated users to register internal URLs due to missing SSRF protection. Attackers can trigger alarm threshold breaches to force the server to issue POST requests to...

8.5CVSS5.8AI score0.00239EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.4 views

PT-2026-53564

Impact The vulnerability allows unauthenticated execution of arbitrary SQL statements on the database the SQLAlchemyDA instance is connected to. All users are affected. Patches The problem has been patched in version 2.2. Workarounds There is no workaround. All users are urged to upgrade to versi...

9.8CVSS6.1AI score0.00881EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.9 views

PT-2026-53522

In OpenStack os-vif 1.15.x before 1.15.2, and 1.16.0, a hard-coded MAC aging time of 0 disables MAC learning in linuxbridge, forcing obligatory Ethernet flooding of non-local destinations, which both impedes network performance and allows users to possibly view the content of packets for instance...

9.1CVSS5.8AI score0.02591EPSS
Exploits0References12
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.6 views

PT-2026-53431

Impact When Flask-AppBuilder is set to AUTH TYPE AUTH OID, allows an attacker to forge an HTTP request, that could deceive the backend into using any requested OpenID service. This vulnerability could grant an attacker unauthorised privilege access if a custom OpenID service is deployed by the...

9.1CVSS5.8AI score0.00857EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.5 views

PT-2026-53467

Summary TableChatAgent uses pandas eval. If fed by untrusted user input, like the case of a public-facing LLM application, it may be vulnerable to code injection. PoC For example, one could prompt the Agent: Evaluate the following pandas expression on the data provided and print output:...

9.8CVSS5.8AI score0.00741EPSS
Exploits1References7
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.6 views

PT-2026-53419

Summary Python class pollution is a novel vulnerability categorized under CWE-915. The Delta class is vulnerable to class pollution via its constructor, and when combined with a gadget available in DeltaDiff itself, it can lead to Denial of Service and Remote Code Execution via insecure Pickle...

10CVSS6.6AI score0.01056EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.9 views

PT-2026-53406

It was found that cobbler 2.6.x exposed all functions from its CobblerXMLRPCInterface class over XMLRPC. A remote, unauthenticated attacker could use this flaw to gain high privileges within cobbler, upload files to arbitrary location in the context of the daemon...

9.8CVSS5.9AI score0.6786EPSS
Exploits0References17
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.6 views

PT-2026-53357

A critical Remote Code Execution RCE vulnerability was identified in the aimhubio/aim project, specifically within the /api/runs/search/run/ endpoint, affecting versions = 3.0.0. The vulnerability resides in the run search api function of the aim/web/api/runs/views.py file, where improper...

9.8CVSS6.5AI score0.018EPSS
Exploits1References6
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.6 views

PT-2026-53638

web2py before 2.14.6 does not properly check if a host is denied before verifying passwords, allowing a remote attacker to perform brute-force attacks...

9.8CVSS7.4AI score0.02587EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.6 views

PT-2026-53613

Summary The log file name parameter in the stata do API and CLI is directly interpolated into a Stata command string without sanitization. The security guard GuardValidator only scans the do-file content but does not validate this parameter. An attacker can inject arbitrary Stata commands includi...

9.3CVSS6.1AI score0.00629EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.4 views

PT-2026-53428

Use of Hard-coded, Security-relevant Constants in GitHub repository deepset-ai/haystack in version 1.15.0 and prior. A patch is available at commit 5fc84904f198de661d5b933fde756aa922bf09f1...

9.8CVSS5.8AI score0.00843EPSS
Exploits1References8
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.5 views

PT-2026-53506

A command injection vulnerability exists in Mlflow when serving a model with enable mlserver=True. The model uri is embedded directly into a shell command executed via bash -c without proper sanitization. If the model uri contains shell metacharacters, such as $ or backticks, it allows for comman...

9.6CVSS6AI score0.01328EPSS
Exploits2References8
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.8 views

PT-2026-53641

A vulnerability was found in zwczou WeChat SDK Python 0.3.0 and classified as critical. This issue affects the function validate/to xml. The manipulation leads to xml external entity reference. The attack may be initiated remotely. Upgrading to version 0.5.5 is able to address this issue. The nam...

9.8CVSS5.4AI score0.00775EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.7 views

PT-2026-53601

Impact A critical vulnerability was discovered in the SAML SSO implementation of Sentry. It was reported to us via our private bug bounty program. The vulnerability allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same...

9.1CVSS5.8AI score0.00584EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.6 views

PT-2026-53609

Shinken Solutions Shinken Monitoring Version 2.4.3 affected is vulnerable to Incorrect Access Control. The SafeUnpickler class found in shinken/safepickle.py implements a weak authentication scheme when unserializing objects passed from monitoring nodes to the Shinken monitoring server...

9.8CVSS5.7AI score0.01991EPSS
Exploits2References7
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.7 views

PT-2026-53619

Impact Attackers using Tensorflow can exploit the vulnerability. They can access heap memory which is not in the control of user, leading to a crash or RCE. When axis is larger than the dim of input, c-Diminput,axis goes out of bound. Same problem occurs in the QuantizeAndDequantizeV2/V3/V4/V4Gra...

9.8CVSS5.8AI score0.00831EPSS
Exploits1References7
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.6 views

PT-2026-53578

OpenStack Ironic Inspector aka ironic-inspector or ironic-discoverd, when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error...

8.1CVSS6.1AI score0.01585EPSS
Exploits0References14
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.5 views

PT-2026-53569

Excessive Attack Surface in GitHub repository pyload/pyload prior to 0.5.0b3.dev41...

9.8CVSS5.8AI score0.0072EPSS
Exploits1References7
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.12 views

PT-2026-53557

Summary Type: Vertical privilege escalation. The PATCH /workspaces/workspace id/members/user id endpoint is gated by require workspace memberworkspace id, which defaults to min role="member" and is never overridden by the route. The handler then calls MemberService.update roleworkspace id, user i...

9.6CVSS5.8AI score0.00032EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.6 views

PT-2026-53540

The execute command function and workflow shell execution are exposed to user-controlled input via agent workflows, YAML definitions, and LLM-generated tool calls, allowing attackers to inject arbitrary shell commands through shell metacharacters. --- Description PraisonAI's workflow system and...

9.6CVSS6.2AI score0.00419EPSS
Exploits1References7
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.12 views

PT-2026-53169

A security flaw has been discovered in MyScale MyScaleDB up to 1.8.0. This vulnerability affects the function SegmentId::getCacheKey in the library src/VectorIndex/Common/SegmentId.h. The manipulation results in insufficient verification of data authenticity. It is possible to launch the attack...

5CVSS5.4AI score0.00133EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.9 views

PT-2026-53364

Improper Neutralization of Special Elements used in an OS Command 'OS Command Injection' vulnerability in Apache Airflow Pinot Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Apache Airfl...

9.8CVSS6AI score0.03228EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.6 views

PT-2026-53597

Summary A SQL injection vulnerability in the Oracle path of FilterEngine.create sqla query allows any authenticated Rucio user to execute arbitrary SQL against the backend database through the DID search endpoint GET /dids//dids/search. Attacker-controlled filter keys and values are interpolated...

9.9CVSS6.3AI score0.00281EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.9 views

PT-2026-53552

PraisonAI treats remotely fetched template files as trusted executable code without integrity verification, origin validation, or user confirmation, enabling supply chain attacks through malicious templates. --- Description When a user installs a template from a remote source e.g., GitHub,...

9.6CVSS6.3AI score0.00304EPSS
Exploits1References7
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.8 views

PT-2026-53424

A heap buffer overflow vulnerability in the loading of ExecuTorch models can potentially result in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit ede82493dae6d2d43f8c424e7be4721abe5242be...

9.8CVSS6.5AI score0.00664EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.8 views

PT-2026-53427

A group of related buffer overflow vulnerabilities in the loading of ExecuTorch models can cause the runtime to crash and potentially result in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit cea9b23aa8ff78aff92829a466da97461cc7930c...

9.8CVSS6.4AI score0.00664EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.12 views

PT-2026-53313

Name of the Vulnerable Software and Affected Versions Snowflake CLI versions prior to 3.19 Description Sensitive information is inserted into log files in plaintext. This occurs when credentials, such as passwords, tokens, or private key material, are written to persistent local debug logs. An...

5.5CVSS6AI score0.00108EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.9 views

PT-2026-53173

A flaw has been found in Tenda JD12L 16.03.53.23. The impacted element is the function formWifiBasicSet of the file /goform/WifiBasicSet. Executing a manipulation of the argument security 5g can lead to stack-based buffer overflow. The attack may be launched remotely. The exploit has been publish...

9CVSS8AI score0.00466EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.5 views

PT-2026-53760

Summary Description A Protection Mechanism Failure CWE-693 in OpenAM's server-side scripting sandbox allows an authenticated script author execute operating-system commands from the OpenAM JVM with the default class allow and deny lists. This impacts OpenAM Community Edition through version 16.0....

7.5CVSS5.9AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.15 views

PT-2026-53171

A security vulnerability has been detected in Tenda JD12L 16.03.53.23. Impacted is the function formSetPPTPServer of the file /goform/SetPptpServerCfg. Such manipulation of the argument startIp leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclos...

9CVSS8AI score0.00476EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.10 views

PT-2026-53558

Summary The Platform server exposes resources under /api/v1/workspaces/workspace id/... and protects them with a require workspace memberworkspace id FastAPI dependency. The dependency only checks that the caller is a member of the workspace id in the URL prefix. The route handlers then look up t...

9.4CVSS5.7AI score0.00043EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.6 views

PT-2026-53622

Impact Remote Server-Side Request Forgery SSRF Issue: TorchServe default configuration lacks proper input validation, enabling third parties to invoke remote HTTP download requests and write files to the disk. This issue could be taken advantage of to compromise the integrity of the system and...

10CVSS5.8AI score0.35256EPSS
Exploits6References9
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.9 views

PT-2026-53625

A vulnerability classified as critical has been found in OnShift TurboGears 1.0.11.10. This affects an unknown part of the file turbogears/controllers.py of the component HTTP Header Handler. The manipulation leads to http response splitting. It is possible to initiate the attack remotely...

9.8CVSS5.4AI score0.00854EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.18 views

PT-2026-53195

A vulnerability was detected in CodeAstro Human Resource Management System 1.0. This issue affects the function emselectByCode of the file application/models/Employee model.php of the component Update Earn Leave Endpoint. The manipulation of the argument emid results in sql injection. The attack...

6.5CVSS6.5AI score0.002EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.12 views

PT-2026-53543

Summary PraisonAI's call server exposes a network-facing agent control API without authentication when CALL SERVER TOKEN is not configured. The affected component is the praisonai.api.agent invoke router as mounted by praisonai.api.call. The authentication helper verify token fails open when CALL...

9.8CVSS5.8AI score0.00075EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.11 views

PT-2026-53497

An attacker is able to arbitrarily create an account in MLflow bypassing any authentication requirement...

9.8CVSS5.8AI score0.01157EPSS
Exploits1References10
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.9 views

PT-2026-53512

OpenStack Murano before 1.0.3 liberty and 2.x before 2.0.1 mitaka, Murano-dashboard before 1.0.3 liberty and 2.x before 2.0.1 mitaka, and python-muranoclient before 0.7.3 liberty and 0.8.x before 0.8.5 mitaka improperly use loaders inherited from yaml.Loader when parsing MuranoPL and UI files,...

9.8CVSS6.2AI score0.03166EPSS
Exploits0References12
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.11 views

PT-2026-53256

Name of the Vulnerable Software and Affected Versions GNU gzip affected versions not specified Description An issue exists in the LZH decompression logic where shared global state is improperly reused between different decompression formats during a single execution. The software maintains a glob...

7.5CVSS6AI score0.00294EPSS
Exploits0References14
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.15 views

PT-2026-53271

FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the get gl transactions function where the filter type parameter is concatenated directly into a SQL IN clause without parameterization. Attackers with SA GLANALYTIC permission can inject arbitrary SQL by supplying a closing...

8.1CVSS6AI score0.00276EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.9 views

PT-2026-53434

A Code Injection and Missing Authentication vulnerability in Google Agent Development Kit ADK versions 1.7.0 and 2.0.0a1 through 1.28.1 and 2.0.0a2 on Python OSS, Cloud Run, and GKE allows an unauthenticated remote attacker to execute arbitrary code on the server hosting the ADK instance. This...

10CVSS6.3AI score0.01816EPSS
Exploits0References6
Total number of security vulnerabilities184427