6715 matches found
CVE-2026-30228
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.5 and 9.5.0-alpha.3, the readOnlyMasterKey can be used to create and delete files via the Files API POST /files/:filename, DELETE /files/:filename. This bypasses the...
CVE-2026-29795
stellar-xdr is a library and CLI containing types and functionality for working with Stellar XDR. Prior to version 25.0.1, StringM::fromstr does not validate that the input length is within the declared maximum MAX. Calling StringM::::fromstrs where s is longer than N bytes succeeds and returns a...
CVE-2026-29182
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.4 and 9.4.1-alpha.3, Parse Server's readOnlyMasterKey option allows access with master-level read privileges but is documented to deny all write operations. However, some...
Server-side Request Forgery (SSRF)
Overview std/net/url is a Go standard library package std/net/url Affected versions of this package are vulnerable to Server-side Request Forgery SSRF due to insufficient validation of the url.Parse process. An attacker can bypass expected URL parsing restrictions by supplying specially crafted...
CVE-2026-29795 stellar-xdr: `StringM::from_str` bypasses max length validation
stellar-xdr is a library and CLI containing types and functionality for working with Stellar XDR. Prior to version 25.0.1, StringM::fromstr does not validate that the input length is within the declared maximum MAX. Calling StringM::::fromstrs where s is longer than N bytes succeeds and returns a...
CVE-2026-30835
Parse Server vulnerability CVE-2026-30835 affects Parse Server before versions 8.6.7 and 9.5.0-alpha.6, where a malformed $regex query parameter can cause the database to return a structured error object unsanitized through the API response. This leaks internal database details such as error mess...
CVE-2026-30835 Parse Server: Malformed `$regex` query leaks database error details in API response
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.7 and 9.5.0-alpha.6, malformed $regex query parameter e.g. abc causes the database to return a structured error object that is passed unsanitized through the API response...
CVE-2026-30835 Parse Server: Malformed `$regex` query leaks database error details in API response
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.7 and 9.5.0-alpha.6, malformed $regex query parameter e.g. abc causes the database to return a structured error object that is passed unsanitized through the API response...
CVE-2026-30835
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.7 and 9.5.0-alpha.6, malformed $regex query parameter e.g. abc causes the database to return a structured error object that is passed unsanitized through the API response...
CVE-2026-30835 Parse Server: Malformed `$regex` query leaks database error details in API response
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.7 and 9.5.0-alpha.6, malformed $regex query parameter e.g. abc causes the database to return a structured error object that is passed unsanitized through the API response...
CVE-2026-30229
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.6 and 9.5.0-alpha.4, the readOnlyMasterKey can call POST /loginAs to obtain a valid session token for any user. This allows a read-only credential to impersonate arbitrary...
CVE-2026-30229 Parse Server: Endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.6 and 9.5.0-alpha.4, the readOnlyMasterKey can call POST /loginAs to obtain a valid session token for any user. This allows a read-only credential to impersonate arbitrary...
CVE-2026-30229
CVE-2026-30229 affects Parse Server. The readOnlyMasterKey could call POST /loginAs to obtain a valid session token, allowing impersonation of arbitrary users with full read/write access. Impact applies to any deployment using readOnlyMasterKey. The issue is resolved in Parse Server releases 8.6....
CVE-2026-30229 Parse Server: Endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.6 and 9.5.0-alpha.4, the readOnlyMasterKey can call POST /loginAs to obtain a valid session token for any user. This allows a read-only credential to impersonate arbitrary...
CVE-2026-30229 Parse Server: Endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.6 and 9.5.0-alpha.4, the readOnlyMasterKey can call POST /loginAs to obtain a valid session token for any user. This allows a read-only credential to impersonate arbitrary...
CVE-2026-30228
Parse Server is affected where the readOnlyMasterKey is used with the Files API (POST /files/:filename, DELETE /files/:filename). Prior to versions 8.6.5 and 9.5.0-alpha.3, this could bypass the read-only restriction, allowing an attacker with the readOnlyMasterKey to upload arbitrary files or de...
CVE-2026-30228 Parse Server: File creation and deletion bypasses `readOnlyMasterKey` write restriction
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.5 and 9.5.0-alpha.3, the readOnlyMasterKey can be used to create and delete files via the Files API POST /files/:filename, DELETE /files/:filename. This bypasses the...
CVE-2026-30228 Parse Server: File creation and deletion bypasses `readOnlyMasterKey` write restriction
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.5 and 9.5.0-alpha.3, the readOnlyMasterKey can be used to create and delete files via the Files API POST /files/:filename, DELETE /files/:filename. This bypasses the...
CVE-2026-30228 Parse Server: File creation and deletion bypasses `readOnlyMasterKey` write restriction
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.5 and 9.5.0-alpha.3, the readOnlyMasterKey can be used to create and delete files via the Files API POST /files/:filename, DELETE /files/:filename. This bypasses the...
CVE-2026-30228
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.5 and 9.5.0-alpha.3, the readOnlyMasterKey can be used to create and delete files via the Files API POST /files/:filename, DELETE /files/:filename. This bypasses the...