Parse Server has a protected field change detection oracle via LiveQuery watch parameter

Impact An attacker can subscribe to LiveQuery with a watch parameter targeting a protected field. Although the protected field value is properly stripped from event payloads, the presence or absence of update events reveals whether the protected field changed, creating a binary oracle. For boolea...

PT-2026-26760

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.54 Parse Server versions prior to 9.6.0-alpha.43 Description Parse Server contains a flaw where an attacker can subscribe to LiveQuery using a watch parameter that targets a protected field. While the actual...

CVE-2026-32770 Parse Server: LiveQuery subscription with invalid regular expression crashes server

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.19 and 8.6.43, a remote attacker can crash the Parse Server by subscribing to a LiveQuery with an invalid regular expression pattern. The server process terminates when the...

GHSA-J7MM-F4RV-6Q6Q Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause

Impact An attacker can exploit LiveQuery subscriptions to infer the values of protected fields without directly receiving them. By subscribing with a WHERE clause that references a protected field including via dot-notation or $regex, the attacker can observe whether LiveQuery events are delivere...

Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause

Impact An attacker can exploit LiveQuery subscriptions to infer the values of protected fields without directly receiving them. By subscribing with a WHERE clause that references a protected field including via dot-notation or $regex, the attacker can observe whether LiveQuery events are delivere...

PT-2026-5967

Name of the Vulnerable Software and Affected Versions NanoMQ versions prior to 0.24.7 Description NanoMQ MQTT Broker NanoMQ has an issue related to protocol parsing and forwarding when handling shared subscriptions $share/. A malformed SUBSCRIBE topic, such as $share/ab missing the second /, is n...

OESA-2022-1768 gupnp security update

GUPnP is an elegant, object-oriented open source framework for creating UPnP devices and control points, written in C using GObject and libsoup. The GUPnP API is intended to be easy to use, efficient and flexible. It provides the same set of features as libupnp,but shields the developer from most...