5549 matches found
GHSA-PFJ7-WV7C-22PR Parse Server has an auth provider validation bypass on login via partial authData
Impact An authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowing the user's credentials. The attacker only needs to know the user's provider ID to gain full access to their account, including a valid sessi...
CVE-2026-27979
A denial of service flaw has been discovered in Next.js. A request containing the next-resume: 1 header corresponding with a PPR resume request would buffer request bodies without consistently enforcing maxPostponedStateSize in certain setups. The previous mitigation protected minimal-mode...
CVE-2026-27979
Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, a request containing the next-resume: 1 header corresponding with a PPR resume request would buffer request bodies without consistently enforcing maxPostponedStateSize in...
CVE-2026-27979
Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, a request containing the next-resume: 1 header corresponding with a PPR resume request would buffer request bodies without consistently enforcing maxPostponedStateSize in...
CVE-2026-27979 Next.js: Unbounded postponed resume buffering can lead to DoS
Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, a request containing the next-resume: 1 header corresponding with a PPR resume request would buffer request bodies without consistently enforcing maxPostponedStateSize in...
CVE-2026-27979
Next.js CVE-2026-27979 affects Next.js 16.0.1 through 16.1.6 in non-minimal deployments with Partial Prerendering enabled. A request containing the next-resume: 1 header can cause unbounded postponed-body buffering, consuming memory and enabling DoS. The issue is fixed in 16.1.7 by enforcing size...
CVE-2026-27979 Next.js: Unbounded postponed resume buffering can lead to DoS
Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, a request containing the next-resume: 1 header corresponding with a PPR resume request would buffer request bodies without consistently enforcing maxPostponedStateSize in...
Allocation of Resources Without Limits or Throttling
Overview next is a react framework. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the unbounded postponed resume-body buffering behavior of the next-resume: 1 header. An attacker can cause excessive memory usage and disrupt service...
Next.js: Unbounded postponed resume buffering can lead to DoS
Summary A request containing the next-resume: 1 header corresponding with a PPR resume request would buffer request bodies without consistently enforcing maxPostponedStateSize in certain setups. The previous mitigation protected minimal-mode deployments, but equivalent non-minimal deployments...
PT-2026-25969
Name of the Vulnerable Software and Affected Versions Next.js versions 16.0.1 through 16.1.6 Description Next.js, a React framework for building full-stack web applications, is affected by an issue where requests containing the next-resume: 1 header can lead to excessive memory usage and potentia...
EUVD-2016-10815
ZKTeco ZKBioSecurity 3.0 contains a user enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by submitting partial characters via the username parameter. Attackers can send requests to the authLoginAction!login.do script with varying username inputs to...
CVE-2016-20030
ZKTeco ZKBioSecurity 3.0 contains a user enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by submitting partial characters via the username parameter. Attackers can send requests to the authLoginAction!login.do script with varying username inputs to...
CVE-2016-20030 ZKTeco ZKBioSecurity 3.0 User Enumeration via authLoginAction
ZKTeco ZKBioSecurity 3.0 contains a user enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by submitting partial characters via the username parameter. Attackers can send requests to the authLoginAction!login.do script with varying username inputs to...
CVE-2016-20030 ZKTeco ZKBioSecurity 3.0 User Enumeration via authLoginAction
ZKTeco ZKBioSecurity 3.0 contains a user enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by submitting partial characters via the username parameter. Attackers can send requests to the authLoginAction!login.do script with varying username inputs to...
CVE-2016-20030
ZKTeco ZKBioSecurity 3.0 contains a user enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by submitting partial characters via the username parameter. Attackers can send requests to the authLoginAction!login.do script with varying username inputs to...
CVE-2016-20030
CVE-2016-20030 affects ZKTeco ZKBioSecurity 3.0. The vulnerability is a user enumeration flaw in the authLoginAction!login.do endpoint that allows unauthenticated attackers to determine valid usernames by submitting partial usernames. Attack responses reveal username validity, enabling attackers ...
PT-2026-25728
Name of the Vulnerable Software and Affected Versions ZKTeco ZKBioSecurity version 3.0 Description The software contains a flaw that allows unauthenticated attackers to discover valid usernames. This is possible by submitting partial characters through the username parameter. Attackers can send...
CVE-2019-25470
eWON Firmware versions 12.2 to 13.0 contain an authentication bypass vulnerability that allows attackers with minimal privileges to retrieve sensitive user data by exploiting the wsdReadForm endpoint. Attackers can send POST requests to /wrcgi.bin/wsdReadForm with base64-encoded partial credentia...
EUVD-2026-11143
The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'namedirectoryname' parameter in all versions up to, and including, 1.32.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
CVE-2026-3178
The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'namedirectoryname' parameter in all versions up to, and including, 1.32.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...