
16 matches found

Snyk
added 2026/03/10 10:38 p.m. | 2 views

NoSQL Injection

Overview: @feathersjs/mongodb is a Feathers MongoDB service adapter. Affected versions of this package are vulnerable to NoSQL Injection via the id parameter in WebSocket requests, passed through getObjectId, which fails to perform type checking. An attacker can inject database queries by sending...

CVSS 9.8 | AI score 5.9 | EPSS 0.00024
Exploits: 0 | References: 2

EUVD
added 2026/03/10 9:3 p.m. | 3 views

EUVD-2026-10827

Feathers has a NoSQL Injection via WebSocket id Parameter in MongoDB Adapter...

CVSS 9.3 | AI score 5.8 | EPSS 0.00024
Exploits: 0 | References: 1

Snyk
added 2026/03/10 9:3 p.m. | 2 views

Improper Authentication

Overview: @feathersjs/authentication-oauth is an oAuth 1 and 2 authentication for Feathers. Powered by Grant. Affected versions of this package are vulnerable to Improper Authentication via the callback component. An attacker can gain unauthorized access to existing user accounts by sending a...

CVSS 9.8 | AI score 5.8 | EPSS 0.0008
Exploits: 0 | References: 2

EUVD
added 2026/03/10 9:3 p.m. | 1 views

EUVD-2026-10825

Feathers has an OAuth Callback Account Takeover issue...

CVSS 9.3 | AI score 5.8 | EPSS 0.0008
Exploits: 0 | References: 1

NVD
added 2026/03/10 8:16 p.m. | 3 views

CVE-2026-29792

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, an unauthenticated attacker can send a crafted GET request directly to /oauth/:provider/callback with a forged profile in the query string. The OAuth service's...

CVSS 9.8 | EPSS 0.0008
Exploits: 0 | References: 1

CVE
added 2026/03/10 8:8 p.m. | 15 views

CVE-2026-29793

Feathersjs vulnerability CVE-2026-29793 affects Feathersjs 5.0.0–5.0.41 with Socket.IO client-supplied ids not type-checked, which may pass as MongoDB operators (e.g., {$ne: null}) into queries via the MongoDB adapter. This can cause unintended document matches and impacts on confidentiality, int...

CVSS 9.8 | AI score 5.9 | EPSS 0.00024
Exploits: 0 | References: 1 | Affected Software: 1

Cvelist
added 2026/03/10 8:6 p.m. | 25 views

CVE-2026-29792 Feathersjs has an OAuth Callback Account Takeover

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, an unauthenticated attacker can send a crafted GET request directly to /oauth/:provider/callback with a forged profile in the query string. The OAuth service's...

CVSS 9.3 | EPSS 0.0008
Exploits: 0 | References: 1

CVE
added 2026/03/10 8:6 p.m. | 12 views

CVE-2026-29792

Feathersjs (v5.0.0–5.0.41) is vulnerable to an unauthenticated bypass in the OAuth callback endpoint. A forged profile sent via the query string to /oauth/:provider/callback can trigger a fallback path that reads params.query when Grant’s session/state is empty, allowing an attacker to drive enti...

CVSS 9.8 | AI score 5.8 | EPSS 0.0008
Exploits: 0 | References: 1 | Affected Software: 1

Positive Technologies
added 2026/03/10 12:0 a.m. | 4 views

PT-2026-24420

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, an unauthenticated attacker can send a crafted GET request directly to /oauth/:provider/callback with a forged profile in the query string. The OAuth service's...

CVSS 9.3 | AI score 5.8 | EPSS 0.0008
Exploits: 0 | References: 2

CNNVD
added 2024/08/12 12:0 a.m. | 1 views

Zabbix Security Vulnerability

Zabbix is an open source monitoring system from Zabbix. The system supports network monitoring, server monitoring, cloud monitoring and application monitoring. A security vulnerability exists in Zabbix versions 5.0.42, 6.0.30, 6.4.15, and 7.0.0, which stems from a front-end audit log that allows...

CVSS 8.1 | AI score 7.8 | EPSS 0.00446
Exploits: 0 | References: 3

CNNVD
added 2024/08/12 12:0 a.m. | 3 views

Zabbix Security Vulnerability

Zabbix is an open source monitoring system from Zabbix. The system supports network monitoring, server monitoring, cloud monitoring and application monitoring. A security vulnerability exists in Zabbix versions 5.0.42, 6.0.30, 6.4.15, and 7.0.0rc2 that originates from the ability of a...

CVSS 6.1 | AI score 6.3 | EPSS 0.00031
Exploits: 0 | References: 2

CNNVD
added 2024/08/12 12:0 a.m. | 2 views

Zabbix Security Vulnerability

Zabbix is an open source monitoring system from Zabbix. The system supports network monitoring, server monitoring, cloud monitoring and application monitoring. A security vulnerability exists in Zabbix versions 5.0.42, 6.0.30, 6.4.15, and 7.0.0rc2, which stems from the presence of an arbitrary fi...

CVSS 2.7 | AI score 4.5 | EPSS 0.00335
Exploits: 0 | References: 3

OSV
added 2020/09/23 8:23 a.m. | 13 views

OPENSUSE-SU-2020:1509-1 Recommended update for otrs

Otrs was updated to 5.0.42, fixing lots of bugs and security issues: https://community.otrs.com/otrs-community-edition-5s-patch-level-42/ - CVE-2020-1773 boo1168029 OSA-2020-10: Session / Password / Password token leak An attacker with the ability to generate session IDs or password reset tokens,...

CVSS 8.1 | AI score 6.3 | EPSS 0.01334
Exploits: 0 | References: 33

UbuntuCve
added 2020/04/28 2:15 p.m. | 27 views

CVE-2020-1774

When user downloads PGP or S/MIME keys/certificates, exported file has same name for private and public keys. Therefore it's possible to mix them and to send private key to the third-party instead of public key. This issue affects OTRS Community Edition: 5.0.42 and prior versions, 6.0.27 and prio...

CVSS 4.9 | AI score 6.3 | EPSS 0.00203
Exploits: 0 | References: 2

Tenable Nessus
added 2012/01/18 12:0 a.m. | 45 views

MySQL < 4.1.23 / 5.0.42 Access Control Vulnerability

The version of MySQL installed on the remote host is older than 4.1.23 or 5.0.42. As such, it reportedly allows a remote, authenticated user without the DROP privilege to rename arbitrary tables. (C) Tenable Network Security, Inc. include("compat.inc"); if (description) { script_id(17829); script_version("1.5...

CVSS 4.9 | AI score 8.1 | EPSS 0.01637
Exploits: 0 | References: 2

0day.today
added 2007/07/03 12:0 a.m. | 35 views

PNphpBB2 <= 1.2i viewforum.php Remote SQL Injection Exploit

Exploit for unknown platform in category web applications. PNphpBB2 You need at least 2 posts in the forum. - Thanks to waraxe for exploit structure... I have saved much time : Tested - Postnuke 0.764 with PNphpBB2 1.2i and MySQL 5.0.42...

AI score 7.1
Exploits: 0