EUVD-2026-17504

Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value...

Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value

Impact An authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery subscriptions. By sending a subscription with a $or, $and, or $nor operator value as a plain object with numeric keys and a length property an "array-like" obje...

Linux Distros Unpatched Vulnerability : CVE-2026-34043

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service DoS vulnerabili...

Uncontrolled Search Path Element

Overview openssl-encrypt is an A package for secure file encryption and decryption based on modern ciphers using heavy-compute-load chaining of hashing and KDF to generate strong encryption password based on users provided password to ensure secure encryption of files Affected versions of this...

Prototype Pollution

Overview org.webjars.npm:lodash is a modern JavaScript utility library delivering modularity, performance, & extras. Affected versions of this package are vulnerable to Prototype Pollution via the .unset and .omit functions. An attacker can delete properties from built-in prototypes by supplying...

CVE-2026-28505

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the streval function in notificationhandler.py implements a sandboxed eval for notification text templates. The sandbox attempts to restrict callable names by inspecting code.conames of the...

CVE-2026-34220

CVE-2026-34220 affects mikro-orm (TypeScript ORM for Node.js). A SQL injection vulnerability exists in versions prior to 6.6.10 and 7.0.6, triggered when specially crafted objects are interpreted as raw SQL query fragments during ORM write APIs (e.g., wrap(entity).assign(userInput) followed by em...

CVE-2026-34220 MikroORM is vulnerable to SQL Injection via specially crafted object

MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, there is a SQL injection vulnerability when specially crafted objects are interpreted as raw SQL query fragments. This issue has been patched in versions 6.6....

CVE-2026-34220 MikroORM is vulnerable to SQL Injection via specially crafted object

MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, there is a SQL injection vulnerability when specially crafted objects are interpreted as raw SQL query fragments. This issue has been patched in versions 6.6....

CVE-2026-34220 MikroORM is vulnerable to SQL Injection via specially crafted object

MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, there is a SQL injection vulnerability when specially crafted objects are interpreted as raw SQL query fragments. This issue has been patched in versions 6.6....

CVE-2026-34595 Parse Server: LiveQuery protected-field guard bypass via array-like logical operator value

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.70 and 9.7.0-alpha.18, an authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery subscriptions. By...

CVE-2026-34595 Parse Server: LiveQuery protected-field guard bypass via array-like logical operator value

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.70 and 9.7.0-alpha.18, an authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery subscriptions. By...

CVE-2026-34043

Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service DoS vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object an object that inherits from Array.prototype but ha...

UBUNTU-CVE-2026-34043

Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service DoS vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object an object that inherits from Array.prototype but ha...

CVE-2026-34043 Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects

Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service DoS vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object an object that inherits from Array.prototype but ha...

CVE-2026-34043 Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects

Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service DoS vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object an object that inherits from Array.prototype but ha...

CVE-2026-34043

Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service DoS vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object an object that inherits from Array.prototype but ha...

CVE-2026-34043

CVE-2026-34043 affects the Node.js module serialize-javascript. The vulnerability causes a DoS via CPU exhaustion when serializing a specially crafted array-like object with a very large length, leading to a 100% CPU loop and hang. This is fixed in version 7.0.5; affected deployments should upgra...

MikroORM SQL注入漏洞

MikroORM is an open-source framework from MikroORM that supports type-safe object-relational mapping for multiple databases. Versions of MikroORM prior to 6.6.10 and 7.0.6 contained a SQL injection vulnerability. This vulnerability arises from the interpretation of specially crafted objects as ra...

Parse Server 竞争条件问题漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. There were vulnerabilities due to concurrency issues in versions of Parse Server prior to 8.6.65 and 9.7.0-alpha.9. These vulnerabilities stemmed from the sensitive...