19 matches found
CVE-2026-29182
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.4 and 9.4.1-alpha.3, Parse Server's readOnlyMasterKey option allows access with master-level read privileges but is documented to deny all write operations. However, some...
CVE-2026-29182
CVE-2026-29182 affects Parse Server prior to 8.6.4 and 9.4.1-alpha.3, where the readOnlyMasterKey is incorrectly allowed to perform mutating operations, bypassing the documented denial of writes. An attacker who knows the readOnlyMasterKey can create, modify, or delete Cloud Hooks and start Cloud...
CVE-2026-29182 Parse Server: Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.4 and 9.4.1-alpha.3, Parse Server's readOnlyMasterKey option allows access with master-level read privileges but is documented to deny all write operations. However, some...
Parse Server security vulnerability
Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. There were security vulnerabilities in versions of Parse Server prior to 8.6.4 and 9.4.1-alpha.3. These vulnerabilities stemmed from the readOnlyMasterKey option bei...
EUVD-2025-15521
Malicious code in bioql PyPI...
CVE-2025-48120
Improper Control of Generation of Code 'Code Injection' vulnerability in RomanCode MapSVG mapsvg-lite-interactive-vector-maps allows Code Injection. This issue affects MapSVG: from n/a through = 8.6.9...
CVE-2025-48120 WordPress MapSVG Lite plugin <= 8.6.4 - Arbitrary Shortcode Execution vulnerability
Improper Control of Generation of Code 'Code Injection' vulnerability in RomanCode MapSVG Lite allows Code Injection. This issue affects MapSVG Lite: from n/a through 8.6.4...
CVE-2025-48120
CVE-2025-48120 (MapSVG Lite) is an improper generation of code vulnerability in the WordPress MapSVG Lite plugin, enabling arbitrary shortcode execution (code injection). Affected: MapSVG Lite versions up to 8.6.4. Public docs indicate a vendor-provided fix was released: MapSVG Lite 8.6.9 and lat...
WordPress plugin MapSVG Lite code injection vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A code injection...
WordPress plugin Contact Manager code issue vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers running PHP and MySQL. WordPress plugin is an application plugin. A code issue vulnerability exists i...
PT-2025-4137
Name of the Vulnerable Software and Affected Versions: Contact Manager plugin for WordPress versions up to, and including, 8.6.4. Description: The Contact Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the contact form upload feature. This...
Security Updates for Azure CycleCloud (September 2024)
The Azure CycleCloud product is missing security updates. It is, therefore, affected by the following vulnerability: - A remote code execution vulnerability exists due to a disclosure of the storage credentials. An authenticated, remote attacker can exploit this to bypass authentication and execu...
Geo Controller < 8.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description: The Geo Controller plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 8.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inje...
PT-2024-23380 · Unknown · Infinitum Form Geo Controller
Name of the Vulnerable Software and Affected Versions: INFINITUM FORM Geo Controller versions n/a through 8.6.4 Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, which allows Stored XSS. This means that an attacke...
CVE-2024-30227
Deserialization of Untrusted Data vulnerability in INFINITUM FORM Geo Controller. This issue affects Geo Controller: from n/a through 8.6.4...
WordPress Geo Controller Plugin <= 8.6.4 is vulnerable to Cross Site Scripting (XSS)
Software: Geo Controller; Type: Plugin; Vulnerable versions: <= 8.6.4; Fixed in: 8.6.5; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2024-30451; Patch priority: Low; CVSS severity: Low (6.5); PSID: e663f7c5a611; Credits: LVT-tholv2k; Required privilege...
VMware vRealize Operations security vulnerability
VMware vRealize Operations is an application from VMware, Inc. A unified, AI-based platform for private, hybrid and multi-cloud environments that delivers IT operations management on autopilot. A security vulnerability exists in VMware vRealize Operations version 8.6.4, which stems from an...
VMware vRealize Operations security vulnerability
VMware vRealize Operations is an application from VMware, Inc. A unified, AI-based platform for private, hybrid, and multi-cloud environments that delivers IT operations management on autopilot. A security vulnerability exists in VMware vRealize Operations version 8.6.4, which can be exploited by...
Security Bulletin: IBM Forms Experience Builder could be susceptible to a server-side request forgery (CVE-2016-6001)
Summary: IBM Forms Experience Builder could be susceptible to a server-side request forgery (SSRF) allowing for some information disclosure of internal resources. Vulnerability Details: CVEID: CVE-2016-6001. DESCRIPTION: IBM Forms Experience Builder could be susceptible to a server-side request forger...