5.3
CVE-2026-30954 - LinkAce has a Cross-User Tag/List Attachment IDOR in processTaxonomy()
LinkAce is a self-hosted archive to collect website links. In 2.1.0 and earlier, the processTaxonomy() method in LinkRepository.php allows authenticated users to attach other users' private tags and lists to their own links by passing integer IDs.
7.7
CVE-2026-30953 - LinkAce affected by SSRF via link creation: NoPrivateIpRule not applied to LinkStoreRequest
LinkAce is a self-hosted archive to collect website links. When a user creates a link via POST /links, the server fetches HTML metadata from the provided URL (LinkRepository::create() calls HtmlMeta::getFromUrl()). The LinkStoreRequest validation rules do not include NoPrivateIpRule, allowing serveβ¦
7.4
CVE-2025-66413 - Git for Windows leaks NTLM hash when cloning from an attacker-controlled server
Git for Windows is the Windows port of Git. Prior to 2.53.0(2), it is possible to obtain a user's NTLM hash by tricking them into cloning from a malicious server. Since NTLM hashing is weak, it is possible for the attacker to brute-force the user's account name and password. This vulnerability is fβ¦
8.7
CVE-2026-30952 - liquidjs has a path traversal fallback vulnerability
liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.0, the layout, render, and include tags allow arbitrary file access via absolute paths (either as string literals or through Liquid variables, the latter require dynamicPartials: true, which is the deβ¦
7.5
CVE-2026-30951 - Sequelize v6 Vulnerable to SQL Injection via JSON Column Cast Type
Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The _traverseJSON() function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST(... AS <type>) SQL. An attacker who controls Jβ¦
7.6
CVE-2026-30949 - Parse Server is missing audience validation in Keycloak authentication adapter
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.5 and 8.6.18, the Keycloak authentication adapter does not validate the azp (authorized party) claim of Keycloak access tokens against the configured client-id. A valid accesβ¦
8.3
CVE-2026-30948 - Parse Server has stored cross-site scripting (XSS) via SVG file upload
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.4 and 8.6.17, a stored cross-site scripting (XSS) vulnerability allows any authenticated user to upload an SVG file containing JavaScript. The file is served inline with Contβ¦
8.7
CVE-2026-30947 - Parse Server ha a bypass of class-level permissions in LiveQuery
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.3 and 8.6.16, class-level permissions (CLP) are not enforced for LiveQuery subscriptions. An unauthenticated or unauthorized client can subscribe to any LiveQuery-enabled claβ¦
5.4
CVE-2025-13213 - Multiple vulnerabilities in IBM Aspera Orchestrator
IBM Aspera Orchestrator 3.0.0 through 4.1.2 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system,Β including cross-site scripting, cache poisoning or session hijacking
8.7
CVE-2026-30946 - Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior 9.5.2-alpha.2 and 8.6.15, an unauthenticated attacker can exhaust Parse Server resources (CPU, memory, database connections) through crafted queries that exploit the lack of complexity limiβ¦