6966 matches found
golang: net/url: Memory exhaustion in query parameter parsing in net/url
A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted...
golang: net/url: Memory exhaustion in query parameter parsing in net/url
A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted...
golang: net/url: Memory exhaustion in query parameter parsing in net/url
A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted...
golang: net/url: Memory exhaustion in query parameter parsing in net/url
A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted...
Ubuntu 22.04 LTS / 24.04 LTS / 25.10 : Protocol Buffers vulnerability (USN-8063-1)
The remote Ubuntu 22.04 LTS / 24.04 LTS / 25.10 host has packages installed that are affected by a vulnerability as referenced in the USN-8063-1 advisory. It was discovered that Protocol Buffers incorrectly handled recursion when the Python google.protobuf.jsonformat.ParseDict function is being...
ASB-A-453649815
In parsePermissionGroup of ParsedPermissionUtils.java, there is a possible way to bypass a consent dialog to obtain permissions due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...
Security Bulletin: IBM Maximo Application Suite - Monitor Component uses qs-6.13.0.tgz, qs-6.14.0.tgz which is vulnerable to CVE-2025-15284.
Summary IBM Maximo Application Suite - Monitor Component uses qs-6.13.0.tgz, qs-6.14.0.tgz which is vulnerable to CVE-2025-15284. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2025-15284 DESCRIPTION: Improper Input Validation vulnerability in qs...
CVE-2026-27804
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.3 and 9.1.1-alpha.4, an unauthenticated attacker can forge a Google authentication token with alg: "none" to log in as any user linked to a Google account, without knowing...
SUSE SLED15 / SLES15 Security Update : protobuf (SUSE-SU-2026:0618-1)
The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2026:0618-1 advisory. i - CVE-2026-0994: Fixed google.protobuf.Any recursion depth bypass in Python jsonformat.ParseDict bsc1257173. Tenable...
Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in qs-6.13.0.tgz
Summary IBM Watson Discovery Cartridge affected by vulnerability in qs-6.13.0.tgz Vulnerability Details CVEID:CVE-2025-15284 DESCRIPTION: Improper Input Validation vulnerability in qs parse modules allows HTTP DoS.This issue affects qs: 6.14.1. SummaryThe arrayLimit option in qs does not enforce...
CVE-2026-27609
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint POST /apps/:appId/agent lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submit...
CVE-2026-27610
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the ConfigKeyCache uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only use...
CVE-2026-27595
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint POST /apps/:appId/agent has multiple security vulnerabilities that, when chained, allow unauthenticated remote attackers to perform arbitrary read...
CVE-2026-27608
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint POST /apps/:appId/agent does not enforce authorization. Authenticated users scoped to specific apps can access any other app's agent endpoint by...
Use of a Broken or Risky Cryptographic Algorithm
Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm via the Google authentication. An attacker can gain unauthorized access to...
CVE-2026-27804
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.3 and 9.1.1-alpha.4, an unauthenticated attacker can forge a Google authentication token with alg: "none" to log in as any user linked to a Google account, without knowing...
Parse Server 数据伪造问题漏洞
Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. Versions of Parse Server prior to 8.6.3 and 9.1.1-alpha.4 contained a data manipulation vulnerability. This vulnerability stemmed from an unverified attacker being...
CVE-2026-27804
Parse Server versions prior to 8.6.3 and 9.1.1-alpha.4 are vulnerable to unauthenticated login via forged Google tokens (alg: none). The root cause is trusting the JWT header for algorithm selection; the fix hardcodes RS256 and shifts key validation to jwks-rsa, rejecting unknown key IDs. Affecte...
CVE-2026-27804
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.3 and 9.1.1-alpha.4, an unauthenticated attacker can forge a Google authentication token with alg: "none" to log in as any user linked to a Google account, without knowing...
CVE-2026-27804 Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.3 and 9.1.1-alpha.4, an unauthenticated attacker can forge a Google authentication token with alg: "none" to log in as any user linked to a Google account, without knowing...