Latest CVE Feed
Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.
An improper authorization vulnerability in MISP allowed an authenticated organization administrator to access or modify user settings belonging to site administrator accounts within the same organiza…
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.80 and 9.9.1-alpha.6, a relation query using the $relatedTo operator coul…
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.5, apps that enable MFA and deny get on the _U…
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.79 and 9.9.1-alpha.4, the default file upload extension blocklist can be …
Improper Authorization in Handler for Custom URL Scheme in Zoom Workplace before version 7.0.4 for Android and before 7.0.3 for iOS may allow an unauthenticated user to conduct an escalation of privi…
Improper Authorization in Handler for Custom URL Scheme in Zoom Workplace before version 7.0.4 for Android and before 7.0.3 for iOS may allow an unauthenticated user to conduct an escalation of privi…
The Naxclow platform exposes a registration endpoint that accepts signed requests containing a batch prefix and an arbitrary caller-supplied account identifier, without validating any ownership relat…
The Naxclow platform API that returns device relay registration details exposes a persistent credential without verifying that the requester is the legitimate device or owner. An actor able to presen…
Naxclow devices use a server-side, per-device relay credential that never rotates and is re-issued to the device on each boot. Because this credential remains valid indefinitely and cannot be reset o…
During WiFi association, Naxclow device firmware prints the host network’s SSID, PSK, and negotiated WPA keys in cleartext to an exposed UART console on production hardware. The UART pads are labeled…
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.3, the routeAllowList server option restricts …
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.78 and 9.9.1-alpha.2, Parse Server's GraphQL endpoint discloses schema me…
Solidtime is an open-source time-tracking app. Prior to version 0.12.2, Solidtime defines an explicit invitations:view and members:view permissions that gates the official invitations and members API…
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.77 and 9.9.1-alpha.1, an unauthenticated attacker who knows a publicly-kn…
A flaw in Naxclow's platform’s onboarding workflow allows an attacker to replay a confirm-then-bind sequence to silently reassign a device to an arbitrary account. Because the affected endpoints vali…
Naxclow device identifiers use fixed manufacturing prefixes combined with sequential counters, producing a fully predictable and enumerable identifier space. Because the platform also exposes an endp…
Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during …
Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during …
Naxclow devices use a uniform request-signing scheme based on a hard-coded, platform-wide salt embedded in every firmware image. Once this salt is recovered from any device, an attacker can generate …
form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into…