3 matches found
CVE-2026-33627 Parse Server: Auth data exposed via /users/me endpoint
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.61 and 9.6.0-alpha.55, an authenticated user calling GET /users/me receives unsanitized auth data, including sensitive credentials such as MFA TOTP secrets and recovery...
CVE-2025-13084
The groov View API exposes a users endpoint that returns a list of all users with metadata including their API keys. Access requires an Editor role, but the endpoint reveals API keys for all users, including Administrators, creating potential exposure and confidentiality impact. The issue is docu...
CVE-2025-9209
The RestroPress – Online Food Ordering System plugin for WordPress is vulnerable to Authentication Bypass in versions 3.0.0 to 3.1.9.2. This is due to the plugin exposing user private tokens and API data via the /wp-json/wp/v2/users REST API endpoint. This makes it possible for unauthenticated...