CVE-2026-31875

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.7 and 8.6.33, when multi-factor authentication MFA via TOTP is enabled for a user account, Parse Server generates two single-use recovery codes. These codes are intended as...

UBUNTU-CVE-2026-23364

In the Linux kernel, the following vulnerability has been resolved: ksmbd: Compare MACs in constant time To prevent timing attacks, MAC comparisons need to be constant-time. Replace the memcmp with the correct function, cryptomemneq...

EUVD-2026-14986

HCL Traveler is affected by sensitive information disclosure. The application generates some error messages that provide detailed information about errors and failures, such as internal paths, file names, sensitive tokens, credentials, error codes, or stack traces. Attackers could exploit this...

Parse Server exposes auth data via /users/me endpoint

Impact An authenticated user calling GET /users/me receives unsanitized auth data, including sensitive credentials such as MFA TOTP secrets and recovery codes. The endpoint internally uses master-level authentication for the session query, and the master context leaks through to the user data,...

EUVD-2026-14980

Parse Server exposes auth data via /users/me endpoint...

GHSA-37MJ-C2WF-CX96 Parse Server exposes auth data via /users/me endpoint

Impact An authenticated user calling GET /users/me receives unsanitized auth data, including sensitive credentials such as MFA TOTP secrets and recovery codes. The endpoint internally uses master-level authentication for the session query, and the master context leaks through to the user data,...

Missing Authentication for Critical Function

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the /users/me endpoint. An authenticated user can access sensitive...

CVE-2026-21783 HCL Traveler is affected by sensitive information disclosure

HCL Traveler is affected by sensitive information disclosure. The application generates some error messages that provide detailed information about errors and failures, such as internal paths, file names, sensitive tokens, credentials, error codes, or stack traces. Attackers could exploit this...

CVE-2026-21783

HCL Traveler is affected by sensitive information disclosure. The application generates some error messages that provide detailed information about errors and failures, such as internal paths, file names, sensitive tokens, credentials, error codes, or stack traces. Attackers could exploit this...

FileBrowser Quantum has Username Enumeration via Authentication Timing Side-Channel

Summary The /api/auth/login authentication endpoint does not execute in constant time. When a non-existent username is supplied, the server returns a 401/403 response almost immediately. When a valid username is provided, the server performs a bcrypt password comparison, causing a measurable dela...

CVE-2026-33627 Parse Server: Auth data exposed via /users/me endpoint

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.61 and 9.6.0-alpha.55, an authenticated user calling GET /users/me receives unsanitized auth data, including sensitive credentials such as MFA TOTP secrets and recovery...

CVE-2026-33627 Parse Server: Auth data exposed via /users/me endpoint

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.61 and 9.6.0-alpha.55, an authenticated user calling GET /users/me receives unsanitized auth data, including sensitive credentials such as MFA TOTP secrets and recovery...

PT-2026-27486

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.61 Parse Server versions prior to 9.6.0-alpha.55 Description Parse Server is an open source backend deployable on Node.js infrastructures. An authenticated user calling the GET /users/me API endpoint receives...

PT-2026-27497

HCL Traveler is affected by sensitive information disclosure. The application generates some error messages that provide detailed information about errors and failures, such as internal paths, file names, sensitive tokens, credentials, error codes, or stack traces. Attackers could exploit this...

Parse Server 安全漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. There were security vulnerabilities in versions of Parse Server prior to 8.6.60 and 9.6.0-alpha.54. These vulnerabilities stemmed from the ability for MFA recovery...

africa.absa:inception-api (>=1.1.0 <=1.2.0), africa.absa:inception-codes-api (>=1.1.0 <=1.2.0) +10609 more potentially affected by CVE-2026-22737 via org.springframework:spring-webmvc (>=5.3.0 <=5.3.39)

org.springframework:spring-webmvc MAVEN version =5.3.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =4.4.0.2, =j11.2.6.0, =j11.2.6.0, =j11.2.6.0, =j11.2.6.2 and more Source cves: CVE-2026-22737 Source advisory: OSV:GHSA-4773-3JFM-QMX3...

PT-2026-26763

Name of the Vulnerable Software and Affected Versions Vikunja affected versions not specified Description A flaw exists where a Time-based One-Time Password TOTP used for successful 2FA authentication can be reused within its 30-second validity window, allowing subsequent authentication attempts...

OPEXUS eComplaint和OPEXUS eCASE 安全漏洞

OPEXUS eComplaint and OPEXUS eCASE are products of the American company OPEXUS. OPEXUS eComplaint is a complaint and appeal management platform. OPEXUS eCASE is an case management system. There were security vulnerabilities in versions of OPEXUS eComplaint and OPEXUS eCASE before 10.1.0.0. These...

GHSA-63F5-HHC7-CX6P OpenClaw bootstrap setup codes could be replayed to escalate pending pairing scopes before approval

Summary openclaw versions = 2026.3.12 allowed bootstrap setup codes to be replayed before approval, which could widen the scopes on a pending device pairing request. Affected Packages / Versions - Package: openclaw npm - Affected versions: = 2026.3.12 - Fixed version: 2026.3.13 Details The...

New Phishing Scam Uses LiveChat to Pose as Amazon and PayPal in Real Time

Cofense researchers warn of a phishing scam where attackers use LiveChat to impersonate Amazon and PayPal agents and steal credit card and MFA codes...