CVSS 4.0: 9.1

CVE-2026-32242 - Parse Server OAuth2 adapter shares mutable state across providers via singleton instance

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.11 and 8.6.37, Parse Server's built-in OAuth2 auth adapter exports a singleton instance that is reused directly across all OAuth2 provider configurations. Under concurrent au…
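
The failure mode named in this entry, shared mutable state on a single exported adapter instance, is easy to reproduce. The following is an added example and not Parse Server's code: a hypothetical auth adapter that copies per-provider options onto `self` and reads them back after an await, beside a variant that keeps the options with the call. Provider names, option fields, tokens and the fake token-introspection call are constructed for the illustration.

```python
"""Added example, not Parse Server's code: why an auth adapter exported as a
single shared instance, which copies per-provider options onto itself and reads
them back after an await, mixes providers under concurrency, beside a variant
that keeps the options with the call. Provider names, option fields, tokens and
the fake introspection call are all constructed for this illustration."""
import asyncio

# Constructed per-provider configuration (field names are assumptions).
PROVIDERS = {
    "github": {"introspect_url": "https://github.example/introspect", "audience": "app-gh"},
    "gitlab": {"introspect_url": "https://gitlab.example/introspect", "audience": "app-gl"},
}
# Constructed stand-in for the identity provider's token-introspection reply.
FAKE_INTROSPECTION = {
    "tok-gh": {"aud": "app-gh", "sub": "alice"},
    "tok-gl": {"aud": "app-gl", "sub": "bob"},
}


async def introspect(url: str, token: str) -> dict:
    """Simulated network round trip. The await is where another request's
    coroutine gets to run, which is all the interleaving the bug needs."""
    await asyncio.sleep(0)
    return FAKE_INTROSPECTION[token]


class SingletonAdapter:
    """Vulnerable shape: one module-level instance shared by every provider,
    with the provider's options parked on `self` for the duration of a call."""

    def __init__(self):
        self.options = None

    async def validate(self, token: str, provider_options: dict) -> dict:
        self.options = provider_options                       # shared mutable state
        info = await introspect(self.options["introspect_url"], token)
        expected = self.options["audience"]                   # may now be another provider's
        return {"ok": info["aud"] == expected, "checked_against": expected, "sub": info["sub"]}


singleton = SingletonAdapter()   # the shared instance, as a module-level export would be


class StatelessAdapter:
    """Hardened shape: the options travel with the call and nothing is stored on
    the instance, so sharing one instance is harmless. Creating one adapter
    instance per provider configuration is the other workable fix."""

    async def validate(self, token: str, provider_options: dict) -> dict:
        info = await introspect(provider_options["introspect_url"], token)
        expected = provider_options["audience"]
        return {"ok": info["aud"] == expected, "checked_against": expected, "sub": info["sub"]}


async def _race(adapter) -> list:
    # A GitHub login and a GitLab login validated at the same time, in this order.
    return await asyncio.gather(
        adapter.validate("tok-gh", PROVIDERS["github"]),
        adapter.validate("tok-gl", PROVIDERS["gitlab"]),
    )


def run_race(adapter) -> list:
    """Returns both results. With the singleton, the GitHub request ends up
    checked against GitLab's audience: the GitLab request overwrote
    self.options while the first introspection was in flight."""
    return asyncio.run(_race(adapter))


if __name__ == "__main__":
    print("singleton:", run_race(singleton))
    print("stateless:", run_race(StatelessAdapter()))
```

The interleaving is deterministic here because `asyncio.gather` schedules the two tasks in order and each yields exactly once; in a real server the same overwrite happens whenever two providers' validations overlap, so the bug shows up as intermittent failures or, worse, as one provider's audience or endpoint being applied to another's token.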

📅 Published: March 12, 2026, 6:49 p.m. 🔄 Last Modified: March 23, 2026, 9:55 a.m.

CVSS 3.1: 4.4

CVE-2026-32237 - @backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run…

Backstage is an open framework for building developer portals. Prior to 3.1.5, authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all par…

📅 Published: March 12, 2026, 6:38 p.m. 🔄 Last Modified: April 30, 2026, 6:34 p.m.

CVSS 4.0: 1.7

CVE-2026-32236 - @backstage/plugin-auth-backend: SSRF in experimental CIMD metadata fetch

Backstage is an open framework for building developer portals. Prior to 0.27.1, a Server-Side Request Forgery (SSRF) vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD metadata fetch validates the initial client_id…

📅 Published: March 12, 2026, 6:37 p.m. 🔄 Last Modified: April 16, 2026, 3 a.m.

CVSS 3.1: 5.9

CVE-2026-32235 - @backstage/plugin-auth-backend: OAuth redirect URI allowlist bypass

Backstage is an open framework for building developer portals. Prior to 0.27.1, the experimental OIDC provider in @backstage/plugin-auth-backend is vulnerable to a redirect URI allowlist bypass. Instances that have enabled experimental Dynamic Client Registration or Client ID Metadata Documents and…

📅 Published: March 12, 2026, 6:35 p.m. 🔄 Last Modified: March 23, 2026, 9:55 a.m.

CVSS 3.1: 8.2

CVE-2026-32138 - NEXULEAN API Key Leak

NEXULEAN is a cybersecurity portfolio & service platform for an Ethical Hacker, AI Enthusiast, and Penetration Tester. Prior to 2.0.0, a security vulnerability was identified where Firebase and Web3Forms API keys were exposed. An attacker could use these keys to interact with backend services witho…

📅 Published: March 12, 2026, 6:32 p.m. 🔄 Last Modified: April 16, 2026, 2:47 p.m.

CVSS 4.0: 2.7

CVE-2026-3497 - openssh: OpenSSH GSSAPI: Information disclosure or denial of service due to uninitialized variables

Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the p…

📅 Published: March 12, 2026, 6:27 p.m. 🔄 Last Modified: March 23, 2026, 9:55 a.m.

CVSS 4.0: 8.8

CVE-2026-32232 - ZeptoClaw: Path boundary checks bypass via symlink, TOCTOU, and hardlink

ZeptoClaw is a personal AI assistant. Prior to 0.7.6, there is a Dangling Symlink Component Bypass, TOCTOU Between Validation and Use, and Hardlink Alias Bypass. This vulnerability is fixed in 0.7.6.

📅 Published: March 12, 2026, 6:24 p.m. 🔄 Last Modified: March 23, 2026, 9:55 a.m.

CVSS 3.1: 8.2

CVE-2026-32231 - ZeptoClaw: Generic webhook channel trusts caller-supplied identity fields; allowlist is checked aga…

ZeptoClaw is a personal AI assistant. Prior to 0.7.6, the generic webhook channel trusts caller-supplied identity fields (sender, chat_id) from the request body and applies authorization checks to those untrusted values. Because authentication is optional and defaults to disabled (auth_token: None)…
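
The pattern here, an allowlist checked against identity fields the caller wrote into the request body, is worth seeing next to its fix. The following is an added example and not ZeptoClaw's code: a hypothetical webhook handler that authorises the body's `sender`, with authentication optional and off by default, beside one that requires a bearer token and derives the sender from that token, so body fields remain data and never identity. The tokens, the allowlist and the requests are constructed; all names are assumptions.

```python
"""Added example, not ZeptoClaw's code: a webhook handler that authorises the
sender named in the request body, beside one that requires a bearer token and
derives the sender from the token. Tokens, allowlist and requests are
constructed; names are assumptions."""
import hmac
import json

ALLOWLIST = {"alice"}                                          # constructed: who may drive the assistant
TOKENS = {"tok-alice-9f3c": "alice", "tok-bob-71aa": "bob"}   # constructed per-sender tokens

# Constructed requests: a dict with "headers" and a JSON "body".
FORGED = {"headers": {}, "body": json.dumps({"sender": "alice", "chat_id": "ops"})}
BOB_AS_ALICE = {"headers": {"Authorization": "Bearer tok-bob-71aa"},
                "body": json.dumps({"sender": "alice", "chat_id": "ops"})}
ALICE = {"headers": {"Authorization": "Bearer tok-alice-9f3c"},
         "body": json.dumps({"sender": "alice", "chat_id": "ops"})}


def vulnerable_handle(request: dict, auth_token=None) -> dict:
    """Auth is optional and off by default (auth_token=None); the allowlist is
    checked against whatever sender the caller typed into the body."""
    if auth_token is not None:
        if request["headers"].get("Authorization") != "Bearer " + auth_token:
            return {"status": 401}
    body = json.loads(request["body"])
    sender = body.get("sender")                 # caller-controlled
    if sender not in ALLOWLIST:
        return {"status": 403}
    return {"status": 200, "acting_as": sender, "chat_id": body.get("chat_id")}


def sender_from_token(request: dict):
    """Maps a presented bearer token to a sender. Every known token is compared
    in constant time so the lookup does not reveal which one matched."""
    auth = request["headers"].get("Authorization", "")
    presented = auth[len("Bearer "):].encode() if auth.startswith("Bearer ") else b""
    found = None
    for token, who in TOKENS.items():
        if hmac.compare_digest(presented, token.encode()):
            found = who
    return found


def hardened_handle(request: dict) -> dict:
    """Auth mandatory; identity comes from the credential. The body's 'sender'
    plays no part in authorisation."""
    sender = sender_from_token(request)
    if sender is None:
        return {"status": 401}
    if sender not in ALLOWLIST:
        return {"status": 403}
    body = json.loads(request["body"])
    return {"status": 200, "acting_as": sender, "chat_id": body.get("chat_id")}


def run_demo() -> dict:
    return {
        "vulnerable_forged": vulnerable_handle(FORGED)["status"],
        "hardened_forged": hardened_handle(FORGED)["status"],
        "hardened_bob_claiming_alice": hardened_handle(BOB_AS_ALICE)["status"],
        "hardened_alice": hardened_handle(ALICE),
    }
```

A single shared token, the kind an `auth_token` option usually carries, only proves the caller knows the token; to make an allowlist meaningful the identity has to be bound to the credential, as with the per-sender tokens above or a signature over the payload keyed per sender.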

📅 Published: March 12, 2026, 6:22 p.m. 🔄 Last Modified: March 23, 2026, 9:55 a.m.

CVSS 3.1: 5.3

CVE-2026-32142 - shopware/commercial: `/api/_info/config` route exposes information about licenses

Shopware is an open commerce platform. /api/_info/config route exposes information about licenses. This vulnerability is fixed in 7.8.1 and 6.10.15.

📅 Published: March 12, 2026, 6:17 p.m. 🔄 Last Modified: April 16, 2026, 2:47 p.m.

CVSS 4.0: 5.4

CVE-2025-13913 - Inductive Automation Ignition Software Deserialization of Untrusted Data

A privileged Ignition user, intentionally or otherwise, imports an external file with a specially crafted payload, which executes embedded malicious code.

📅 Published: March 12, 2026, 6:17 p.m. 🔄 Last Modified: March 20, 2026, 3:48 p.m.
Total results: 349182
Page 1149 of 34,919