9 matches found
CVE-2026-14535
In Trail of Bits fickling versions up to and including 0.1.11, the UnsafeImportsML analysis pass unconditionally calls AnalysisContext.shortencodenode on every import node it inspects, regardless of whether the import is flagged as unsafe. This call registers the shortened code representation in...
CVE-2026-14535
The CVE affects Trail of Bits fickling up to version 0.1.11. The UnsafeImportsML analysis pass always calls AnalysisContext.shorten_code(node), populating shared AnalysisContext.reported_shortened_code. When MLAllowlist runs, it sees already_reported=True for every import and skips its allowlist ...
CVE-2026-14535 Fickling MLAllowlist analysis pass rendered inoperative by shared mutable state in AnalysisContext.shorten_code()
In Trail of Bits fickling versions up to and including 0.1.11, the UnsafeImportsML analysis pass unconditionally calls AnalysisContext.shortencodenode on every import node it inspects, regardless of whether the import is flagged as unsafe. This call registers the shortened code representation in...
GHSA-9Q5M-JFC4-WC92 Tinyauth has OAuth account confusion via shared mutable state on singleton service instances
Summary All three OAuth service implementations GenericOAuthService, GithubOAuthService, GoogleOAuthService store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent requests. When two users initiate OAuth login for the same provider...
CVE-2026-34363
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.65 and 9.7.0-alpha.9, when multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects...
GHSA-M983-V2FF-WQ65 LiveQuery protected field leak via shared mutable state across concurrent subscribers
Impact When multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects. The sensitive data filter modifies these shared objects in-place, so when one subscriber's filter removes a protected field, subsequent...
LiveQuery protected field leak via shared mutable state across concurrent subscribers
Impact When multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects. The sensitive data filter modifies these shared objects in-place, so when one subscriber's filter removes a protected field, subsequent...
PT-2026-29165
Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.65 Parse Server versions prior to 9.7.0-alpha.9 Description Parse Server, an open source backend deployable on Node.js infrastructures, is affected by an issue where sensitive data can leak to unauthorized...
EUVD-2026-11677
Parse Server's OAuth2 adapter shares mutable state across providers via singleton instance...