Lucene search

970 matches found

OSV
added 2026/03/31 2:42 p.m., 3 views

CVE-2026-34532 Parse Server: Cloud function validator bypass via prototype chain traversal

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.67 and 9.7.0-alpha.11, an attacker can bypass Cloud Function validator access controls by appending "prototype.constructor" to the function name in the URL. When a Cloud...

CVSS 9.1 | AI score 5.8 | EPSS 0.00043
Exploits: 0 | References: 7
ATTACKERKB
added 2026/03/31 2:42 p.m., 0 views

CVE-2026-34532

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.67 and 9.7.0-alpha.11, an attacker can bypass Cloud Function validator access controls by appending "prototype.constructor" to the function name in the URL. When a Cloud...

CVSS 9.1 | AI score 5.7 | EPSS 0.00043
Exploits: 0 | References: 6 | Affected software: 1
EUVD
added 2026/03/31 2:42 p.m., 1 view

EUVD-2026-17473

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.67 and 9.7.0-alpha.11, an attacker can bypass Cloud Function validator access controls by appending "prototype.constructor" to the function name in the URL. When a Cloud...

CVSS 9.1 | AI score 5.7 | EPSS 0.00043
Exploits: 0 | References: 5
Positive Technologies
added 2026/03/31 12:00 a.m., 1 view

PT-2026-29272

Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 8.6.67; Parse Server versions prior to 9.7.0-alpha.11. Description: Parse Server is an open source backend deployable on Node.js infrastructures. An attacker can bypass Cloud Function validator access controls by...

CVSS 9.1 | AI score 5.9 | EPSS 0.00043
Exploits: 0 | References: 15
Github Security Blog
added 2026/03/29 3:44 p.m., 3 views

MikroORM has Prototype Pollution in Utils.merge

A prototype pollution vulnerability exists in the Utils.merge helper used internally by MikroORM when merging object structures. The function did not prevent special keys such as __proto__, constructor, or prototype, allowing attacker-controlled input to modify the JavaScript object prototype when...

CVSS 9.1 | AI score 6 | EPSS 0.00048
Exploits: 0 | References: 3 | Affected software: 1
CVE
added 2026/03/26 5:21 p.m., 8 views

CVE-2026-33732

The srvx vulnerability CVE-2026-33732 affects the Node.js adapter prior to version 0.11.13, where FastURL’s pathname parsing could mis-handle absolute URIs with non-standard schemes (e.g., file://). This allowed bypass of route-based middleware because FastURL would later deopt to the native URL ...

CVSS 6.5 | AI score 5.8 | EPSS 0.0005
Exploits: 0 | References: 3 | Affected software: 1
OSSF Malicious Packages
added 2026/03/24 9:05 a.m., 3 views

Malicious code in ftapi-core (npm)

Multiple suspicious behaviors: hex obfuscation, code execution via constructor, process access, install script, and suspicious author email. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1a78a31e9e0e51a5531ac61b714695aa1af1ac1379233e78623ac3ed63285f6c The...

AI score 6.3
Exploits: 0 | References: 1
SUSE CVE
added 2026/03/24 12:24 a.m., 2 views

SUSE CVE-2026-33155

DeepDiff is a project focused on Deep Difference and search of any Python data. From version 5.0.0 to before version 8.6.2, the pickle unpickler RestrictedUnpickler validates which classes can be loaded but does not limit their constructor arguments. A few of the types in SAFE_TO_IMPORT have...

CVSS 7.5 | AI score 5.8 | EPSS 0.00026
Exploits: 1 | References: 4
UbuntuCve
added 2026/03/20 9:17 p.m., 0 views

CVE-2026-33155

DeepDiff is a project focused on Deep Difference and search of any Python data. From version 5.0.0 to before version 8.6.2, the pickle unpickler RestrictedUnpickler validates which classes can be loaded but does not limit their constructor arguments. A few of the types in SAFE_TO_IMPORT have...

CVSS 8.7 | AI score 5.9 | EPSS 0.00026
Exploits: 1 | References: 3
Snyk
added 2026/03/19 10:46 p.m., 4 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview: ormar is an async ORM with FastAPI in mind and Pydantic validation. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the model constructor when injecting the __pk_only__ or __excluded__ parameters when used...

CVSS 9.8 | AI score 5.8 | EPSS 0.00489
Exploits: 1 | References: 2
Vulnrichment
added 2026/03/19 8:23 p.m., 1 view

CVE-2026-27953 ormar has a Pydantic Validation Bypass via Kwargs Injection in Model Constructor

ormar is an async mini ORM for Python. Versions 0.23.0 and below are vulnerable to Pydantic validation bypass through the model constructor, allowing any unauthenticated user to skip all field validation by injecting "__pk_only__": true into a JSON request body. By injecting "__pk_only__": true into a JSON...

CVSS 7.1 | AI score 5.9 | EPSS 0.00489
Exploits: 1 | References: 9
CVE
added 2026/03/19 8:23 p.m., 7 views

CVE-2026-27953

Summary: CVE-2026-27953 affects ormar (Python)

CVSS 9.8 | AI score 5.8 | EPSS 0.00489
Exploits: 1 | References: 9 | Affected software: 1
Cvelist
added 2026/03/19 8:23 p.m., 16 views

CVE-2026-27953 ormar has a Pydantic Validation Bypass via Kwargs Injection in Model Constructor

ormar is an async mini ORM for Python. Versions 0.23.0 and below are vulnerable to Pydantic validation bypass through the model constructor, allowing any unauthenticated user to skip all field validation by injecting "__pk_only__": true into a JSON request body. By injecting "__pk_only__": true into a JSON...

CVSS 7.1 | EPSS 0.00489
Exploits: 1 | References: 9
EUVD
added 2026/03/19 4:27 p.m., 2 views

EUVD-2026-13198

ormar Pydantic Validation Bypass via __pk_only__ and __excluded__ Kwargs Injection in Model Constructor...

CVSS 7.1 | AI score 5.8 | EPSS 0.00489
Exploits: 1 | References: 9
OSV
added 2026/03/19 4:27 p.m., 1 view

GHSA-F964-WHRQ-44H8 ormar Pydantic Validation Bypass via __pk_only__ and __excluded__ Kwargs Injection in Model Constructor

Summary: A Pydantic validation bypass in ormar's model constructor allows any unauthenticated user to skip all field validation (type checks, constraints, @field_validator/@model_validator decorators, choices enforcement, and required-field checks) by injecting "__pk_only__": true into a JSON request...

CVSS 7.1 | AI score 6 | EPSS 0.00489
Exploits: 1 | References: 11
Github Security Blog
added 2026/03/18 8:10 p.m., 4 views

DeepDiff has Memory Exhaustion DoS through SAFE_TO_IMPORT

Summary: The pickle unpickler RestrictedUnpickler validates which classes can be loaded but does not limit their constructor arguments. A few of the types in SAFE_TO_IMPORT have constructors that allocate memory proportional to their input (builtins.bytes, builtins.list, builtins.range). A 40-byte...

CVSS 8.7 | AI score 8 | EPSS 0.00026
Exploits: 1 | References: 4 | Affected software: 1
RedhatCVE
added 2026/03/16 7:24 p.m., 2 views

CVE-2026-32304

A flaw was found in Locutus, a JavaScript library that provides standard library functions. The create_function function in Locutus passes user-supplied arguments and code directly to the JavaScript Function constructor without proper sanitization. This vulnerability allows a remote attacker to...

CVSS 9.8 | AI score 6.2 | EPSS 0.00161
Exploits: 1 | References: 5
OSV
added 2026/03/16 12:00 a.m., 1 view

MAL-2026-1548 Malicious code in syntax-class-constructor-call (npm)

The package 'syntax-class-constructor-call' is part of the PhantomRaven supply chain attack campaign Wave 3. It uses a Remote Dynamic Dependency (RDD) technique: the published package appears benign but includes a URL-based dependency in package.json pointing to an attacker-controlled C2 server...

AI score 5.6
Exploits: 0 | References: 3
OSSF Malicious Packages
added 2026/03/16 12:00 a.m., 5 views

Malicious code in syntax-class-constructor-call (npm)

The package 'syntax-class-constructor-call' is part of the PhantomRaven supply chain attack campaign Wave 3. It uses a Remote Dynamic Dependency (RDD) technique: the published package appears benign but includes a URL-based dependency in package.json pointing to an attacker-controlled C2 server...

AI score 5.5
Exploits: 0 | References: 3
NVD
added 2026/03/13 7:54 p.m., 2 views

CVE-2026-32304

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create_function(args, code) function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution. This is distinct from...

CVSS 9.8 | EPSS 0.00161
Exploits: 1 | References: 2