Lucene search
+L

41 matches found

cvelist
cvelist
added 2026/07/09 7:12 a.m.32 views

CVE-2026-59269 Privilege Escalation via Active Directory LDAP injection in Pinniped Supervisor can be executed by an attacker who can edit LDAP Group DN entries

A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially gain elevated permissions in the clusters, only if all the following conditions were true: the Pinniped Supervisor server is running with an ActiveDirectoryIdentityProvider resource configured; the...

3.8CVSS0.0017EPSS
Exploits0References1
ptsecurity
ptsecurity
added 2026/07/06 12:0 a.m.7 views

PT-2026-56067

Name of the Vulnerable Software and Affected Versions Coder versions prior to 2.34.2 Coder versions prior to 2.33.8 Coder versions prior to 2.32.7 Coder versions prior to 2.29.17 Description An issue exists where the PUT /api/v2/users/user/password endpoint only authorized the ActionUpdatePersona...

7.2CVSS6AI score0.00615EPSS
Exploits0References16
ptsecurity
ptsecurity
added 2026/06/05 12:0 a.m.55 views

PT-2026-46985

Name of the Vulnerable Software and Affected Versions vantage6 versions prior to 5.0.0 Description Users can reset their Multi-Factor Authentication MFA token through API routes that trigger email notifications. Because there is no limit on the number of emails that can be sent, an attacker could...

2.1CVSS5.2AI score0.00278EPSS
Exploits0References13
cnnvd
cnnvd
added 2026/05/21 12:0 a.m.12 views

Concrete CMS 安全漏洞

Concrete CMS is an open-source content management system developed by Concrete CMS. Versions prior to Concrete CMS 9.5.0 contained security vulnerabilities. These vulnerabilities stemmed from the User Profile Editing controller, which passed the entire original POST array to UserInfo::update...

5.3CVSS5.8AI score0.00182EPSS
Exploits0References1
vulnrichment
vulnrichment
added 2026/05/12 5:40 p.m.6 views

CVE-2026-44196 Pingvin Share X: TOTP Authentication Bypass via Password-only Login

Pingvin Share X is a secure and easy self-hosted file sharing platform. From 1.14.1 to 1.16.2, a critical authentication bypass vulnerability allows an attacker who has obtained a valid username and password to skip the second-factor authentication TOTP requirement entirely. Although, an attacker...

9.1CVSS5.8AI score0.00299EPSS
Exploits0References1
nvd
nvd
added 2026/05/12 2:17 p.m.16 views

CVE-2026-43930

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.76 and 9.9.0-alpha.2, a race condition in the MFA SMS one-time password OTP login path allows two concurrent /login requests carrying the same OTP to both succeed and both receive...

5.9CVSS0.00236EPSS
Exploits0References3
osv
osv
added 2026/03/27 7:14 a.m.3 views

BIT-PARSE-2026-33624 Parse Server: MFA recovery code single-use bypass via concurrent requests

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.60 and 9.6.0, an attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending concurrent logi...

2.7CVSS5.8AI score0.00175EPSS
Exploits0References6
redhatcve
redhatcve
added 2026/03/26 3:16 p.m.4 views

CVE-2026-33624

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.60 and 9.6.0-alpha.54, an attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending...

2.7CVSS5.8AI score0.00175EPSS
Exploits0References1
snyk
snyk
added 2026/03/24 7:48 p.m.1 views

Time-of-check Time-of-use (TOCTOU) Race Condition

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Time-of-check Time-of-use TOCTOU Race Condition due to the single-use design of recovery codes. An attacker who obtains a...

6CVSS5.9AI score0.00175EPSS
Exploits0References2
nvd
nvd
added 2026/03/24 7:16 p.m.4 views

CVE-2026-33624

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.60 and 9.6.0-alpha.54, an attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending...

2.7CVSS0.00175EPSS
Exploits0References5
osv
osv
added 2026/03/24 6:28 p.m.4 views

CVE-2026-33624 Parse Server: MFA recovery code single-use bypass via concurrent requests

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.60 and 9.6.0-alpha.54, an attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending...

2.1CVSS5.8AI score0.00175EPSS
Exploits0References7
vulnrichment
vulnrichment
added 2026/03/24 6:28 p.m.3 views

CVE-2026-33624 Parse Server: MFA recovery code single-use bypass via concurrent requests

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.60 and 9.6.0-alpha.54, an attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending...

2.1CVSS5.8AI score0.00175EPSS
Exploits0References5
attackerkb
attackerkb
added 2026/03/24 6:28 p.m.3 views

CVE-2026-33624

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.60 and 9.6.0-alpha.54, an attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending...

2.1CVSS5.8AI score0.00175EPSS
Exploits0References6Affected Software1
osv
osv
added 2026/03/20 11:37 a.m.3 views

BIT-PARSE-2026-33042 Parse Server affected by empty authData bypassing credential requirement on signup

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0 and 8.6.49, a user can sign up without providing credentials by sending an empty authData object, bypassing the username and password requirement. This allows the creation of...

6.9CVSS5.8AI score0.00294EPSS
Exploits0References4
vulnrichment
vulnrichment
added 2026/03/18 9:54 p.m.2 views

CVE-2026-33042 Parse Server affected by empty authData bypassing credential requirement on signup

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.29 and 8.6.49, a user can sign up without providing credentials by sending an empty authData object, bypassing the username and password requirement. This allows the creati...

6.9CVSS5.8AI score0.00294EPSS
Exploits0References3
osv
osv
added 2026/03/18 9:54 p.m.3 views

CVE-2026-33042 Parse Server affected by empty authData bypassing credential requirement on signup

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.29 and 8.6.49, a user can sign up without providing credentials by sending an empty authData object, bypassing the username and password requirement. This allows the creati...

6.9CVSS5.9AI score0.00294EPSS
Exploits0References5
osv
osv
added 2026/03/17 7:50 p.m.6 views

GHSA-WJQW-R9X4-J59V Parse Server affected by empty authData bypassing credential requirement on signup

Impact A user can sign up without providing credentials by sending an empty authData object, bypassing the username and password requirement. This allows the creation of authenticated sessions without proper credentials, even when anonymous users are disabled. Patches The fix ensures that empty o...

6.9CVSS5.8AI score0.00294EPSS
Exploits0References5
github
github
added 2026/03/17 7:50 p.m.10 views

Parse Server affected by empty authData bypassing credential requirement on signup

Impact A user can sign up without providing credentials by sending an empty authData object, bypassing the username and password requirement. This allows the creation of authenticated sessions without proper credentials, even when anonymous users are disabled. Patches The fix ensures that empty o...

6.9CVSS5.8AI score0.00294EPSS
Exploits0References5Affected Software1
ptsecurity
ptsecurity
added 2026/03/17 12:0 a.m.13 views

PT-2026-25999

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.29 and 8.6.49, a user can sign up without providing credentials by sending an empty authData object, bypassing the username and password requirement. This allows the creati...

6.9CVSS5.8AI score0.00294EPSS
Exploits0References8
osv
osv
added 2026/03/03 9:35 p.m.6 views

GHSA-5MX2-2MGW-X8RM OpenClaw: BlueBubbles beta plugin webhook auth hardening (remove passwordless fallback)

Summary BlueBubbles webhook auth in the optional beta iMessage plugin allowed a passwordless fallback path. In some reverse-proxy/local routing setups, this could allow unauthenticated webhook events. Affected Component and Scope - Component: extensions/bluebubbles webhook handler - Scope: only...

6.3CVSS6AI score0.00249EPSS
Exploits0References6
Rows per page
Query Builder