field
54 known vulnerabilities · 2 critical · 7 high
Stored XSS in SEO Fields Leads to Authenticated API Data Exposure in ApostropheCMS
Hidden fields can be leaked on readable collections in Payload
ApostropheCMS: Information Disclosure via choices/counts Query Parameters Bypassing publicApiProjection Field Restrictions
Parse Server has a protected fields bypass via logical query operators
Directus: Authenticated Users Can Extract Concealed Fields via Aggregate Queries
Ghost vulnerable to information disclosure of private API fields
Directus: Sensitive fields exposed in revision history
XSS in the `altField` option of the Datepicker widget in jquery-ui
Parse Server has a SQL injection via query field name when using PostgreSQL
h3: SSE Event Injection via Unsanitized Carriage Return (`\r`) in EventStream Data and Comment Fields (Bypass of CVE Fix)
Parse Server session creation endpoint allows overwriting server-generated session fields
Bypass of field access control in strapi-plugin-protected-populate
Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL
Directus `search` query parameter allows enumeration of non permitted fields
Malicious code in pp-amount-field (npm)
h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields
Strapi's field level permissions not being respected in relationship title
Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`
jsPDF has PDF Injection in AcroFormChoiceField that allows Arbitrary JavaScript Execution
llhttp allows HTTP Request Smuggling via Improper Delimiting of Header Fields
ApostropheCMS: Stored XSS via CSS Custom Property Injection in @apostrophecms/color-field Escaping Style Tag Context
Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter
Leaking sensitive user information still possible by filtering on private with prefix fields
Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause
Parse Server's Session Update endpoint allows overwriting server-generated session fields
Parse Server has a protected field change detection oracle via LiveQuery watch parameter
LiveQuery protected field leak via shared mutable state across concurrent subscribers
Parse Server: SQL injection via dot-notation field name in PostgreSQL
Signal K Server: Arbitrary Prototype Read via `from` Field Bypass
Malicious code in dropdownformfield (npm)
Hono Vulnerable to SSE Control Field Injection via CR/LF in writeSSE()
Parse Server leaks protected fields via LiveQuery afterEvent trigger
@apollo/composition has Improper Enforcement of Access Control on Interface Types and Fields
Strapi leaking sensitive user information by filtering on private fields
Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value
Forge has signature forgery in RSA-PKCS due to ASN.1 extra field
NocoDB Vulnerable to Stored Cross-site Scripting via Rich Text Field
Malicious code in @harrysforge/input-field (npm)
Malicious code in @nestor_hexom/garfield (npm)
Malicious code in garfield777 (npm)
Malicious code in p2p-amount-field (npm)
Malicious code in react-address-entry-field (npm)
OpenClaw Exposes Credentials Embedded in baseUrl Fields via config.get and channels.status
Malicious code in garfield000 (npm)
Parse Server has a session field immutability bypass via falsy-value guard
Unauthorized Access to Private Fields in User Registration API
Parse Server has a protected fields bypass via dot-notation in query and sort
Malicious code in @nestor_hexom/garfield1 (npm)