CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSSF Malicious Packages•added 2026/04/27 6:30 p.m.•4 views

Malicious code in @w3m-frame/session_update (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a327a8e78038064af56af7f6b1aa21b98a0cee0ed571f5fa53d6187a2b8f9cd1 The package @w3m-frame/sessionupdate was found to contain malicious code. Source: ghsa-malware...

5.8AI score

Exploits0References1

NVD•added 2026/04/21 10:16 p.m.•1 views

CVE-2026-6829

nesquena hermes-webui contains a trust-boundary failure vulnerability that allows authenticated attackers to set or change a session workspace to an arbitrary existing directory on disk by manipulating workspace path parameters in endpoints such as /api/session/new, /api/session/update,...

6.3CVSS0.00039EPSS

Exploits0References4

Snyk•added 2026/04/01 12:3 a.m.•0 views

Incorrect Comparison

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Incorrect Comparison via the session update process. An attacker can extend the validity of a session indefinitely by sendin...

5.4CVSS5.9AI score0.00035EPSS

Vulnrichment•added 2026/03/24 6:22 p.m.•2 views

CVE-2026-33527 Parse Server: Session update endpoint allows overwriting server-generated session fields

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.57 and 9.6.0-alpha.48, an authenticated user can overwrite server-generated session fields such as expiresAt and createdWith when updating their own session via the REST...

5.3CVSS5.7AI score0.00014EPSS

Exploits0References5

Cvelist•added 2026/03/24 6:22 p.m.•15 views

CVE-2026-33527 Parse Server: Session update endpoint allows overwriting server-generated session fields

5.3CVSS0.00014EPSS

Exploits0References5

OSV•added 2026/03/24 6:22 p.m.•1 views

CVE-2026-33527 Parse Server: Session update endpoint allows overwriting server-generated session fields

EUVD•added 2026/03/24 4:34 p.m.•1 views

Exploits0References7

EUVD-2026-14974

Parse Server's Session Update endpoint allows overwriting server-generated session fields...

OSV•added 2026/03/24 4:34 p.m.•1 views

Exploits0References5

GHSA-JC39-686J-WP6Q Parse Server's Session Update endpoint allows overwriting server-generated session fields

Impact An authenticated user can overwrite server-generated session fields such as expiresAt and createdWith when updating their own session via the REST API. This allows bypassing the server's configured session lifetime policy, making a session effectively permanent. Patches The fix blocks...

Github Security Blog•added 2026/03/24 4:34 p.m.•6 views

Exploits0References7

Parse Server's Session Update endpoint allows overwriting server-generated session fields

Exploits0References7Affected Software1

RedhatCVE•added 2026/01/14 10:15 p.m.•1 views

CVE-2026-23478

Cal.com is open-source scheduling software. From 3.1.6 to before 6.0.7, there is a vulnerability in a custom NextAuth JWT callback that allows attackers to gain full authenticated access to any user's account by supplying a target email address via session.update. This vulnerability is fixed in...

10CVSS6.8AI score0.0014EPSS

NVD•added 2026/01/13 10:16 p.m.•1 views

CVE-2026-23478

10CVSS0.0014EPSS

EUVD•added 2026/01/13 9:37 p.m.•1 views

EUVD-2026-2413

10CVSS6.3AI score0.0014EPSS

OSV•added 2026/01/13 9:37 p.m.•1 views

CVE-2026-23478 Cal.com has an Authentication Bypass via Unvalidated Email in Custom JWT Callback

10CVSS6.7AI score0.0014EPSS

Exploits1References3

Cvelist•added 2026/01/13 9:37 p.m.•19 views

CVE-2026-23478 Cal.com has an Authentication Bypass via Unvalidated Email in Custom JWT Callback

10CVSS0.0014EPSS

Positive Technologies•added 2026/01/13 12:0 a.m.•6 views

PT-2026-2806

Name of the Vulnerable Software and Affected Versions Cal.com versions 3.1.6 through 6.0.6 Description Cal.com, an open-source scheduling software, has a critical flaw in a custom NextAuth JWT callback. This issue allows attackers to gain full authenticated access to any user's account by supplyi...

10CVSS5.8AI score0.0014EPSS

Exploits1References15

CNNVD•added 2026/01/13 12:0 a.m.•1 views

Cal.com 安全漏洞

Cal.com is an open source scheduling software from Cal.com Open Source. A security vulnerability exists in Cal.com versions 3.1.6 through prior to 6.0.7, which stems from a flaw in the custom NextAuth JWT callback that could allow an attacker to gain full authentication access to any user account...

10CVSS6AI score0.0014EPSS

Exploits1References2

Snyk•added 2025/07/15 5:41 p.m.•1 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via the session management API due to a missing permission check. An attacker can impersonate other users and access sensitive resources by updating sessions if they know the session ID. Remediation Upgrade...

8.8CVSS6.5AI score0.00322EPSS

Snyk•added 2025/07/15 5:41 p.m.•1 views

Incorrect Authorization

8.8CVSS6.7AI score0.00322EPSS