EUVD-2026-11689

Parse Server: Account takeover via operator injection in authentication data identifier...

GHSA-5FW2-8JCV-XH87 Parse Server: Account takeover via operator injection in authentication data identifier

Impact An unauthenticated attacker can take over any user account that was created with an authentication provider that does not validate the format of the user identifier e.g. anonymous authentication. By sending a crafted login request, the attacker can cause the server to perform a...

Parse Server: Account takeover via operator injection in authentication data identifier

Impact An unauthenticated attacker can take over any user account that was created with an authentication provider that does not validate the format of the user identifier e.g. anonymous authentication. By sending a crafted login request, the attacker can cause the server to perform a...

GHSA-C442-97QW-J6C6 Parse Server has a SQL injection via query field name when using PostgreSQL

Impact An attacker with access to the master key can inject malicious SQL via crafted field names used in query constraints when Parse Server is configured with PostgreSQL as the database. The field name in a $regex query operator is passed to PostgreSQL using unparameterized string interpolation...

Parse Server has a SQL injection via query field name when using PostgreSQL

Impact An attacker with access to the master key can inject malicious SQL via crafted field names used in query constraints when Parse Server is configured with PostgreSQL as the database. The field name in a $regex query operator is passed to PostgreSQL using unparameterized string interpolation...

CVE-2019-25515

Jettweb PHP Hazir Haber Sitesi Scripti V3 contains an authentication bypass vulnerability in the login.php administration panel that allows unauthenticated attackers to gain administrative access by submitting crafted SQL syntax. Attackers can bypass authentication by submitting equals signs and...

CVE-2026-31881 Runtipi unauthenticated /api/auth/reset-password allows operator account takeover during active reset window

Runtipi is a personal homeserver orchestrator. Prior to 4.8.0, an unauthenticated attacker can reset the operator admin password when a password-reset request is active, resulting in full account takeover. The endpoint POST /api/auth/reset-password is exposed without authentication/authorization...

CVE-2026-31881

Runtipi is a personal homeserver orchestrator. Prior to 4.8.0, an unauthenticated attacker can reset the operator admin password when a password-reset request is active, resulting in full account takeover. The endpoint POST /api/auth/reset-password is exposed without authentication/authorization...

CVE-2026-31881 Runtipi unauthenticated /api/auth/reset-password allows operator account takeover during active reset window

Runtipi is a personal homeserver orchestrator. Prior to 4.8.0, an unauthenticated attacker can reset the operator admin password when a password-reset request is active, resulting in full account takeover. The endpoint POST /api/auth/reset-password is exposed without authentication/authorization...

CVE-2026-31881

CVE-2026-31881 (Runtipi): Affects the Runtipi personal homeserver orchestrator. Before version 4.8.0, an unauthenticated attacker could exploit the password reset flow at POST /api/auth/reset-password during an active 15-minute reset window to set a new operator password and gain admin access, ca...

CVE-2026-31881 Runtipi unauthenticated /api/auth/reset-password allows operator account takeover during active reset window

Runtipi is a personal homeserver orchestrator. Prior to 4.8.0, an unauthenticated attacker can reset the operator admin password when a password-reset request is active, resulting in full account takeover. The endpoint POST /api/auth/reset-password is exposed without authentication/authorization...

CVE-2019-25483 Comtrend AR-5310 GE31-412SSG-C01_R10.A2pG039u.d24k Restricted Shell Escape

Comtrend AR-5310 GE31-412SSG-C01R10.A2pG039u.d24k contains a restricted shell escape vulnerability that allows local users to bypass command restrictions by using the command substitution operator $ . Attackers can inject arbitrary commands through the $ syntax when passed as arguments to allowed...

Important: Red Hat Security Advisory: RHTAS 1.3.2 - Tech Preview Release Of the Model Validation Operator

The Tech Preview release of the RHTAS Model Validation Operator. For more details please visit the product documentation at https://access.redhat.com/documentation/en-us/redhattrustedartifactsigner/1.3 The RHTAS Model Validation Operator can be used with OpenShift Container Platform 4.16, 4.17,...

CVE-2026-30962

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.6 and 8.6.19, the validation for protected fields only checks top-level query keys. By wrapping a query constraint on a protected field inside a logical operator, the check...

EUVD-2026-10826

Feathers has a NoSQL Injection via WebSocket id Parameter in MongoDB Adapter...

GHSA-P9XR-7P9P-GPQX Feathers has a NoSQL Injection via WebSocket id Parameter in MongoDB Adapter

Socket.IO clients can send arbitrary JavaScript objects as the id argument to any service method get, patch, update, remove. The transport layer performs no type checking on this argument. When the service uses the MongoDB adapter, these objects pass through getObjectId and land directly in the...

CVE-2026-30962

Parse Server is vulnerable prior to versions 9.5.2-alpha.6 and 8.6.19 due to a flawed protection check that only validates top-level query keys for protected fields. By wrapping a query constraint on a protected field inside a logical operator, the check is bypassed, allowing any authenticated us...

GO-2026-4591 Rancher Backup Operator pod's logs leak S3 tokens in github.com/rancher/backup-restore-operator

Rancher Backup Operator pod's logs leak S3 tokens in github.com/rancher/backup-restore-operator. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerabili...

CVE-2026-25679 vulnerabilities

Vulnerabilities for packages: kind, ratify, cluster-api-aws-controller, kube-bench, prometheus-alertmanager, nri-prometheus, cluster-api-provider-vsphere, rancher-telemetry, cert-manager, kubernetes-ingress-defaultbackend, azurefile-csi, git-sync, pluto, php-fpmexporter, yace,...

GHSA-J3GX-2473-5FP8 vulnerabilities

Vulnerabilities for packages: kind, ratify, cluster-api-aws-controller, kube-bench, prometheus-alertmanager, nri-prometheus, cluster-api-provider-vsphere, rancher-telemetry, cert-manager, kubernetes-ingress-defaultbackend, azurefile-csi, git-sync, pluto, php-fpmexporter, yace,...