155 matches found
Mongo-Express - Remote Code Execution
Mongo-Express before 1.0.0 is susceptible to remote code execution because it uses safer-eval to validate user supplied javascript. Unfortunately safer-eval sandboxing capabilities are easily bypassed leading to remote code execution in the context of the node server. id: CVE-2020-24391 info: nam...
Apache Solr <= 7.1 - XML Entity Injection
Apache Solr with Apache Lucene before 7.1 is susceptible to remote code execution by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. Note that the XML external...
CVE-2026-31225
The vulnerability CVE-2026-31225 affects the superduper project up to v0.10.0. The issue is in the query parsing component: the function named in the code (_parse_op_part()/parse_op_part()) uses eval() on user-supplied operands with only a restricted global namespace, but does not block dangerous...
superduper 安全漏洞
Superduper is an open-source database integration AI proxy and application building tool developed by superduper.io. Versions of Superduper prior to v0.10.0 contained security vulnerabilities. These vulnerabilities stemmed from the Parseoppart function in the query parsing component, which used t...
CVE-2025-63704
NPM package query-parser-string 1.0.0 is vulnerable to Prototype Pollution. The package does not properly sanitize user supplied query parameters and merges them to the newly created object...
EUVD-2025-209730
NPM package query-parser-string 1.0.0 is vulnerable to Prototype Pollution. The package does not properly sanitize user supplied query parameters and merges them to the newly created object...
GHSA-587P-W43Q-4HJX query-parser-string is vulnerable to Prototype Pollution
NPM package query-parser-string 1.0.0 is vulnerable to Prototype Pollution. The package does not properly sanitize user supplied query parameters and merges them to the newly created object...
NPM: query-parser-string is vulnerable to Prototype Pollution
NPM: query-parser-string is vulnerable to Prototype Pollution vulnerability discovered by ? in WordPress Npm query-string-parser versions 1.0.0...
query-parser-string is vulnerable to Prototype Pollution
NPM package query-parser-string 1.0.0 is vulnerable to Prototype Pollution. The package does not properly sanitize user supplied query parameters and merges them to the newly created object...
CVE-2025-63704
NPM package query-parser-string 1.0.0 is vulnerable to Prototype Pollution. The package does not properly sanitize user supplied query parameters and merges them to the newly created object...
CVE-2025-63704
NPM package query-parser-string 1.0.0 is vulnerable to Prototype Pollution. The package does not properly sanitize user supplied query parameters and merges them to the newly created object...
CVE-2025-63704
CVE-2025-63704 affects the NPM package [email protected] and is caused by improper sanitization of user-supplied query parameters, leading to prototype pollution (merging inputs into a newly created object). The CVSS v3.1 base score reported is 9.8 (CRITICAL) with network attack vector, n...
CVE-2025-63704
NPM package query-parser-string 1.0.0 is vulnerable to Prototype Pollution. The package does not properly sanitize user supplied query parameters and merges them to the newly created object...
CVE-2025-63704
NPM package query-parser-string 1.0.0 is vulnerable to Prototype Pollution. The package does not properly sanitize user supplied query parameters and merges them to the newly created object...
PT-2026-38453
Name of the Vulnerable Software and Affected Versions query-parser-string version 1.0.0 Description The software is subject to Prototype Pollution, a condition where an attacker can manipulate the prototype of an object to alter the behavior of the application. This occurs because the package fai...
Astra Linux - уязвимость в ruby-rack
Rack is a modular Ruby web server interface. Prior to version 2.2.18, Rack::QueryParser enforced its paramslimit only for parameters separated by &, while still splitting on both & and ;. As a result, attackers could use ; separators to bypass the parameter count limit and submit more parameters...
Astra Linux - уязвимость в ruby-rack
Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, Rack::QueryParser parses query strings and application/x-www-form-urlencoded bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers to send requests with...
CVE-2026-34400
Alerta is a monitoring tool. Prior to version 9.1.0, the Query string search API q= was vulnerable to SQL injection via the Postgres query parser, which built WHERE clauses by interpolating user-supplied search terms directly into SQL strings via f-strings. This issue has been patched in version...
📄 OpenStack Remote Code Execution
A remote code execution vulnerability exists in the query parser of OpenStack Vitrage prior to versions 12.0.1, 13.0.0, 14.0.0, and 15.0.0.The issue resides in the createqueryfunction method...
Linux Distros Unpatched Vulnerability : CVE-2026-28370
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In the query parser in OpenStack Vitrage before 12.0.1, 13.0.0, 14.0.0, and 15.0.0, a user allowed to access the Vitrage API may trigger code execution on the...