com.mchange/mchange-commons-java: mchange-commons-java: Arbitrary code execution via JNDI dereferencing of crafted objects

A flaw was found in mchange-commons-java, a Java utility library. An attacker can exploit this vulnerability by providing a maliciously crafted javax.naming.Reference or serialized object to an application using the library. This can provoke the application to download and execute arbitrary...

EUVD-2026-10826

Feathers has a NoSQL Injection via WebSocket id Parameter in MongoDB Adapter...

EUVD-2026-10827

Feathers has a NoSQL Injection via WebSocket id Parameter in MongoDB Adapter...

CVE-2026-29793 NoSQL Injection via WebSocket id Parameter in MongoDB Adapter

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, Socket.IO clients can send arbitrary JavaScript objects as the id argument to any service method get, patch, update, remove. The transport layer performs no type...

CVE-2026-29793

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, Socket.IO clients can send arbitrary JavaScript objects as the id argument to any service method get, patch, update, remove. The transport layer performs no type...

CVE-2026-29793

Feathersjs vulnerability CVE-2026-29793 affects Feathersjs 5.0.0–5.0.41 with Socket.IO client-supplied ids not type-checked, which may pass as MongoDB operators (e.g., {$ne: null}) into queries via the MongoDB adapter. This can cause unintended document matches and impacts on confidentiality, int...

CVE-2026-30957

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic Monitor code is...

CVE-2026-30957 OneUptime Synthetic Monitor RCE via exposed Playwright browser object

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic Monitor code is...

CVE-2026-30957

CVE-2026-30957 / GHSA-JW8Q-GJVG-8W4Q describes a server-side remote code execution in OneUptime’s Synthetic Monitors. The root cause is that untrusted Synthetic Monitor code runs inside Node VM with live Playwright browser/page objects injected into the VM context. Although VMRunner proxies host ...

EUVD-2026-10562

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic Monitor code is...

CVE-2026-30938 Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.12 and 9.5.1-alpha.1, the requestKeywordDenylist security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is...

CVE-2026-30938

Parse Server is affected by GHSA-Q342-9W2P-57FP, a vulnerability in the denylist keyword scan. The issue arises in the requestKeywordDenylist scanner: if a nested object/array appears before a prohibited keyword, the scanner exits prematurely, allowing bypass of the denylist. All deployments are ...

CVE-2026-30938 Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.12 and 9.5.1-alpha.1, the requestKeywordDenylist security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is...

GHSA-JW8Q-GJVG-8W4Q OneUptime has Synthetic Monitor RCE via exposed Playwright browser object

Summary OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic Monitor code is executed inside Node's vm while live host-realm Playwright browser and page...

Improper Check for Unusual or Exceptional Conditions

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions via the Utils class. An attacker can bypass configured keyword...

Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement

Impact The requestKeywordDenylist security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is caused by a logic bug that stops scanning sibling keys after encountering the first nested value. Any custom requestKeywordDenylist...

PT-2026-24632

Socket.IO clients can send arbitrary JavaScript objects as the id argument to any service method get, patch, update, remove. The transport layer performs no type checking on this argument. When the service uses the MongoDB adapter, these objects pass through getObjectId and land directly in the...

PT-2026-24421

Name of the Vulnerable Software and Affected Versions Feathersjs versions 5.0.0 through 5.0.41 Description Feathersjs is a framework used for building web APIs and real-time applications. Socket.IO clients can send arbitrary JavaScript objects as the id argument to any service method get, patch,...

Fortinet FortiClient Link Following Local Privilege Escalation Vulnerability

This vulnerability allows local attackers to escalate privileges on affected installations of Fortinet FortiClient. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of...

CVE-2026-30921 OneUptime Synthetic Monitor RCE via exposed Playwright browser object

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.20, OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the oneuptime-probe service. In the current implementation, this untrusted code is run inside...