Lucene search
K

1110 matches found

Snyk
Snyk
added 2026/03/17 6:37 p.m.4 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the POST /classes/Session endpoint. An...

5.3CVSS5.8AI score0.00306EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/03/17 6:37 p.m.7 views

Parse Server session creation endpoint allows overwriting server-generated session fields

Impact An authenticated user can overwrite server-generated session fields sessionToken, expiresAt, createdWith when creating a session object via POST /classes/Session. This allows bypassing the server's session expiration policy by setting an arbitrary far-future expiration date. It also allows...

4.3CVSS5.9AI score0.00306EPSS
Exploits0References5Affected Software1
Snyk
Snyk
added 2026/03/17 12:46 p.m.5 views

Exposure of Resource to Wrong Sphere

Overview Affected versions of this package are vulnerable to Exposure of Resource to Wrong Sphere due to improper handling of the session token cookie path. An attacker can gain unauthorized access to user sessions by capturing valid session tokens through co-hosted applications operating under t...

9.3CVSS5.8AI score0.00677EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/17 12:46 p.m.10 views

Exposure of Resource to Wrong Sphere

Overview apache-airflow-providers-fab is a Provider package apache-airflow-providers-fab for Apache Airflow Affected versions of this package are vulnerable to Exposure of Resource to Wrong Sphere due to improper handling of the session token cookie path. An attacker can gain unauthorized access ...

9.3CVSS5.8AI score0.00677EPSS
Exploits0References2
EUVD
EUVD
added 2026/03/17 12:30 p.m.7 views

EUVD-2026-12558

Apache Airflow versions 3.1.0 through 3.1.7 session token token in cookies is set to path=/ regardless of the configured webserver baseurl or api baseurl. This allows any application co-hosted under the same domain to capture valid Airflow session tokens from HTTP request headers, allowing full...

7.5CVSS5.8AI score0.00677EPSS
Exploits0References3
PyPA
PyPA
added 2026/03/17 11:16 a.m.17 views

PYSEC-2026-16

Apache Airflow versions 3.1.0 through 3.1.7session token token in cookies is set to path=/ regardless of the configured webserver baseurl or api baseurl. This allows any application co-hosted under the same domain to capture valid Airflow session tokens from HTTP request headers, allowing full...

7.5CVSS5.4AI score0.00677EPSS
Exploits0References4Affected Software1
NVD
NVD
added 2026/03/17 11:16 a.m.7 views

CVE-2026-28779

Apache Airflow versions 3.1.0 through 3.1.7 session token token in cookies is set to path=/ regardless of the configured webserver baseurl or api baseurl. This allows any application co-hosted under the same domain to capture valid Airflow session tokens from HTTP request headers, allowing full...

7.5CVSS0.00677EPSS
Exploits0References3
CVE
CVE
added 2026/03/17 10:15 a.m.19 views

CVE-2026-28779

Apache Airflow 3.1.0–3.1.7 exposes a session-token cookie path (/), ignoring configured webserver/api base_url. This enables co-hosted applications on the same domain to capture tokens and take over sessions without exploiting Airflow itself. Public descriptions consistently recommend upgrading t...

7.5CVSS5.8AI score0.00677EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/17 12:0 a.m.16 views

PT-2026-25982

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.17 and 8.6.42, an authenticated user can overwrite server-generated session fields sessionToken, expiresAt, createdWith when creating a session object via POST /classes/...

4.3CVSS5.9AI score0.00306EPSS
Exploits0References9
CNNVD
CNNVD
added 2026/03/17 12:0 a.m.8 views

Apache Airflow 安全漏洞

Apache Airflow is the United States Apache Apache Foundation's set of open source platform with the creation, management and monitoring of workflow functions. The platform is scalable and dynamic monitoring and other features. Apache Airflow has an information disclosure vulnerability that stems...

7.5CVSS5.8AI score0.00677EPSS
Exploits0References3
NVD
NVD
added 2026/03/12 8:16 p.m.7 views

CVE-2026-32248

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.12 and 8.6.38, an unauthenticated attacker can take over any user account that was created with an authentication provider that does not validate the format of the user...

9.8CVSS0.00627EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/03/12 7:14 p.m.25 views

CVE-2026-32248 Parse Server: Account takeover via operator injection in authentication data identifier

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.12 and 8.6.38, an unauthenticated attacker can take over any user account that was created with an authentication provider that does not validate the format of the user...

9.3CVSS0.00627EPSS
Exploits0References3
OSV
OSV
added 2026/03/12 2:48 p.m.4 views

BIT-PARSE-2026-30948 Parse Server has stored cross-site scripting (XSS) via SVG file upload

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2 and 8.6.17, a stored cross-site scripting XSS vulnerability allows any authenticated user to upload an SVG file containing JavaScript. The file is served inline with Content-Type...

8.3CVSS5.7AI score0.00216EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/03/12 12:0 a.m.8 views

PT-2026-25058

Impact An unauthenticated attacker can take over any user account that was created with an authentication provider that does not validate the format of the user identifier e.g. anonymous authentication. By sending a crafted login request, the attacker can cause the server to perform a...

9.8CVSS5.8AI score0.00627EPSS
Exploits0References14
Github Security Blog
Github Security Blog
added 2026/03/11 12:20 a.m.11 views

Parse Server vulnerable to session token exfiltration via `redirectClassNameForKey` query parameter

Impact A vulnerability in Parse Server's query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other users by exploiting the redirectClassNameForKey query parameter. Exfiltrated session tokens can be used to take over user accounts. The vulnerability...

9.9CVSS5.8AI score0.0036EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/03/11 12:20 a.m.8 views

GHSA-6R2J-CXGF-495F Parse Server vulnerable to session token exfiltration via `redirectClassNameForKey` query parameter

Impact A vulnerability in Parse Server's query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other users by exploiting the redirectClassNameForKey query parameter. Exfiltrated session tokens can be used to take over user accounts. The vulnerability...

9.9CVSS5.8AI score0.0036EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/03/10 8:43 p.m.27 views

CVE-2026-30965 Parse Server session token exfiltration via `redirectClassNameForKey` query parameter

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.8 and 8.6.21, a vulnerability in Parse Server's query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other users by exploiting...

9.9CVSS0.0036EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/03/10 8:43 p.m.4 views

CVE-2026-30965

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.8 and 8.6.21, a vulnerability in Parse Server's query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other users by exploiting...

9.9CVSS5.8AI score0.0036EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/03/10 8:43 p.m.6 views

CVE-2026-30965 Parse Server session token exfiltration via `redirectClassNameForKey` query parameter

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.8 and 8.6.21, a vulnerability in Parse Server's query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other users by exploiting...

9.9CVSS5.8AI score0.0036EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/03/10 12:0 a.m.7 views

Parse Server 安全漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that supports Node.js. There were security vulnerabilities in versions of Parse Server prior to 9.5.2-alpha.8 and 8.6.21. These vulnerabilities stemmed from improper handling of the...

9.9CVSS5.8AI score0.0036EPSS
Exploits0References3
Rows per page
Query Builder