19 matches found
BIT-PARSE-2026-33163 Parse Server leaks protected fields via LiveQuery afterEvent trigger
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0 and 8.6.50, when a Parse.Cloud.afterLiveQueryEvent trigger is registered for a class, the LiveQuery server leaks protected fields and authData to all subscribers of that class...
CVE-2026-32878
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.20 and 8.6.44, an attacker can bypass the default request keyword denylist protection and the class-level permission for adding fields by sending a crafted request that...
CVE-2026-32878
Parse Server is vulnerable to prototype pollution in its deep copy path prior to versions 9.6.0-alpha.20 and 8.6.44. An attacker can bypass the default denylist and class-level field-adding permissions by crafting a request, allowing injection of fields into locked schemas and causing permanent s...
GHSA-5HMJ-JCGP-6HFF Parse Server leaks protected fields via LiveQuery afterEvent trigger
Impact When a Parse.Cloud.afterLiveQueryEvent trigger is registered for a class, the LiveQuery server leaks protected fields and authData to all subscribers of that class. Fields configured as protected via Class-Level Permissions protectedFields are included in LiveQuery event payloads for all...
Parse Server vulnerable to schema poisoning via prototype pollution in deep copy
Impact An attacker can bypass the default request keyword denylist protection and the class-level permission for adding fields by sending a crafted request that exploits prototype pollution in the deep copy mechanism. This allows injecting fields into class schemas that have field addition locked...
GHSA-9CCR-FPP6-78QF Parse Server vulnerable to schema poisoning via prototype pollution in deep copy
Impact An attacker can bypass the default request keyword denylist protection and the class-level permission for adding fields by sending a crafted request that exploits prototype pollution in the deep copy mechanism. This allows injecting fields into class schemas that have field addition locked...
BIT-PARSE-2026-30965 Parse Server session token exfiltration via `redirectClassNameForKey` query parameter
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2 and 8.6.21, a vulnerability in Parse Server's query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other users by exploiting the...
CVE-2026-32098
Parse Server (Node.js) prior to versions 9.6.0-alpha.9 and 8.6.35 is vulnerable to a LiveQuery-based leakage where an attacker can infer protected field values through WHERE clauses referencing those fields (including dot-notation or $regex). The attack hinges on Common protections: Class-Level P...
CVE-2026-30965
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.8 and 8.6.21, a vulnerability in Parse Server's query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other users by exploiting...
Siemens SIMATIC S7-1500 and Ruggedcom ROX Devices Use After Free (CVE-2021-36086)
The CIL compiler in SELinux 3.2 has a use-after-free in cilresetclasspermission called from cilresetclasspermsset and cilresetclasspermslist. This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information. %NASLMINLEVEL 80900 C Tenable, Inc...
EUVD-2021-22718
Malware in sbrugna...
SUSE CVE-2021-36085
The CIL compiler in SELinux 3.2 has a use-after-free in cilverifyclassperms called from verifymappermclassperms and hashtabmap...
OESA-2022-1753 libsepol security update
libsepol provides an API for the manipulation of SELinux binary policies. It is used by checkpolicy the policy compiler and similar tools, as well as by programs like loadpolicy that need to perform specific transformations on binary policies such as customizing policy boolean settings. Security...
CVE-2021-36084
The CIL compiler in SELinux 3.2 has a use-after-free in cilverifyclassperms called from cilverifyclasspermission and cilpreverifyhelper...
UBUNTU-CVE-2021-36085
The CIL compiler in SELinux 3.2 has a use-after-free in cilverifyclassperms called from verifymappermclassperms and hashtabmap...
SELinux 资源管理错误漏洞
SELinux is a Linux subsystem from the National Security Agency that uses a secure architecture that allows administrators to better control who has access to the system. A security vulnerability exists in SELinux version 3.2, which stems from a use-after-free in the SELinux CIL compiler in the...
Sql injection
Multiple SQL injection vulnerabilities in RunCMS 2M1 allow remote authenticated users to execute arbitrary SQL commands via the 1 forum parameter to modules/forum/post.php and possibly 2 forumid variable to modules/forum/class/class.permissions.php...
CVE-2009-3813
Multiple SQL injection vulnerabilities in RunCMS 2M1 allow remote authenticated users to execute arbitrary SQL commands via the 1 forum parameter to modules/forum/post.php and possibly 2 forumid variable to modules/forum/class/class.permissions.php...
BloofoxCMS 0.3 - Multiple Input Validation Vulnerabilities
source: https://www.securityfocus.com/bid/27361/info bloofoxCMS is prone to a directory-traversal vulnerability, a SQL-injection vulnerability, and an authentication-bypass vulnerability. The SQL-injection vulnerability occurs because the application fails to sufficiently sanitize user-supplied...