238 matches found
CVE-2026-3021
Non-relational SQL injection vulnerability NoSQLi in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/centro/equipo/empleado'. This vulnerability could allow an authenticated user to alter a GET request to the affected endpoint for the purpose of injecting special NoSQL...
CVE-2026-3023
Non-relational SQL injection vulnerability NoSQLi in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/pets/print-tags'. This vulnerability could allow an authenticated user to alter a POST request to the affected endpoint for the purpose of injecting NoSQL commands,...
CVE-2026-3023 Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma application web
Non-relational SQL injection vulnerability NoSQLi in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/pets/print-tags'. This vulnerability could allow an authenticated user to alter a POST request to the affected endpoint for the purpose of injecting NoSQL commands,...
CVE-2026-3022 Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma application web
Non-relational SQL injection vulnerability NoSQLi in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/hospitalization/generate-hospitalization-summary'. This vulnerability could allow an authenticated user to alter a POST request to the affected endpoint for the purpose o...
CVE-2026-3022 Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma application web
Non-relational SQL injection vulnerability NoSQLi in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/hospitalization/generate-hospitalization-summary'. This vulnerability could allow an authenticated user to alter a POST request to the affected endpoint for the purpose o...
CVE-2026-3021 Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma application web
Non-relational SQL injection vulnerability NoSQLi in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/centro/equipo/empleado'. This vulnerability could allow an authenticated user to alter a GET request to the affected endpoint for the purpose of injecting special NoSQL...
CVE-2026-3021
CVE-2026-3021 is a NoSQLi in the Wakyma web application, specifically at the endpoint vets.wakyma.com/centro/equipo/empleado. An authenticated user can alter a GET request to inject NoSQL commands, enabling enumeration of sensitive employee data. The entry is scored with a BASE CVSS v4.0 score of...
PT-2026-25672
Name of the Vulnerable Software and Affected Versions Wakyma affected versions not specified Description A non-relational SQL injection NoSQLi issue exists in the Wakyma web application. An authenticated user can modify a POST request sent to the ''vets.wakyma.com/pets/print-tags'' endpoint to...
PT-2026-25671
Non-relational SQL injection vulnerability NoSQLi in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/hospitalization/generate-hospitalization-summary'. This vulnerability could allow an authenticated user to alter a POST request to the affected endpoint for the purpose o...
EUVD-2026-10551
Parse Server has a NoSQL injection via token type in password reset and email verification endpoints...
GHSA-VGJH-HMWF-C588 Parse Server has a NoSQL injection via token type in password reset and email verification endpoints
Impact A NoSQL injection vulnerability allows an unauthenticated attacker to inject MongoDB query operators via the token field in the password reset and email verification resend endpoints. The token value is passed to database queries without type validation and can be used to extract password...
NoSQL Injection
Overview @feathersjs/mongodb is a Feathers MongoDB service adapter Affected versions of this package are vulnerable to NoSQL Injection via the id parameter in WebSocket requests, passed through getObjectId, which fails to perform type checking. An attacker can inject database queries by sending...
GHSA-P9XR-7P9P-GPQX Feathers has a NoSQL Injection via WebSocket id Parameter in MongoDB Adapter
Socket.IO clients can send arbitrary JavaScript objects as the id argument to any service method get, patch, update, remove. The transport layer performs no type checking on this argument. When the service uses the MongoDB adapter, these objects pass through getObjectId and land directly in the...
Feathers has a NoSQL Injection via WebSocket id Parameter in MongoDB Adapter
Socket.IO clients can send arbitrary JavaScript objects as the id argument to any service method get, patch, update, remove. The transport layer performs no type checking on this argument. When the service uses the MongoDB adapter, these objects pass through getObjectId and land directly in the...
CVE-2026-29793 NoSQL Injection via WebSocket id Parameter in MongoDB Adapter
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, Socket.IO clients can send arbitrary JavaScript objects as the id argument to any service method get, patch, update, remove. The transport layer performs no type...
CVE-2026-30941
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.14 and 9.5.2-alpha.1, NoSQL injection vulnerability allows an unauthenticated attacker to inject MongoDB query operators via the token field in the password reset and email...
CVE-2026-30941 Parse Server has a NoSQL injection via token type in password reset and email verification endpoints
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.14 and 9.5.2-alpha.1, NoSQL injection vulnerability allows an unauthenticated attacker to inject MongoDB query operators via the token field in the password reset and email...
CVE-2026-30941 Parse Server has a NoSQL injection via token type in password reset and email verification endpoints
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.14 and 9.5.2-alpha.1, NoSQL injection vulnerability allows an unauthenticated attacker to inject MongoDB query operators via the token field in the password reset and email...
CVE-2026-30941
Parse Server exposes a NoSQL injection in token handling for password reset and email verification endpoints on deployments using MongoDB. Prior to versions 8.6.14 and 9.5.2-alpha.1, the token field is passed to database queries without type validation, enabling unauthenticated attackers to injec...
CVE-2026-30941 Parse Server has a NoSQL injection via token type in password reset and email verification endpoints
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.14 and 9.5.2-alpha.1, NoSQL injection vulnerability allows an unauthenticated attacker to inject MongoDB query operators via the token field in the password reset and email...