CVE-2026-41728 Spring Data REST JSON Patch bypasses Jackson read-only property protection on nested objects and collections

Spring Data REST's JSON Patch application/json-patch+json implementation does not apply the write-access filter to intermediate path segments when resolving a multi-segment JSON Pointer. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0...

CVE-2026-41728

Spring Data REST is affected by CVE-2026-41728 due to its JSON Patch (application/json-patch+json) handling not applying the write-access filter to intermediate path segments when resolving multi-segment JSON Pointers. Affected versions include Spring Data REST 3.7.0–3.7.19; 4.3.0–4.3.16; 4.4.0–4...

EUVD-2026-33723

parse-nested-form-data is a tiny node module for parsing FormData by name into objects and arrays. Prior to version 1.0.1, parseFormData walks bracket and dot-notation FormData field names into nested objects without filtering reserved property keys. A single FormData field whose name begins with...

Astra Linux - уязвимость в jackson-databind

In Jackson-Databind versions prior to 2.13.0, there was a possibility of a Java StackOverflow exception and a denial of service issue due to the large depth of nested objects...

PT-2026-41772

Name of the Vulnerable Software and Affected Versions parse-nested-form-data versions prior to 1.0.1 Description The parseFormData function processes bracket and dot-notation FormData field names into nested objects without filtering reserved property keys. An attacker can use a FormData field na...

Uncontrolled Recursion

Axios is vulnerable to uncontrolled recursion. The vulnerability is due to the toFormData function recursively processing deeply nested objects without a depth limit, which allows an attacker to supply specially crafted input that triggers a stack overflow and crashes the Node.js process...

CVE-2026-42039

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError. This vulnerability is fixed in 1.15.1 and...

Flowise: Improper Mass Assignment in Account Registration Enables Unauthorized Organization Association

Summary An improper mass assignment JSON injection vulnerability in the account registration endpoint of Flowise Cloud allows unauthenticated attackers to inject server-managed fields and nested objects during account creation. This enables client-controlled manipulation of ownership metadata,...

GHSA-48M6-CH88-55MJ Flowise: Improper Mass Assignment in Account Registration Enables Unauthorized Organization Association

Summary An improper mass assignment JSON injection vulnerability in the account registration endpoint of Flowise Cloud allows unauthenticated attackers to inject server-managed fields and nested objects during account creation. This enables client-controlled manipulation of ownership metadata,...

CVE-2026-32933

AutoMapper is a convention-based object-object mapper in .NET. Versions prior to 15.1.1 and 16.1.1 are vulnerable to a Denial of Service DoS attack. When mapping deeply nested object graphs, the library uses recursive method calls without enforcing a default maximum depth limit. This allows an...

BIT-PARSE-2026-30938 Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.12 and 9.5.1, the requestKeywordDenylist security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is caused b...

CVE-2026-30938 Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.12 and 9.5.1-alpha.1, the requestKeywordDenylist security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is...

CVE-2026-30938

Parse Server is affected by GHSA-Q342-9W2P-57FP, a vulnerability in the denylist keyword scan. The issue arises in the requestKeywordDenylist scanner: if a nested object/array appears before a prohibited keyword, the scanner exits prematurely, allowing bypass of the denylist. All deployments are ...

CVE-2026-30938 Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.12 and 9.5.1-alpha.1, the requestKeywordDenylist security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is...

Improper Check for Unusual or Exceptional Conditions

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions via the Utils class. An attacker can bypass configured keyword...

Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement

Impact The requestKeywordDenylist security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is caused by a logic bug that stops scanning sibling keys after encountering the first nested value. Any custom requestKeywordDenylist...

GHSA-3J22-8QJ3-26MX Seroval affected by Denial of Service via Deeply Nested Objects

Serialization of objects with extreme depth can exceed the maximum call stack limit. Mitigation: Seroval introduces a depthLimit parameter in serialization/deserialization methods. An error will be thrown if the depth limit is reached...

Seroval affected by Denial of Service via Deeply Nested Objects

Serialization of objects with extreme depth can exceed the maximum call stack limit. Mitigation: Seroval introduces a depthLimit parameter in serialization/deserialization methods. An error will be thrown if the depth limit is reached...

CVE-2026-24006

CVE-2026-24006 affects Seroval and describes a Denial of Service risk from serializing deeply nested JS objects. Versions ≤ 1.4.0 permit object depth that can exhaust the call stack; version 1.4.1 adds a depthLimit parameter to serialization/deserialization and will throw an error when the limit ...

CVE-2026-24006 Seroval affected by Denial of Service via Deeply Nested Objects

Seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, serialization of objects with extreme depth can exceed the maximum call stack limit. In version 1.4.1, Seroval introduces a depthLimit parameter in...