226 matches found

OSV
added 2026/03/24 9:51 p.m.

GHSA-3F24-PCVM-5JQC NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching

Background NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. One authentication model supported is mTLS, deriving the NATS client identity from properties of the TLS Client Certificate. Problem...

CVSS 4.2 | AI score 5.8 | EPSS 0.00143
Exploits 0 | References 4
Positive Technologies
added 2026/03/24 12:00 a.m.

PT-2026-27621

Name of the Vulnerable Software and Affected Versions: NATS-Server versions prior to 2.11.15; NATS-Server versions prior to 2.12.6. Description: NATS-Server, a high-performance server for NATS.io, a cloud and edge native messaging system, has an issue where, when using mTLS for client identity with...

CVSS 4.2 | AI score 5.8 | EPSS 0.00143
Exploits 0 | References 9
OSV
added 2026/03/12 2:48 p.m.

BIT-PARSE-2026-31828 Parse Server has an LDAP injection via unsanitized user input in DN and group filter construction

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2 and 8.6.26, the LDAP authentication adapter is vulnerable to LDAP injection. User-supplied input authData.id is interpolated directly into LDAP Distinguished Names (DNs) and group...

CVSS 8.8 | AI score 5.8 | EPSS 0.00423
Exploits 0 | References 4
Github Security Blog
added 2026/03/11 12:23 a.m.

Parse Server vulnerable to LDAP injection via unsanitized user input in DN and group filter construction

Impact: The LDAP authentication adapter is vulnerable to LDAP injection. User-supplied input authData.id is interpolated directly into LDAP Distinguished Names (DNs) and group search filters without escaping special characters. This allows an attacker with valid LDAP credentials to manipulate the bin...

CVSS 8.8 | AI score 5.8 | EPSS 0.00423
Exploits 0 | References 5 | Affected software 1
OSV
added 2026/03/11 12:23 a.m.

GHSA-7M6R-FHH7-R47C Parse Server vulnerable to LDAP injection via unsanitized user input in DN and group filter construction

Impact: The LDAP authentication adapter is vulnerable to LDAP injection. User-supplied input authData.id is interpolated directly into LDAP Distinguished Names (DNs) and group search filters without escaping special characters. This allows an attacker with valid LDAP credentials to manipulate the bin...

CVSS 6 | AI score 5.8 | EPSS 0.00423
Exploits 0 | References 5
CVE
added 2026/03/10 9:41 p.m.

CVE-2026-31828

CVE-2026-31828 affects Parse Server deployments using the LDAP authentication adapter with group-based access control. User input in authData.id is interpolated directly into LDAP DNs and group search filters without escaping, enabling an attacker with valid LDAP credentials to manipulate the bin...

CVSS 8.8 | AI score 5.8 | EPSS 0.00423
Exploits 0 | References 3 | Affected software 1
Vulnrichment
added 2026/03/10 9:41 p.m.

CVE-2026-31828 Parse Server has an LDAP injection via unsanitized user input in DN and group filter construction

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.13 and 8.6.26, the LDAP authentication adapter is vulnerable to LDAP injection. User-supplied input authData.id is interpolated directly into LDAP Distinguished Names (DNs) an...

CVSS 6 | AI score 5.8 | EPSS 0.00423
Exploits 0 | References 3
Cvelist
added 2026/03/10 9:41 p.m.

CVE-2026-31828 Parse Server has an LDAP injection via unsanitized user input in DN and group filter construction

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.13 and 8.6.26, the LDAP authentication adapter is vulnerable to LDAP injection. User-supplied input authData.id is interpolated directly into LDAP Distinguished Names (DNs) an...

CVSS 6 | EPSS 0.00423
Exploits 0 | References 3
Tenable Nessus
added 2026/02/16 12:00 a.m.

Fedora 42 : p11-kit (2026-7982f70f74)

The remote Fedora 42 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-7982f70f74 advisory. Notable changes from the rebase: pkcs11: Update PKCS11 headers to version 3.2 rpc: fix NULL dereference via CDeriveKey with specific NULL parameters...

CVSS 7.5 | AI score 5.8 | EPSS 0.01129
Exploits 0 | References 2
ATTACKERKB
added 2026/02/07 9:56 p.m.

CVE-2026-25560

WeKan versions prior to 8.19 contain an LDAP filter injection vulnerability in LDAP authentication. User-supplied username input is incorporated into LDAP search filters and DN-related values without adequate escaping, allowing an attacker to manipulate LDAP queries during authentication...

CVSS 8.7 | AI score 5.4 | EPSS 0.00654
Exploits 0 | References 4
Tenable Nessus
added 2026/01/20 12:00 a.m.

MiracleLinux 8 : 389-ds:1.4 bug fix and enhancement update (AXSA:2021-2281:02)

The remote MiracleLinux 8 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2021-2281:02 advisory. An update for the 389-ds:1.4 module is now available. CVE-2020-35518 When binding against a DN during authentication, the reply from 389-ds-base will be...

CVSS 5.3 | AI score 5.7 | EPSS 0.01538
Exploits 0 | References 2
AstraLinux
added 2026/01/13 2:01 p.m.

Astra Linux – Vulnerability in the 389-DS-base

A flaw was discovered in the 389-ds-base LDAP Server. This issue occurs when performing a Modify DN LDAP operation via the LDAP protocol, where the function's return value is not checked, and a NULL pointer is dereferenced. If a privileged user performs an LDAP MODDN operation after a failed...

CVSS 4.9 | AI score 5.5 | EPSS 0.00553
Exploits 0 | References 3
Veracode
added 2025/10/27 5:49 a.m.

Identity Spoofing

org.igniterealtime.openfire:xmppserver is vulnerable to identity spoofing. The vulnerability is due to regex-based extraction of the Common Name (CN) from an unescaped, provider-dependent Distinguished Name (DN) string, which allows an attacker to impersonate other users using crafted certificate...

CVSS 5.9 | AI score 6.6 | EPSS 0.0022
Exploits 0 | References 7 | Affected software 1
NVD
added 2025/10/10 10:15 p.m.

CVE-2025-61912

python-ldap is a Lightweight Directory Access Protocol (LDAP) client API for Python. In versions prior to 3.4.5, ldap.dn.escape_dn_chars() escapes \x00 incorrectly by emitting a backslash followed by a literal NUL byte instead of the RFC 4514 hex form \00. Any application that uses this helper to...

CVSS 6.9 | EPSS 0.00418
Exploits 1 | References 3
CVE
added 2025/10/10 10:04 p.m.

CVE-2025-61912

CVE-2025-61912 concerns python-ldap prior to 3.4.5, where ldap.dn.escape_dn_chars() escapes the NUL byte as a backslash-NUL instead of the RFC‑4514 form \00. This can cause client-side denial of service when untrusted input is used to construct DNs, as requests may be dropped before contacting an...

CVSS 6.9 | AI score 6.3 | EPSS 0.00418
Exploits 1 | References 3 | Affected software 1
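Added example, not code from Parse Server, python-ldap or any other project listed on this page. The Parse Server entries above describe authData.id being interpolated into a DN and into a group search filter without escaping; the python-ldap entries describe escape_dn_chars() emitting a backslash followed by a raw NUL byte instead of the RFC 4514 form \00. The block below implements RFC 4514 escaping for DN attribute values and RFC 4515 escaping for filter assertion values, then builds a user DN and a group-membership filter both naively and with escaping so the two can be compared on attacker-shaped input. The directory layout (ou=users,dc=example,dc=com), the groupOfNames filter shape, the sample inputs, and buggy_escape_nul (a reconstruction of the described defect, not python-ldap's code) are assumptions made for illustration.

```python
"""RFC 4514 / RFC 4515 escaping beside the naive string building that
LDAP-injection advisories describe. Added example; not project code."""

# RFC 4514 section 2.4: characters that must be escaped inside a DN
# attribute value (backslash is in the set so it is escaped first).
_DN_SPECIAL = set('"+,;<>\\')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use in an RFC 4514 string DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append('\\' + ch)
        elif ord(ch) < 0x20:
            # NUL and other control characters as a hex pair: NUL -> "\00".
            out.append('\\%02x' % ord(ch))
        elif ch == '#' and i == 0:
            out.append('\\#')          # leading '#' must be escaped
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')          # leading/trailing space must be escaped
        else:
            out.append(ch)
    return ''.join(out)


def buggy_escape_nul(value: str) -> str:
    """Assumed reconstruction of the defect described for python-ldap < 3.4.5:
    a backslash is emitted but the NUL byte itself is copied through, so the
    result still contains a raw 0x00 instead of the two hex digits "00"."""
    return value.replace('\x00', '\\\x00')


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use in an RFC 4515 search filter."""
    out = []
    for ch in value:
        if ch in '*()\\' or ord(ch) < 0x20:
            out.append('\\%02x' % ord(ch))   # e.g. '*' -> "\2a", '(' -> "\28"
        else:
            out.append(ch)
    return ''.join(out)


USER_BASE = 'ou=users,dc=example,dc=com'    # assumed directory layout


def user_dn_naive(uid: str) -> str:
    """The vulnerable pattern: user input dropped straight into the DN."""
    return 'uid=%s,%s' % (uid, USER_BASE)


def user_dn_safe(uid: str) -> str:
    """Hardened: the RDN value is escaped, so ',' cannot add a new RDN."""
    return 'uid=%s,%s' % (escape_dn_value(uid), USER_BASE)


def group_filter_naive(group: str, user_dn: str) -> str:
    """The vulnerable pattern: values concatenated into the filter string."""
    return '(&(objectClass=groupOfNames)(cn=%s)(member=%s))' % (group, user_dn)


def group_filter_safe(group: str, user_dn: str) -> str:
    """Hardened: both assertion values are filter-escaped. The DN string is
    itself an assertion value here, so any '\\' it carries becomes "\5c"."""
    return '(&(objectClass=groupOfNames)(cn=%s)(member=%s))' % (
        escape_filter_value(group), escape_filter_value(user_dn))


def demo(uid: str, group: str = 'admins') -> dict:
    """Naive and hardened constructions side by side for one user id."""
    naive_dn = user_dn_naive(uid)
    safe_dn = user_dn_safe(uid)
    return {
        'naive_dn': naive_dn,
        'safe_dn': safe_dn,
        'naive_filter': group_filter_naive(group, naive_dn),
        'safe_filter': group_filter_safe(group, safe_dn),
    }


if __name__ == '__main__':
    # Constructed inputs: a value that relocates the entry in the tree, and
    # a bare wildcard that turns the membership check into "any member".
    for sample in ('alice,ou=admins', '*'):
        for key, val in demo(sample).items():
            print('%-13s %s' % (key, val))
    print(repr(escape_dn_value('a\x00b')), repr(buggy_escape_nul('a\x00b')))
```

In the naive DN, the input `alice,ou=admins` yields `uid=alice,ou=admins,ou=users,...`, a different entry from the one the application meant to bind as; the escaped form keeps the comma inside the uid value. In the naive filter, a bare `*` in the member assertion matches any member of the group, while the escaped filter carries `\2a`, a literal asterisk. The NUL comparison shows why the python-ldap defect matters: `escape_dn_value` produces the three characters `\00`, whereas the reconstructed buggy helper leaves a raw NUL in the string, which is what an LDAP client then refuses or truncates before any request reaches the server.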
EUVD
added 2025/10/07 12:30 a.m.

EUVD-2010-0808

Malware in sbrugna...

CVSS 4.3 | AI score 6.4 | EPSS 0.00678
Exploits 0 | References 4
EUVD
added 2025/10/07 12:30 a.m.

EUVD-2011-1042

Malware in sbrugna...

CVSS 6.8 | AI score 6 | EPSS 0.04449
Exploits 0 | References 19
EUVD
added 2025/10/07 12:30 a.m.

EUVD-2008-0565

Malware in sbrugna...

CVSS 7.5 | AI score 6.2 | EPSS 0.0187
Exploits 1 | References 11
EUVD
added 2025/10/07 12:30 a.m.

EUVD-2017-6557

Malware in sbrugna...

CVSS 9.8 | AI score 7.8 | EPSS 0.0837
Exploits 0 | References 9
EUVD
added 2025/10/07 12:30 a.m.

EUVD-2009-2451

Malware in sbrugna...

CVSS 5 | AI score 6.2 | EPSS 0.0255
Exploits 0 | References 7