8.2
CVE-2026-34573 - Parse Server: GraphQL complexity validator exponential fragment traversal DoS
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads. …
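The following is an added example, not code from Parse Server, showing the bug class named in the advisory: a complexity validator that re-walks a fragment's body at every spread does exponential work on a chain of fragments that each spread the next one twice, while a validator that caches each fragment's cost walks every body once. Fragments are modelled as a constructed name-to-spreads map rather than a parsed GraphQL document; the cost model (one unit per fragment body) is an assumption for illustration.

```javascript
// Added example, not Parse Server code. Fragments are modelled as a
// Map from fragment name to the list of fragment names it spreads.

// Constructed input: F0 spreads F1 twice, F1 spreads F2 twice, ...,
// F{depth} spreads nothing. A query spreading F0 has 2^depth leaf paths.
function buildBinaryFanOut(depth) {
  const fragments = new Map();
  for (let i = 0; i < depth; i++) {
    fragments.set(`F${i}`, [`F${i + 1}`, `F${i + 1}`]);
  }
  fragments.set(`F${depth}`, []);
  return fragments;
}

// Vulnerable pattern: recurse into every spread. `visits` counts how many
// fragment bodies the validator actually walked; it grows as 2^(depth+1)-1.
function naiveCost(fragments, root) {
  let visits = 0;
  function walk(name) {
    visits++;
    const spreads = fragments.get(name);
    if (spreads === undefined) throw new Error(`unknown fragment ${name}`);
    let cost = 1; // one unit for this fragment's own fields
    for (const s of spreads) cost += walk(s);
    return cost;
  }
  return { cost: walk(root), visits };
}

// Hardened pattern: each fragment body is walked at most once and its cost
// is reused at every later spread, so `visits` is depth+1. A fragment that
// is still on the stack is a spread cycle (invalid GraphQL) and is rejected
// instead of recursing forever.
function memoisedCost(fragments, root) {
  let visits = 0;
  const memo = new Map();
  const onStack = new Set();
  function walk(name) {
    if (memo.has(name)) return memo.get(name);
    if (onStack.has(name)) throw new Error(`fragment cycle at ${name}`);
    const spreads = fragments.get(name);
    if (spreads === undefined) throw new Error(`unknown fragment ${name}`);
    onStack.add(name);
    visits++;
    let cost = 1;
    for (const s of spreads) cost += walk(s);
    onStack.delete(name);
    memo.set(name, cost);
    return cost;
  }
  return { cost: walk(root), visits };
}

// The validator's decision: compute cost in linear time, then reject.
// Both validators arrive at the same (exponential) cost figure; the point
// is that only the memoised one gets there without doing exponential work.
function acceptQuery(fragments, root, maxCost) {
  return memoisedCost(fragments, root).cost <= maxCost;
}
```

With depth 10 the naive validator walks 2047 fragment bodies and the memoised one 11; with depth 30 the naive walk is over two billion bodies, which is the denial of service, while the memoised validator still walks 31 and rejects the query on cost.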
4.9
CVE-2026-4819 - Search Guard audit logs can contain user credentials under certain conditions
In Search Guard FLX versions from 1.0.0 up to 4.0.1, the audit logging feature might log user credentials from users logging into Kibana.
5.4
CVE-2026-22569 - Incorrect startup configuration in ZCC
An incorrect startup configuration of affected versions of Zscaler Client Connector on Windows may, under rare circumstances, prevent a limited amount of traffic from being inspected.
6.8
CVE-2026-4818 - Some management operations on data streams are not properly restricted when user does not have the …
In Search Guard FLX versions from 3.0.0 up to 4.0.1, there exists an issue which allows users without the necessary privileges to execute some management operations against data streams.
9.1
CVE-2026-34532 - Parse Server: Cloud function validator bypass via prototype chain traversal
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.67 and 9.7.0-alpha.11, an attacker can bypass Cloud Function validator access controls by appending "prototype.constructor" to the function name in the URL. When a Cloud Fun…
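An added example, not Parse Server's code, of how appending "prototype.constructor" to a function name can separate the function lookup from its validator lookup. The mechanism modelled here (the function registry resolving a dot-separated path through plain JavaScript objects while the validator registry is indexed by the literal name) is an assumption about the bug class, not a quotation of Parse Server's source; the registry, the `adminOnly` function and its `requireMaster` validator are constructed for the demonstration.

```javascript
// Added example, not Parse Server code.

const functions = Object.create(null);   // name -> cloud function
const validators = Object.create(null);  // name -> validator (optional)

function define(name, handler, validator) {
  functions[name] = handler;
  if (validator) validators[name] = validator;
}

// Vulnerable lookup (assumed pattern): each path segment indexes into
// whatever the previous segment returned. For any ordinary (non-arrow)
// function f, f.prototype.constructor === f, so "f.prototype.constructor"
// resolves to f itself.
function resolveByPath(store, path) {
  return path.split('.').reduce(
    (obj, key) => (obj == null ? undefined : obj[key]), store);
}

function runVulnerable(name, req) {
  const fn = resolveByPath(functions, name);
  if (typeof fn !== 'function') throw new Error('no such function');
  const validator = validators[name];  // literal key: misses for the traversed name
  if (validator) validator(req);
  return fn(req);
}

// Hardened lookup: names must be plain identifiers, only own keys are
// consulted, and the same key selects both the function and its validator.
const SAFE_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function runHardened(name, req) {
  if (typeof name !== 'string' || !SAFE_NAME.test(name)) {
    throw new Error('invalid function name');
  }
  if (!hasOwn(functions, name)) throw new Error('no such function');
  if (hasOwn(validators, name)) validators[name](req);
  return functions[name](req);
}

// Constructed sample: a function whose validator demands the master key.
// It is declared with `function`, not an arrow, so it has a prototype.
define(
  'adminOnly',
  function adminOnly() { return 'secret'; },
  function requireMaster(req) {
    if (!req.master) throw new Error('master key required');
  }
);

// Runs the three interesting calls and reports what each produced.
function demo() {
  const out = {};
  const attempt = (label, f) => {
    try { out[label] = f(); } catch (e) { out[label] = e.message; }
  };
  attempt('vulnPlain', () => runVulnerable('adminOnly', {}));
  attempt('vulnTraversed', () => runVulnerable('adminOnly.prototype.constructor', {}));
  attempt('hardTraversed', () => runHardened('adminOnly.prototype.constructor', {}));
  attempt('hardPlain', () => runHardened('adminOnly', {}));
  return out;
}
```

In the vulnerable path the plain name is blocked by the validator but the traversed name runs the same function with no validator at all; the hardened path rejects the traversed name before any lookup happens. Rejecting dots in the name is the simple fix; keying both registries by exact own property is the one that also survives other traversal spellings.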
4.3
CVE-2026-4799 - Open redirect vulnerability in Search Guard Kibana Plugin via manipulated requests
In Search Guard FLX up to version 4.0.1, it is possible to use specially crafted requests to redirect the user to an untrusted URL.
5.3
CVE-2026-34373 - Parse Server: GraphQL API endpoint ignores CORS origin restriction
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0-alpha.10, the GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This bypass…
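An added example, not Parse Server's code: the reflect-everything behaviour the advisory describes beside an origin check that honours an allow-list, plus a small helper for reading a probe response. The shape of `allowOrigin` (a single origin string, an array of origins, or '*') is assumed from the option name; Parse Server's exact semantics are not quoted here, and the origins used are constructed.

```javascript
// Added example, not Parse Server code.

// Vulnerable behaviour: whatever Origin the browser sent is echoed back,
// so any site a logged-in user visits can call the endpoint cross-origin.
function reflectAnyOrigin(requestOrigin) {
  return { 'Access-Control-Allow-Origin': requestOrigin || '*' };
}

// Hardened behaviour: compare the serialised origin exactly against the
// allow-list. Prefix or substring matching would admit
// https://app.example.com.evil.test for an allow-list of
// https://app.example.com, so neither is used.
function corsHeadersFor(requestOrigin, allowOrigin) {
  if (!requestOrigin) return {};  // no Origin header: nothing to grant
  const allowed = Array.isArray(allowOrigin) ? allowOrigin : [allowOrigin];
  if (allowed.includes('*')) return { 'Access-Control-Allow-Origin': '*' };
  if (allowed.includes(requestOrigin)) {
    // Vary: Origin keeps caches from serving one origin's grant to another.
    return { 'Access-Control-Allow-Origin': requestOrigin, Vary: 'Origin' };
  }
  return {};
}

// Reading a probe: send a request with an Origin you do not control in
// production and check whether the response grants it. Header names are
// compared case-insensitively because clients normalise them differently.
function reflectsProbeOrigin(responseHeaders, probeOrigin) {
  const lower = {};
  for (const [k, v] of Object.entries(responseHeaders)) lower[k.toLowerCase()] = v;
  return lower['access-control-allow-origin'] === probeOrigin;
}
```

Checking the two implementations with a constructed probe origin: `reflectsProbeOrigin(reflectAnyOrigin('https://evil.test'), 'https://evil.test')` is true, and the same probe against `corsHeadersFor` with an allow-list of `https://app.example.com` gets no grant at all.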
8.2
CVE-2026-34363 - Parse Server: LiveQuery protected field leak via shared mutable state across concurrent subscribers
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.65 and 9.7.0-alpha.9, when multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects. …
9.6
CVE-2026-0596 - Command Injection in mlflow/mlflow
A command injection vulnerability exists in mlflow/mlflow when serving a model with `enable_mlserver=True`. The `model_uri` is embedded directly into a shell command executed via `bash -c` without proper sanitization. If the `model_uri` contains shell metacharacters, such as `$()` or backticks, it …
2.1
CVE-2026-34224 - Parse Server: MFA single-use token bypass via concurrent authData login requests
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticat…
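An added example, not Parse Server's code, of the race behind a single-use code that is redeemed more than once by concurrent requests: a login that checks the code, awaits, and only then invalidates it lets every request that reached the await see the code as still valid, while a login that consumes the code in one atomic step admits exactly one. The in-memory `CodeStore`, its simulated latency and the `RECOVERY-123` code are constructed; how Parse Server stores its recovery codes is not assumed.

```javascript
// Added example, not Parse Server code.

const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Constructed store standing in for a database of unused single-use codes.
class CodeStore {
  constructor(codes) { this.codes = new Set(codes); }

  // Simulated round-trips: each yields to the event loop, which is where
  // concurrent requests interleave.
  async has(code) { await sleep(1); return this.codes.has(code); }
  async remove(code) { await sleep(1); this.codes.delete(code); }

  // Atomic consume: the existence check and the removal happen in one
  // synchronous step on the store, the way a conditional
  // findOneAndDelete or "DELETE ... WHERE used = false" would. Returns
  // true only for the caller whose removal actually took effect.
  async consume(code) { await sleep(1); return this.codes.delete(code); }
}

// Vulnerable: check, then invalidate. Every request that passes the check
// before the first removal lands is issued a session.
async function loginVulnerable(store, code) {
  if (!(await store.has(code))) return false;
  await store.remove(code);
  return true;  // session issued
}

// Fixed: only the request that consumed the code proceeds.
async function loginFixed(store, code) {
  return store.consume(code);
}

// Fires `attempts` logins with the same code at once and returns how many
// sessions were issued. A correct implementation returns 1.
async function raceLogins(loginFn, attempts) {
  const store = new CodeStore(['RECOVERY-123']);
  const results = await Promise.all(
    Array.from({ length: attempts }, () => loginFn(store, 'RECOVERY-123'))
  );
  return results.filter(Boolean).length;
}
```

Running `raceLogins(loginVulnerable, 5)` resolves to 5 sessions from one recovery code, and `raceLogins(loginFixed, 5)` to 1. The fix is not a lock around the JavaScript; it is making the store's check-and-invalidate a single operation, because any await between the two is a window another request can use.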