RiteCMS 安全漏洞

RiteCMS is an open source content management system based on php and sqlite. RiteCMS has a code execution vulnerability that stems from a flaw in the parsespecialtags function, which can be exploited by an attacker to cause remote code execution...

PT-2025-51937

Name of the Vulnerable Software and Affected Versions mcp-server-git versions prior to 2025.12.17 Description The git diff and git checkout functions in mcp-server-git did not properly sanitize user-supplied arguments before passing them to git CLI commands. Specifically, flag-like values, such a...

CVE-2025-67172

RiteCMS CVE-2025-67172 affects RiteCMS v3.1.0 and stems from a flaw in the parse_special_tags function, enabling authenticated remote code execution. The vulnerability is documented across multiple sources (NVD, RH, CNVD, OSV, EUVD, CNNVD, CVE lists) with CVSS v3.1 base score 7.2 (HIGH), Attack V...

Oracle Linux 7 : kernel (ELSA-2025-21063)

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2025-21063 advisory. - HID: core: fix shift-out-of-bounds in hidreportrawevent CVE-2022-48978 Orabug: 38644370 - crypto: seqiv - Handle EBUSY correctly CVE-2023-53373...

PT-2025-51851

RiteCMS v3.1.0 was discovered to contain an authenticated remote code execution RCE vulnerability via the parse special tags function...

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +27 more potentially affected by CVE-2025-68150 via parse-server (>=2.0.8 <=7.5.4)

parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2025-68150 Source advisory: OSV:GHSA-3F5F-XGRJ-97PF...

Server-side Request Forgery (SSRF)

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the apiURL parameter in authData used by the Instagram OAuth adapter. An attacker can...

EUVD-2025-203837

Parse Server is vulnerable to Server-Side Request Forgery SSRF via Instagram OAuth Adapter...

GHSA-3F5F-XGRJ-97PF Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter

Impact The Instagram authentication adapter allows clients to specify a custom API URL via the apiURL parameter in authData. This enables SSRF attacks and possibly authentication bypass if malicious endpoints return fake responses to validate unauthorized users. Patches Fixed by hardcoding the...

Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter

Impact The Instagram authentication adapter allows clients to specify a custom API URL via the apiURL parameter in authData. This enables SSRF attacks and possibly authentication bypass if malicious endpoints return fake responses to validate unauthorized users. Patches Fixed by hardcoding the...

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +27 more potentially affected by CVE-2025-68115 via parse-server (>=2.0.8 <=7.5.4)

parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2025-68115 Source advisory: OSV:GHSA-JHGF-2H8H-GGXV...

GHSA-JHGF-2H8H-GGXV Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables

Impact A Reflected Cross-Site Scripting XSS vulnerability exists in Parse Server's password reset and email verification HTML pages. Patches The patch escapes user controlled values that are inserted into the HTML pages. Workarounds None. Resources -...

Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables

Impact A Reflected Cross-Site Scripting XSS vulnerability exists in Parse Server's password reset and email verification HTML pages. Patches The patch escapes user controlled values that are inserted into the HTML pages. Workarounds None. Resources -...

CVE-2025-68150

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.2 and 9.1.1-alpha.1, the Instagram authentication adapter allows clients to specify a custom API URL via the apiURL parameter in authData. This enables SSRF attacks and...

CVE-2025-68150

CVE-2025-68150 affects Parse Server where the Instagram OAuth adapter allows an attacker to supply a custom apiURL in authData, enabling Server-Side Request Forgery (SSRF) and potentially authentication bypass by hitting malicious endpoints. Root cause: client-provided apiURL is not validated and...

CVE-2025-68150 Parse Server has Server-Side Request Forgery (SSRF) in Instagram OAuth Adapter

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.2 and 9.1.1-alpha.1, the Instagram authentication adapter allows clients to specify a custom API URL via the apiURL parameter in authData. This enables SSRF attacks and...

CVE-2025-68150 Parse Server has Server-Side Request Forgery (SSRF) in Instagram OAuth Adapter

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.2 and 9.1.1-alpha.1, the Instagram authentication adapter allows clients to specify a custom API URL via the apiURL parameter in authData. This enables SSRF attacks and...

CVE-2025-68150 Parse Server has Server-Side Request Forgery (SSRF) in Instagram OAuth Adapter

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.2 and 9.1.1-alpha.1, the Instagram authentication adapter allows clients to specify a custom API URL via the apiURL parameter in authData. This enables SSRF attacks and...

CVE-2025-67727

Parse Server is an open source backend that can be deployed to any infrastructure that runs Node.js. In versions prior to 8.6.0-alpha.2, a GitHub CI workflow is triggered in a way that grants the GitHub Actions workflow elevated permissions, giving it access to GitHub secrets and write permission...

EUVD-2025-203641

In the Linux kernel, the following vulnerability has been resolved: archtopology: Fix incorrect error check in topologyparsecpucapacity Fix incorrect use of PTRERRORZERO in topologyparsecpucapacity which causes the code to proceed with NULL clock pointers. The current logic uses !PTRERRORZEROcpuc...