Parse Server SQL注入漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that supports Node.js. Versions of Parse Server prior to 9.6.0-alpha.3 and 8.6.29 have a SQL injection vulnerability. This vulnerability stems from the improper handling of the Increme...

PT-2026-24750

Impact A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation e.g., stats.counter. The amount value is interpolated directly into the SQL query without parameterization or type validation. An attacker...

CVE-2026-31824

Sylius is an Open Source eCommerce Framework on Symfony. A Time-of-Check To Time-of-Use TOCTOU race condition was discovered in the promotion usage limit enforcement. The same class of vulnerability affects the promotion usage limit the global used counter on Promotion entities, coupon usage limi...

CVE-2026-25574

Payload is a free and open source headless content management system. Prior to 3.74.0, a cross-collection Insecure Direct Object Reference IDOR vulnerability exists in the payload-preferences internal collection. In multi-auth collection environments using Postgres or SQLite with default...

SUSE CVE-2026-23110

In the Linux kernel, the following vulnerability has been resolved: scsi: core: Wake up the error handler when final completions race against each other The fragile ordering between marking commands completed or failed so that the error handler only wakes when the last running command completes o...

CLSA-2026-1769163825 gnupg2: Fix of CVE-2025-68973

CVE-2025-68973: fix faulty double increment...

CLSA-2026-1769162862 gnupg2: Fix of CVE-2025-68973

CVE-2025-68973: fix faulty double increment...

Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2026-004027)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-004027 advisory. An issue was discovered in kmemcacheallocbulk in mm/slub.c in the Linux kernel before 5.5.11. The slowpath lacks the required TID increment, aka CID-fd4d9c7d0c71...

Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-004721)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-004721 advisory. An issue was discovered in kmemcacheallocbulk in mm/slub.c in the Linux kernel before 5.5.11. The slowpath lacks the required TID increment, aka CID-fd4d9c7d0c71...

CVE-2024-34046

The O-RAN E2T I-Release Prometheus metric Increment function can crash in sctpThread.cpp for message.peerInfo-sctpParams-e2tCountersINSUCCMSGCOUNTERProcedureCodeidRICsubscription-Increment...

SUSE CVE-2025-68973

In GnuPG before 2.4.9, armorfilter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. For ExtendedLTS, 2.2.51 and later are fixed versions...

CVE-2025-68973

In GnuPG before 2.4.9, armorfilter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. For ExtendedLTS, 2.2.51 and later are fixed versions...

CVE-2025-68973

In GnuPG before 2.4.9, armorfilter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. For ExtendedLTS, 2.2.51 and later are fixed versions...

CVE-2025-68973

CVE-2025-68973 affects GnuPG (gnupg2) through versions before 2.4.9. The issue is in armor_filter() in g10/armor.c where two increments of an index variable are not both intended, enabling an out-of-bounds write with crafted input. In practice, advisories describe potential information disclosure...

CVE-2022-50764 ipv6/sit: use DEV_STATS_INC() to avoid data-races

In the Linux kernel, the following vulnerability has been resolved: ipv6/sit: use DEVSTATSINC to avoid data-races syzbot/KCSAN reported that multiple cpus are updating dev-stats.txerror concurrently. This is because sit tunnels are NETIFFLLTX, meaning their ndostartxmit is not protected by a...

CVE-2022-50764 ipv6/sit: use DEV_STATS_INC() to avoid data-races

In the Linux kernel, the following vulnerability has been resolved: ipv6/sit: use DEVSTATSINC to avoid data-races syzbot/KCSAN reported that multiple cpus are updating dev-stats.txerror concurrently. This is because sit tunnels are NETIFFLLTX, meaning their ndostartxmit is not protected by a...

kernel: fs: fix UAF/GPF bug in nilfs_mdt_destroy

In the Linux kernel, the following vulnerability has been resolved: fs: fix UAF/GPF bug in nilfsmdtdestroy In allocinode, inodeinitalways could return -ENOMEM if securityinodealloc fails, which causes inode-iprivate uninitialized. Then nilfsismetadatafileinode returns true and nilfsfreeinode...

CVE-2025-40342

In the Linux kernel, the following vulnerability has been resolved: nvme-fc: use lock accessing portstate and rport state nvmefcunregisterremote removes the remote port on a lport object at any point in time when there is no active association. This races with with the reconnect logic, because...

Better Auth Passkey Plugin allows passkey deletion through IDOR

Summary Affected versions of the better-auth passkey plugin allow users with any valid session to delete arbitrary passkeys via their ID using POST /passkey/delete-passkey. Details ctx.body.id is implicitly trusted and used in passkey deletion queries. better-auth applications configured with...

MAL-2025-174460 Malicious code in goodain-nusia-nuai (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9a1e189d8fe46cded8a4786ebfcaba4c4bd01516ad426bdc28d8fc08bc795e85 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...