10 matches found

NVD
added 2026/06/12 4:16 p.m. | 14 views

CVE-2026-44206

Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, DB Schema Enumeration is possible through exploiting an endpoint. This issue has been patched in versions 15.107.2 and 16.17.4...

CVSS 6.9 | EPSS 0.00312
Exploits: 0 | References: 1

EUVD
added 2026/06/12 2:34 p.m. | 8 views

EUVD-2026-36490

Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, DB Schema Enumeration is possible through exploiting an endpoint. This issue has been patched in versions 15.107.2 and 16.17.4...

CVSS 6.9 | AI score 5.2 | EPSS 0.00312
Exploits: 0 | References: 1

Cvelist
added 2026/06/12 2:34 p.m. | 24 views

CVE-2026-44206 Frappe: DB Schema Enumeration via Frappe-Authorization-Source

Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, DB Schema Enumeration is possible through exploiting an endpoint. This issue has been patched in versions 15.107.2 and 16.17.4...

CVSS 6.9 | EPSS 0.00312
Exploits: 0 | References: 1

CVE
added 2026/06/12 2:34 p.m. | 22 views

CVE-2026-44206

Frappe (full-stack web application framework) contains CVE-2026-44206, where DB Schema Enumeration is possible via a vulnerable endpoint prior to versions 15.107.2 and 16.17.4. The issue has been patched in those versions. The CVSS 4.0 base score is 6.9 (MEDIUM) with network attack vector, low co...

CVSS 6.9 | AI score 5.2 | EPSS 0.00312
Exploits: 0 | References: 1

Vulnrichment
added 2026/06/12 2:34 p.m. | 9 views

CVE-2026-44206 Frappe: DB Schema Enumeration via Frappe-Authorization-Source

Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, DB Schema Enumeration is possible through exploiting an endpoint. This issue has been patched in versions 15.107.2 and 16.17.4...

CVSS 6.9 | AI score 5.2 | EPSS 0.00312
Exploits: 0 | References: 1

Positive Technologies
added 2026/06/12 12:0 a.m. | 13 views

PT-2026-48889

Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, DB Schema Enumeration is possible through exploiting an endpoint. This issue has been patched in versions 15.107.2 and 16.17.4...

CVSS 6.9 | AI score 5.2 | EPSS 0.00312
Exploits: 0 | References: 2

Snyk
added 2026/05/29 7:18 p.m. | 11 views

Information Exposure

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Information Exposure via the Did you mean ...? suggestions in GraphQL validation-error messages. An attacker can enumerate...

CVSS 6.9 | AI score 5.8 | EPSS 0.00291
Exploits: 0 | References: 2

CVE
added 2025/10/21 12:0 a.m. | 15 views

CVE-2025-56450

CVE-2025-56450 affects Log2Space Subscriber Management Software 1.1. The vulnerability is an unauthenticated SQL injection in the /l2s/api/selfcareLeadHistory endpoint, exploitable via the lead_id parameter in a crafted POST request. The backend fails to sanitize input, enabling enumeration of da...

CVSS 6.5 | AI score 7.9 | EPSS 0.00307
Exploits: 1 | References: 2

OSV
added 2022/12/12 9:28 p.m. | 23 views

GHSA-6JQM-3C9G-PCH7 @cubejs-backend/api-gateway row level security bypass

Impact All authenticated Cube clients could bypass row-level security and run arbitrary SQL via the newly introduced /v1/sql-runner endpoint. Patches The change has been reverted in 0.31.24 Workarounds Upgrade to =0.31.24 or downgrade to =0.31.22 Post mortem As part of implementing the Cube Cloud...

CVSS 7.7 | AI score 9.3 | EPSS 0.00898
Exploits: 0 | References: 5

Kitploit
added 2017/10/09 1:21 p.m. | 78 views

Blisqy - Exploit Time-based blind-SQL injection in HTTP-Headers (MySQL/MariaDB)

A slow data siphon for MySQL/MariaDB using bitwise operation on printable ASCII characters, via a blind-SQL injection. Usage USAGE: blisqy.py --server --port --header --hvalue --inject --payload --dig --sleeptime Options: -h, --help show this help message and exit --server=WEBSERVER Specify host...

AI score 8.6
Exploits: 0 | References: 1