Lucene search
+L

292 matches found

OSV
OSV
added 2026/03/24 7:12 p.m.8 views

GHSA-P2W6-RMH7-W8Q3 Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter

Impact An attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name parameters of the aggregate $group pipeline stage or the distinct operation. This allows privilege escalation from Parse Server application-lev...

8.6CVSS6.1AI score0.00452EPSS
Exploits0References7
Github Security Blog
Github Security Blog
added 2026/03/24 7:12 p.m.10 views

Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter

Impact An attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name parameters of the aggregate $group pipeline stage or the distinct operation. This allows privilege escalation from Parse Server application-lev...

8.6CVSS6.1AI score0.00452EPSS
Exploits0References7Affected Software1
EUVD
EUVD
added 2026/03/24 7:12 p.m.3 views

EUVD-2026-14976

Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter...

8.6CVSS5.9AI score0.00452EPSS
Exploits0References5
CVE
CVE
added 2026/03/24 6:26 p.m.13 views

CVE-2026-33539

Parse Server SQL injection vulnerability in PostgreSQL adapter (CVE-2026-33539). An attacker with master key access can inject SQL metacharacters into field name parameters of the aggregate $group stage or the distinct operation, enabling arbitrary SQL execution on PostgreSQL and privilege escala...

8.6CVSS6.1AI score0.00452EPSS
Exploits0References5Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/24 6:26 p.m.2 views

CVE-2026-33539 Parse Server: SQL injection via aggregate and distinct field names in PostgreSQL adapter

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.59 and 9.6.0-alpha.53, an attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name...

8.6CVSS6.1AI score0.00452EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/03/24 6:26 p.m.18 views

CVE-2026-33539 Parse Server: SQL injection via aggregate and distinct field names in PostgreSQL adapter

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.59 and 9.6.0-alpha.53, an attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name...

8.6CVSS0.00452EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/03/24 6:26 p.m.5 views

CVE-2026-33539

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.59 and 9.6.0-alpha.53, an attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name...

8.6CVSS6.1AI score0.00452EPSS
Exploits0References6Affected Software1
OSV
OSV
added 2026/03/24 6:26 p.m.9 views

CVE-2026-33539 Parse Server: SQL injection via aggregate and distinct field names in PostgreSQL adapter

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.59 and 9.6.0-alpha.53, an attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name...

8.6CVSS6.1AI score0.00452EPSS
Exploits0References7
Vulnrichment
Vulnrichment
added 2026/03/11 6:53 p.m.0 views

CVE-2026-31888 Shopware has user enumeration via distinct error codes on Store API login endpoint

Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint POST /store-api/account/login returns different error codes depending on whether the submitted email address belongs to a registered customer CHECKOUTCUSTOMERAUTHBADCREDENTIALS or is unknown...

5.3CVSS5.8AI score0.00218EPSS
Exploits0References1
OSV
OSV
added 2026/03/11 6:53 p.m.4 views

CVE-2026-31888 Shopware has user enumeration via distinct error codes on Store API login endpoint

Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint POST /store-api/account/login returns different error codes depending on whether the submitted email address belongs to a registered customer CHECKOUTCUSTOMERAUTHBADCREDENTIALS or is unknown...

5.3CVSS5.8AI score0.00218EPSS
Exploits0References3
NVD
NVD
added 2026/03/11 5:16 p.m.11 views

CVE-2026-31840

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.2 and 8.6.28, an attacker can use a dot-notation field name in combination with the sort query parameter to inject SQL into the PostgreSQL database through an improper...

9.8CVSS0.00408EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/03/11 4:53 p.m.36 views

CVE-2026-31840 Parse Server has a SQL injection via dot-notation field name in PostgreSQL

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.2 and 8.6.28, an attacker can use a dot-notation field name in combination with the sort query parameter to inject SQL into the PostgreSQL database through an improper...

9.3CVSS0.00408EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/03/11 4:53 p.m.5 views

CVE-2026-31840

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.2 and 8.6.28, an attacker can use a dot-notation field name in combination with the sort query parameter to inject SQL into the PostgreSQL database through an improper...

9.3CVSS5.8AI score0.00408EPSS
Exploits0References4Affected Software1
Snyk
Snyk
added 2026/03/10 6:25 p.m.3 views

SQL Injection

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to SQL Injection in the handling of dot-notation field names with the sort, distinct, or where query parameters in PostgreSQL...

9.8CVSS6.2AI score0.00408EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/03/10 12:0 a.m.7 views

PT-2026-24635

Impact An attacker can use a dot-notation field name in combination with the sort query parameter to inject SQL into the PostgreSQL database through an improper escaping of sub-field values in dot-notation queries. The vulnerability may also affect queries that use dot-notation field names with t...

9.3CVSS5.8AI score
Exploits0References5
OSV
OSV
added 2026/02/25 7:0 p.m.5 views

GHSA-JHP4-JVQ3-W5XR Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions

Impact The ConfigKeyCache uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key. Patches The...

7CVSS5.5AI score0.00337EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/02/25 7:0 p.m.8 views

Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions

Impact The ConfigKeyCache uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key. Patches The...

7CVSS5.3AI score0.00337EPSS
Exploits0References5Affected Software1
Information Security Automation
Information Security Automation
added 2026/02/05 4:58 p.m.7 views

I released Vulristics 1.0.11: added Server-Side Request Forgery (SSRF) as a distinct vulnerability type

I releasedVulristics 1.0.11: added Server-Side Request Forgery SSRF as a distinct vulnerability type. I try to use a very small set of base vulnerability types around 20 in Vulristics and map everything else to them. With a few exceptions, these are the same types Microsoft uses - and Microsoft...

5.9AI score
Exploits0
Tenable Nessus
Tenable Nessus
added 2025/11/13 12:0 a.m.4 views

Siemens SIMATIC S7-1500 NULL Pointer Dereference (CVE-2019-19923)

flattenSubquery in select.c in SQLite 3.30.1 mishandles certain uses of SELECT DISTINCT involving a LEFT JOIN in which the right-hand side is a view. This can cause a NULL pointer dereference or incorrect results. This plugin only works with Tenable.ot. Please visit...

7.5CVSS6.8AI score0.0681EPSS
Exploits0References6
Tenable Nessus
Tenable Nessus
added 2025/11/13 12:0 a.m.4 views

Siemens SIMATIC S7-1500 Improper Input Validation (CVE-2019-19244)

Select in select.c in SQLite 3.30.1 allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage. This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information. %NASLMINLEVEL 80900 C Tenable, In...

7.5CVSS7.1AI score0.03333EPSS
Exploits0References5
Rows per page
Query Builder