184377 matches found
PT-2026-52914
Name of the Vulnerable Software and Affected Versions OpenProject versions prior to 17.3.3 OpenProject versions prior to 17.4.1 Description The Storages module writes the OneDrive/SharePoint userless OAuth access token in plaintext to the Rails.cache using the deterministic key storage..httpx...
PT-2026-52935
Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description An issue exists in the mailbox-test component where channels are not freed during a probe error. This failure to release resources leads to a memory leak and creates Use-After-Free UAF...
PT-2026-52681
Name of the Vulnerable Software and Affected Versions Bytes::Random::Secure versions prior to 0.30 Description Internal state for the Pseudo-Random Number Generator PRNG is shared across forked processes when an object is initialized before forking or when the functional interface is used. This...
PT-2026-53020
Name of the Vulnerable Software and Affected Versions python-engineio versions prior to 4.13.2 Description Two specific configurations of the server fail to verify the size of incoming messages before loading them into memory, which can lead to excessive memory allocations. This occurs during POS...
PT-2026-52897
Name of the Vulnerable Software and Affected Versions Patool versions prior to 4.0.5 Description A path traversal issue exists in the safe extract function within patoolib/programs/py tarfile.py when used with Python versions before 3.12. The is within directory helper function utilizes...
PT-2026-52975
Name of the Vulnerable Software and Affected Versions Bento4 versions prior to 1.8.9 Description A stack overflow occurs in the AP4 StsdAtom::AP4 StsdAtom component, which can be triggered by a specially crafted MP4 file, leading to a Denial of Service DoS. Recommendations Update to version 1.8.9...
PT-2026-53023
Summary The administrative proxy route cmsproxy in Aimeos Pagible CMS is vulnerable to a Server-Side Request Forgery SSRF attack via DNS Rebinding. A Time-of-Check to Time-of-Use TOCTOU race condition exists between the URL validation phase and the actual HTTP request phase, allowing attackers to...
PT-2026-52698
Name of the Vulnerable Software and Affected Versions Apache Kerby versions prior to 2.1.2 Description An issue exists where the Kerberos pre-authentication check can be bypassed by sending a PA-DATA containing an unrecognized or unsupported type. Recommendations Upgrade to version 2.1.2...
PT-2026-52711
Name of the Vulnerable Software and Affected Versions Live Copy Paste for Elementor versions prior to 1.5.4 Description Broken access control allows users with the Contributor role to perform unauthorized actions. Recommendations Update Live Copy Paste for Elementor to version 1.5.4 or later...
PT-2026-52736
Unauthenticated Sensitive Data Exposure in Trinity Backup Backup, Migrate, Restore, Clone & Schedule Backups = 2.0.9 versions...
PT-2026-52758
Unauthenticated Cross Site Scripting XSS in Blog2Social = 8.9.2 versions...
PT-2026-52753
Contributor Privilege Escalation in Frisbii Pay = 1.8.2 versions...
PT-2026-53017
Name of the Vulnerable Software and Affected Versions turso-cli affected versions not specified Description the turso-cli tool stores the user's platform JSON Web Token JWT in a settings.json file using default file permissions of 0o644. This configuration makes the credential file world-readable...
PT-2026-52807
Contributor SQL Injection in wpForo Forum = 3.0.9 versions...
PT-2026-52815
newsletters subscribers Broken Access Control in Newsletters = 4.13 versions...
PT-2026-55848
OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=527766102 Crash type: Heap-use-after-free READ 1 Crash state: Ogre::VertexData::convertPackedColour Ogre::MeshSerializerImpl::readGeometry Ogre::MeshSerializerImpl::readMesh...
PT-2026-52826
Author Cross Site Scripting XSS in Hester Core = 1.1.8 versions...
PT-2026-52740
Subscriber Privilege Escalation in Abandoned Cart Pro for WooCommerce = 10.4.0 versions...
PT-2026-52970
Lansweeper lsrunase 2.0 and lsencrypt 2.0 use RC4 encryption with a hardcoded 142-byte static key array to encrypt credentials. An 8-character prefix is stored in cleartext alongside the ciphertext. This allows an attacker with local access to recover any encrypted password to plaintext using a...
PT-2026-52730
Unauthenticated SQL Injection in GeoDirectory = 2.8.162 versions...
PT-2026-52693
Johnson & Johnson Audit Tracking Management System ATMS before 2026-04-21 allows viewing of meeting minutes and transcripts...
PT-2026-53006
The fluent-plugin-s3 plugin specifically the in s3 input plugin supports reading and decompressing heavily compressed files such as gzip, lzma2, and lzop from Amazon S3. It was discovered that the plugin read the entire decompressed payload into memory at once without enforcing a strict size limi...
PT-2026-52848
Name of the Vulnerable Software and Affected Versions KubeVirt versions 1.8.0 and later Description A flaw exists in the network annotation generator. When a tenant creates a VirtualMachineInstance with a Multus network configuration, the networkName value is written directly into the launcher...
PT-2026-52837
Mattermost Plugins versions =11.6 10.18.11 11.3.6 11.6.5.0 fail to sanitize error responses from the OpenAI API before logging, which allows a user with access to server logs or support packets to obtain a valid or partially reconstructable OpenAI API key via inspection of mattermost.log entries...
PT-2026-52981
Name of the Vulnerable Software and Affected Versions Koha Library Management System versions 0 through 25.11 Description A stored cross-site scripting XSS issue exists in the patron restriction type administration page. An authenticated remote attacker with administrator privileges can inject...
PT-2026-52982
Name of the Vulnerable Software and Affected Versions Koha Library Management System versions 0 through 25.11 Description A stored cross-site scripting XSS issue exists in the OPAC item detail page. An authenticated remote attacker with edit items permission can inject arbitrary web scripts throu...
PT-2026-53008
Summary Description An LDAP Injection CWE-90 vulnerability in the MSISDN authentication module allows an unauthenticated, remote attacker to obtain an arbitrary OpenAM session without a password in the default trusted gateway configuration. This impacts OpenAM Community Edition through version...
PT-2026-52786
Unauthenticated Cross Site Scripting XSS in FOX = 1.4.8 versions...
PT-2026-52714
Name of the Vulnerable Software and Affected Versions BookPro versions prior to 1.1.1 Description An unauthenticated Insecure Direct Object Reference IDOR exists, which occurs when an application provides direct access to objects based on user-supplied input without sufficient authorization check...
PT-2026-52801
Unauthenticated Insecure Direct Object References IDOR in Blocksy Companion Pro = 2.1.46 versions...
PT-2026-52709
Name of the Vulnerable Software and Affected Versions Forget About Shortcode Buttons versions prior to 2.1.4 Description Broken access control allows contributors to perform unauthorized actions within the software. Recommendations Update to a version newer than 2.1.3...
PT-2026-52813
Contributor SQL Injection in WP Post Author = 3.9.1 versions...
PT-2026-52710
Name of the Vulnerable Software and Affected Versions Restaurant Menu by MotoPress versions prior to 2.4.12 Description Broken access control allows users with the Subscriber role to perform unauthorized actions within the plugin. Recommendations Update Restaurant Menu by MotoPress to version...
PT-2026-52953
Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description An issue exists in the padata component where the CPU offline callback was incorrectly placed in a hotplug state before CPUHP TEARDOWN CPU. Because failure is not permitted in these...
PT-2026-52943
Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A soft lockup occurs when opening /dev/sgX due to improper validation of the def reserved size module parameter. While the sg proc write dressz function enforces a size limit between 0 a...
PT-2026-52850
Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:from-archive and certs:add commands extract user-supplied tar/zip archives into temporary directories without sanitizing member paths or preventing symlink traversal. GNU tar creates symlinks during extraction and follows them for subsequen...
PT-2026-52725
Unauthenticated SQL Injection in JetBooking = 4.0.4.1 versions...
PT-2026-52842
Name of the Vulnerable Software and Affected Versions The product name cannot be determined affected versions not specified Description Kernel software running within a Host VM can send improper commands to the GPU Firmware. This allows the firmware to perform memory read or write operations...
PT-2026-52855
Echo is a Go web framework. Prior to 4.15.3 and 5.2.0, Echo's router and static file handler disagree on URL path decoding. The router matches routes using the raw encoded path preserving %2F as-is, while StaticDirectoryHandler unescapes %2F to / before resolving filesystem paths. This allows an...
PT-2026-52964
Name of the Vulnerable Software and Affected Versions RustFS versions 1.0.0-alpha.1 through 1.0.0-beta.8 Description An authorization bypass exists in the bucket replication admin API. The ListRemoteTargetHandler handler for listing remote replication targets verifies the existence of request...
PT-2026-52882
Name of the Vulnerable Software and Affected Versions Envoy versions 1.26.0 through 1.35.12 Envoy versions 1.36.0 through 1.36.8 Envoy versions 1.37.0 through 1.37.4 Envoy versions 1.38.0 through 1.38.2 Description The envoy.filters.http.grpc stats filter is subject to a null pointer dereference,...
PT-2026-52782
Contributor Remote Code Execution RCE in Blocksy Companion Pro = 2.1.45 versions...
PT-2026-52770
Unauthenticated Broken Access Control in MailChimp Block = 1.1.15 versions...
PT-2026-52735
Unauthenticated Broken Access Control in Intranet & Private Site All-In-One Intranet = 1.8.1 versions...
PT-2026-52688
A vulnerability in jupyter/nbconvert versions tag. This vulnerability impacts any server using nbconvert to render notebooks as HTML, allowing attackers to execute arbitrary JavaScript in the context of users viewing the HTML export...
PT-2026-52682
Name of the Vulnerable Software and Affected Versions Bytes::Random::Secure::Tiny versions prior to 1.012 Description Internal state for the Pseudo-Random Number Generator PRNG is shared across forked processes when an object is initialized before the fork occurs. This leads to the production of...
PT-2026-53001
Name of the Vulnerable Software and Affected Versions Fleet DM affected versions not specified Description An issue exists in the global policy read endpoint GET /api/latest/fleet/policies/policy id where authorization is performed against an empty structure with a nil TeamID. This allows the...
PT-2026-52892
Name of the Vulnerable Software and Affected Versions Devolutions Remote Desktop Manager versions 2026.2.5 through 2026.2.11 Description An issue exists in the custom PowerShell VPN editor where incorrect link resolution by display name allows an authenticated attacker with write access to a shar...
PT-2026-52680
Name of the Vulnerable Software and Affected Versions Claude Code versions 2.1.38 through 2.1.162 Description Worktree handling allows the creation of worktrees named ".git" and navigation to worktrees outside the sandbox context, enabling git directory confusion attacks. By exploiting symlink...
PT-2026-52759
Unauthenticated Cross Site Scripting XSS in Automatic 3.135.1 versions...