660 matches found
PT-2026-26855
The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2. This is due to the permission callback update user wechatshop info permissions check only validating that the supplied 'openid' parameter corresponds to ...
WordPress plugin REST API TO MiniProgram 输入验证错误漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...
CVE-2026-32321
ClipBucket v5 is an open source video sharing platform. An authenticated time-based blind SQL injection vulnerability exists in ClipBucket prior to 5.5.3 80 within the actions/ajax.php endpoint. Due to insufficient input sanitization of the userid parameter, an authenticated attacker can execute...
CVE-2026-32321 ClipBucket v5 has time-based Blind SQL Injection in ajax.php that leads to Data Exfiltration
ClipBucket v5 is an open source video sharing platform. An authenticated time-based blind SQL injection vulnerability exists in ClipBucket prior to 5.5.3 80 within the actions/ajax.php endpoint. Due to insufficient input sanitization of the userid parameter, an authenticated attacker can execute...
EUVD-2026-12960
ClipBucket v5 is an open source video sharing platform. An authenticated time-based blind SQL injection vulnerability exists in ClipBucket prior to 5.5.3 80 within the actions/ajax.php endpoint. Due to insufficient input sanitization of the userid parameter, an authenticated attacker can execute...
CVE-2026-32321 ClipBucket v5 has time-based Blind SQL Injection in ajax.php that leads to Data Exfiltration
ClipBucket v5 is an open source video sharing platform. An authenticated time-based blind SQL injection vulnerability exists in ClipBucket prior to 5.5.3 80 within the actions/ajax.php endpoint. Due to insufficient input sanitization of the userid parameter, an authenticated attacker can execute...
CVE-2026-32321 ClipBucket v5 has time-based Blind SQL Injection in ajax.php that leads to Data Exfiltration
ClipBucket v5 is an open source video sharing platform. An authenticated time-based blind SQL injection vulnerability exists in ClipBucket prior to 5.5.3 80 within the actions/ajax.php endpoint. Due to insufficient input sanitization of the userid parameter, an authenticated attacker can execute...
CVE-2026-32321
ClipBucket v5.x prior to 5.5.3 #80 contains an authenticated time-based blind SQL injection in the actions/ajax.php endpoint. The vulnerability arises from insufficient input sanitization of the userid parameter, enabling an authenticated attacker to execute arbitrary SQL queries, leading to full...
PT-2026-26155
ClipBucket v5 is an open source video sharing platform. An authenticated time-based blind SQL injection vulnerability exists in ClipBucket prior to 5.5.3 80 within the actions/ajax.php endpoint. Due to insufficient input sanitization of the userid parameter, an authenticated attacker can execute...
ClipBucket SQL注入漏洞
ClipBucket is an open-source PHP script developed by MacWarrior. It is available for free download and used to host video websites. Versions of ClipBucket prior to 5.5.3 80 contained a SQL injection vulnerability. This vulnerability stemmed from insufficient cleaning of the userid parameter input...
Tiandy Integrated Management Platform SQL注入漏洞
Tiandy Integrated Management Platform is a comprehensive video surveillance management platform developed by Tiandy Company in China. Version 7.17.0 of Tiandy Integrated Management Platform contains a SQL injection vulnerability. This vulnerability stems from improper handling of the parameter...
CVE-2026-4171 CodeGenieApp serverless-express API Endpoint TodoList.ts authorization
A security vulnerability has been detected in CodeGenieApp serverless-express up to 4.17.1. Affected by this issue is some unknown functionality of the file examples/lambda-function-url/packages/api/models/TodoList.ts of the component API Endpoint. The manipulation of the argument userId leads to...
CVE-2026-4171
CVE-2026-4171 affects CodeGenieApp serverless-express up to 4.17.1. The vulnerability involves the authorization of a TodoList.ts endpoint (examples/lambda-function-url/packages/api/models/TodoList.ts) where manipulating the userId bypasses authorization. It is exploitable remotely and has public...
CVE-2026-4171 CodeGenieApp serverless-express API Endpoint TodoList.ts authorization
A security vulnerability has been detected in CodeGenieApp serverless-express up to 4.17.1. Affected by this issue is some unknown functionality of the file examples/lambda-function-url/packages/api/models/TodoList.ts of the component API Endpoint. The manipulation of the argument userId leads to...
PT-2026-25543
A security vulnerability has been detected in CodeGenieApp serverless-express up to 4.17.1. Affected by this issue is some unknown functionality of the file examples/lambda-function-url/packages/api/models/TodoList.ts of the component API Endpoint. The manipulation of the argument userId leads to...
BIT-PARSE-2026-30967 Parse Server OAuth2 authentication adapter account takeover via identity spoofing
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2. and 8.6.22, the OAuth2 authentication adapter, when configured without the useridField option, only verifies that a token is active via the provider's token introspection...
GHSA-FR88-W35C-R596 Parse Server OAuth2 authentication adapter account takeover via identity spoofing
Impact The OAuth2 authentication adapter, when configured without the useridField option, only verifies that a token is active via the provider's token introspection endpoint, but does not verify that the token belongs to the user identified by authData.id. An attacker with any valid OAuth2 token...
EUVD-2026-10885
Parse Server OAuth2 authentication adapter account takeover via identity spoofing...
Insufficiently Protected Credentials
Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Insufficiently Protected Credentials in the OAuth2 authentication process when the useridField option is not set. An attacke...
CVE-2026-30967
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.9. and 8.6.22, the OAuth2 authentication adapter, when configured without the useridField option, only verifies that a token is active via the provider's token introspectio...