CVE-2026-30229 Parse Server: Endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.6 and 9.5.0-alpha.4, the readOnlyMasterKey can call POST /loginAs to obtain a valid session token for any user. This allows a read-only credential to impersonate arbitrary...

CVE-2026-30229 Parse Server: Endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.6 and 9.5.0-alpha.4, the readOnlyMasterKey can call POST /loginAs to obtain a valid session token for any user. This allows a read-only credential to impersonate arbitrary...

Incorrect Authorization

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Incorrect Authorization via the /loginAs endpoint when using the readOnlyMasterKey credential. An attacker can impersonate...

PT-2026-23753

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.6 Parse Server versions prior to 9.5.0-alpha.4 Description Parse Server is an open-source backend deployable on Node.js infrastructures. A read-only master key can be used to call the POST /loginAs API...

EUVD-2018-3565

Malware in sbrugna...

PT-2025-33719 · WordPress · Contactmanager

Name of the Vulnerable Software and Affected Versions: Contact Manager plugin for WordPress versions prior to 8.6.6 Description: The Contact Manager plugin for WordPress is susceptible to Stored Cross-Site Scripting via the title parameter. Insufficient input sanitization and output escaping allo...

FortiWLM progressfile command injection

Added: 03/18/2024 Background Fortinet Wireless Manager FortiWLM allows you to manage wireless networks on FortiGates. Problem A command injection vulnerability allows unauthenticated attackers to execute arbitrary commands by calling the deleteprogressfile function with a specially crafted...

Norton Security for Mac improperly processes ICMP packets

Overview Norton Security for Mac provided by NortonLifeLock Inc. is antivirus software. Norton Security for Mac improperly processes ICMP packets, which may result in OS to crash CWE-20. Yuki Meguro of Tohoku Information Systems Company, Incorporated reported this vulnerability to IPA. JPCERT/CC...

Drupal 8.6.x < 8.6.6 Multiple Vulnerabilities

According to its self-reported version number, the detected Drupal application is affected by multiple vulnerabilities : - A flaw exists in third-party PEAR ArchiveTar library. - A flaw exists in PHP's built-in phar stream wrapper that could lead to a remote code execution when performing file...

Cross site request forgery (csrf)

servlet/UserServlet in SearchBlox 8.6.6 has CSRF via the uname, upasswd1, upasswd2, role, and X-XSRF-TOKEN POST parameters because of CSRF Token Bypass...

SearchBlox 8.6.6 - Cross-Site Request Forgery

Exploit Title: CSRF Privilege Escalation Creation of an administrator account on SearchBlox 8.6.6 Exploit Author: Canberk BOLAT, Ahmet GÜREL Software Link: https://www.searchblox.com/ Version: = SearchBlox Version 8.6.6 Platform: Java Tested on: Windows CVE: CVE-2018-11538 1. DETAILS Using...

SearchBlox 8.6.6 - Cross-Site Request Forgery

SearchBlox 8.6.6 - Cross-Site Request Forgery Exploit Title: CSRF Privilege Escalation Creation of an administrator account on SearchBlox 8.6.6 Exploit Author: Canberk BOLAT, Ahmet GÜREL Software Link: https://www.searchblox.com/ Version: = SearchBlox Version 8.6.6 Platform: Java Tested on: Windo...