Astra Linux - уязвимость в postgresql-11

A flaw was discovered in PostgreSQL versions prior to 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20, and before 9.5.24. If a client application that creates additional database connections only reuses the basic connection parameters while dropping security-relevant parameters, ther...

[SECURITY] Fedora 42 Update: coturn-4.11.0-1.fc42

The Coturn TURN Server is a VoIP media traffic NAT traversal server and gatew ay. It can be used as a general-purpose network traffic TURN server/gateway, too. This implementation also includes some extra features. Supported RFCs: TURN specs: - RFC 5766 - base TURN specs - RFC 6062 - TCP relaying...

Kysely: JSON-path traversal injection via unsanitized path-leg metacharacters in `JSONPathBuilder.key()` / `.at()`

Summary Kysely 0.28.12 added a sanitizeStringLiteral call inside DefaultQueryCompiler.visitJSONPathLeg commit 0a602bf, PR 1727 to fix CVE-2026-32763 GHSA-wmrf-hv6w-mr66. The fix only doubles single quotes ' → ''; it does not escape JSON-path metacharacters ., , , , , ?. When attacker-controlled...

CVE-2026-40906

Electric’s CVE-2026-40906 describes an error-based SQL injection in the order_by parameter of the ElectricSQL /v1/shape API in Electric (Postgres sync engine). Affected versions range from 1.1.12 up to before 1.5.0; an authenticated user could craft ORDER BY expressions to read, write, and destro...

CVE-2026-40906 Electric: SQL Injection via ORDER BY Parameter in Shape API

Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the orderby parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL injection, allowing any authenticated user to read, write, and destroy the full contents of the underlying PostgreSQL database through crafted...

GHSA-27H3-CRW2-Q36W SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information

The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL. This issue affects Apache SkyWalking: from 9.7.0 through 10.3.0. Users are recommended to upgrade to version 10.4.0, which fixes the issue...

CVE-2026-30778 Apache SkyWalking: The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.

The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL. This issue affects Apache SkyWalking: from 9.7.0 through 10.3.0. Users are recommended to upgrade to version 10.4.0, which fixes the issue...

S3CDM: A Secret-Sharing-Scheme-Based Cyberattack Detection Model and Its Simulation Implementation

We design and develop a secret-sharing-scheme-based cyberattack detection modelS3CDMthat can detect unauthorized or illegal activities especially insider attacks and protect sensitive information within complex network infrastructures of large organizations. The model splits a secret among a grou...

CVE-2026-34977

Aperi'Solve is an open-source steganalysis web platform. Prior to version 3.2.1, uploading a JPEG with an optional password leads the password to be passed into an expect command and then into a bash -c command without sanitization. An unauthenticated attacker can achieve root-level RCE inside th...

CVE-2026-34455

Hi.Events is an open-source event management and ticket selling platform. From version 0.8.0-beta.1 to before version 1.7.1-beta, multiple repository classes pass the user-supplied sortby query parameter directly to Eloquent's orderBy without validation, enabling SQL injection. The application us...

EUVD-2026-15947

n8n has SQL Injection in Data Table Node via orderByColumn Expression...

CVE-2026-32950

CVE-2026-32950 affects SQLBot prior to 1.7.0, where an authenticated user can trigger a critical SQL Injection in the /api/v1/datasource/uploadExcel endpoint. The root cause is unsanitized Excel sheet names concatenated into PostgreSQL table names and embedded into COPY statements via f-strings i...

Express - Node.js API with PostgreSQL 代码问题漏洞

Express - Node.js API with PostgreSQL is a RESTful API service developed by Jawher Kl, based on Node.js and PostgreSQL. There are code issues and vulnerabilities in versions 2.5 and earlier of Express - Node.js API with PostgreSQL. These vulnerabilities stem from incorrect operations on the...

PT-2026-25058

Impact An unauthenticated attacker can take over any user account that was created with an authentication provider that does not validate the format of the user identifier e.g. anonymous authentication. By sending a crafted login request, the attacker can cause the server to perform a...

CVE-2026-31871

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.5 and 8.6.31, a SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation e.g.,...

CVE-2026-31840

CVE-2026-31840 affects Parse Server (Node.js backend) deployed with PostgreSQL. The issue is a SQL injection via dot-notation field names used with the sort, distinct, or where query parameters, due to improper escaping of sub-field values. Affected versions are prior to 9.6.0-alpha.2 and 8.6.28;...

CVE-2026-27005

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.3, an unauthenticated attacker can inject arbitrary SQL into queries executed against databases connected to Chartbrew MySQL, PostgreSQL. This allows...

[SECURITY] Fedora 43 Update: coturn-4.9.0-1.fc43

The Coturn TURN Server is a VoIP media traffic NAT traversal server and gatew ay. It can be used as a general-purpose network traffic TURN server/gateway, too. This implementation also includes some extra features. Supported RFCs: TURN specs: - RFC 5766 - base TURN specs - RFC 6062 - TCP relaying...

GHSA-45RP-9P97-H852 NocoDB Vulnerable to SQL Injection via DATEADD Formula

Summary An authenticated user with Creator role can inject arbitrary SQL via the DATEADD formula's unit parameter. Details The third argument unit of DATEADD was interpolated directly into knex.raw queries after only stripping quote characters. Validation in formulas.ts only checked Literal AST...

CVE-2026-23984

An Improper Input Validation vulnerability exists in Apache Superset that allows an authenticated user with SQLLab access to bypass the read-only verification check when using a PostgreSQL database connection. While the system effectively blocks standard Data Manipulation Language DML statements...