184315 matches found
PT-2026-57022
Impact What kind of vulnerability is it? Who is impacted? A verifier configured with WithTransparencyLogN1 or WithSignedCertificateTimestampsN1 expected defense-in-depth against the compromise of a single log instance. However, threshold counting counted verified witnesses per-entry or...
PT-2026-57034
Summary YesWiki's Bazar widget handler reflects the id GET parameter into HTML attributes using strip tags only. Because strip tags does not escape double quotes, an attacker can break out of the attribute value, inject an event handler such as onmouseover, and execute arbitrary JavaScript in the...
PT-2026-56970
decompress before 4.2.2 allows arbitrary symlink creation during archive extraction. When processing symlink entries type === 'symlink', the x.linkname field from the archive is passed directly to fs.symlink without validation index.js line 121. The preventWritingThroughSymlink check on line 98...
PT-2026-56968
decompress before 4.2.2 allows arbitrary hardlink creation during archive extraction, enabling file read disclosure and file corruption. When processing hardlink entries type === 'link', the x.linkname field from the archive is passed directly to fs.link without validation index.js line 113. An...
PT-2026-56969
decompress before 4.2.2 contains an improper path containment check that enables directory traversal and arbitrary file write. The safeMakeDir function index.js line 29 and the extraction path validation index.js line 106 use String.indexOf to verify the resolved path is within the output...
PT-2026-56983
A Missing Synchronization vulnerability in the flow collector handler of Juniper Networks Junos OS Evolved on QFX Series allows an adjacent, unauthenticated attacker to cause a Denial-of-Service DoS. When the reachability of an sFlow collector changes, the corresponding next-hop entry is...
PT-2026-57014
Name of the Vulnerable Software and Affected Versions Vim versions prior to 9.2.0725 Description A flaw exists in the single-byte branch of the spell soundfold sal function within src/spell.c. When translating a word using a spell file's SAL sound-folding rules into a caller-owned result buffer,...
PT-2026-57013
Name of the Vulnerable Software and Affected Versions Vim versions prior to 9.2.0736 Description The PHP omni-completion script in runtime/autoload/phpcomplete.vim fails to escape class or trait names taken from the edited buffer before interpolating them into a search pattern executed via win...
PT-2026-57015
Name of the Vulnerable Software and Affected Versions Vim versions prior to 9.2.0735 Description The C omni-completion script in runtime/autoload/ccomplete.vim fails to escape the typeref: or typename: extension fields of a tags entry when interpolating them into a :vimgrep pattern executed via...
PT-2026-56883
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, the file upload path accepted metadata.knowledge id and auto-linked uploaded files to a target knowledge base without applying the write-access check used by /api/v1/knowledge//file/add, allowin...
PT-2026-56880
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.6.27 before 0.10.0, get all models handlers in routers/openai.py and routers/ollama.py passed a lambda to aiocache key instead of key builder, causing permission-filtered per-user model lists to share a...
PT-2026-56873
An input validation vulnerability in the RTSP service of MERCURY MIPC252W IP Camera v1.0.5 Build 230306 Rel.79931n allows an unauthenticated, network-adjacent attacker to cause a denial of service via a crafted DESCRIBE request with a malformed URL in the request line...
PT-2026-56908
Unauthorized use of Kyocera printers, allows all information stored in the Kyocera address book to be exported. The security measure that encrypts incoming data ian be bypassed with this vulnerability, allowing encrypted data to be decrypted. Passwords and other sensitive information can be...
PT-2026-56828
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, the /api/v1/auths/signin endpoint looked users up by email and only ran bcrypt password verification when a credential existed, making registered-account attempts measurably slower than...
PT-2026-56728
When the upstream Guardian or CMC was configured in the Remote Collector via n2os-tui, the generated configuration disabled TLS certificate verification, and no option was provided to enable it. A malicious actor could perform a man-in-the-middle attack and intercept the communication between the...
PT-2026-56771
The Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteFiles function in all versions up to, and including, 3.1.1 This makes it possible for...
PT-2026-56761
Authorization bypass through User-Controlled key vulnerability in PAVO Financial Technology Solutions Inc. PAVO Pay allows Exploitation of Trusted Identifiers. This issue affects PAVO Pay: through 09072026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way...
PT-2026-56924
A NULL Pointer Dereference vulnerability in the management daemon mgd of Juniper Networks Junos OS and Junos OS Evolved allows a local, high-privileged attacker setting or deactivating a specific SSH configuration parameter to create a Denial of Service DoS. A local high-privileged user configuri...
PT-2026-56960
Man, this is straight-up wild! Nearly 100 plugins and themes are completely exposed right now with zero fixes in sight, and honestly, it's making my anxiety spike just thinking about it! If the developer went ghost and abandoned ship, you've got to stop messing around and dump that software...
PT-2026-56948
Man, this is straight-up wild! Nearly 100 plugins and themes are completely exposed right now with zero fixes in sight, and honestly, it's making my anxiety spike just thinking about it! If the developer went ghost and abandoned ship, you've got to stop messing around and dump that software...
PT-2026-56942
Man, this is straight-up wild! Nearly 100 plugins and themes are completely exposed right now with zero fixes in sight, and honestly, it's making my anxiety spike just thinking about it! If the developer went ghost and abandoned ship, you've got to stop messing around and dump that software...
PT-2026-57037
Summary Two related authorization gaps let a host that should no longer be trusted obtain a fresh, valid Nebula certificate, because nebula-mgmt does not re-evaluate revocation/authorization state at certificate issuance time — only at poll time. 1. Blocklist not enforced at sign / re-enroll time...
PT-2026-56936
Man, this is straight-up wild! Nearly 100 plugins and themes are completely exposed right now with zero fixes in sight, and honestly, it's making my anxiety spike just thinking about it! If the developer went ghost and abandoned ship, you've got to stop messing around and dump that software...
PT-2026-56937
Man, this is straight-up wild! Nearly 100 plugins and themes are completely exposed right now with zero fixes in sight, and honestly, it's making my anxiety spike just thinking about it! If the developer went ghost and abandoned ship, you've got to stop messing around and dump that software...
PT-2026-57032
Bazar form-field templates still apply |raw'html' to field.label / field.hint in attribute and label-body contexts — stored XSS in form renders sibling class of commit e6b66aa CWE: CWE-79 Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting" via CWE-116 Improper...
PT-2026-57029
Summary The POST /api/forms/formId/actor/inbox route - exposed publicly with acl:"public" - accepts an HTTP Signature header whose keyId parameter is a URL. HttpSignatureService::verifySignature parses the header and immediately makes a server-side HTTP GET to that URL, before any cryptographic...
PT-2026-57036
Details Sink tools/bazar/services/CSVManager.php line 372-399: public function importEntryarray $importedEntries, string $formId: ?array if !$this-importdone // ... foreach $importedEntries as $entry $entry = unserializebase64 decode$entry; // false argument; arbitrary classes are instantiated. T...
PT-2026-57035
Summary YesWiki through the latest development branch contains a SQL injection vulnerability in ReactionManager::deleteUserReaction that allows any authenticated user to inject arbitrary SQL via the idreaction and id URL path parameters. The parameters are concatenated directly into a SQL LIKE...
PT-2026-57030
Summary YesWiki’s public Bazar entry-listing APIs are vulnerable to unauthenticated SQL injection in numeric query / queries filters. For Bazar fields whose value structure is numeric, YesWiki escapes the attacker-controlled filter value but inserts it into SQL without quotes or numeric validatio...
PT-2026-57031
Summary ApiController::deletePage interpolates a page tag retrieved from the database into a DELETE FROM … links WHERE to tag = '$tag' query without escaping. The page tag is attacker-controlled — the POST /api/pages/tag API accepts arbitrary URL-encoded values, including single quotes, and store...
PT-2026-57025
Summary YesWiki Bazar contains a stored Server-Side Template Injection SSTI vulnerability in the semantic template feature that can be escalated to confirmed Remote Code Execution RCE. An authenticated administrator can place arbitrary Twig expressions into the Semantic template Twig field bn sem...
PT-2026-57026
Summary The recentchanges action actions/recentchanges.php accepts a period argument from two disjoint parameter spaces: the URL query string $ GET'period' and the action invocation recentchanges period="...". A whitelist at line 17 validates only the URL form against 'day','week','month'. The...
PT-2026-57043
rattler cache and py-rattler were vulnerable to package-cache path traversal when handling package metadata from conda channels. During cache materialization, the ratter cache code used the package record build string as part of a cache key that was joined into a filesystem path. A malicious or...
PT-2026-57039
Impact An authorization bypass vulnerability exists in the shop account API. The PATCH /api/v2/shop/account/orders/tokenValue/payments/paymentId endpoint, used by an authenticated shop customer to change the payment method of an order that has been placed but not yet paid state STATE NEW, does no...
PT-2026-57042
Summary A crafted backup archive can trigger OS command injection during database restore. The restore workflow extracts a ZIP archive, enumerates files under db-dumps, converts the dump path to an absolute path, and passes that path into database import commands that are built as shell command...
PT-2026-57028
Summary HttpSignatureService::verifySignature checks the result of PHP's openssl verify with a loose boolean negation - if !openssl verify... throw ... . PHP's openssl verify has four possible return values: | return | meaning | !return | | ------ | -----------------------------------------------...
PT-2026-56797
A vulnerability in the Xerte Online Tools allows for authentication bypass and remote code execution via reinstallation through the /setup/ folder, enabling attackers to reinstall the service to a remote database they control...
PT-2026-56834
PayRange Android app, version 7.0.7 and below, contains an SSL bypass vulnerability that allows invalid certificates to be accepted in application webviews. A remote and unauthenticated attacker can steal information that the user sends...
PT-2026-56916
Name of the Vulnerable Software and Affected Versions UsersWP versions prior to 1.2.66 Description Authenticated attackers with Subscriber-level access and above can delete arbitrary files on the server, including the wp-config.php file. This occurs because the validate fields function in UsersWP...
PT-2026-56770
The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'new event type background color' parameter in all versions up to, and including, 4.3.4.2 due to insufficient input sanitization and output escaping. This makes it...
PT-2026-56927
An Out-of-bounds Write vulnerability in the SNMP daemon snmpd of Juniper Networks Junos OS and Junos OS Evolved allows an authenticated network-based attacker sending specific valid SNMPv3 queries to trigger a memory leak. Over time, continuous receipt of these queries will result in snmpd proces...
PT-2026-56926
An Improper Check for Unusual or Exceptional Conditions vulnerability in the advanced forwarding toolkit evo-aftmand of Juniper Networks Junos OS Evolved on PTX Series allows an unauthenticated network-based attacker generating continuous routing updates, resulting in unilist ECMP routes, to cras...
PT-2026-56928
An Unchecked Input for Loop Condition vulnerability in the Packet Forwarding Engine pfe of Juniper Networks Junos OS on MX Series allows an unauthenticated, adjacent attacker to cause a Denial-of-Service DoS.Micro-BFD session flaps generate respective up/down events which are queued by PFEMAN for...
PT-2026-56917
A local privilege escalation vulnerability in Palo Alto Networks Prisma® Browser allows a locally authenticated administrator with access to the macOS local filesystem to perform actions on the device with root privileges. This issue only affects Prisma® Browser on macOS...
PT-2026-56799
A vulnerability was identified in macrozheng mall up to 1.0.3. This impacts an unknown function of the file /returnApply/create of the component Portal Endpoint. The manipulation of the argument orderId leads to improper control of resource identifiers. The attack can be initiated remotely. The...
PT-2026-56791
A vulnerability has been found in GNU LibreDWG up to 0.13.4. The affected element is the function dwg bmp of the file src/dwg.c of the component BMP Image Handler. Such manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed to the...
PT-2026-56793
A vulnerability was found in GNU LibreDWG up to 0.13.4. The impacted element is the function dwg next entity of the file src/dwg.c of the component DWG File Handler. Performing a manipulation of the argument next obj results in null pointer dereference. The attack must be initiated from a local...
PT-2026-56819
A vulnerability was detected in SourceCodester Simple and Nice Shopping Cart Script 1.0. This affects an unknown part of the file /login.php. Performing a manipulation of the argument Username results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and m...
PT-2026-56820
A flaw has been found in mettle sendportal up to 3.0.1. This vulnerability affects unknown code of the file vendor/mettle/sendportal-core/src/Http/Requests/CampaignStoreRequest.php of the component Campaign Creation Endpoint. Executing a manipulation can lead to authorization bypass. The attack c...
PT-2026-56812
A security flaw has been discovered in enquirer up to 2.4.1. Affected is the function Enquirer.set of the component Public Package API. The manipulation of the argument question.name results in improperly controlled modification of object prototype attributes. The attack can be launched remotely...