CWE-683
AllowedFunction Call With Incorrect Order of Arguments
Abstraction: Variant · Status: Draft
The product calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses.
9 vulnerabilities reference this CWE, most recent first.
CVE-2026-32269 (GCVE-0-2026-32269)
Vulnerability from cvelistv5 – Published: 2026-03-12 19:43 – Updated: 2026-03-13 16:11- CWE-683 - Function Call With Incorrect Order of Arguments
| URL | Tags |
|---|---|
| https://github.com/parse-community/parse-server/s… | x_refsource_CONFIRM |
| https://github.com/parse-community/parse-server/r… | x_refsource_MISC |
| https://github.com/parse-community/parse-server/r… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| parse-community | parse-server |
Affected:
>= 9.0.0, < 9.6.0-alpha.13
Affected: >= 8.0.2, < 8.6.39 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32269",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-13T16:11:12.313618Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T16:11:21.212Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "parse-server",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003e= 9.0.0, \u003c 9.6.0-alpha.13"
},
{
"status": "affected",
"version": "\u003e= 8.0.2, \u003c 8.6.39"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.13 and 8.6.39, the OAuth2 authentication adapter does not correctly validate app IDs when appidField and appIds are configured. During app ID validation, a malformed value is sent to the token introspection endpoint instead of the user\u0027s actual access token. Depending on the introspection endpoint\u0027s behavior, this could either cause all OAuth2 logins to fail, or allow authentication from disallowed app contexts if the endpoint returns valid-looking data for the malformed request. Deployments using the OAuth2 adapter with appidField and appIds configured are affected. This vulnerability is fixed in 9.6.0-alpha.13 and 8.6.39."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-683",
"description": "CWE-683: Function Call With Incorrect Order of Arguments",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-12T19:43:23.632Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-69xg-f649-w5g2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-69xg-f649-w5g2"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/8.6.39",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/8.6.39"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.13",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.13"
}
],
"source": {
"advisory": "GHSA-69xg-f649-w5g2",
"discovery": "UNKNOWN"
},
"title": "Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32269",
"datePublished": "2026-03-12T19:43:23.632Z",
"dateReserved": "2026-03-11T15:05:48.398Z",
"dateUpdated": "2026-03-13T16:11:21.212Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24846 (GCVE-0-2026-24846)
Vulnerability from cvelistv5 – Published: 2026-01-29 21:12 – Updated: 2026-01-29 21:37| URL | Tags |
|---|---|
| https://github.com/chainguard-dev/malcontent/secu… | x_refsource_CONFIRM |
| https://github.com/chainguard-dev/malcontent/comm… | x_refsource_MISC |
| https://github.com/chainguard-dev/malcontent/comm… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| chainguard-dev | malcontent |
Affected:
>= 1.8.0, < 1.20.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24846",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-29T21:35:11.721178Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-29T21:37:29.730Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "malcontent",
"vendor": "chainguard-dev",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.8.0, \u003c 1.20.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "malcontent discovers supply-chain compromises through. context, differential analysis, and YARA. Starting in version 1.8.0 and prior to version 1.20.3, malcontent could be made to create symlinks outside the intended extraction directory when scanning a specially crafted tar or deb archive. The `handleSymlink` function received arguments in the wrong order, causing the symlink target to be used as the symlink location. Additionally, symlink targets were not validated to ensure they resolved within the extraction directory. Version 1.20.3 introduces fixes that swap handleSymlink arguments, validate symlink location, and validate symlink targets that resolve within an extraction directory."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-683",
"description": "CWE-683: Function Call With Incorrect Order of Arguments",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-29T21:12:18.991Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/chainguard-dev/malcontent/security/advisories/GHSA-923j-vrcg-hxwh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/chainguard-dev/malcontent/security/advisories/GHSA-923j-vrcg-hxwh"
},
{
"name": "https://github.com/chainguard-dev/malcontent/commit/259fca5abc004f3ab238895463ef280a87f30e96",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chainguard-dev/malcontent/commit/259fca5abc004f3ab238895463ef280a87f30e96"
},
{
"name": "https://github.com/chainguard-dev/malcontent/commit/a7dd8a5328ddbaf235568437813efa7591e00017",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chainguard-dev/malcontent/commit/a7dd8a5328ddbaf235568437813efa7591e00017"
}
],
"source": {
"advisory": "GHSA-923j-vrcg-hxwh",
"discovery": "UNKNOWN"
},
"title": "malcontent\u0027s archive extraction could write outside extraction directory"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24846",
"datePublished": "2026-01-29T21:12:18.991Z",
"dateReserved": "2026-01-27T14:51:03.059Z",
"dateUpdated": "2026-01-29T21:37:29.730Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-47278 (GCVE-0-2025-47278)
Vulnerability from cvelistv5 – Published: 2025-05-13 15:57 – Updated: 2025-05-13 20:14- CWE-683 - Function Call With Incorrect Order of Arguments
| URL | Tags |
|---|---|
| https://github.com/pallets/flask/security/advisor… | x_refsource_CONFIRM |
| https://github.com/pallets/flask/commit/73d650406… | x_refsource_MISC |
| https://github.com/pallets/flask/releases/tag/3.1.1 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47278",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-13T20:13:56.371838Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T20:14:09.702Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "flask",
"vendor": "pallets",
"versions": [
{
"status": "affected",
"version": "= 3.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Flask is a web server gateway interface (WSGI) web application framework. In Flask 3.1.0, the way fallback key configuration was handled resulted in the last fallback key being used for signing, rather than the current signing key. Signing is provided by the `itsdangerous` library. A list of keys can be passed, and it expects the last (top) key in the list to be the most recent key, and uses that for signing. Flask was incorrectly constructing that list in reverse, passing the signing key first. Sites that have opted-in to use key rotation by setting `SECRET_KEY_FALLBACKS` care likely to unexpectedly be signing their sessions with stale keys, and their transition to fresher keys will be impeded. Sessions are still signed, so this would not cause any sort of data integrity loss. Version 3.1.1 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 1.8,
"baseSeverity": "LOW",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-683",
"description": "CWE-683: Function Call With Incorrect Order of Arguments",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T15:57:40.409Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pallets/flask/security/advisories/GHSA-4grg-w6v8-c28g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pallets/flask/security/advisories/GHSA-4grg-w6v8-c28g"
},
{
"name": "https://github.com/pallets/flask/commit/73d6504063bfa00666a92b07a28aaf906c532f09",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pallets/flask/commit/73d6504063bfa00666a92b07a28aaf906c532f09"
},
{
"name": "https://github.com/pallets/flask/releases/tag/3.1.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pallets/flask/releases/tag/3.1.1"
}
],
"source": {
"advisory": "GHSA-4grg-w6v8-c28g",
"discovery": "UNKNOWN"
},
"title": "Flask uses fallback key instead of current signing key"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-47278",
"datePublished": "2025-05-13T15:57:40.409Z",
"dateReserved": "2025-05-05T16:53:10.373Z",
"dateUpdated": "2025-05-13T20:14:09.702Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-32059 (GCVE-0-2023-32059)
Vulnerability from cvelistv5 – Published: 2023-05-11 21:01 – Updated: 2025-01-24 15:54- CWE-683 - Function Call With Incorrect Order of Arguments
- CWE-noinfo Not enough information
| URL | Tags |
|---|---|
| https://github.com/vyperlang/vyper/security/advis… | x_refsource_CONFIRM |
| https://github.com/vyperlang/vyper/commit/c3e68c3… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:03:28.987Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39g",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39g"
},
{
"name": "https://github.com/vyperlang/vyper/commit/c3e68c302aa6e1429946473769dd1232145822ac",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vyperlang/vyper/commit/c3e68c302aa6e1429946473769dd1232145822ac"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-32059",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-24T15:51:03.268758Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-24T15:54:40.006Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "vyper",
"vendor": "vyperlang",
"versions": [
{
"status": "affected",
"version": "\u003c 0.3.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, internal calls with default arguments are compiled incorrectly. Depending on the number of arguments provided in the call, the defaults are added not right-to-left, but left-to-right. If the types are incompatible, typechecking is bypassed. The ability to pass kwargs to internal functions is an undocumented feature that is not well known about. The issue is patched in version 0.3.8."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-683",
"description": "CWE-683: Function Call With Incorrect Order of Arguments",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-11T21:01:11.456Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39g"
},
{
"name": "https://github.com/vyperlang/vyper/commit/c3e68c302aa6e1429946473769dd1232145822ac",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vyperlang/vyper/commit/c3e68c302aa6e1429946473769dd1232145822ac"
}
],
"source": {
"advisory": "GHSA-ph9x-4vc9-m39g",
"discovery": "UNKNOWN"
},
"title": "Vyper vulnerable to incorrect ordering of arguments for kwargs passed to internal calls"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-32059",
"datePublished": "2023-05-11T21:01:11.456Z",
"dateReserved": "2023-05-01T16:47:35.313Z",
"dateUpdated": "2025-01-24T15:54:40.006Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-4GRG-W6V8-C28G
Vulnerability from github – Published: 2025-05-13 20:25 – Updated: 2025-05-13 20:25In Flask 3.1.0, the way fallback key configuration was handled resulted in the last fallback key being used for signing, rather than the current signing key.
Signing is provided by the itsdangerous library. A list of keys can be passed, and it expects the last (top) key in the list to be the most recent key, and uses that for signing. Flask was incorrectly constructing that list in reverse, passing the signing key first.
Sites that have opted-in to use key rotation by setting SECRET_KEY_FALLBACKS are likely to unexpectedly be signing their sessions with stale keys, and their transition to fresher keys will be impeded. Sessions are still signed, so this would not cause any sort of data integrity loss.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "flask"
},
"ranges": [
{
"events": [
{
"introduced": "3.1.0"
},
{
"fixed": "3.1.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.1.0"
]
}
],
"aliases": [
"CVE-2025-47278"
],
"database_specific": {
"cwe_ids": [
"CWE-683"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-13T20:25:26Z",
"nvd_published_at": "2025-05-13T16:15:32Z",
"severity": "LOW"
},
"details": "In Flask 3.1.0, the way fallback key configuration was handled resulted in the last fallback key being used for signing, rather than the current signing key.\n\nSigning is provided by the `itsdangerous` library. A list of keys can be passed, and it expects the last (top) key in the list to be the most recent key, and uses that for signing. Flask was incorrectly constructing that list in reverse, passing the signing key first.\n\nSites that have opted-in to use key rotation by setting `SECRET_KEY_FALLBACKS` are likely to unexpectedly be signing their sessions with stale keys, and their transition to fresher keys will be impeded. Sessions are still signed, so this would not cause any sort of data integrity loss.",
"id": "GHSA-4grg-w6v8-c28g",
"modified": "2025-05-13T20:25:26Z",
"published": "2025-05-13T20:25:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pallets/flask/security/advisories/GHSA-4grg-w6v8-c28g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47278"
},
{
"type": "WEB",
"url": "https://github.com/pallets/flask/commit/73d6504063bfa00666a92b07a28aaf906c532f09"
},
{
"type": "PACKAGE",
"url": "https://github.com/pallets/flask"
},
{
"type": "WEB",
"url": "https://github.com/pallets/flask/releases/tag/3.1.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Flask uses fallback key instead of current signing key"
}
GHSA-69XG-F649-W5G2
Vulnerability from github – Published: 2026-03-13 20:02 – Updated: 2026-03-13 20:02Impact
The OAuth2 authentication adapter does not correctly validate app IDs when appidField and appIds are configured. During app ID validation, a malformed value is sent to the token introspection endpoint instead of the user's actual access token. Depending on the introspection endpoint's behavior, this could either cause all OAuth2 logins to fail, or allow authentication from disallowed app contexts if the endpoint returns valid-looking data for the malformed request.
Deployments using the OAuth2 adapter with appidField and appIds configured are affected.
Patches
The fix corrects the parameter alignment in the OAuth2 adapter's app ID validation method to match the expected interface, ensuring the correct access token is sent to the introspection endpoint.
Workarounds
There is no known workaround.
References
- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-69xg-f649-w5g2
- Fix in Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.13
- Fix in Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.39
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.6.0-alpha.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.2"
},
{
"fixed": "8.6.39"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32269"
],
"database_specific": {
"cwe_ids": [
"CWE-683"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-13T20:02:25Z",
"nvd_published_at": "2026-03-12T20:16:06Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nThe OAuth2 authentication adapter does not correctly validate app IDs when `appidField` and `appIds` are configured. During app ID validation, a malformed value is sent to the token introspection endpoint instead of the user\u0027s actual access token. Depending on the introspection endpoint\u0027s behavior, this could either cause all OAuth2 logins to fail, or allow authentication from disallowed app contexts if the endpoint returns valid-looking data for the malformed request.\n\nDeployments using the OAuth2 adapter with `appidField` and `appIds` configured are affected.\n\n### Patches\n\nThe fix corrects the parameter alignment in the OAuth2 adapter\u0027s app ID validation method to match the expected interface, ensuring the correct access token is sent to the introspection endpoint.\n\n### Workarounds\n\nThere is no known workaround.\n\n### References\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-69xg-f649-w5g2\n- Fix in Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.13\n- Fix in Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.39",
"id": "GHSA-69xg-f649-w5g2",
"modified": "2026-03-13T20:02:25Z",
"published": "2026-03-13T20:02:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-69xg-f649-w5g2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32269"
},
{
"type": "PACKAGE",
"url": "https://github.com/parse-community/parse-server"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/releases/tag/8.6.39"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint"
}
GHSA-923J-VRCG-HXWH
Vulnerability from github – Published: 2026-01-29 22:05 – Updated: 2026-01-31 03:33malcontent could be made to create symlinks outside the intended extraction directory when scanning a specially crafted tar or deb archive. The handleSymlink function received arguments in the wrong order, causing the symlink target to be used as the symlink location. Additionally, symlink targets were not validated to ensure they resolved within the extraction directory.
Fixes: - Swap handleSymlink arguments; validate symlink location - Validate symlink targets resolve within extraction directory
Acknowledgements
Thank you to Oleh Konko from 1seal for discovering and reporting this issue.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/chainguard-dev/malcontent"
},
"ranges": [
{
"events": [
{
"introduced": "1.8.0"
},
{
"fixed": "1.20.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-24846"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-683"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-29T22:05:15Z",
"nvd_published_at": "2026-01-29T22:15:54Z",
"severity": "MODERATE"
},
"details": "malcontent could be made to create symlinks outside the intended extraction directory when scanning a specially crafted tar or deb archive. The `handleSymlink` function received arguments in the wrong order, causing the symlink target to be used as the symlink location. Additionally, symlink targets were not validated to ensure they resolved within the extraction directory.\n\n**Fixes:**\n- [Swap handleSymlink arguments; validate symlink location](https://github.com/chainguard-dev/malcontent/commit/a7dd8a5328ddbaf235568437813efa7591e00017)\n- [Validate symlink targets resolve within extraction directory](https://github.com/chainguard-dev/malcontent/commit/259fca5abc004f3ab238895463ef280a87f30e96)\n\n**Acknowledgements**\n\nThank you to Oleh Konko from [1seal](https://1seal.org/) for discovering and reporting this issue.",
"id": "GHSA-923j-vrcg-hxwh",
"modified": "2026-01-31T03:33:39Z",
"published": "2026-01-29T22:05:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/chainguard-dev/malcontent/security/advisories/GHSA-923j-vrcg-hxwh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24846"
},
{
"type": "WEB",
"url": "https://github.com/chainguard-dev/malcontent/commit/259fca5abc004f3ab238895463ef280a87f30e96"
},
{
"type": "WEB",
"url": "https://github.com/chainguard-dev/malcontent/commit/a7dd8a5328ddbaf235568437813efa7591e00017"
},
{
"type": "PACKAGE",
"url": "https://github.com/chainguard-dev/malcontent"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "malcontent vulnerable to symlink Path Traversal via handleSymlink argument confusion in archive extraction"
}
GHSA-PH9X-4VC9-M39G
Vulnerability from github – Published: 2023-05-12 20:21 – Updated: 2024-11-19 16:33Impact
Internal calls to internal functions with more than 1 default argument are compiled incorrectly. Depending on the number of arguments
provided in the call, the defaults are added not right-to-left, but left-to-right. If the types are incompatible,
typechecking is bypassed. In the bar() function in the following code, self.foo(13) is compiled to
self.foo(13,12) instead of self.foo(13,1337).
@internal
def foo(a:uint256 = 12, b:uint256 = 1337):
pass
@internal
def bar():
self.foo(13)
note that at the time of publication, the ability to pass kwargs to internal functions is an undocumented feature that does not seem to be widely used.
Patches
patched in c3e68c302aa6e1429946473769dd1232145822ac
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
References
Are there any links users can visit to find out more?
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "vyper"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-32059"
],
"database_specific": {
"cwe_ids": [
"CWE-683"
],
"github_reviewed": true,
"github_reviewed_at": "2023-05-12T20:21:00Z",
"nvd_published_at": "2023-05-11T22:15:11Z",
"severity": "HIGH"
},
"details": "### Impact\n\nInternal calls to internal functions with more than 1 default argument are compiled incorrectly. Depending on the number of arguments\nprovided in the call, the defaults are added not right-to-left, but left-to-right. If the types are incompatible,\ntypechecking is bypassed. In the `bar()` function in the following code, `self.foo(13)` is compiled to\n`self.foo(13,12)` instead of `self.foo(13,1337)`.\n\n```vyper\n@internal\ndef foo(a:uint256 = 12, b:uint256 = 1337):\n pass\n\n@internal\ndef bar():\n self.foo(13)\n```\n\nnote that at the time of publication, the ability to pass kwargs to internal functions is an undocumented feature that does not seem to be widely used.\n\n### Patches\npatched in c3e68c302aa6e1429946473769dd1232145822ac\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\n### References\n_Are there any links users can visit to find out more?_\n",
"id": "GHSA-ph9x-4vc9-m39g",
"modified": "2024-11-19T16:33:02Z",
"published": "2023-05-12T20:21:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32059"
},
{
"type": "WEB",
"url": "https://github.com/vyperlang/vyper/commit/c3e68c302aa6e1429946473769dd1232145822ac"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-79.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/vyperlang/vyper"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Vyper vulnerable to incorrect ordering of arguments for kwargs passed to internal calls"
}
GHSA-X748-G8VM-GMHW
Vulnerability from github – Published: 2023-11-06 21:31 – Updated: 2023-11-14 18:30The Awesome Support WordPress plugin before 6.1.5 does not correctly authorize the wpas_edit_reply function, allowing users to edit posts for which they do not have permission.
{
"affected": [],
"aliases": [
"CVE-2023-5352"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-683",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-06T21:15:09Z",
"severity": "MODERATE"
},
"details": "The Awesome Support WordPress plugin before 6.1.5 does not correctly authorize the wpas_edit_reply function, allowing users to edit posts for which they do not have permission.",
"id": "GHSA-x748-g8vm-gmhw",
"modified": "2023-11-14T18:30:23Z",
"published": "2023-11-06T21:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5352"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/d32b2136-d923-4f36-bd76-af4578deb23b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Use the function, procedure, or routine as specified.
No CAPEC attack patterns related to this CWE.