serve
534 known vulnerabilities · 21 critical · 96 high
Information Exposure on Case Insensitive File Systems in serve
vercel/serve allows access to restricted files if filename is URL encoded.
Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up
Opening a malicious website while running a Nuxt dev server could allow read-only access to code
OpenClaw's sandbox browser noVNC observer lacked VNC authentication
a11y-mcp: Server-Side Request Forgery (SSRF) vulnerability in A11yServer function
Malicious code in @seezo/sdr-mcp-server (npm)
parse-server's session object properties can be updated by foreign user if object ID is known
Parse Server vulnerable to Prototype Pollution via Cloud Code Webhooks or Cloud Code Triggers
Malicious code in mongodb-stitch-server-testutils (npm)
Malicious code in @protos-team/frontend-server (npm)
Parse Server vulnerable to brute force guessing of user sensitive data via search patterns
Server crashes on invalid Cloud Function or Cloud Job name
Markdownify MCP Server allows Server-Side Request Forgery (SSRF) via the Markdownify.get() function
matrix-js-sdk can be tricked into disclosing E2EE room keys to a participating homeserver
@grackle-ai/server JSON.parse lacks try-catch logic in its gRPC Service AdapterConfig Handling
webpack-dev-server users' source code may be stolen when they access a malicious web site
Parse Server has an auth provider validation bypass on login via partial authData
TinaCMS CLI Dev Server Vulnerable to Cross-Origin File Exfiltration via CORS Misconfiguration + Path Traversal in TinaCMS
Malicious code in pgserve (npm)
Astro's server source code is exposed to the public if sourcemaps are enabled
@node-oauth/oauth2-server: PKCE code_verifier ABNF not enforced in token exchange allows brute-force redemption of intercepted authorization codes
Parse Server has a protected fields bypass via logical query operators
Parse Server has a bypass of class-level permissions in LiveQuery
Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding
Backstage Scaffolder plugin vulnerable to Server-Side Request Forgery
webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser
OpenCode's Unauthenticated HTTP Server Allows Arbitrary Command Execution
Astro development server error page is vulnerable to reflected Cross-site Scripting
MCP Server Kubernetes has an Argument Injection in port_forward tool via space-splitting
Angular: SSRF via protocol-relative and backslash URLs in Angular Platform-Server
Websites were able to send any requests to the development server and read the response in vite
parse-server's endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user
Next.js has a Denial of Service with Server Components
Astro: Memory exhaustion DoS due to missing request body size limit in Server Islands
Parse Server has a SQL injection via query field name when using PostgreSQL
SSRF in @aborruso/ckan-mcp-server via base_url allows access to internal networks
OpenClaw has a Matrix allowlist bypass via displayName and cross-homeserver localpart matching
Parse Server's custom object ID allows to acquire role privileges
Parse Server vulnerable to user enumeration via email verification endpoint
h3 has a Path Traversal via Percent-Encoded Dot Segments in serveStatic Allows Arbitrary File Read
Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled
Parse Server may crash when uploading file without extension
Dark Reader gives users the ability to request style sheets from local web servers
Parse Server's LiveQuery bypasses CLP pointer permission enforcement
Signal K Server Vulnerable to Unauthenticated Information Disclosure via Exposed Endpoints
MCP Server Kubernetes vulnerable to command injection in several tools
HackMD MCP Server has Server-Side Request Forgery (SSRF) vulnerability
Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter)
Parse Server LiveQuery subscription with invalid regular expression crashes server
Server-Side Request Forgery and Inclusion of Functionality from Untrusted Control Sphere in jsreport
Malicious code in resize-observe (npm)
Malicious code in wise_lena_bot_server (npm)
Malicious code in fxa-admin-server (npm)
Nu Html Checker (vnu) contains a Server-Side Request Forgery (SSRF) vulnerability
React Server Components are Vulnerable to RCE
fast-xml-parser has stack overflow in XMLBuilder with preserveOrder
Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery
Parse Server session creation endpoint allows overwriting server-generated session fields
OpenClaw's runtime /debug override path accepted prototype-reserved keys
Parse Server has role escalation and CLP bypass via direct `_Join` table write
@grackle-ai/server has a Missing Secure Flag on Session Cookie
Nuxt OG Image vulnerable to Server-Side Request Forgery via user-controlled parameters
Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution
Parse Server's GraphQL WebSocket endpoint bypasses security middleware
Malicious code in dexter-server (npm)
Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization
Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL
Vite XSS vulnerability in `server.transformIndexHtml` via URL payload
Directus vulnerable to Server-Side Request Forgery On File Import
Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url
Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint
Microsoft Playwright MCP Server vulnerable to DNS Rebinding Attack; Allows Attackers Access to All Server Tools
evershop allows unauthenticated attackers to exhaust application server's resources via "GET /images" API
Vite's `server.fs.deny` did not deny requests for patterns with directories.
Malicious code in @hongfangze/simple-resource-server (npm)
h3: Double Decoding in `serveStatic` Bypasses `resolveDotSegments` Path Traversal Protection via `%252e%252e`
Parse Server vulnerable to schema poisoning via prototype pollution in deep copy
ZDI-CAN-19105: Parse Server literalizeRegexPart SQL Injection
Parse Server has a NoSQL injection via token type in password reset and email verification endpoints
Utils.readChallengeTx does not verify the server account signature
@actual-app/sync-server: Missing authorization in sync endpoints allows cross-user budget file access in multi-user mode
LangSmith Client SDK Affected by Server-Side Request Forgery via Tracing Header Injection
Vite: `server.fs.deny` bypassed with queries
@adonisjs/http-server has an Open Redirect vulnerability
Parse Server vulnerable to session token exfiltration via `redirectClassNameForKey` query parameter
mcp-remote exposed to OS command injection via untrusted MCP server connections
Malicious code in datadog-serverless-macro (npm)
SignalK Server has Path Traversal leading to information disclosure
Malicious code in mitui-base-server (npm)
RedwoodSDK has a CSRF vulnerability in server function dispatch via GET requests
Parse Server vulnerable to LDAP injection via unsanitized user input in DN and group filter construction
@grackle-ai/server: Unescaped Error String in renderPairingPage() HTML Template
Parse Server affected by empty authData bypassing credential requirement on signup
Parse Server: MFA recovery code single-use bypass via concurrent requests
Parse Server before v3.4.1 vulnerable to Denial of Service
Strapi plugins vulnerable to Server-Side Template Injection and Remote Code Execution in the Users-Permissions Plugin
Vite's server.fs.deny bypassed with /. for files under project root
@modelcontextprotocol/sdk has cross-client data leak via shared server/transport instance reuse
Malicious code in breakout-chat-server (npm)
Vite has an `server.fs.deny` bypass with an invalid `request-target`
Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter
Malicious code in pingserver-test.01 (npm)
@grackle-ai/server has Missing Content-Security-Policy and X-Frame-Options Headers
@cyanheads/git-mcp-server vulnerable to command injection in several tools
Malicious code in 47cliens_server (npm)
@hono/node-server: Middleware bypass via repeated slashes in serveStatic
Malicious code in fxa-profile-server (npm)
Signal K Server Vulnerable to Remote Code Execution via Malicious npm Package
Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries
Sync-in Server has Username Enumeration via Timing Attack
Malicious code in scilla-server (npm)
Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution
Budibase Unrestricted Server-Side Request Forgery (SSRF) via REST Datasource Query Preview
Parse Server missing audience validation in Keycloak authentication adapter
Parse Server has a query condition depth bypass via pre-validation transform pipeline
express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting on servers with dual-stack network
Malicious code in fas_elbridge_server (npm)
Malicious code in showcase-server (npm)
Malicious code in @xvideos/server (npm)
Vite's `server.fs.deny` is bypassed when using `?import&raw`
Sync-in Server has a stored cross-site scripting (XSS) vulnerability
ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability
h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields
Node.js Sandbox MCP Server vulnerability can lead to Sandbox Escape via Command Injection
Apollo Server: Browser bug allows for bypass of XS-Search (read-only Cross-Site Request Forgery) prevention
Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling
Malicious code in serverless-provisioned-memory-report (npm)
Malicious code in @asyncapi/server-api (npm)
Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API
Malicious code in http-long-poll-server (npm)
React Router has CSRF issue in Action/Server Action Request Processing
Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem
Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`
Command injection in Parse Server through prototype pollution
Portkey.ai Gateway: Server-Side Request Forgery (SSRF) in Custom Host
Paperclip: Approval decision attribution spoofing via client-controlled `decidedByUserId` in paperclip server
Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format
Malicious code in nfs-server-alpine (npm)
serve-static vulnerable to template injection that can lead to XSS
Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events
parse-server auth adapter app ID validation can be circumvented
Parse Server OAuth2 authentication adapter account takeover via identity spoofing
Signal K Server has an Unauthenticated Regular Expression Denial of Service (ReDoS) via WebSocket Subscription Paths
@vitejs/plugin-rsc has a Denial of Service with React Server Components
evershop allows unauthenticated attackers to force server to initiate HTTP request via "GET /images" API
Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes
code-server vulnerable to Missing Origin Validation in WebSockets
mcp-server-kubernetes has potential security issue in exec_in_pod tool
React Server Components have multiple Denial of Service Vulnerabilities
Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory
Vite allows server.fs.deny to be bypassed with .svg or relative paths
Parse Server: Denial of Service via unindexed database query for unconfigured auth providers
Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload
Malicious code in @relyt/mcp-server-relytone (npm)
Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks
Malicious code in bfx-lib-server-js (npm)
OneUptime has WebAuthn 2FA bypass: server accepts client-supplied challenge instead of server-stored value, allowing credential replay
Malicious code in ee-server-auth-nodejs (npm)
parse-server: Malformed `$regex` query leaks database error details in API response
Malicious code in okfe-serverless-conf (npm)
Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter
Gatsby develop server has Local File Inclusion vulnerability
Vite Plugin React has a Source Code Exposure Vulnerability in React Server Components
Vite Plugin React has a Denial of Service Vulnerability in React Server Components
Malicious code in @f5rest/odata-v4-server (npm)
Signal K Server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow
Ghost vulnerable to Server Side Request Forgery (SSRF) via oEmbed Bookmark
Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables
Malicious code in server-bare-log (npm)
Malicious code in preview-server-auth (npm)
Parse Server has a login timing side-channel reveals user existence
Vite middleware may serve files starting with the same name with the public directory
Malicious code in jobserver (npm)
Malicious code in @jd-org/clear-server (npm)
Signal K Server: Unauthenticated Source Priorities Manipulation
Malicious code in gson-server (npm)
Payload: Server-Side Request Forgery (SSRF) in External File URL Uploads
Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL
angular-server-side-configuration information disclosure vulnerability in monorepo with node.js backend
parse-server crashes when receiving file download request with invalid byte range
Malicious code in flipper-server-companion (npm)
Malicious code in xnil-server (npm)
Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause
Parse Server's Session Update endpoint allows overwriting server-generated session fields
Malicious code in nayan-apis-server (npm)
Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement
Parse Server has a protected field change detection oracle via LiveQuery watch parameter
Malicious code in vue-dev-serverr (npm)
Parse Server: SQL injection via dot-notation field name in PostgreSQL
Malicious code in ui5-cap-event-app-server (npm)
Server side request forgery in SwaggerUI
Malicious code in truth-loop-server (npm)
Signal K Server: Arbitrary Prototype Read via `from` Field Bypass
Parse Server option `masterKeyIps` vulnerability to IP spoofing
Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation
Parse Server has a password reset token single-use bypass via concurrent requests
Malicious code in @wxi-dev/serverless-tsc-config (npm)
Malicious code in react-server-dom-unbundled (npm)
Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types
Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE)
Uptime Kuma Server-side Template Injection (SSTI) in Notification Templates Allows Arbitrary File Read
Malicious code in foxy.io-serverless-functions-on-netlify-demo (npm)
@hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware
Malicious code in picl-server (npm)
TerriaJS-Server has a domain validation bypass vulnerability in its proxy allowlist
Parse Server exposes auth data via verify password endpoint
Svelte vulnerable to XSS when using objects during server-side rendering
Malicious code in lite-serper-mcp-server (npm)
Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter
Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters
Malicious code in @confluence-classic/confluence-frontend-server (npm)
Parse Server leaks protected fields via LiveQuery afterEvent trigger
serverless MCP Server vulnerable to Command Injection in list-projects tool
Astro vulnerable to reflected XSS via the server islands feature
Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query
Malicious code in node-server-sdk (npm)
Parse Server's Cloud function dispatch crashes server via prototype chain traversal
uppy's companion module is vulnerable to Server-Side Request Forgery (SSRF)
Malicious code in @postman/postman-mcp-server (npm)
Agions taskflow-ai vulnerable to os command injection in src/mcp/server/handlers.ts
Hono vulnerable to Restricted Directory Traversal in serveStatic with deno
Parse Server: Account takeover via operator injection in authentication data identifier
esbuild enables any website to send any requests to the development server and read the response
Malicious code in paypal-sdk-server-side-integration (npm)
Malicious code in whatsapp-otp-sample-server (npm)
Malicious code in nodes-tree-visualizer-server (npm)
Fetch MCP Server has a Server-Side Request Forgery (SSRF) vulnerability
@executeautomation/database-server does not properly restrict access, bypassing a "read-only" mode
Malicious code in mz-server (npm)
Azure MCP Server has Server-Side Request Forgery issue that allows authorized attacker to elevate privileges over a network
Parse Server email verification resend page leaks user existence
@vitejs/plugin-rsc Remote Code Execution through unsafe dynamic imports in RSC server function APIs on development server
Malicious code in ids-enterprise-mcp-server (npm)
code-server's session cookie can be extracted by having user visit specially crafted proxy URL
Malicious code in dapp-inter-agservers (npm)
Malicious code in dedicated-servers (npm)
Astro has memory exhaustion DoS due to missing request body size limit in Server Actions
Malicious code in @reserach_org_jfhalsdhfkslsfds/openai-server-skfghdg (npm)
Malicious code in replit-desktop-release-server (npm)
ActualBudget server is Missing Authentication for SimpleFIN and Pluggy AI bank sync endpoints
Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value
Qwik vulnerable to Unauthenticated RCE via server$ Deserialization
Malicious code in ui-extensions-server-kit (npm)
lobe-chat `/api/proxy` endpoint Server-Side Request Forgery vulnerability
Parse Server's OAuth2 adapter shares mutable state across providers via singleton instance
parse-server's file creation and deletion bypasses `readOnlyMasterKey` write restriction
Malicious code in engage-digital-source-server-template-js (npm)
Malicious code in cors-typescript-server (npm)
Flowise Cors Misconfiguration in packages/server/src/index.ts
@dapperduckling/keycloak-connector-server has Reflected XSS Vulnerability in Authentication Flow URL Handling
Parse Server's Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction
Malicious code in homeappserver (npm)
Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist
Hono: Middleware bypass via repeated slashes in serveStatic
awwaiid mcp-server-taskwarrior vulnerable to command injection
Malicious code in grenache-fib-server (npm)
Next Server Actions Source Code Exposure
Duplicate Advisory: OpenClaw's sandbox browser noVNC observer lacked VNC authentication
@grackle-ai/server has Missing WebSocket Origin Header Validation
Flowise affected by Server-Side Request Forgery (SSRF) in HTTP Node Leading to Internal Network Access
next-mdx-remote affected by arbitrary code execution in React server-side rendering of untrusted MDX content
Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components
Parse Server's streaming file download bypasses afterFind file trigger authorization
RedwoodSDK has Same-site CSRF through lack of origin validation in its server actions
Malicious code in @gameforge/http-server (npm)
Signal K Server: Privilege Escalation by Admin Role Injection via /enableSecurity
Path Traversal in angular-http-server
Malicious code in @xvideos/server-inherited (npm)
Malicious code in ace_authorization_server (npm)
Actual has Privilege Escalation via 'change-password' Endpoint on OpenID-Migrated Servers
Malicious code in defillama-apy-server (npm)
Hono vulnerable to arbitrary file access via serveStatic vulnerability
Malicious code in agoric-servers (npm)
Path traversal in oak allows transfer of hidden files within the served root directory
Malicious code in mcp-server-fixthis (npm)
Malicious code in gxm-reference-web-auth-server (npm)
Malicious code in chain-reserve-wallet-adapter (npm)
Malicious code in nayan-apis-servers (npm)
Malicious code in driver-app-server (npm)
Malicious code in raise-http-server (npm)
Malicious code in apple-app-store-server-library-poc (npm)
Malicious code in matlab-language-server (npm)
Malicious code in addons-server (npm)
Malicious code in vro-language-server (npm)
Malicious code in @rezserver/fetlife-assets (npm)
Malicious code in vscode-azure-mcp-server (npm)
Malicious code in @lanyer640/mcp-runcommand-server (npm)
Malicious code in @xvideos/auth-server (npm)
Malicious code in exodus-update-server (npm)
Malicious code in mattermost-metrics-server (npm)
Malicious code in react-server-dom-turbopack-experimental (npm)
Malicious code in node-config-server-utils (npm)
Malicious code in ing-kit-dev-server (npm)
Malicious code in @adminproxy/module-utils-server (npm)
Malicious code in notebooklanguageserver (npm)
Malicious code in inno-basic-server (npm)
Malicious code in grenache-nodejs-example-fib-server (npm)
Malicious code in grenache-nodejs-fib-server (npm)
Malicious code in serverless-action (npm)
Malicious code in jscs-server (npm)
Malicious code in upchieve-server (npm)
Malicious code in near-api-server (npm)
Malicious code in serverlog-dispatch (npm)
Malicious code in proof-of-reserves-adapter (npm)
Malicious code in operation-server-sdk (npm)
Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket
Malicious code in mcp-server-everything (npm)
Parse Server: File upload Content-Type override via extension mismatch
Parse Server has an MFA single-use token bypass via concurrent authData login requests
Malicious code in pagespeed-server (npm)
Malicious code in @xvideos/server-base (npm)
Malicious code in paypay-sample-ecommerce-server (npm)
Malicious code in webpack-dev-server.legacy (npm)
Malicious code in usaa-mock-server (npm)
Malicious code in adroit-websdk-server (npm)
Malicious code in webhooks-resources-nodejs-server (npm)
parse-server new anonymous user session acts as if it's created with password
Malicious code in cua-primitives-server (npm)
Malicious code in strapi-plugin-server (npm)
Malicious code in prompt-eng-server (npm)
Malicious code in react-server-dom-vite (npm)
Malicious code in nayan-server (npm)
Malicious code in nayan-api-server (npm)
Malicious code in discord-bot-server (npm)
Malicious code in @posthog/web-dev-server (npm)
Malicious code in @posthog/plugin-server (npm)
Malicious code in @browserbasehq/mcp-server-browserbase (npm)
Malicious code in samples-cors-typescript-server (npm)
Malicious code in paypal-scripts-server-utils (npm)
Malicious code in seal_online_node_server (npm)
Malicious code in klook-tetris-server (npm)
Malicious code in server_qa_automation (npm)
Malicious code in serverbeat (npm)
Malicious code in serverjsdefine (npm)
Malicious code in serverless-api-partners (npm)
Malicious code in serverless-infrastructure (npm)
Malicious code in serverless-push-hasura (npm)
Malicious code in serverless-yandex-cloud-template (npm)
Malicious code in @ensdomains/server-analytics (npm)
Malicious code in sifchain-changes-server (npm)
Malicious code in skywriter_server (npm)
Malicious code in myfirstdependencywithserver (npm)
Malicious code in media-server-embed (npm)
engram: HTTP server CORS wildcard + auth-off-by-default enables CSRF graph exfiltration and persistent indirect prompt injection
Malicious code in @xvideos/facade-server (npm)
React Server Components have a Denial of Service Vulnerability
jsPDF Affected by Client-Side/Server-Side Denial of Service via Malicious GIF Dimensions
Malicious code in paypal-server-sdk (npm)
Malicious code in serve-static-corell (npm)
Malicious code in onboarding-server (npm)
Malicious code in www-server (npm)
Parse Server has a session field immutability bypass via falsy-value guard
parse-server has GraphQL complexity validator exponential fragment traversal DoS
Next Vulnerable to Denial of Service with Server Components
CouchAuth has a Server-Side Template Injection vulnerability in its email functionality
Malicious code in gatsby-mars-pet-parent-journey--server (npm)
Malicious code in unms-server (npm)
Parse Server has a protected fields bypass via dot-notation in query and sort
parse-server has cloud function validator bypass via prototype chain traversal
Malicious code in webhooks-server (npm)
Malicious code in apple-appstore-server-library (npm)
Malicious code in https-servers (npm)
Malicious code in webpack-dev-serve-middleware (npm)
Malicious code in console-webapp-static-server (npm)
Malicious code in mcp-server-todo (npm)
Malicious code in falcor-server (npm)
Malicious code in pay-by-bank-dashboard-server (npm)
Malicious code in snapshot-server (npm)
Malicious code in react-server-dom-webpack-experimental (npm)
Malicious code in @actbase/node-server (npm)
Malicious code in kyxserver-everything (npm)
Malicious code in server-fpti (npm)
Malicious code in @voiceflow/serverless-plugin-typescript (npm)
Malicious code in server-log-engine (npm)
Malicious code in server-tiny-log (npm)
Malicious code in react-server-dom-fb (npm)
Malicious code in inspector-server (npm)
Malicious code in npe-toolkit-server-deps (npm)
Malicious code in demo-mercadopago-mcp-server (npm)