CVE-2026-34363

The CVE entry maps to a Parse Server LiveQuery vulnerability (prote cted fields/afterEvent triggers) where multiple subscribers sharing a class could see leaked or incomplete data due to in-place edits of shared mutable objects by the sensitive data filter. The root cause is shared mutable state ...

CVE-2026-34363 Parse Server: LiveQuery protected field leak via shared mutable state across concurrent subscribers

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.65 and 9.7.0-alpha.9, when multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects...

CVE-2026-34224

CVE-2026-34224 affects Parse Server (Node.js backend). A flaw in the authData login flow lets an attacker with a valid provider token and a single MFA recovery code or SMS OTP create multiple authenticated sessions by issuing concurrent login requests, defeating the single-use MFA guarantee and p...

CVE-2026-34224 Parse Server: MFA single-use token bypass via concurrent authData login requests

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple...

CVE-2026-34224 Parse Server: MFA single-use token bypass via concurrent authData login requests

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple...

CVE-2026-34224 Parse Server: MFA single-use token bypass via concurrent authData login requests

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple...

[SECURITY] Fedora 42 Update: stgit-2.5.5-5.fc42

Stacked Git, StGit for short, is an application for managing Git commits as a stack of patches. With a patch stack workflow, multiple patches can be developed concurrently a nd efficiently, with each patch focused on a single concern, resulting in both a clean Git commit history and improved...

[SECURITY] Fedora 43 Update: stgit-2.5.5-5.fc43

Stacked Git, StGit for short, is an application for managing Git commits as a stack of patches. With a patch stack workflow, multiple patches can be developed concurrently a nd efficiently, with each patch focused on a single concern, resulting in both a clean Git commit history and improved...

Parse Server 安全漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. There were security vulnerabilities in versions of Parse Server prior to 8.6.64 and 9.7.0-alpha.8. These vulnerabilities allowed attackers to send concurrent login...

EUVD-2026-16734

AVideo Vulnerable to Wallet Balance Double-Spend via TOCTOU Race Condition in transferBalance...

AVideo Vulnerable to Wallet Balance Double-Spend via TOCTOU Race Condition in transferBalance

Summary The transferBalance method in plugin/YPTWallet/YPTWallet.php contains a Time-of-Check-Time-of-Use TOCTOU race condition. The method reads the sender's wallet balance, checks sufficiency in PHP, then writes the new balance — all without database transactions or row-level locking. An attack...

Race Condition

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Race Condition through the transferBalance process in plugin/YPTWallet/YPTWallet.php. An attacker can create a wallet balance from nothing by sending concurrent...

GHSA-M983-V2FF-WQ65 LiveQuery protected field leak via shared mutable state across concurrent subscribers

Impact When multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects. The sensitive data filter modifies these shared objects in-place, so when one subscriber's filter removes a protected field, subsequent...

Race Condition

Overview github.com/0xJacky/Nginx-UI/settings is a yet another Nginx Web UI Affected versions of this package are vulnerable to Race Condition through the settings update pipeline in api/settings/settings.go and settings/settings.go. An attacker can corrupt app.ini and disrupt service availabilit...

PT-2026-29084

Name of the Vulnerable Software and Affected Versions awesome-llm-apps versions prior to commit e46690f99c3f08be80a9877fab52acacf7ab8251 Description A cross-session information disclosure issue exists in the awesome-llm-apps project. The Streamlit-based GitHub MCP Agent stores user-supplied API...

nginx-ui has Race Condition that Leads to Persistent Data Corruption and Service Collapse

The nginx-ui application is vulnerable to a Race Condition. Due to the complete absence of synchronization mechanisms Mutex and non-atomic file writes, concurrent requests lead to the severe corruption of the primary configuration file app.ini. This vulnerability results in a persistent Denial of...

Parse Server has an MFA single-use token bypass via concurrent authData login requests

Impact An attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint. This defeats the single-use guarantee of MFA recovery cod...

GHSA-W73W-G5XW-RWHF Parse Server has an MFA single-use token bypass via concurrent authData login requests

Impact An attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint. This defeats the single-use guarantee of MFA recovery cod...

PT-2026-28613

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.64 Parse Server versions prior to 9.7.0-alpha.8 Description Parse Server is an open source backend deployable on Node.js infrastructure. An attacker with a valid authentication provider token and a single MFA...

CVE-2026-34368

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the transferBalance method in plugin/YPTWallet/YPTWallet.php contains a Time-of-Check-Time-of-Use TOCTOU race condition. The method reads the sender's wallet balance, checks sufficiency in PHP, then writes the new...