3912 matches found
CVE-2026-31871
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.5 and 8.6.31, a SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation e.g.,...
CVE-2026-31871
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.5 and 8.6.31, a SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation e.g.,...
CVE-2026-31856 Parse Server has a SQL injection via `Increment` operation on nested object field in PostgreSQL
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation e.g., stats.counter. The amount value is...
CVE-2026-31856
CVE-2026-31856 affects Parse Server PostgreSQL storage adapter. The vulnerability allows SQL injection via Increment on nested object fields (e.g., stats.counter) where the amount is interpolated into the SQL query without parameterization, enabling reading data and bypassing CLPs/ACLs. MongoDB d...
CVE-2026-31856 Parse Server has a SQL injection via `Increment` operation on nested object field in PostgreSQL
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation e.g., stats.counter. The amount value is...
CVE-2026-31856 Parse Server has a SQL injection via `Increment` operation on nested object field in PostgreSQL
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation e.g., stats.counter. The amount value is...
Security update for ImageMagick
This update for ImageMagick fixes the following issue: CVE-2026-24484: denial of service vulnerability via multi-layer nested MVG to SVG conversion bsc1258790. Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST onlineupdate or "zypper patch"...
GHSA-54GX-3CGR-7MFM Cosmos EVM: incorrect state handling during nested EVM execution paths
Advisory ID: ASA-2026-002 Component: ICS20 Precompile Status: Resolved Published: March 2026 Contact: [email protected] --- Security Advisory ASA-2026-002 Status: Resolved. A patch is available and all known affected chains have either applied mitigations or upgraded. | Field | Value | | ---...
Cosmos EVM: incorrect state handling during nested EVM execution paths
Advisory ID: ASA-2026-002 Component: ICS20 Precompile Status: Resolved Published: March 2026 Contact: [email protected] --- Security Advisory ASA-2026-002 Status: Resolved. A patch is available and all known affected chains have either applied mitigations or upgraded. | Field | Value | | ---...
GHSA-GQPP-XGVH-9H7H Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL
Impact A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation e.g., stats.counter. The sub-key name is interpolated directly into SQL string literals without escaping. An attacker who can send write...
Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL
Impact A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation e.g., stats.counter. The amount value is interpolated directly into the SQL query without parameterization or type validation. An attacker...
EUVD-2026-11255
Parse Server vulnerable to SQL injection via Increment operation on nested object field in PostgreSQL...
SQL Injection
Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to SQL Injection in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot...
GHSA-Q3VJ-96H2-GWVG Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL
Impact A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation e.g., stats.counter. The amount value is interpolated directly into the SQL query without parameterization or type validation. An attacker...
PT-2026-24760
Impact A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation e.g., stats.counter. The sub-key name is interpolated directly into SQL string literals without escaping. An attacker who can send write...
PT-2026-24750
Impact A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation e.g., stats.counter. The amount value is interpolated directly into the SQL query without parameterization or type validation. An attacker...
GO-2026-4577 malcontent: Nested archive extraction failure can drop content from scan inputs in github.com/chainguard-dev/malcontent
malcontent: Nested archive extraction failure can drop content from scan inputs in github.com/chainguard-dev/malcontent...
CVE-2026-30938
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.12 and 9.5.1-alpha.1, the requestKeywordDenylist security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is...
CVE-2026-30938 Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.12 and 9.5.1-alpha.1, the requestKeywordDenylist security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is...
CVE-2026-30938
Parse Server is affected by GHSA-Q342-9W2P-57FP, a vulnerability in the denylist keyword scan. The issue arises in the requestKeywordDenylist scanner: if a nested object/array appears before a prohibited keyword, the scanner exits prematurely, allowing bypass of the denylist. All deployments are ...