CVE-2026-22751 Spring Security JdbcOneTimeTokenService allows a one-time token to authenticate multiple sessions

Vulnerability in Spring Spring Security. Applications that explicitly configure One-Time Token login with JdbcOneTimeTokenService are vulnerable to a Time-of-check Time-of-use TOCTOU race condition. This issue affects Spring Security: from 6.4.0 through 6.4.15, from 6.5.0 through 6.5.9, from 7.0....

BIT-PARSE-2026-32943 Parse Server has a password reset token single-use bypass via concurrent requests

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0 and 8.6.48, the password reset mechanism does not enforce single-use guarantees for reset tokens. When a user requests a password reset, the generated token can be consumed by...

CVE-2026-32943

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.28 and 8.6.48, the password reset mechanism does not enforce single-use guarantees for reset tokens. When a user requests a password reset, the generated token can be...

EUVD-2026-12991

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.28 and 8.6.48, the password reset mechanism does not enforce single-use guarantees for reset tokens. When a user requests a password reset, the generated token can be...

CVE-2026-32943

Parse Server prior to versions 9.6.0-alpha.28 and 8.6.48 did not enforce single-use for password-reset tokens, allowing a token to be consumed by concurrent requests. An attacker with an intercepted token could race a legitimate reset request, potentially changing a target account’s password. Sta...

CVE-2026-32943

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.28 and 8.6.48, the password reset mechanism does not enforce single-use guarantees for reset tokens. When a user requests a password reset, the generated token can be...

PT-2026-26160

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.28 and 8.6.48, the password reset mechanism does not enforce single-use guarantees for reset tokens. When a user requests a password reset, the generated token can be...

GHSA-6FX5-5CW5-4897 Craft CMS Race condition in Token Service potentially allows for token usage greater than the token limit

A Time-of-Check-Time-of-Use TOCTOU race condition exists in Craft CMS’s token validation service for tokens that explicitly set a limited usage. The getTokenRoute method reads a token’s usage count, checks if it’s within limits, then updates the database in separate non-atomic operations. By...

EUVD-2025-4683

Malicious code in bioql PyPI...