CVE-2026-30871 OpenWrt Project has Stack-based Buffer Overflow in DNS PTR Query

OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6 and 25.12.1, the mdns daemon has a Stack-based Buffer Overflow vulnerability in the parsequestion function. The issue is triggered by PTR queries for reverse DNS domains .in-addr.arpa and .ip6.arp...

EUVD-2026-13247

OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6 and 25.12.1, the mdns daemon has a Stack-based Buffer Overflow vulnerability in the parsequestion function. The issue is triggered by PTR queries for reverse DNS domains .in-addr.arpa and .ip6.arp...

golang: net/url: Memory exhaustion in query parameter parsing in net/url

A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted...

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +27 more potentially affected by CVE-2026-33409 via parse-server (>=2.0.8 <=7.5.4)

parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2026-33409 Source advisory: OSV:GHSA-PFJ7-WV7C-22PR...

Parse Server has an auth provider validation bypass on login via partial authData

Impact An authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowing the user's credentials. The attacker only needs to know the user's provider ID to gain full access to their account, including a valid sessi...

GHSA-PFJ7-WV7C-22PR Parse Server has an auth provider validation bypass on login via partial authData

Impact An authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowing the user's credentials. The attacker only needs to know the user's provider ID to gain full access to their account, including a valid sessi...

@openinc/parse-server-opendash (>=4.0.0 <=4.0.3) potentially affected by CVE-2026-33409 via parse-server (=9.6.0-alpha.37)

parse-server NPM version =9.6.0-alpha.37 is affected by a known vulnerability. The following packages have a transitive dependency on parse-server and may be impacted: - @openinc/parse-server-opendash =4.0.0, =4.0.3 Source cves: CVE-2026-33409 Source advisory: SNYK:JS-PARSESERVER-15701838...

Missing Authentication for Critical Function

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Missing Authentication for Critical Function due to the improper validation of third-party auth provider's credentials. An...

@openinc/parse-server-opendash (>=4.0.0 <=4.0.3) potentially affected by CVE-2026-33409 via parse-server (=9.6.0-alpha.37)

parse-server NPM version =9.6.0-alpha.37 is affected by a known vulnerability. The following packages have a transitive dependency on parse-server and may be impacted: - @openinc/parse-server-opendash =4.0.0, =4.0.3 Source cves: CVE-2026-33409 Source advisory: OSV:GHSA-PFJ7-WV7C-22PR...

golang: net/url: Memory exhaustion in query parameter parsing in net/url

A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted...

@openinc/parse-server-opendash (>=4.0.0 <=4.0.3) potentially affected by CVE-2026-33323 via parse-server (=9.6.0-alpha.37)

parse-server NPM version =9.6.0-alpha.37 is affected by a known vulnerability. The following packages have a transitive dependency on parse-server and may be impacted: - @openinc/parse-server-opendash =4.0.0, =4.0.3 Source cves: CVE-2026-33323 Source advisory: OSV:GHSA-H29G-Q5C2-9H4F...

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +27 more potentially affected by CVE-2026-33323 via parse-server (>=2.0.8 <=7.5.4)

parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2026-33323 Source advisory: OSV:GHSA-H29G-Q5C2-9H4F...

Parse Server email verification resend page leaks user existence

Impact The Pages route and legacy PublicAPI route for resending email verification links return distinguishable responses depending on whether the provided username exists and has an unverified email. This allows an unauthenticated attacker to enumerate valid usernames by observing different...

GHSA-H29G-Q5C2-9H4F Parse Server email verification resend page leaks user existence

Impact The Pages route and legacy PublicAPI route for resending email verification links return distinguishable responses depending on whether the provided username exists and has an unverified email. This allows an unauthenticated attacker to enumerate valid usernames by observing different...

@openinc/parse-server-opendash (>=4.0.0 <=4.0.3) potentially affected by CVE-2026-33323 via parse-server (=9.6.0-alpha.37)

parse-server NPM version =9.6.0-alpha.37 is affected by a known vulnerability. The following packages have a transitive dependency on parse-server and may be impacted: - @openinc/parse-server-opendash =4.0.0, =4.0.3 Source cves: CVE-2026-33323 Source advisory: SNYK:JS-PARSESERVER-15701837...

Information Exposure

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Information Exposure through the Pages and legacy PublicAPI routes that do not respect emailVerifySuccessOnInvalidEmail...

Prototype Pollution

Overview Affected versions of this package are vulnerable to Prototype Pollution via the parse function. An attacker can manipulate the prototype chain by supplying a specially crafted string that causes the returned object to reference Array.prototype, allowing subsequent writes to that property...

Prototype Pollution via parse() in NodeJS flatted

--- Summary The parse function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with the key "\proto\" returns Array.prototype via the...

GHSA-RF6F-7FWH-WJGH Prototype Pollution via parse() in NodeJS flatted

--- Summary The parse function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with the key "\proto\" returns Array.prototype via the...

Prototype Pollution

Overview Affected versions of this package are vulnerable to Prototype Pollution via the parse function. An attacker can manipulate the prototype chain by supplying a specially crafted string that causes the returned object to reference Array.prototype, allowing subsequent writes to that property...