EUVD-2026-14978

Parse Server: MFA recovery code single-use bypass via concurrent requests...

GHSA-2299-GHJR-6VJP Parse Server: MFA recovery code single-use bypass via concurrent requests

Impact An attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending concurrent login requests. This defeats the single-use design of recovery codes. The attack requires the user's password, a valid recovery code, and...

CVE-2026-33349

CVE-2026-33349 affects the fast-xml-parser library. The issue lives in the DocTypeReader for versions 4.0.0-beta.3 through before 5.5.7, where JavaScript truthy checks on maxEntityCount and maxEntitySize cause guard conditions to short‑circuit when 0 is explicitly set, bypassing limits. An attack...

EUVD-2026-14996

solidtime is an open-source time-tracking app. Prior to version 0.11.6, the project detail endpoint GET /api/v1/organizations/org/projects/project allows any authenticated Employee to access any project in the organization by UUID, including private projects they are not a member of. The index...

CVE-2026-33344 Dagu has an incomplete fix for CVE-2026-27598: path traversal via %2F-encoded slashes in locateDAG

Dagu is a workflow engine with a built-in Web user interface. From version 2.0.0 to before version 2.3.1, the fix for CVE-2026-27598 added ValidateDAGName to CreateNewDAG and rewrote generateFilePath to use filepath.Base. This patched the CREATE path. The remaining API endpoints - GET, DELETE,...

EUVD-2026-14992

FileRise is a self-hosted web file manager / WebDAV server. From version 1.0.1 to before version 3.10.0, the resumableIdentifier parameter in the Resumable.js chunked upload handler UploadModel::handleUpload is concatenated directly into filesystem paths without any sanitization. An authenticated...

EUVD-2026-14976

Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter...

CVE-2026-33322 MinIO: JWT Algorithm Confusion in OIDC Authentication

MinIO is a high-performance object storage system. From RELEASE.2022-11-08T05-27-07Z to before RELEASE.2026-03-17T21-25-16Z, a JWT algorithm confusion vulnerability in MinIO's OpenID Connect authentication allows an attacker who knows the OIDC ClientSecret to forge arbitrary identity tokens and...

CVE-2026-33627 Parse Server: Auth data exposed via /users/me endpoint

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.61 and 9.6.0-alpha.55, an authenticated user calling GET /users/me receives unsanitized auth data, including sensitive credentials such as MFA TOTP secrets and recovery...

CVE-2026-33421 Parse Server: LiveQuery bypasses CLP pointer permission enforcement

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.53 and 9.6.0-alpha.42, Parse Server's LiveQuery WebSocket interface does not enforce Class-Level Permission CLP pointer permissions readUserFields and pointerFields. Any...

CVE-2026-33409 Parse Server: Auth provider validation bypass on login via partial authData

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.52 and 9.6.0-alpha.41, an authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowin...

CVE-2026-33417 Wallos: Password Reset Tokens Never Expire

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.2, password reset tokens in Wallos never expire. The passwordresets table includes a createdat timestamp column, but the token validation logic never checks it. A password reset token remains valid...

EUVD-2026-14967

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.2, password reset tokens in Wallos never expire. The passwordresets table includes a createdat timestamp column, but the token validation logic never checks it. A password reset token remains valid...

CVE-2026-33417 Wallos: Password Reset Tokens Never Expire

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.2, password reset tokens in Wallos never expire. The passwordresets table includes a createdat timestamp column, but the token validation logic never checks it. A password reset token remains valid...

CVE-2026-33161

CVE-2026-33161 — Craft CMS : A low-privileged authenticated user could call the assets/image-editor endpoint with the ID of a private asset they cannot view and still receive editor response data, including focalPoint, due to missing per-asset authorization validation. Affected versions: 4.0.0-RC...

CVE-2026-33161 Craft CMS: Anonymous "assets/image-editor" calls returns private asset editor metadata to unauthorized users

Craft CMS is a content management system CMS. From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive editor response dat...

Parse Server's Session Update endpoint allows overwriting server-generated session fields

Impact An authenticated user can overwrite server-generated session fields such as expiresAt and createdWith when updating their own session via the REST API. This allows bypassing the server's configured session lifetime policy, making a session effectively permanent. Patches The fix blocks...

CLSA-2026-1774366791 Fix CVE(s): CVE-2026-24484

SECURITY UPDATE: denial-of-service from nested multi-layer MVG-to-SVG conversions - debian/patches/CVE-2026-24484.patch: Throw VectorGraphicsNestedTooDeeply when vector-graphics nesting reaches MagickMaxRecursionDepth; fix crashes caused by unbounded nesting of graphic-context elements. -...

CVE-2026-33320

Dasel is a command-line tool and library for querying, modifying, and transforming data structures. Starting in version 3.0.0 and prior to version 3.3.1, Dasel's YAML reader allows an attacker who can supply YAML for processing to trigger extreme CPU and memory consumption. The issue is in the...

PT-2026-27479

Name of the Vulnerable Software and Affected Versions Astro versions prior to 10.0.0 Description Astro's Server Islands POST handler does not enforce a size limit when buffering and parsing JSON request bodies. The JSON.parse function allocates a V8 heap object for each element in the input,...