CVE-2026-47138

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.77 and 9.9.1-alpha.1, an unauthenticated attacker who knows a publicly-known Parse Application ID can submit a single HTTP request whose client SDK version field contains...

CVE-2026-47138 Parse Server: Pre-authentication denial of service via client version header regex backtracking

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.77 and 9.9.1-alpha.1, an unauthenticated attacker who knows a publicly-known Parse Application ID can submit a single HTTP request whose client SDK version field contains...

CVE-2026-42348

OpenTelemetry.OpAmp.Client is the OpAMP client for OpenTelemetry .NET. Prior to 0.2.0-alpha.1, when receiving responses from the OpAMP server over HTTP, the OpAMP client allocates an unbounded buffer to read all bytes from the server, with no upper-bound on the number of bytes consumed. This coul...

SUSE CVE-2026-44740

Billy is an interface filesystem abstraction for Go. Prior to versions 5.9.0 and 6.0.0-alpha.1, multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption. These issues arise from insufficien...

CVE-2026-44740

CVE-2026-44740 affects the go-billy interface filesystem abstraction. Before 5.9.0 and 6.0.0-alpha.1, multiple components may mishandle crafted input, risking panics, infinite loops, uncontrolled recursion, or excessive resource consumption due to missing validation, cycle detection, and defensiv...

go-billy security vulnerabilities

Go-Billy is an open-source file system abstraction library developed by go-git. Versions of Go-Billy prior to 5.9.0 and 6.0.0-alpha.1 contained security vulnerabilities. These vulnerabilities stemmed from improper handling of specially crafted or malformed inputs by multiple components, which cou...

CVE-2026-48589

Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module...

UBUNTU-CVE-2026-48589

Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module...

CVE-2026-48589

Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module...

CVE-2026-43827

CVE-2026-43827 affects Apache Shiro. In affected versions (1.0–2.1.0 and 3.0.0-alpha-1), an existing session is not invalidated nor a new session with a new ID issued after login, enabling session fixation. Upgraded fixes are available in 2.1.1 and 3.0.0-alpha-2 or later; apply the patch to mitig...

Apache Shiro 安全漏洞

Apache Shiro is a suite of Java security frameworks for performing authentication, authorization, encryption, and session management from the Apache Foundation USA. A security vulnerability exists in Apache Shiro versions 1.0 through 2.1.0 and 3.0.0-alpha-1, which stems from a session fixation...

Apache Shiro 安全漏洞

Apache Shiro is a set of Java security frameworks for performing authentication, authorization, encryption, and session management from the Apache Foundation USA. A security vulnerability exists in Apache Shiro versions 2.0-alpha through 2.2.0 and 3.0.0-alpha-1, which stems from insufficient...

PT-2026-43118

Name of the Vulnerable Software and Affected Versions Apache Shiro versions 1.0 through 2.1.0 Apache Shiro version 3.0.0-alpha-1 Description Default configurations contain a session fixation issue. In the affected versions, when a session already exists, it is not invalidated upon successful logi...

NPM: Nuxt: Reflected XSS in `navigateTo()` external redirect

NPM: Nuxt: Reflected XSS in navigateTo external redirect vulnerability discovered by ? in WordPress Npm nuxt versions = 3.4.3, = 3.21.5...

ch.iterial.keycloak.plugins:keycloak-directus-plugin (>=0.1.0 <=0.7.0), com.charlyghislain.keycloak:keycloak-importexport (>=21.0.0 <=23.0.1) +174 more potentially affected by CVE-2026-37979 via org.keycloak:keycloak-services (>=1.0-alpha-1 <=26.6.1)

org.keycloak:keycloak-services MAVEN version =1.0-alpha-1, =0.1.0, =21.0.0, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.11 - com.github.wnameless.spring.boot.up:spring-boot-up-embedded-keycloak =24.3.0.0 -...

CVE-2026-42348 OpAMP client reads unbounded HTTP response bodies

OpenTelemetry.OpAmp.Client is the OpAMP client for OpenTelemetry .NET. Prior to 0.2.0-alpha.1, when receiving responses from the OpAMP server over HTTP, the OpAMP client allocates an unbounded buffer to read all bytes from the server, with no upper-bound on the number of bytes consumed. This coul...

CVE-2026-42348 OpAMP client reads unbounded HTTP response bodies

OpenTelemetry.OpAmp.Client is the OpAMP client for OpenTelemetry .NET. Prior to 0.2.0-alpha.1, when receiving responses from the OpAMP server over HTTP, the OpAMP client allocates an unbounded buffer to read all bytes from the server, with no upper-bound on the number of bytes consumed. This coul...

CVE-2026-42348

OpenTelemetry.OpAmp.Client (OpenTelemetry .NET) is affected before version 0.2.0-alpha.1. The HTTP transport reads HttpResponseMessage.Content into memory using ReadAsByteArrayAsync without a size cap, allowing an unbounded read of the entire response body. This can cause memory exhaustion in the...

ch.iterial.keycloak.plugins:keycloak-directus-plugin (>=0.1.0 <=0.7.0), com.charlyghislain.keycloak:keycloak-importexport (>=21.0.0 <=23.0.1) +164 more potentially affected by CVE-2026-37977 via org.keycloak:keycloak-services (>=1.0-alpha-1 <=26.5.7)

org.keycloak:keycloak-services MAVEN version =1.0-alpha-1, =0.1.0, =21.0.0, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.0.0, =1.2.0 and more Source cves: CVE-2026-37977 Source advisory: OSV:GHSA-5V8V-XVJV-57X7https://vulners.com/osv/OSV:GHSA-5V8V-XVJ...

ch.iterial.keycloak.plugins:keycloak-directus-plugin (>=0.1.0 <=0.7.0), com.charlyghislain.keycloak:keycloak-importexport (>=21.0.0 <=23.0.1) +160 more potentially affected by CVE-2026-4282 via org.keycloak:keycloak-services (>=1.0-alpha-1 <=26.5.6)

org.keycloak:keycloak-services MAVEN version =1.0-alpha-1, =0.1.0, =21.0.0, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.0.0, =1.2.0 and more Source cves: CVE-2026-4282 Source advisory: OSV:GHSA-HJ93-H7PG-FH6Vhttps://vulners.com/osv/OSV:GHSA-HJ93-H7PG-...