14725 matches found
GHSA-775H-3XRC-C228 Parse Server has a rate limit bypass via batch request endpoint
Impact Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint /batch processes sub-requests internally by routing them directly through the Promise router, bypassing Express middleware including rate limiting. An attacker can bundle...
EUVD-2026-10508
Cross-site Scripting XSS allows an attacker to submit specially crafted data to the application which is returned unaltered in the resulting web page...
Build Transformative Security with AI-Powered WAF Detections
...
Prototype Pollution
Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Prototype Pollution via triggers.js when a prototype property name is used as the function name. An attacker can terminate t...
Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution
Impact An unauthenticated attacker can crash the Parse Server process by calling a Cloud Function endpoint with a prototype property name as the function name. The server recurses infinitely, causing a call stack size error that terminates the process. Other prototype property names bypass Cloud...
Fortinet FortiWeb 安全漏洞
Fortinet FortiWeb is a Web application layer firewall developed by the American company Fortinet. It can block threats such as cross-site scripting, SQL injection, cookie poisoning, and schema poisoning, ensuring the security of web applications and protecting sensitive database content. Fortinet...
Fortinet FortiWeb 操作系统命令注入漏洞
Fortinet FortiWeb is a Web application layer firewall from the U.S. company Fita Fortinet, which can block threats such as cross-site scripting, SQL injection, cookie poisoning, schema poisoning and other attacks to ensure the security of Web applications and protect sensitive database content. A...
PT-2026-24188
Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.13 Parse Server versions prior to 9.5.1-alpha.2 Description An unauthenticated attacker can cause a denial of service by crashing the Parse Server process. This occurs by calling a Cloud Function endpoint wit...
OliveTin 路径遍历漏洞
OliveTin is OliveTin open source a Web application . OliveTin has a path traversal vulnerability, which is caused by an unsafe resolution of UniqueTrackingId, and can be exploited by an attacker to traverse directories on the system...
CVE-2025-70040
An issue pertaining to CWE-532: Insertion of Sensitive Information into Log File was discovered in LupinLin1 jimeng-web-mcp v2.1.2. This allows an attacker to obtain sensitive information...
CVE-2025-41755
A low-privileged remote attacker can exploit the ubr-logread method in wwwubr.cgi to read arbitrary files on the system. The endpoint accepts a parameter specifying the log file to open e.g., /tmp/weblogsomenumber, but this parameter is not properly validated, allowing an attacker to modify it to...
CVE-2026-3806 SourceCodester/janobe Resort Reservation System room_rates.php sql injection
A weakness has been identified in SourceCodester/janobe Resort Reservation System 1.0. This issue affects some unknown processing of the file /roomrates.php. This manipulation of the argument q causes sql injection. The attack can be initiated remotely. The exploit has been made available to the...
PT-2026-24056
A vulnerability was detected in SourceCodester Patients Waiting Area Queue Management System 1.0. This issue affects some unknown processing of the file /patient-search.php. The manipulation results in improper authorization. The attack can be launched remotely. The exploit is now public and may ...
CVE-2025-70033
CVE-2025-70033 affects Sunbird-Ed SunbirdEd-portal v1.13.4. The issue is CWE-79: Improper Neutralization of Input During Web Page Generation in Sunbird-Ed’s portal. CVSSv3.1 base: 5.4 (MEDIUM) with Network attack vector, Low confidentiality and integrity impact, no availability impact; user inter...
Advantech ADAM-5550 Weak Encoding For Password (CVE-2024-37187)
Advantech ADAM 5550's web application includes a 'logs' page where all the HTTP requests received are displayed to the user. The device doesn't correctly neutralize malicious code when parsing HTTP requests to generate page output This plugin only works with Tenable.ot. Please visit...
CVE-2025-70040
An issue pertaining to CWE-532: Insertion of Sensitive Information into Log File was discovered in LupinLin1 jimeng-web-mcp v2.1.2. This allows an attacker to obtain sensitive information...
CVE-2026-3740
A weakness has been identified in itsourcecode University Management System 1.0. Impacted is an unknown function of the file /adminsearchstudent.php. This manipulation of the argument adminsearchstudent causes sql injection. The attack is possible to be carried out remotely. The exploit has been...
AWS VDP: SQL Injection Detection Bypass in AWS WAF Managed Rules (AWSManagedRulesSQLiRuleSet)
Researchers This vulnerability was discovered through collaborative security research. Researchers: - █████ - █████████ - █████████ --- Summary AWS WAF fails to detect certain SQL injection payload variants. These payloads bypass the AWS WAF SQL injection detection rules and reach the backend...
CVE-2026-3710 code-projects Simple Flight Ticket Booking System Adminadd.php sql injection
A security vulnerability has been detected in code-projects Simple Flight Ticket Booking System 1.0. This impacts an unknown function of the file /Adminadd.php. The manipulation of the argument flightno/airplaneid/departure/dtime/arrival/atime/ec/ep/bc/bp leads to sql injection. Remote exploitati...
CVE-2026-25888 Chartbrew: Remote Code Execution (RCE) via Vulnerable API
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability via a vulnerable API. This issue has been patched in version 4.8.1...