CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Snyk•added 2026/03/20 9:48 p.m.•2 views

Uncontrolled Recursion

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Uncontrolled Recursion via the requestComplexity.queryDepth configuration setting when processing WebSocket subscription...

8.2CVSS5.8AI score0.00345EPSS

OSV•added 2026/03/20 9:48 p.m.•4 views

GHSA-6QH5-M6G3-XHQ6 Parse Server LiveQuery subscription query depth bypass

Impact Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription requests. An attacker can send a subscription with deeply nested logical operators, causing excessive recursion and CPU consumption that degrade...

8.2CVSS5.8AI score0.00345EPSS

Exploits0References7

Snyk•added 2026/03/20 8:44 p.m.•2 views

Incorrect Authorization

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Incorrect Authorization in the LiveQuery WebSocket interface due to improper enforcement of pointer permissions. An attacker...

7.1CVSS5.8AI score0.00397EPSS

EUVD•added 2026/03/20 3:31 p.m.•6 views

EUVD-2026-13704

OpenClaw versions prior to 2026.3.12 contain an authorization bypass vulnerability in the WebSocket connect path that allows shared-token or password-authenticated connections to self-declare elevated scopes without server-side binding. Attackers can exploit this logic flaw to present unauthorize...

Github Security Blog•added 2026/03/20 3:31 p.m.•9 views

Duplicate Advisory: OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-rqpp-rjj8-7wv8. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.3.12 contain an authorization bypass vulnerability in the WebSocket connect path that...

9.9CVSS5.7AI score0.00505EPSS

Exploits0References4Affected Software1

OSV•added 2026/03/20 3:31 p.m.•1 views

GHSA-X49Q-FHHM-R9JF Duplicate Advisory: OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes

NVD•added 2026/03/20 3:16 p.m.•4 views

CVE-2026-22172

9.9CVSS0.00505EPSS

Cvelist•added 2026/03/20 2:48 p.m.•19 views

CVE-2026-22172 OpenClaw < 2026.3.12 - Scope Elevation in WebSocket Shared-Auth Connections

9.9CVSS0.00505EPSS

ATTACKERKB•added 2026/03/20 2:48 p.m.•5 views

CVE-2026-22172

Vulnrichment•added 2026/03/20 2:48 p.m.•4 views

CVE-2026-22172 OpenClaw < 2026.3.12 - Scope Elevation in WebSocket Shared-Auth Connections

CVE•added 2026/03/20 2:48 p.m.•50 views

CVE-2026-22172

OpenClaw is affected: versions prior to 2026.3.12 contain an authorization bypass in the WebSocket connect path. The flaw lets shared-token or password-authenticated connections self-declare elevated scopes without server-side binding, enabling unauthorized scopes such as operator.admin and poten...

Exploits0References2Affected Software1

OSV•added 2026/03/20 9:19 a.m.•3 views

BIT-PARSE-2026-32594 Parse Server GraphQL WebSocket endpoint bypasses security middleware

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.40 and 9.6.0, the GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection control, and...

7.3CVSS5.9AI score0.00342EPSS

Exploits0References4

OSV•added 2026/03/20 9:15 a.m.•1 views

BIT-JENKINS-2026-33002

Jenkins 2.442 through 2.554 both inclusive, LTS 2.426.3 through LTS 2.541.2 both inclusive performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, making it vulnerable t...

7.5CVSS5.8AI score0.00297EPSS

Positive Technologies•added 2026/03/20 12:0 a.m.•3 views

PT-2026-26694

The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent...

7.3CVSS5.8AI score0.00328EPSS

Exploits0References5

Positive Technologies•added 2026/03/20 12:0 a.m.•3 views

PT-2026-26791

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.56 Parse Server versions prior to 9.6.0-alpha.45 Description Parse Server’s LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription...

8.2CVSS5.8AI score0.00345EPSS

Exploits0References9

CNNVD•added 2026/03/20 12:0 a.m.•4 views

IGL-Technologies eParking.fi 代码问题漏洞

IGL-Technologies eParking.fi is an intelligent parking platform provided by IGL-Technologies, offering features for parking management, charging, and parking space monitoring. IGL-Technologies eParking.fi has code vulnerabilities; these vulnerabilities stem from predictable WebSocket backend...

7.3CVSS5.9AI score0.0025EPSS

Snyk•added 2026/03/20 12:0 a.m.•3 views

Allocation of Resources Without Limits or Throttling

Overview feast is a Python SDK for Feast Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the WebSocket endpoint. An attacker can exhaust server resources, including memory, CPU, and file descriptors, by establishing a large number of...

8.7CVSS5.9AI score