65 matches found
CVE-2026-61448
Parse Server is affected by a stored cross-site scripting XSS vulnerability in versions = 9.0.0, 9.10.0-alpha.2 and = 8.6.83. When an uploaded file's extension is not recognized by the mime package, Parse Server preserves the client-supplied Content-Type. A malformed Content-Type that is not a...
CVE-2026-61448 Parse Server 9.0.0 Stored XSS via malformed Content-Type
Parse Server is affected by a stored cross-site scripting XSS vulnerability in versions = 9.0.0, 9.10.0-alpha.2 and = 8.6.83. When an uploaded file's extension is not recognized by the mime package, Parse Server preserves the client-supplied Content-Type. A malformed Content-Type that is not a...
CVE-2026-61448 Parse Server 9.0.0 Stored XSS via malformed Content-Type
Parse Server is affected by a stored cross-site scripting XSS vulnerability in versions = 9.0.0, 9.10.0-alpha.2 and = 8.6.83. When an uploaded file's extension is not recognized by the mime package, Parse Server preserves the client-supplied Content-Type. A malformed Content-Type that is not a...
PT-2026-57441
Name of the Vulnerable Software and Affected Versions Parse Server versions 9.0.0 through 9.10.0-alpha.1 Parse Server versions 8.x through 8.6.83 Description A stored cross-site scripting XSS issue exists when the software fails to recognize an uploaded file's extension via the mime package,...
CVE-2026-48204
Improper Input Validation, Improper Access Control vulnerability in Apache Camel in Camel Mongodb Gridfs component. The camel-mongodb-gridfs producer selects the GridFS operation to perform from the gridfs.operation Exchange header when the endpoint's operation parameter is not set - which is the...
CVE-2026-48204
The CVE describes an improper input validation and access-control flaw in Apache Camel’s MongoDB GridFS component where gridfs.* headers (gridfs.operation, gridfs.objectid, etc.) bypass the HTTP header filter. With no explicit operation, an unauthenticated HTTP client can override the GridFS oper...
CVE-2026-48204
Improper Input Validation, Improper Access Control vulnerability in Apache Camel in Camel Mongodb Gridfs component. The camel-mongodb-gridfs producer selects the GridFS operation to perform from the gridfs.operation Exchange header when the endpoint's operation parameter is not set - which is the...
EUVD-2026-41839
Improper Input Validation, Improper Access Control vulnerability in Apache Camel in Camel Mongodb Gridfs component. The camel-mongodb-gridfs producer selects the GridFS operation to perform from the gridfs.operation Exchange header when the endpoint's operation parameter is not set - which is the...
CVE-2026-48204 Apache Camel: Camel-MongoDB-GridFS: The gridfs.* control headers used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to switch the GridFS operation - including destructive file deletion - in the default configuration
Improper Input Validation, Improper Access Control vulnerability in Apache Camel in Camel Mongodb Gridfs component. The camel-mongodb-gridfs producer selects the GridFS operation to perform from the gridfs.operation Exchange header when the endpoint's operation parameter is not set - which is the...
CVE-2026-48204 Apache Camel: Camel-MongoDB-GridFS: The gridfs.* control headers used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to switch the GridFS operation - including destructive file deletion - in the default configuration
Improper Input Validation, Improper Access Control vulnerability in Apache Camel in Camel Mongodb Gridfs component. The camel-mongodb-gridfs producer selects the GridFS operation to perform from the gridfs.operation Exchange header when the endpoint's operation parameter is not set - which is the...
PT-2026-55900
Name of the Vulnerable Software and Affected Versions Apache Camel versions 4.0.0 through 4.14.7 Apache Camel versions 4.15.0 through 4.18.2 Apache Camel versions 4.19.0 through 4.20.9 Description Improper input validation and improper access control in the Camel Mongodb Gridfs component allow an...
EUVD-2026-36539
parse-server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist...
BIT-PARSE-2026-53724 Parse Server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.79 and 9.9.1, the default file upload extension blocklist can be bypassed by appending a trailing dot to a filename whose extension would otherwise be blocked e.g. poc.svg...
CVE-2026-53724 Parse Server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.79 and 9.9.1-alpha.4, the default file upload extension blocklist can be bypassed by appending a trailing dot to a filename whose extension would otherwise be blocked e.g...
CVE-2026-53724 Parse Server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.79 and 9.9.1-alpha.4, the default file upload extension blocklist can be bypassed by appending a trailing dot to a filename whose extension would otherwise be blocked e.g...
CVE-2026-53724
CVE-2026-53724 – Parse Server Stored XSS (trailing-dot bypass) affects Parse Server prior to versions 8.6.79 and 9.9.1-alpha.4. A trailing dot on a filename bypasses the default file upload extension blocklist by making the extension parser yield an empty string, allowing the attacker-controlled ...
SUSE CVE-2026-9100
The MongoDB C Driver's legacy GridFS API accepts malformed file metadata from the database without adequate validation. Crafted documents in a GridFS collection may cause any application that reads those files via the legacy API to either crash via a division-by-zero or silently leak process memo...
Linux Distros Unpatched Vulnerability : CVE-2026-9100
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The MongoDB C Driver's legacy GridFS API accepts malformed file metadata from the database without adequate validation. Crafted documents in a GridFS collection...
CVE-2026-9100
A flaw was found in the MongoDB C Driver's legacy GridFS API. This vulnerability allows an attacker to craft malicious documents in a GridFS collection. When an application reads these crafted files via the legacy API, it may either crash due to a division-by-zero error, leading to a Denial of...
Improper Validation of Specified Index, Position, or Offset in Input
Overview Affected versions of this package are vulnerable to Improper Validation of Specified Index, Position, or Offset in Input via the legacy GridFS file reader API. An attacker can cause a crash or leak process memory contents by supplying crafted documents with malformed file metadata to the...