Lucene search
+L

65 matches found

NVD
NVD
added last week7 views

CVE-2026-61448

Parse Server is affected by a stored cross-site scripting XSS vulnerability in versions = 9.0.0, 9.10.0-alpha.2 and = 8.6.83. When an uploaded file's extension is not recognized by the mime package, Parse Server preserves the client-supplied Content-Type. A malformed Content-Type that is not a...

2.1CVSS0.00245EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added last week6 views

CVE-2026-61448 Parse Server 9.0.0 Stored XSS via malformed Content-Type

Parse Server is affected by a stored cross-site scripting XSS vulnerability in versions = 9.0.0, 9.10.0-alpha.2 and = 8.6.83. When an uploaded file's extension is not recognized by the mime package, Parse Server preserves the client-supplied Content-Type. A malformed Content-Type that is not a...

2.1CVSS6AI score0.00245EPSS
Exploits0References2
OSV
OSV
added last week6 views

CVE-2026-61448 Parse Server 9.0.0 Stored XSS via malformed Content-Type

Parse Server is affected by a stored cross-site scripting XSS vulnerability in versions = 9.0.0, 9.10.0-alpha.2 and = 8.6.83. When an uploaded file's extension is not recognized by the mime package, Parse Server preserves the client-supplied Content-Type. A malformed Content-Type that is not a...

2.1CVSS6AI score0.00245EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/11 12:0 a.m.10 views

PT-2026-57441

Name of the Vulnerable Software and Affected Versions Parse Server versions 9.0.0 through 9.10.0-alpha.1 Parse Server versions 8.x through 8.6.83 Description A stored cross-site scripting XSS issue exists when the software fails to recognize an uploaded file's extension via the mime package,...

2.1CVSS6AI score0.00245EPSS
Exploits0References8
NVD
NVD
added 2026/07/06 9:16 a.m.11 views

CVE-2026-48204

Improper Input Validation, Improper Access Control vulnerability in Apache Camel in Camel Mongodb Gridfs component. The camel-mongodb-gridfs producer selects the GridFS operation to perform from the gridfs.operation Exchange header when the endpoint's operation parameter is not set - which is the...

9.8CVSS0.00452EPSS
Exploits0References2
CVE
CVE
added 2026/07/06 8:6 a.m.11 views

CVE-2026-48204

The CVE describes an improper input validation and access-control flaw in Apache Camel’s MongoDB GridFS component where gridfs.* headers (gridfs.operation, gridfs.objectid, etc.) bypass the HTTP header filter. With no explicit operation, an unauthenticated HTTP client can override the GridFS oper...

9.8CVSS6AI score0.00452EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/07/06 8:6 a.m.6 views

CVE-2026-48204

Improper Input Validation, Improper Access Control vulnerability in Apache Camel in Camel Mongodb Gridfs component. The camel-mongodb-gridfs producer selects the GridFS operation to perform from the gridfs.operation Exchange header when the endpoint's operation parameter is not set - which is the...

6AI score0.00452EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/07/06 8:6 a.m.6 views

EUVD-2026-41839

Improper Input Validation, Improper Access Control vulnerability in Apache Camel in Camel Mongodb Gridfs component. The camel-mongodb-gridfs producer selects the GridFS operation to perform from the gridfs.operation Exchange header when the endpoint's operation parameter is not set - which is the...

9.8CVSS6AI score0.00452EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/06 8:6 a.m.40 views

CVE-2026-48204 Apache Camel: Camel-MongoDB-GridFS: The gridfs.* control headers used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to switch the GridFS operation - including destructive file deletion - in the default configuration

Improper Input Validation, Improper Access Control vulnerability in Apache Camel in Camel Mongodb Gridfs component. The camel-mongodb-gridfs producer selects the GridFS operation to perform from the gridfs.operation Exchange header when the endpoint's operation parameter is not set - which is the...

0.00452EPSS
Exploits0References1
OSV
OSV
added 2026/07/06 8:6 a.m.4 views

CVE-2026-48204 Apache Camel: Camel-MongoDB-GridFS: The gridfs.* control headers used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to switch the GridFS operation - including destructive file deletion - in the default configuration

Improper Input Validation, Improper Access Control vulnerability in Apache Camel in Camel Mongodb Gridfs component. The camel-mongodb-gridfs producer selects the GridFS operation to perform from the gridfs.operation Exchange header when the endpoint's operation parameter is not set - which is the...

9.8CVSS6.1AI score0.00452EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/07/06 12:0 a.m.14 views

PT-2026-55900

Name of the Vulnerable Software and Affected Versions Apache Camel versions 4.0.0 through 4.14.7 Apache Camel versions 4.15.0 through 4.18.2 Apache Camel versions 4.19.0 through 4.20.9 Description Improper input validation and improper access control in the Camel Mongodb Gridfs component allow an...

9.8CVSS6AI score0.00452EPSS
Exploits0References8
EUVD
EUVD
added 2026/06/19 7:35 p.m.12 views

EUVD-2026-36539

parse-server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist...

2.1CVSS5.8AI score0.00281EPSS
Exploits0References4
OSV
OSV
added 2026/06/16 12:40 p.m.6 views

BIT-PARSE-2026-53724 Parse Server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.79 and 9.9.1, the default file upload extension blocklist can be bypassed by appending a trailing dot to a filename whose extension would otherwise be blocked e.g. poc.svg...

2.1CVSS5.1AI score0.00281EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/12 6:34 p.m.34 views

CVE-2026-53724 Parse Server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.79 and 9.9.1-alpha.4, the default file upload extension blocklist can be bypassed by appending a trailing dot to a filename whose extension would otherwise be blocked e.g...

2.1CVSS0.00281EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/06/12 6:34 p.m.13 views

CVE-2026-53724 Parse Server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.79 and 9.9.1-alpha.4, the default file upload extension blocklist can be bypassed by appending a trailing dot to a filename whose extension would otherwise be blocked e.g...

2.1CVSS5.1AI score0.00281EPSS
Exploits0References3
CVE
CVE
added 2026/06/12 6:34 p.m.38 views

CVE-2026-53724

CVE-2026-53724 – Parse Server Stored XSS (trailing-dot bypass) affects Parse Server prior to versions 8.6.79 and 9.9.1-alpha.4. A trailing dot on a filename bypasses the default file upload extension blocklist by making the extension parser yield an empty string, allowing the attacker-controlled ...

2.1CVSS5.2AI score0.00281EPSS
Exploits0References3
SUSE CVE
SUSE CVE
added 2026/05/22 2:21 a.m.11 views

SUSE CVE-2026-9100

The MongoDB C Driver's legacy GridFS API accepts malformed file metadata from the database without adequate validation. Crafted documents in a GridFS collection may cause any application that reads those files via the legacy API to either crash via a division-by-zero or silently leak process memo...

6CVSS5.8AI score0.00281EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2026/05/22 12:0 a.m.20 views

Linux Distros Unpatched Vulnerability : CVE-2026-9100

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The MongoDB C Driver's legacy GridFS API accepts malformed file metadata from the database without adequate validation. Crafted documents in a GridFS collection...

6CVSS5.8AI score0.00281EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/05/21 8:29 a.m.18 views

CVE-2026-9100

A flaw was found in the MongoDB C Driver's legacy GridFS API. This vulnerability allows an attacker to craft malicious documents in a GridFS collection. When an application reads these crafted files via the legacy API, it may either crash due to a division-by-zero error, leading to a Denial of...

6CVSS5.6AI score0.00281EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/20 5:48 p.m.11 views

Improper Validation of Specified Index, Position, or Offset in Input

Overview Affected versions of this package are vulnerable to Improper Validation of Specified Index, Position, or Offset in Input via the legacy GridFS file reader API. An attacker can cause a crash or leak process memory contents by supplying crafted documents with malformed file metadata to the...

6CVSS5.8AI score0.00281EPSS
Exploits0References2
Rows per page
Query Builder