RHEL 10 : postgresql16 (RHSA-2026:4441)

The remote Redhat Enterprise Linux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:4441 advisory. PostgreSQL is an advanced Object-Relational database management system DBMS. The base postgresql package contains the client programs that...

RHEL 8 : postgresql:12 (RHSA-2026:4505)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:4505 advisory. PostgreSQL is an advanced object-relational database management system DBMS. Security Fixes: postgresql: PostgreSQL missing validation of...

RHEL 9 : postgresql:16 (RHSA-2026:4544)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:4544 advisory. PostgreSQL is an advanced object-relational database management system DBMS. Security Fixes: postgresql: PostgreSQL oidvector discloses a fe...

RHEL 9 : postgresql:15 (RHSA-2026:4546)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:4546 advisory. PostgreSQL is an advanced object-relational database management system DBMS. Security Fixes: postgresql: PostgreSQL oidvector discloses a fe...

RHEL 9 : postgresql (RHSA-2026:4475)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:4475 advisory. PostgreSQL is an advanced object-relational database management system DBMS. Security Fixes: postgresql: PostgreSQL missing validation of...

RHEL 8 : postgresql:13 (RHSA-2026:4504)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:4504 advisory. PostgreSQL is an advanced object-relational database management system DBMS. Security Fixes: postgresql: PostgreSQL missing validation of...

RHEL 8 : postgresql:12 (RHSA-2026:4506)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:4506 advisory. PostgreSQL is an advanced object-relational database management system DBMS. Security Fixes: postgresql: PostgreSQL missing validation of...

RHEL 8 : postgresql:12 (RHSA-2026:4509)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:4509 advisory. PostgreSQL is an advanced object-relational database management system DBMS. Security Fixes: postgresql: PostgreSQL missing validation of...

RHEL 8 : postgresql:13 (RHSA-2026:4516)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:4516 advisory. PostgreSQL is an advanced object-relational database management system DBMS. Security Fixes: postgresql: PostgreSQL missing validation of...

MiracleLinux 9 : postgresql-13.23-2.el9_7 (AXSA:2026-299:02)

The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2026-299:02 advisory. postgresql: PostgreSQL missing validation of multibyte character length executes arbitrary code CVE-2026-2006 postgresql: PostgreSQL intarray missing...

RHEL 8 : postgresql:15 (RHSA-2026:4515)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:4515 advisory. PostgreSQL is an advanced object-relational database management system DBMS. Security Fixes: postgresql: PostgreSQL oidvector discloses a fe...

SQL Injection

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to SQL Injection via the query field name when using PostgreSQL. An attacker can execute arbitrary SQL commands by injecting...

CVE-2026-32234

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.10 and 8.6.36, an attacker with access to the master key can inject malicious SQL via crafted field names used in query constraints when Parse Server is configured with...

CVE-2026-32234 Parse Server has a SQL injection via query field name when using PostgreSQL

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.10 and 8.6.36, an attacker with access to the master key can inject malicious SQL via crafted field names used in query constraints when Parse Server is configured with...

CVE-2026-32234

Parse Server vulnerability CVE-2026-32234 affects deployments using PostgreSQL. A crafted field name in a $regex query constraint can be interpolated into SQL when an attacker has master-key access, bypassing the Parse Server layer and enabling database-level SQL injection. Affected versions are ...

CVE-2026-32234 Parse Server has a SQL injection via query field name when using PostgreSQL

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.10 and 8.6.36, an attacker with access to the master key can inject malicious SQL via crafted field names used in query constraints when Parse Server is configured with...

CVE-2026-32234

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.10 and 8.6.36, an attacker with access to the master key can inject malicious SQL via crafted field names used in query constraints when Parse Server is configured with...

CVE-2026-32234 Parse Server has a SQL injection via query field name when using PostgreSQL

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.10 and 8.6.36, an attacker with access to the master key can inject malicious SQL via crafted field names used in query constraints when Parse Server is configured with...

CVE-2026-31872

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.6 and 8.6.32, the protectedFields class-level permission CLP can be bypassed using dot-notation in query WHERE clauses and sort parameters. An attacker can use dot-notation...

CVE-2026-31871

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.5 and 8.6.31, a SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation e.g.,...