6.3
CVE-2026-30850 - Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint (GET /files/:appId/metadata/:filename) does not enforce beforeFind / afterFind file triggers. When these triggers are used asβ¦
6.3
CVE-2026-30848 - Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0-alpha.8, the PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured pβ¦
9.3
CVE-2026-30863 - Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.10 and 9.5.0-alpha.11, the Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter's audience configuration opβ¦
8.7
CVE-2026-29196 - Netmaker: Service User with Network Access Can Access config files with WireGuard Private Keys
Netmaker makes networks with WireGuard. Prior to version 1.5.0, a user assigned the platform-user role can retrieve WireGuard private keys of all wireguard configs in a network by calling GET /api/extclients/{network} or GET /api/nodes/{network}. While the Netmaker UI restricts visibility, the API β¦
6.9
CVE-2026-29195 - Netmaker: Privilege Escalation from Admin to Super-Admin via User Update
Netmaker makes networks with WireGuard. Prior to version 1.5.0, the user update handler (PUT /api/users/{username}) lacks validation to prevent an admin-role user from assigning the super-admin role during account updates. While the code correctly blocks an admin from assigning the admin role to anβ¦
8.6
CVE-2026-29194 - Netmaker: Insufficient Authorization in Host Token Verification
Netmaker makes networks with WireGuard. Prior to version 1.5.0, the Authorize middleware in Netmaker incorrectly validates host JWT tokens. When a route permits host authentication (hostAllowed=true), a valid host token bypasses all subsequent authorization checks without verifying that the host isβ¦
5.9
CVE-2026-29076 - cpp-httplib: Stack Overflow Denial of Service (DoS) via std::regex in multipart filename parsing
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.37.0, cpp-httplib uses std::regex (libstdc++) to parse RFC 5987 encoded filename* values in multipart Content-Disposition headers. The regex engine in libstdc++ implements backtracking via deep recuβ¦
8.1
CVE-2026-28678 - dsa-hub-server: Clear-Text Storage of Sensitive Data
DSA Study Hub is an interactive educational web application. Prior to commit d527fba, the user authentication system in server/routes/auth.js was found to be vulnerable to Insufficiently Protected Credentials. Authentication tokens (JWTs) were stored in HTTP cookies without cryptographic protectionβ¦
2.3
CVE-2026-3668 - Freedom Factory dGEN1 org.ethosmobile.webpwaemul AndroidEthereum access control
A weakness has been identified in Freedom Factory dGEN1 up to 20260221. This affects the function AndroidEthereum of the component org.ethosmobile.webpwaemul. This manipulation causes improper access controls. Remote exploitation of the attack is possible. The attack is considered to have high compβ¦
5.1
CVE-2026-30838 - league/commonmark: DisallowedRawHtml extension bypass via whitespace in HTML tag names
league/commonmark is a PHP Markdown parser. Prior to version 2.8.1, the DisallowedRawHtml extension can be bypassed by inserting a newline, tab, or other ASCII whitespace character between a disallowed HTML tag name and the closing >. For example, <script\n> would pass through unfiltered and be renβ¦