CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

CVE•added 2026/06/12 6:35 p.m.•9 views

CVE-2026-53725

Parse Server up to version 9.9.1-alpha.5 contains a vulnerability in MFA handling: when _User get is denied by Class-Level Permissions, the /login and /verifyPassword endpoints may bypass CLP/protectedFields sanitization and return raw database rows, exposing MFA data (MFA TOTP secrets and recove...

5.9CVSS5.3AI score0.00251EPSS

Cvelist•added 2026/06/12 6:35 p.m.•26 views

CVE-2026-53725 Parse Server: Endpoints `/login` and `/verifyPassword` disclose MFA secrets and protected fields when `_User` get is denied

5.9CVSS0.00251EPSS

Vulnrichment•added 2026/06/12 6:35 p.m.•7 views

CVE-2026-53725 Parse Server: Endpoints `/login` and `/verifyPassword` disclose MFA secrets and protected fields when `_User` get is denied

5.9CVSS5.2AI score0.00251EPSS

Positive Technologies•added 2026/06/05 12:0 a.m.•10 views

PT-2026-46997

Name of the Vulnerable Software and Affected Versions NocoDB versions prior to 2026.05.1 Description The shared-view password check used strict-equality === comparison for legacy plaintext passwords. This creates a timing oracle, allowing a network-positioned attacker to leak the password length...

6.9CVSS5.9AI score0.00253EPSS

Exploits0References5

OSV•added 2026/04/06 2:49 p.m.•1 views

BIT-PARSE-2026-34215 Parse Server: Auth data exposed via verify password endpoint

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.63 and 9.7.0, the verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacker who...

RedhatCVE•added 2026/04/01 11:0 p.m.•2 views

Exploits0References6

CVE-2026-34215

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.63 and 9.7.0-alpha.7, the verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacke...

ATTACKERKB•added 2026/03/31 7:34 p.m.•2 views

Exploits0References1

CVE-2026-34215

Exploits0References10Affected Software1

Vulnrichment•added 2026/03/31 7:34 p.m.•1 views

CVE-2026-34215 Parse Server: Auth data exposed via verify password endpoint

Cvelist•added 2026/03/31 7:34 p.m.•24 views

Exploits0References5

CVE-2026-34215 Parse Server: Auth data exposed via verify password endpoint

8.2CVSS0.00303EPSS

Exploits0References5

CVE•added 2026/03/31 7:34 p.m.•18 views

CVE-2026-34215

Parse Server exposes sensitive authentication data via the verifyPassword endpoint. Affected versions are before 8.6.63 and 9.7.0-alpha.7. The endpoint returns unsanitized data including MFA TOTP secrets, recovery codes, and OAuth access tokens, enabling an attacker who knows a user’s password to...

Exploits0References5Affected Software1

OSV•added 2026/03/31 7:34 p.m.•2 views

CVE-2026-34215 Parse Server: Auth data exposed via verify password endpoint

Snyk•added 2026/03/29 3:14 p.m.•1 views

Exploits0References7

Information Exposure

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Information Exposure via the verifyPassword endpoint. An attacker can obtain sensitive authentication data, such as MFA TOTP...

OSV•added 2026/03/29 3:14 p.m.•4 views

GHSA-WP76-GG32-8258 Parse Server exposes auth data via verify password endpoint

Impact The verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacker who knows a user's password can extract the MFA secret to generate valid MFA codes, defeating multi-factor authentication protection. Patch...

Github Security Blog•added 2026/03/29 3:14 p.m.•4 views

Exploits0References11

Parse Server exposes auth data via verify password endpoint

Exploits0References11Affected Software1

Positive Technologies•added 2026/03/29 12:0 a.m.•13 views

PT-2026-28610

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.63 Parse Server versions prior to 9.7.0-alpha.7 Description The verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attack...

OSV•added 2026/03/13 9:9 p.m.•4 views

Exploits0References18

CVE-2026-32702 Cleanuparr has Username Enumeration via Timing Attack

Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. From 2.7.0 to 2.8.0, the /api/auth/login endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by...

6.9CVSS5.9AI score0.00321EPSS

Exploits1References3

OSV•added 2024/04/19 6:15 p.m.•3 views

CVE-2023-47435

An issue in the verifyPassword function of hexo-theme-matery v2.0.0 allows attackers to bypass authentication and access password protected pages...

9.8CVSS5.8AI score0.00632EPSS

Exploits0References1

Positive Technologies•added 2024/04/19 12:0 a.m.•5 views

PT-2024-13451 · Unknown · Hexo-Theme-Matery

Name of the Vulnerable Software and Affected Versions: hexo-theme-matery version 2.0.0 Description: The issue lies in the verifyPassword function, allowing attackers to bypass authentication and access password-protected pages. Recommendations: For hexo-theme-matery version 2.0.0, as a temporary...

9.8CVSS7.3AI score0.00632EPSS