57 matches found
CVE-2026-29792
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, an unauthenticated attacker can send a crafted GET request directly to /oauth/:provider/callback with a forged profile in the query string. The OAuth service's...
CVE-2026-29793
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, Socket.IO clients can send arbitrary JavaScript objects as the id argument to any service method get, patch, update, remove. The transport layer performs no type...
@vevedh/bke-dsi-cacem (>=2.0.4 <=4.0.1), bke-dsi-cacem (>=0.0.1 <=2.0.4) potentially affected by CVE-2026-29793 via @feathersjs/mongodb (>=5.0.11 <=5.0.12)
@feathersjs/mongodb NPM version =5.0.11, =2.0.4, =0.0.1, =2.0.4 Source cves: CVE-2026-29793 Source advisory: SNYK:JS-FEATHERSJSMONGODB-15456216...
@vevedh/bke-dsi-cacem (>=2.0.4 <=4.0.1), bke-dsi-cacem (>=0.0.1 <=2.0.4) potentially affected by CVE-2026-29793 via @feathersjs/mongodb (>=5.0.11 <=5.0.12)
@feathersjs/mongodb NPM version =5.0.11, =2.0.4, =0.0.1, =2.0.4 Source cves: CVE-2026-29793 Source advisory: OSV:GHSA-P9XR-7P9P-GPQX...
EUVD-2026-10827
Feathers has a NoSQL Injection via WebSocket id Parameter in MongoDB Adapter...
EUVD-2026-10826
Feathers has a NoSQL Injection via WebSocket id Parameter in MongoDB Adapter...
@vevedh/bke-dsi-cacem (>=2.0.4 <=4.0.1), bke-dsi-cacem (>=0.0.1 <=2.0.4) potentially affected by CVE-2026-29792 via @feathersjs/authentication-oauth (>=5.0.11 <=5.0.12)
@feathersjs/authentication-oauth NPM version =5.0.11, =2.0.4, =0.0.1, =2.0.4 Source cves: CVE-2026-29792 Source advisory: OSV:GHSA-WG9X-QFGW-PXHJ...
@vevedh/bke-dsi-cacem (>=2.0.4 <=4.0.1), bke-dsi-cacem (>=0.0.1 <=2.0.4) potentially affected by CVE-2026-29792 via @feathersjs/authentication-oauth (>=5.0.11 <=5.0.12)
@feathersjs/authentication-oauth NPM version =5.0.11, =2.0.4, =0.0.1, =2.0.4 Source cves: CVE-2026-29792 Source advisory: SNYK:JS-FEATHERSJSAUTHENTICATIONOAUTH-15470092...
EUVD-2026-10824
Feathers has an OAuth Callback Account Takeover issue...
CVE-2026-29793
Feathersjs vulnerability CVE-2026-29793 affects Feathersjs 5.0.0–5.0.41 with Socket.IO client-supplied ids not type-checked, which may pass as MongoDB operators (e.g., {$ne: null}) into queries via the MongoDB adapter. This can cause unintended document matches and impacts on confidentiality, int...
CVE-2026-29793 NoSQL Injection via WebSocket id Parameter in MongoDB Adapter
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, Socket.IO clients can send arbitrary JavaScript objects as the id argument to any service method get, patch, update, remove. The transport layer performs no type...
CVE-2026-29792 Feathersjs has an OAuth Callback Account Takeover
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, an unauthenticated attacker can send a crafted GET request directly to /oauth/:provider/callback with a forged profile in the query string. The OAuth service's...
PT-2026-24420
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, an unauthenticated attacker can send a crafted GET request directly to /oauth/:provider/callback with a forged profile in the query string. The OAuth service's...
PT-2026-24421
Name of the Vulnerable Software and Affected Versions Feathersjs versions 5.0.0 through 5.0.41 Description Feathersjs is a framework used for building web APIs and real-time applications. Socket.IO clients can send arbitrary JavaScript objects as the id argument to any service method get, patch,...
CVE-2026-27192
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, origin validation uses startsWith for comparison, allowing attackers to bypass the check by registering a domain that shares a common prefix with an allowed...