CVE-2026-44451
Lumiverse prior to version 0.9.7 has a sandbox escape vulnerability in its component override system. The system transpiles user TSX with Sucrase and evaluates it via new Function, shadowing dangerous globals (fetch, window, eval, etc.). A static validator blocks identifiers, but a string-split b...
EUVD-2026-31362
Concrete CMS below 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass. The user-profile edit controller passes the entire raw POST array to UserInfo::update without field whitelisting resulting in password change without requiring the current...
CVE-2026-43529
OpenClaw before 2026.4.10 has a time-of-check-time-of-use (TOCTOU) race condition in validateScriptFileForShellBleed that lets a local attacker with workspace write access bypass workspace boundary checks. The attacker can race-condition the target file swap between validation and preflight read,...
BIT-PARSE-2026-34532 Parse Server: Cloud function validator bypass via prototype chain traversal
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.67 and 9.7.0, an attacker can bypass Cloud Function validator access controls by appending "prototype.constructor" to the function name in the URL. When a Cloud Function...
GHSA-VPJ2-QQ7W-5QQ6 parse-server has cloud function validator bypass via prototype chain traversal
Impact: An attacker can bypass Cloud Function validator access controls by appending .prototype.constructor to the function name in the URL. When a Cloud Function handler is declared using the function keyword and its validator is a plain object or arrow function, the trigger store traversal...
parse-server has cloud function validator bypass via prototype chain traversal
Impact: An attacker can bypass Cloud Function validator access controls by appending .prototype.constructor to the function name in the URL. When a Cloud Function handler is declared using the function keyword and its validator is a plain object or arrow function, the trigger store traversal...
CVE-2026-34532
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.67 and 9.7.0-alpha.11, an attacker can bypass Cloud Function validator access controls by appending "prototype.constructor" to the function name in the URL. When a Cloud...
CVE-2026-34532
Parse Server vulnerability CVE-2026-34532: An attacker could bypass Cloud Function validator access controls by appending "prototype.constructor" to the function name in the URL. When a Cloud Function handler uses the function keyword and its validator is a plain object or arrow function, the tri...
CVE-2026-34532 Parse Server: Cloud function validator bypass via prototype chain traversal
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.67 and 9.7.0-alpha.11, an attacker can bypass Cloud Function validator access controls by appending "prototype.constructor" to the function name in the URL. When a Cloud...
PT-2026-29272
Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 8.6.67; Parse Server versions prior to 9.7.0-alpha.11. Description: Parse Server is an open source backend deployable on Node.js infrastructures. An attacker can bypass Cloud Function validator access controls by...
Security Bulletin: IBM Application Modernization Accelerator is affected by multiple vulnerabilities found in Java and Node.js
Summary: There are multiple vulnerabilities in Java and Node.js used by IBM Application Modernization Accelerator. Vulnerability Details: CVEID: CVE-2025-53066. DESCRIPTION: An unspecified vulnerability in Java SE related to the JAXP component could allow a remote attacker to cause high confidentiali...
GHSA-2GW2-QGJG-XH6P Namada-apps allows Post-Genesis Validator Bypass
Impact: Ledger crash. A user is able to initialize a post-genesis validator with a negative commission rate using the --force flag. If this validator gets into the consensus set, then when computing PoS inflation inside fn updaterewardsproductsandmintinflation, an instance of mulfloor will cause t...
Namada-apps allows Post-Genesis Validator Bypass
Impact: Ledger crash. A user is able to initialize a post-genesis validator with a negative commission rate using the --force flag. If this validator gets into the consensus set, then when computing PoS inflation inside fn updaterewardsproductsandmintinflation, an instance of mulfloor will cause t...
Google Chrome HTML Validator Bypass Vulnerability
Chrome is a simple and efficiently designed web browsing tool developed by Google that is characterized by its simplicity and speed. An HTML validator bypass vulnerability exists in Google Chrome versions prior to 80.0.3987.87. The vulnerability stems from an improper implementation of Blink in...
Joyent Node.js validator security bypass vulnerability (CNVD-2016-02546)
Joyent Node.js is a web application platform built on top of Google's V8 JavaScript engine. A security vulnerability in Joyent Node.js validator allows remote attackers to bypass filters by submitting special input...