CVE-2026-32881

ewe is a Gleam web server. ewe is a Gleam web server. Versions 0.6.0 through 3.0.4 are vulnerable to authentication bypass or spoofed proxy-trust headers. Chunked transfer encoding trailer handling merges declared trailer fields into req.headers after body parsing, but the denylist only blocks 9...

H3 安全漏洞

H3 is an open-source HTTP framework developed by H3. Versions of H3 from 2.0.1-beta.0 to 2.0.0-rc.8 contain security vulnerabilities. These vulnerabilities stem from the use of insecure string comparisons in the requireBasicAuth function, which may lead to timing side-channel attacks...

SuiteCRM 注入漏洞

SuiteCRM is a customer relationship management system developed by the SuiteCRM team. Versions prior to SuiteCRM 7.15.1 and 8.9.3 had an injection vulnerability. This vulnerability stemmed from improper cleanup of user input during the authentication process. As a result, unauthenticated attacker...

SUSE SLES12 Security Update : krb5-appl (SUSE-SU-2026:0930-1)

The remote SUSE Linux SLES12 host has packages installed that are affected by a vulnerability as referenced in the SUSE- SU-2026:0930-1 advisory. This update for krb5-appl fixes the following issue: - CVE-2026-32746: Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd LINEMODE bsc1259691...

CVE-2026-32034

OpenClaw versions prior to 2026.2.21 contain an authentication bypass vulnerability in the Control UI when allowInsecureAuth is explicitly enabled and the gateway is exposed over plaintext HTTP, allowing attackers to bypass device identity and pairing verification. An attacker with leaked or...

CVE-2026-32025

OpenClaw versions prior to 2026.2.25 contain an authentication hardening gap in browser-origin WebSocket clients that allows attackers to bypass origin checks and auth throttling on loopback deployments. An attacker can trick a user into opening a malicious webpage and perform password brute-forc...

CVE-2026-32034

OpenClaw has an authentication bypass in the Control UI for versions prior to 2026.2.21 when allowInsecureAuth is enabled and the gateway is exposed over plaintext HTTP. An attacker with leaked credentials can obtain high-privilege Control UI access due to lack of secure authentication over unenc...

CVE-2026-32014

OpenClaw versions prior to 2026.2.26 contain a metadata spoofing vulnerability where reconnect platform and deviceFamily fields are accepted from the client without being bound into the device-auth signature. An attacker with a paired node identity on the trusted network can spoof reconnect...

CVE-2026-32011 OpenClaw < 2026.3.2 - Slow-Request Denial of Service via Pre-Auth Webhook Body Parsing

OpenClaw versions prior to 2026.3.2 contain a denial of service vulnerability in webhook handlers for BlueBubbles and Google Chat that parse request bodies before performing authentication and signature validation. Unauthenticated attackers can exploit this by sending slow or oversized request...

Parse Server has an auth provider validation bypass on login via partial authData

Impact An authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowing the user's credentials. The attacker only needs to know the user's provider ID to gain full access to their account, including a valid sessi...

openSUSE 16 Security Update : krb5-appl (openSUSE-SU-2026:20374-1)

The remote openSUSE 16 host has packages installed that are affected by a vulnerability as referenced in the openSUSE- SU-2026:20374-1 advisory. Changes in krb5-appl: - CVE-2026-32746: Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd LINEMODE bsc1259691 Tenable has extracted the preceding...

Security update for krb5-appl

This update for krb5-appl fixes the following issue: CVE-2026-32746: Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd LINEMODE bsc1259691. Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST onlineupdate or "zypper patch". Alternatively...

CVE-2026-33042

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.29 and 8.6.49, a user can sign up without providing credentials by sending an empty authData object, bypassing the username and password requirement. This allows the creati...

CVE-2026-33163

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.35 and 8.6.50, when a Parse.Cloud.afterLiveQueryEvent trigger is registered for a class, the LiveQuery server leaks protected fields and authData to all subscribers of that...

CVE-2026-33163 Parse Server leaks protected fields via LiveQuery afterEvent trigger

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.35 and 8.6.50, when a Parse.Cloud.afterLiveQueryEvent trigger is registered for a class, the LiveQuery server leaks protected fields and authData to all subscribers of that...

CVE-2026-33163 Parse Server leaks protected fields via LiveQuery afterEvent trigger

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.35 and 8.6.50, when a Parse.Cloud.afterLiveQueryEvent trigger is registered for a class, the LiveQuery server leaks protected fields and authData to all subscribers of that...

CVE-2026-33042 Parse Server affected by empty authData bypassing credential requirement on signup

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.29 and 8.6.49, a user can sign up without providing credentials by sending an empty authData object, bypassing the username and password requirement. This allows the creati...

CVE-2026-33042

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.29 and 8.6.49, a user can sign up without providing credentials by sending an empty authData object, bypassing the username and password requirement. This allows the creati...

GHSA-5HMJ-JCGP-6HFF Parse Server leaks protected fields via LiveQuery afterEvent trigger

Impact When a Parse.Cloud.afterLiveQueryEvent trigger is registered for a class, the LiveQuery server leaks protected fields and authData to all subscribers of that class. Fields configured as protected via Class-Level Permissions protectedFields are included in LiveQuery event payloads for all...

Timing Attack

Overview h3 is a Minimal HTTP framework built for high performance and portability. Affected versions of this package are vulnerable to Timing Attack via the requireBasicAuth function. An attacker can recover valid authentication credentials by measuring response times and deducing password...