Lucene search
K

47 matches found

OSV
OSV
added 2026/03/24 6:11 p.m.15 views

CVE-2026-33409 Parse Server: Auth provider validation bypass on login via partial authData

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.52 and 9.6.0-alpha.41, an authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowin...

7CVSS5.8AI score0.00455EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 2026/03/24 6:11 p.m.3 views

CVE-2026-33409

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.52 and 9.6.0-alpha.41, an authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowin...

7CVSS5.7AI score0.00455EPSS
Exploits0References6Affected Software1
OSV
OSV
added 2026/03/20 11:37 a.m.5 views

BIT-PARSE-2026-33163 Parse Server leaks protected fields via LiveQuery afterEvent trigger

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0 and 8.6.50, when a Parse.Cloud.afterLiveQueryEvent trigger is registered for a class, the LiveQuery server leaks protected fields and authData to all subscribers of that class...

8.2CVSS5.8AI score0.00421EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/03/19 9:32 p.m.9 views

Parse Server has an auth provider validation bypass on login via partial authData

Impact An authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowing the user's credentials. The attacker only needs to know the user's provider ID to gain full access to their account, including a valid sessi...

9.1CVSS5.7AI score0.00455EPSS
Exploits0References7Affected Software1
NVD
NVD
added 2026/03/18 10:16 p.m.11 views

CVE-2026-33042

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.29 and 8.6.49, a user can sign up without providing credentials by sending an empty authData object, bypassing the username and password requirement. This allows the creati...

6.9CVSS0.00294EPSS
Exploits0References3
NVD
NVD
added 2026/03/18 10:16 p.m.5 views

CVE-2026-33163

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.35 and 8.6.50, when a Parse.Cloud.afterLiveQueryEvent trigger is registered for a class, the LiveQuery server leaks protected fields and authData to all subscribers of that...

8.2CVSS0.00421EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/03/18 9:58 p.m.19 views

CVE-2026-33163 Parse Server leaks protected fields via LiveQuery afterEvent trigger

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.35 and 8.6.50, when a Parse.Cloud.afterLiveQueryEvent trigger is registered for a class, the LiveQuery server leaks protected fields and authData to all subscribers of that...

8.2CVSS0.00421EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/03/18 9:58 p.m.5 views

CVE-2026-33163 Parse Server leaks protected fields via LiveQuery afterEvent trigger

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.35 and 8.6.50, when a Parse.Cloud.afterLiveQueryEvent trigger is registered for a class, the LiveQuery server leaks protected fields and authData to all subscribers of that...

8.2CVSS5.8AI score0.00421EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/03/18 9:54 p.m.2 views

CVE-2026-33042 Parse Server affected by empty authData bypassing credential requirement on signup

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.29 and 8.6.49, a user can sign up without providing credentials by sending an empty authData object, bypassing the username and password requirement. This allows the creati...

6.9CVSS5.8AI score0.00294EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/03/18 9:54 p.m.2 views

CVE-2026-33042

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.29 and 8.6.49, a user can sign up without providing credentials by sending an empty authData object, bypassing the username and password requirement. This allows the creati...

6.9CVSS5.8AI score0.00294EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/03/18 7:49 p.m.5 views

GHSA-5HMJ-JCGP-6HFF Parse Server leaks protected fields via LiveQuery afterEvent trigger

Impact When a Parse.Cloud.afterLiveQueryEvent trigger is registered for a class, the LiveQuery server leaks protected fields and authData to all subscribers of that class. Fields configured as protected via Class-Level Permissions protectedFields are included in LiveQuery event payloads for all...

8.2CVSS5.8AI score0.00421EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/03/17 7:50 p.m.8 views

Parse Server affected by empty authData bypassing credential requirement on signup

Impact A user can sign up without providing credentials by sending an empty authData object, bypassing the username and password requirement. This allows the creation of authenticated sessions without proper credentials, even when anonymous users are disabled. Patches The fix ensures that empty o...

6.9CVSS5.8AI score0.00294EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/03/17 7:50 p.m.5 views

GHSA-WJQW-R9X4-J59V Parse Server affected by empty authData bypassing credential requirement on signup

Impact A user can sign up without providing credentials by sending an empty authData object, bypassing the username and password requirement. This allows the creation of authenticated sessions without proper credentials, even when anonymous users are disabled. Patches The fix ensures that empty o...

6.9CVSS5.8AI score0.00294EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/03/17 12:0 a.m.10 views

PT-2026-25999

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.29 and 8.6.49, a user can sign up without providing credentials by sending an empty authData object, bypassing the username and password requirement. This allows the creati...

6.9CVSS5.8AI score0.00294EPSS
Exploits0References8
Snyk
Snyk
added 2026/03/11 12:23 a.m.5 views

LDAP Injection

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to LDAP Injection via unsanitized input in the authData.id parameter during the construction of LDAP Distinguished Names and...

8.8CVSS5.8AI score0.00423EPSS
Exploits0References2
IBM Security Bulletins
IBM Security Bulletins
added 2026/03/10 10:20 a.m.7 views

Security Bulletin: IBM MQ is affected by an authority vulnerablility (CVE-2026-1713)

Summary IBM MQ has addressed an authority vulnerablility Vulnerability Details CVEID:CVE-2026-1713 DESCRIPTION: IBM MQ is affected by an authority vulnerability allowing users access to SYSTEM.AUTH.DATA.QUEUE. CWE:CWE-305: Authentication Bypass by Primary Weakness CVSS Source: IBM CVSS Base score...

5.5CVSS5.8AI score0.00114EPSS
Exploits0Affected Software1
Snyk
Snyk
added 2025/12/16 10:35 p.m.3 views

Server-side Request Forgery (SSRF)

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the apiURL parameter in authData used by the Instagram OAuth adapter. An attacker can...

8.3CVSS7AI score0.00291EPSS
Exploits0References2
NVD
NVD
added 2025/12/16 7:16 p.m.20 views

CVE-2025-68150

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.2 and 9.1.1-alpha.1, the Instagram authentication adapter allows clients to specify a custom API URL via the apiURL parameter in authData. This enables SSRF attacks and...

8.3CVSS0.00291EPSS
Exploits0References3
NCSC
NCSC
added 2025/03/14 9:14 a.m.8 views

Vulnerabilities fixed in GitLab

GitLab has fixed vulnerabilities in GitLab EE/CE versions from 11.5 to 17.9.2. The vulnerabilities include an issue where users with custom permissions can approve more membership requests than they are entitled to, which can lead to unauthorized access to restricted areas within the platform. In...

9.8CVSS9.8AI score0.63792EPSS
Exploits6References1
Hacker One
Hacker One
added 2025/03/09 10:45 p.m.7 views

U.S. Dept Of Defense: Information Disclosure in API Endpoint /users

An endpoint /users was exposing sensitive user information, including id, first name, last name, email, role, and authdata, to unauthenticated users. This allowed anyone to retrieve private user details without authentication...

7AI score
Exploits0
Rows per page
Query Builder