Lucene search
K
PtsecurityRecent

184315 matches found

Positive Technologies
Positive Technologies
added 2 days ago6 views

PT-2026-56914

A server-side request forgery SSRF vulnerability in Palo Alto Networks PAN-OS software enables an authenticated administrator with network access to the management web interface to make unauthorized requests from the firewall to internal services. The security risk posed by this issue is minimize...

7CVSS6AI score0.00487EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2 days ago9 views

PT-2026-56776

GNU patch is vulnerable to a denial of service DoS due to improper validation of hunk single block of changes in diff line offsets in unified-diff input. A specially crafted patch can specify an extremely large line number, causing the application to enter an effectively infinite processing loop...

4.6CVSS5.9AI score0.00125EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2 days ago5 views

PT-2026-56915

Multiple denial of service vulnerabilities in Palo Alto Networks PAN-OS® software allow an unauthenticated attacker with network access to cause a denial of service DoS condition by sending specially crafted network traffic to or through a dataplane interface. Repeated attempts to trigger this...

8.7CVSS5.9AI score0.00534EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2 days ago5 views

PT-2026-56913

An XML injection vulnerability in the Large Scale VPN LSVPN functionality of Palo Alto Networks PAN-OS® software enables an unauthenticated attacker with network access to inject malicious XML content, potentially leading to information disclosure or corruption of internal LSVPN satellite data...

7.8CVSS6AI score0.00498EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2 days ago5 views

PT-2026-56871

Name of the Vulnerable Software and Affected Versions Python affected versions not specified Description The incremental HTML parser html.parser.HTMLParser is susceptible to a CPU denial-of-service. This occurs when the parser processes uncontrolled data containing repeated unterminated markup...

8.7CVSS6.1AI score0.00531EPSS
Exploits0References13
Positive Technologies
Positive Technologies
added 2 days ago5 views

PT-2026-56911

A file deletion vulnerability in Palo Alto Networks PAN-OS® software enables an unauthenticated attacker with network access to the management web interface to delete files from a temporary directory. The security risk posed by this issue is minimized by restricting access to the management web...

6.9CVSS6AI score0.00357EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2 days ago4 views

PT-2026-56919

An improper certificate validation vulnerability in the Prisma® Access Agent for iOS enables an attacker to perform a man-in-the-middle MitM attack to intercept VPN traffic. The Prisma Access Agent on Windows, macOS, Linux, Android and ChromeOS are not affected...

8.7CVSS6AI score0.00125EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2 days ago5 views

PT-2026-56918

A privilege escalation vulnerability in Palo Alto Networks Cortex® XDR Broker VM enables a locally authenticated user to perform actions as the root user...

4.8CVSS6AI score0.00137EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2 days ago9 views

PT-2026-56775

GNU patch is vulnerable to a NULL pointer dereference when processing a specially crafted unified-diff patch file. Improper handling of consecutive end-of-file newline markers can corrupt internal hunk single block of changes in diff data structures, causing the application to pass a NULL pointer...

4.6CVSS5.9AI score0.00125EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2 days ago9 views

PT-2026-56783

A heap buffer overflow vulnerability was found in GStreamer's rfbsrc plugin. When a client connects to a malicious RFB/VNC server that advertises a 16bpp framebuffer and sends Hextile-encoded updates, the Hextile background fill path writes 32-bit pixel values into a buffer allocated for 16-bit...

7.1CVSS6.2AI score0.00247EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2 days ago5 views

PT-2026-56827

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, Open WebUI runs client-side Python with Pyodide in a same-origin web worker, allowing stored chat payloads that use pyodide.http.pyfetch or the js module fetch and XMLHttpRequest APIs to issue...

7.3CVSS6.1AI score0.00246EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2 days ago8 views

PT-2026-56731

Permissive Cross-Origin Resource Sharing CORS in the REST API helix-rest, org.apache.helix.rest.server.filters.CORSFilter in Apache Helix through 2.0.0 on all platforms allows a remote attacker controlling a web page visited by an authorized user to read responses from and issue cross-origin...

6AI score0.00269EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2 days ago7 views

PT-2026-56766

Improper neutralization of input during web page generation 'cross-site scripting' vulnerability in Inrove Software and Internet Services BiEticaret allows Reflected XSS. This issue affects BiEticaret: before v3.3.57...

6.1CVSS5.9AI score0.00149EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2 days ago6 views

PT-2026-56734

The Age Verification & Identity Verification by Token of Trust plugin for WordPress is vulnerable to unauthorized access in all versions up to and including 4.0.2. This is due to the handle export table function being registered on the WordPress 'init' hook, which fires for all requests, includin...

5.3CVSS5.8AI score0.00262EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2 days ago8 views

PT-2026-57034

Summary YesWiki's Bazar widget handler reflects the id GET parameter into HTML attributes using strip tags only. Because strip tags does not escape double quotes, an attacker can break out of the attribute value, inject an event handler such as onmouseover, and execute arbitrary JavaScript in the...

6.1CVSS6AI score0.00039EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2 days ago4 views

PT-2026-57022

Impact What kind of vulnerability is it? Who is impacted? A verifier configured with WithTransparencyLogN1 or WithSignedCertificateTimestampsN1 expected defense-in-depth against the compromise of a single log instance. However, threshold counting counted verified witnesses per-entry or...

5.9CVSS5.9AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2 days ago5 views

PT-2026-56970

decompress before 4.2.2 allows arbitrary symlink creation during archive extraction. When processing symlink entries type === 'symlink', the x.linkname field from the archive is passed directly to fs.symlink without validation index.js line 121. The preventWritingThroughSymlink check on line 98...

6.1AI score0.00166EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2 days ago5 views

PT-2026-56968

decompress before 4.2.2 allows arbitrary hardlink creation during archive extraction, enabling file read disclosure and file corruption. When processing hardlink entries type === 'link', the x.linkname field from the archive is passed directly to fs.link without validation index.js line 113. An...

6.1AI score0.0017EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2 days ago8 views

PT-2026-56969

decompress before 4.2.2 contains an improper path containment check that enables directory traversal and arbitrary file write. The safeMakeDir function index.js line 29 and the extraction path validation index.js line 106 use String.indexOf to verify the resolved path is within the output...

6AI score0.0026EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2 days ago5 views

PT-2026-56983

A Missing Synchronization vulnerability in the flow collector handler of Juniper Networks Junos OS Evolved on QFX Series allows an adjacent, unauthenticated attacker to cause a Denial-of-Service DoS. When the reachability of an sFlow collector changes, the corresponding next-hop entry is...

6CVSS6AI score0.0019EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2 days ago5 views

PT-2026-57014

Name of the Vulnerable Software and Affected Versions Vim versions prior to 9.2.0725 Description A flaw exists in the single-byte branch of the spell soundfold sal function within src/spell.c. When translating a word using a spell file's SAL sound-folding rules into a caller-owned result buffer,...

5.6CVSS6.1AI score0.00131EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2 days ago7 views

PT-2026-57013

Name of the Vulnerable Software and Affected Versions Vim versions prior to 9.2.0736 Description The PHP omni-completion script in runtime/autoload/phpcomplete.vim fails to escape class or trait names taken from the edited buffer before interpolating them into a search pattern executed via win...

8.4CVSS6.4AI score0.00479EPSS
Exploits1References5
Positive Technologies
Positive Technologies
added 2 days ago5 views

PT-2026-57015

Name of the Vulnerable Software and Affected Versions Vim versions prior to 9.2.0735 Description The C omni-completion script in runtime/autoload/ccomplete.vim fails to escape the typeref: or typename: extension fields of a tags entry when interpolating them into a :vimgrep pattern executed via...

8.4CVSS6.5AI score0.00133EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2 days ago6 views

PT-2026-56883

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, the file upload path accepted metadata.knowledge id and auto-linked uploaded files to a target knowledge base without applying the write-access check used by /api/v1/knowledge//file/add, allowin...

4.3CVSS6AI score0.00268EPSS
Exploits1References5
Positive Technologies
Positive Technologies
added 2 days ago4 views

PT-2026-56880

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.6.27 before 0.10.0, get all models handlers in routers/openai.py and routers/ollama.py passed a lambda to aiocache key instead of key builder, causing permission-filtered per-user model lists to share a...

3.5CVSS6AI score0.00258EPSS
Exploits1References5
Positive Technologies
Positive Technologies
added 2 days ago6 views

PT-2026-56873

An input validation vulnerability in the RTSP service of MERCURY MIPC252W IP Camera v1.0.5 Build 230306 Rel.79931n allows an unauthenticated, network-adjacent attacker to cause a denial of service via a crafted DESCRIBE request with a malformed URL in the request line...

6.5CVSS6AI score0.00177EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2 days ago5 views

PT-2026-56908

Unauthorized use of Kyocera printers, allows all information stored in the Kyocera address book to be exported. The security measure that encrypts incoming data ian be bypassed with this vulnerability, allowing encrypted data to be decrypted. Passwords and other sensitive information can be...

7.5CVSS5.9AI score0.00199EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2 days ago10 views

PT-2026-56828

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, the /api/v1/auths/signin endpoint looked users up by email and only ran bcrypt password verification when a credential existed, making registered-account attempts measurably slower than...

5.3CVSS5.9AI score0.00244EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2 days ago8 views

PT-2026-56728

When the upstream Guardian or CMC was configured in the Remote Collector via n2os-tui, the generated configuration disabled TLS certificate verification, and no option was provided to enable it. A malicious actor could perform a man-in-the-middle attack and intercept the communication between the...

8.3CVSS6AI score0.00121EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2 days ago6 views

PT-2026-56771

The Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteFiles function in all versions up to, and including, 3.1.1 This makes it possible for...

7.1CVSS6.7AI score0.00691EPSS
Exploits0References14
Positive Technologies
Positive Technologies
added 2 days ago7 views

PT-2026-56761

Authorization bypass through User-Controlled key vulnerability in PAVO Financial Technology Solutions Inc. PAVO Pay allows Exploitation of Trusted Identifiers. This issue affects PAVO Pay: through 09072026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way...

7.5CVSS5.9AI score0.00407EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2 days ago5 views

PT-2026-56924

A NULL Pointer Dereference vulnerability in the management daemon mgd of Juniper Networks Junos OS and Junos OS Evolved allows a local, high-privileged attacker setting or deactivating a specific SSH configuration parameter to create a Denial of Service DoS. A local high-privileged user configuri...

6.7CVSS6.1AI score0.00166EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2 days ago5 views

PT-2026-56842

Summary Note Mark validates book and note slug values with the OpenAPI/huma tag pattern:"a-z0-9-+". huma compiles this with regexp.MustCompiles.Pattern and tests it with patternRe.MatchStringstr, an UNANCHORED match. Because the pattern is not anchored ^...$, any string that merely CONTAINS one...

8.6CVSS6.5AI score0.00059EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2 days ago4 views

PT-2026-57027

Name of the Vulnerable Software and Affected Versions YesWiki versions prior to 4.6.6 Description An issue exists in the erasespamedcomments wiki action, located in actions/EraseSpamedCommentsAction.php, which allows unauthenticated users to permanently delete arbitrary wiki pages. The action...

9.1CVSS6.2AI score0.00052EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2 days ago4 views

PT-2026-56922

A Roundcube zero-click XSS, CVE-2026-54433, lets an email run script with no click. Roundcube 1.7.2 also fixes a second stored XSS. Update now. Roundcube XSS ZeroClick Webmail StoredXSS CyberSecurity Vulnerability InfoSec https://t.co/pkdbSSekhy...

5.9AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 2 days ago6 views

PT-2026-56710

The Memberships and User Profiles for WooCommerce – ProfileGrid WooCommerce Integration plugin for WordPress is vulnerable to unauthorized plugin installation and activation in versions up to, and including, 3.4. This is due to a missing capability check and missing nonce validation on the pg...

4.3CVSS5.9AI score0.00246EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2 days ago7 views

PT-2026-56733

The Bookero.pl – system rezerwacji online plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the bookero products shortcode's hide products and filter products attributes in versions up to and including 2.2. This is due to insufficient input sanitization and output escaping in...

6.4CVSS6.1AI score0.00212EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2 days ago8 views

PT-2026-56736

The Backup and Staging by WP Time Capsule plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.22.26 via the download recent decrypted file wptc. This makes it possible for authenticated attackers, with subscriber-level access and above, to...

6.5CVSS5.8AI score0.0027EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2 days ago8 views

PT-2026-56719

The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'color' Shortcode Attribute in all versions up to, and including, 5.113.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS6.1AI score0.00241EPSS
Exploits0References11
Positive Technologies
Positive Technologies
added 2 days ago9 views

PT-2026-56696

A compromised or malicious BOSH Director can execute arbitrary shell commands on the operator's workstation when the operator runs bosh ssh or bosh scp/bosh logs -f with default flags. Affected versions: BOSH CLI versions prior to 7.10.5...

7.8CVSS7.3AI score0.00148EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2 days ago7 views

PT-2026-56729

An Incorrect Privilege Assignment vulnerability was discovered in the synchronization functionality due to Arc sensors receiving CLI permissions. An authenticated user with limited privileges can push administrative CLI commands through the sync, altering the device configuration, and/or affectin...

8.1CVSS6AI score0.0021EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2 days ago7 views

PT-2026-56716

The Ultimate Post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'moreResultsText' block attribute of the ultimate-post/advanced-search block in versions up to and including 5.0.31. This is due to insufficient input sanitization and output escaping in the Advanced...

6.4CVSS6AI score0.00206EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2 days ago9 views

PT-2026-56708

Use of a cryptographically weak random number generator in the GenerateRandomPassword function in bosh-windows-stemcell-builder allows a remote attacker to brute-force the resulting SSH login via TCP/22. Affected versions: bosh-windows-stemcell-builder versions prior to v2019.98...

7.7CVSS7.1AI score0.00191EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2 days ago9 views

PT-2026-56717

The Mang Board WP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'stag' parameter in all versions up to, and including, 2.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

6.1CVSS6.1AI score0.00215EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2 days ago8 views

PT-2026-56722

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'note before' and 'note after' Shortcode Attributes in all versions up to, and including, 3.3.61 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attacker...

6.4CVSS6.1AI score0.00201EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2 days ago8 views

PT-2026-56724

A Stored HTML Injection vulnerability was discovered in the Diagram tab and Graph view due to a shared input validation function being insufficiently restrictive. An authenticated user with administrative privileges can inject malicious HTML tags into N2OS configuration data through multiple inpu...

5.9CVSS6AI score0.0014EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2 days ago8 views

PT-2026-56709

Name of the Vulnerable Software and Affected Versions UAA versions prior to v78.13.0 Cf-deployment versions prior to v56.2.0 Description A network attacker positioned between UAA and its LDAP directory can impersonate the directory using any certificate from any trusted CA. This allows the attack...

9.3CVSS6.1AI score0.00132EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2 days ago8 views

PT-2026-56704

The blobs.yml path key traversal vulnerability in the BOSH CLI tool allows an attacker to write arbitrary files and exfiltrate sensitive information. Affected versions: BOSH CLI tool versions prior to v7.10.4...

8.8CVSS7.3AI score0.00331EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2 days ago8 views

PT-2026-56730

The Block, Suspend, Report for BuddyPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' parameter in versions up to and including 3.6.4. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with...

6.4CVSS6AI score0.00201EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2 days ago7 views

PT-2026-56735

The Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.22.0. This is due to the plugin not properly verifying that a user is authorized to perform an...

7.2CVSS6.2AI score0.00659EPSS
Exploits0References13
Total number of security vulnerabilities184315