26 matches found

Source: NVD | added 2026/04/15 8:16 p.m. | 0 views

CVE-2026-33888

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the getRestQuery method of the @apostrophecms/piece-type module, where the method checks whether a MongoDB projection has already been set before applying...

CVSS 5.3 | EPSS 0.0011
Exploits: 1 | References: 3
Source: RedhatCVE | added 2026/03/26 3:02 p.m. | 1 view

CVE-2026-32811

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. When using Heimdall in envoy gRPC decision API mode with versions 0.7.0-alpha through 0.17.10, wrong encoding of the query URL string allows rules with non-wildcard path expressions to be bypassed. Envoy splits t...

CVSS 8.2 | AI score 5.7 | EPSS 0.00015
Exploits: 1 | References: 1
Source: Cvelist | added 2026/03/10 8:42 p.m. | 22 views

CVE-2026-30962 Parse Server has a protected fields bypass via logical query operators

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.6 and 8.6.19, the validation for protected fields only checks top-level query keys. By wrapping a query constraint on a protected field inside a logical operator, the check...

CVSS 7.1 | EPSS 0.00046
Exploits: 0 | References: 3
Source: RedhatCVE | added 2026/03/09 8:02 a.m. | 0 views

CVE-2026-30860

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.12, a remote code execution (RCE) vulnerability exists in the application's database query functionality. The validation system fails to recursively inspect child nodes within...

CVSS 9.9 | AI score 6.4 | EPSS 0.0024
Exploits: 1 | References: 1
Source: RedHat Linux | added 2026/02/16 10:49 a.m. | 2 views

taffy: taffydb: Internal Property Tampering

taffydb npm module, vulnerable in all versions up to and including 2.7.3, allows attackers to forge adding additional properties into user-input processed by taffy which can allow access to any data items in the DB. taffy sets an internal index for each data item in its DB. However, it is found...

CVSS 7.5 | AI score 5.7 | EPSS 0.00394
Exploits: 1 | References: 7
Source: Tenable Nessus | added 2025/11/21 12:00 a.m. | 1 view

RHEL 8 / 9 : Satellite 6.16.5.6 Async Update (Moderate) (RHSA-2025:21894)

The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2025:21894 advisory. Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to...

CVSS 6.5 | AI score 5.6 | EPSS 0.00013
Exploits: 0 | References: 5
Source: EUVD | added 2025/10/03 8:07 p.m. | 1 view

EUVD-2022-6139

Malicious code in bioql PyPI...

CVSS 7.5 | AI score 7.5 | EPSS 0.00173
Exploits: 1 | References: 5
Source: RedhatCVE | added 2025/05/23 7:43 a.m. | 6 views

CVE-2024-37155

OpenCTI is an open source platform allowing organizations to manage their cyber threat intelligence knowledge and observables. Prior to version 6.1.9, the regex validation used to prevent Introspection queries can be bypassed by removing the extra whitespace, carriage return, and line feed...

CVSS 8.2 | AI score 6.5 | EPSS 0.00194
Exploits: 0
Source: RedhatCVE | added 2025/05/22 10:02 a.m. | 4 views

CVE-2019-17426

Automattic Mongoose through 5.7.4 allows attackers to bypass access control in some applications because any query object with a bsontype attribute is ignored. For example, adding "bsontype":"a" can sometimes interfere with a query filter. NOTE: this CVE is about Mongoose's failure to work around...

CVSS 9.1 | AI score 6.7 | EPSS 0.00237
Exploits: 0 | References: 1
Source: Cvelist | added 2025/04/07 8:48 p.m. | 24 views

CVE-2025-32033 Apollo Router Operation Limits Vulnerable to Bypass via Integer Overflow

The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Prior to 1.61.2 and 2.1.1, the operation limits plugin uses unsigned 32-bit integers to track limit counters e.g. for a query's height. If a counter...

CVSS 7.5 | EPSS 0.0022
Exploits: 0 | References: 3
Source: OSV | added 2025/04/07 6:59 p.m. | 6 views

GHSA-84M6-5M72-45FP Apollo Router Operation Limits Vulnerable to Bypass via Integer Overflow

Impact Summary A vulnerability in Apollo Router allowed certain queries to bypass configured operation limits, specifically due to integer overflow. Details The operation limits plugin uses unsigned 32-bit integers to track limit counters e.g. for a query's height. If a counter exceeded the maxim...

CVSS 7.5 | AI score 7.4 | EPSS 0.0022
Exploits: 0 | References: 5
Source: Github Security Blog | added 2025/04/07 6:59 p.m. | 15 views

Apollo Router Operation Limits Vulnerable to Bypass via Integer Overflow

Impact Summary A vulnerability in Apollo Router allowed certain queries to bypass configured operation limits, specifically due to integer overflow. Details The operation limits plugin uses unsigned 32-bit integers to track limit counters e.g. for a query's height. If a counter exceeded the maxim...

CVSS 7.5 | AI score 7.4 | EPSS 0.0022
Exploits: 0 | References: 5 | Affected Software: 1
Source: CNNVD | added 2025/04/07 12:00 a.m. | 1 view

Apollo Federation Security Vulnerability

Apollo Federation is an architecture for the Apollo community to declaratively combine APIs into a unified graph. A security vulnerability exists in Apollo Federation versions prior to 2.10.1 that stems from a query optimization bypass that could lead to a denial of service...

CVSS 7.5 | AI score 6.3 | EPSS 0.00417
Exploits: 0 | References: 4
Source: OSV | added 2025/03/25 2:00 p.m. | 1 view

GHSA-X574-M823-4X7W Vite bypasses server.fs.deny when using ?raw??

Summary The contents of arbitrary files can be returned to the browser. Impact Only apps explicitly exposing the Vite dev server to the network using --host or server.host config option are affected. Details @fs denies access to files outside of Vite serving allow list. Adding ?raw?? or...

CVSS 5.3 | AI score 5.9 | EPSS 0.89847
Exploits: 27 | References: 8
Source: OSV | added 2024/12/17 9:30 p.m. | 0 views

GHSA-5MPW-4546-2WCR Elasticsearch Incorrect Authorization vulnerability

An issue was discovered where improper authorization controls affected certain queries that could allow a malicious actor to circumvent Document Level Security in Elasticsearch and get access to documents that their roles would normally not allow...

CVSS 6 | AI score 6.6 | EPSS 0.00369
Exploits: 0 | References: 3
Source: SUSE CVE | added 2023/02/15 5:42 a.m. | 2 views

SUSE CVE-2013-0155

Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NU...

CVSS 6.4 | AI score 7 | EPSS 0.18174
Exploits: 2 | References: 13
Source: SUSE CVE | added 2023/02/15 4:59 a.m. | 1 view

SUSE CVE-2016-6317

Action Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing...

CVSS 7.5 | AI score 7.5 | EPSS 0.00381
Exploits: 2 | References: 4
Source: Vulnrichment | added 2022/09/23 6:28 p.m. | 2 views

CVE-2022-32226

An improper access control vulnerability exists in Rocket.Chat v5, v4.8.2 and v4.7.5 due to input data in the getUsersOfRoom Meteor server method is not type validated, so that MongoDB query operator objects are accepted by the server, so that instead of a matching rid String a $regex query can be...

AI score 4.6 | EPSS 0.00149
Exploits: 1 | References: 1
Source: Snyk | added 2020/02/05 4:04 p.m. | 1 view

Internal Property Tampering

Overview taffydb is an open source JavaScript library that provides in-memory database capabilities Affected versions of this package are vulnerable to Internal Property Tampering. taffy sets an internal index for each data item in its DB. However, it is found that the internal index can be forge...

CVSS 7.5 | AI score 7.3 | EPSS 0.00394
Exploits: 1 | References: 2
Source: CNVD | added 2015/10/13 12:00 a.m. | 3 views

ZOHO ManageEngine OpManager Security Restriction Bypass Vulnerability

ZOHO ManageEngine OpManager is network performance management software. A security vulnerability exists in PGSQL:SubmitQuery.do in ZOHO ManageEngine OpManager 11.6, 11.5 and earlier versions. An attacker can exploit this vulnerability to bypass sql query restrictions...

CVSS 9 | AI score 7 | EPSS 0.77548
Exploits: 3 | References: 1