CVE-2026-0686

The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 in the 'MF2::parseauthorpage' function via the 'Receiver::post' function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations...

WordPress plugin Webmention 代码问题漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

NanoMQ 安全漏洞

NanoMQ is an open-source IoT edge platform broker developed by EMQ in the United States. There is a security vulnerability in NanoMQ, which stems from the use of the hookworkcb function to parse message bodies using cJSONParse. This leads to out-of-bounds read access to unallocated memory...

PT-2026-29686

The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 in the 'MF2::parse authorpage' function via the 'Receiver::post' function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations...

PT-2026-29862

NanoMQ MQTT Broker NanoMQ is an all-around Edge Messaging Platform. Prior to version 0.24.10, in NanoMQ's webhook inproc.c, the hook work cb function processes nng messages by parsing the message body with cJSON Parsebody. The body is obtained from nng msg bodymsg, which is a binary buffer withou...

EUVD-2026-17608

Parser Server's streaming file download bypasses afterFind file trigger authorization...

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +27 more potentially affected by CVE-2026-34784 via parse-server (>=2.0.8 <=7.5.4)

parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2026-34784 Source advisory: OSV:GHSA-HPM8-9QX6-JVWV...

@openinc/parse-server-opendash (>=4.0.0 <=4.0.11) potentially affected by CVE-2026-34784 via parse-server (>=9.6.0-alpha.37 <=9.7.0)

parse-server NPM version =9.6.0-alpha.37, =4.0.0, =4.0.11 Source cves: CVE-2026-34784 Source advisory: OSV:GHSA-HPM8-9QX6-JVWV...

Parser Server's streaming file download bypasses afterFind file trigger authorization

Impact File downloads via HTTP Range requests bypass the afterFindParse.File trigger and its validators on storage adapters that support streaming e.g. the default GridFS adapter. This allows access to files that should be protected by afterFind trigger authorization logic or built-in validators...

CVE-2026-34784

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFindParse.File trigger and its validators on storage adapters that support streaming e.g. the...

CVE-2026-34215

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.63 and 9.7.0-alpha.7, the verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacke...

CVE-2026-34224

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple...

CVE-2026-34373

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0-alpha.10, the GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This...

CVE-2026-34363

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.65 and 9.7.0-alpha.9, when multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects...

CVE-2026-34532

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.67 and 9.7.0-alpha.11, an attacker can bypass Cloud Function validator access controls by appending "prototype.constructor" to the function name in the URL. When a Cloud...

OPENSUSE-SU-2026:20459-1 Security update for perl-XML-Parser

This update for perl-XML-Parser fixes the following issues: - CVE-2006-10002: heap buffer overflow in parsestream when processing UTF-8 input streams bsc1259901. - CVE-2006-10003: off-by-one heap buffer overflow in stserialstack bsc1259902...

EUVD-2026-17504

Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value...

@openinc/parse-server-opendash (>=4.0.0 <=4.0.10) potentially affected by CVE-2026-34595 via parse-server (>=9.6.0-alpha.37 <=9.6.1)

parse-server NPM version =9.6.0-alpha.37, =4.0.0, =4.0.10 Source cves: CVE-2026-34595 Source advisory: OSV:GHSA-MMG8-87C5-JRC2...

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +27 more potentially affected by CVE-2026-34595 via parse-server (>=2.0.8 <=7.5.4)

parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2026-34595 Source advisory: OSV:GHSA-MMG8-87C5-JRC2...

Access of Resource Using Incompatible Type ('Type Confusion')

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type 'Type Confusion' via the LiveQuery subscription process when an authenticated use...