CVE-2026-32594 Parse Server GraphQL WebSocket endpoint bypasses security middleware

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.40 and 9.6.0-alpha.14, the GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection...

CVE-2026-32594 Parse Server GraphQL WebSocket endpoint bypasses security middleware

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.40 and 9.6.0-alpha.14, the GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection...

PT-2026-25374

Impact Any Parse Server deployment that uses the GraphQL API is affected. The GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection control, and query complexity limits. An attacker can connect to the...

CVE-2026-4045

CVE-2026-4045 affects projectsend up to r1945, specifically an issue in includes/Classes/Auth.php where manipulating the ldap_email argument can cause observable response discrepancy. attack can be executed remotely with high complexity and is reported as a low-severity (CVSS ~3.7) issue, with ex...

BIT-PARSE-2026-30946 Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior 9.5.2 and 8.6.15, an unauthenticated attacker can exhaust Parse Server resources CPU, memory, database connections through crafted queries that exploit the lack of complexity limits in th...

CLSA-2026-1773323311 python3.11: Fix of CVE-2025-6075

CVE-2025-6075: fix quadratic complexity in os.path.expandvars...

PT-2026-25004

Name of the Vulnerable Software and Affected Versions projectsend versions prior to r1946 Description A flaw exists in projectsend up to revision r1945. This impacts an unknown function within the includes/Classes/Auth.php file. Manipulating the ldap email argument can cause an observable...

CVE-2025-15603

A security vulnerability has been detected in open-webui up to 0.6.16. Affected is an unknown function of the file backend/startwindows.bat of the component JWT Key Handler. Such manipulation of the argument WEBUISECRETKEY leads to insufficiently random values. It is possible to launch the attack...

EUVD-2025-208555

Exposure of resource to wrong sphere in the UEFI PdaSmm module for some IntelR reference platforms may allow an information disclosure. System software adversary with a privileged user combined with a high complexity attack may enable data exposure. This result may potentially occur via local...

Allocation of Resources Without Limits or Throttling

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through unbounded query complexity in the REST and GraphQL APIs. An...

GHSA-CMJ3-WX7H-FFVG Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API

Impact An unauthenticated attacker can exhaust Parse Server resources CPU, memory, database connections through crafted queries that exploit the lack of complexity limits in the REST and GraphQL APIs. All Parse Server deployments using the REST or GraphQL API are affected. Patches The vulnerabili...

Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API

Impact An unauthenticated attacker can exhaust Parse Server resources CPU, memory, database connections through crafted queries that exploit the lack of complexity limits in the REST and GraphQL APIs. All Parse Server deployments using the REST or GraphQL API are affected. Patches The vulnerabili...

CVE-2025-22850

Time-of-check time-of-use race condition in the UEFI PdaSmm module for some IntelR reference platforms may allow an information disclosure. System software adversary with a privileged user combined with a high complexity attack may enable data exposure. This result may potentially occur via local...

CVE-2025-22444

CVE-2025-22444 affects the UEFI PdaSmm module on certain Intel reference platforms. The flaw is described as Exposure of resource to wrong sphere, enabling information disclosure. A system software adversary with privileged user access and a high-complexity, local attack could potentially cause d...

CVE-2025-22444

Exposure of resource to wrong sphere in the UEFI PdaSmm module for some IntelR reference platforms may allow an information disclosure. System software adversary with a privileged user combined with a high complexity attack may enable data exposure. This result may potentially occur via local...

CVE-2025-20073

Improper buffer restrictions in the UEFI DXE module for some IntelR Reference Platforms within UEFI may allow an information disclosure. System software adversary with a privileged user combined with a high complexity attack may enable data exposure. This result may potentially occur via local...

CVE-2025-20064

CVE-2025-20064 describes improper input validation in the UEFI FlashUcAcmSmm module for Intel reference platforms, enabling local privilege escalation and potential local code execution. The vulnerability requires a privileged system software adversary, with no user interaction, and is characteri...

CVE-2026-30946 Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior 9.5.2-alpha.2 and 8.6.15, an unauthenticated attacker can exhaust Parse Server resources CPU, memory, database connections through crafted queries that exploit the lack of complexity limi...

CVE-2025-70030

An issue pertaining to CWE-1333: Inefficient Regular Expression Complexity 4.19 was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4...

CVE-2026-3787

A weakness has been identified in UltraVNC 1.6.4.0 on Windows. This affects an unknown function in the library cryptbase.dll of the component Windows Service. This manipulation causes uncontrolled search path. The attack requires local access. A high degree of complexity is needed for the attack...