Common Weakness Enumeration

CWE-683

Allowed

Function Call With Incorrect Order of Arguments

Abstraction: Variant · Status: Draft

The product calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses.

9 vulnerabilities reference this CWE, most recent first.

CVE-2026-32269 (GCVE-0-2026-32269)

Vulnerability from cvelistv5 – Published: 2026-03-12 19:43 – Updated: 2026-03-13 16:11
VLAI
Title
Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint
Summary
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.13 and 8.6.39, the OAuth2 authentication adapter does not correctly validate app IDs when appidField and appIds are configured. During app ID validation, a malformed value is sent to the token introspection endpoint instead of the user's actual access token. Depending on the introspection endpoint's behavior, this could either cause all OAuth2 logins to fail, or allow authentication from disallowed app contexts if the endpoint returns valid-looking data for the malformed request. Deployments using the OAuth2 adapter with appidField and appIds configured are affected. This vulnerability is fixed in 9.6.0-alpha.13 and 8.6.39.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-683 - Function Call With Incorrect Order of Arguments
Assigner
Impacted products
Vendor Product Version
parse-community parse-server Affected: >= 9.0.0, < 9.6.0-alpha.13
Affected: >= 8.0.2, < 8.6.39
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32269",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-13T16:11:12.313618Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-13T16:11:21.212Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "parse-server",
          "vendor": "parse-community",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 9.0.0, \u003c 9.6.0-alpha.13"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.0.2, \u003c 8.6.39"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.13 and 8.6.39, the OAuth2 authentication adapter does not correctly validate app IDs when appidField and appIds are configured. During app ID validation, a malformed value is sent to the token introspection endpoint instead of the user\u0027s actual access token. Depending on the introspection endpoint\u0027s behavior, this could either cause all OAuth2 logins to fail, or allow authentication from disallowed app contexts if the endpoint returns valid-looking data for the malformed request. Deployments using the OAuth2 adapter with appidField and appIds configured are affected. This vulnerability is fixed in 9.6.0-alpha.13 and 8.6.39."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-683",
              "description": "CWE-683: Function Call With Incorrect Order of Arguments",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-12T19:43:23.632Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-69xg-f649-w5g2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-69xg-f649-w5g2"
        },
        {
          "name": "https://github.com/parse-community/parse-server/releases/tag/8.6.39",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.39"
        },
        {
          "name": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.13",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.13"
        }
      ],
      "source": {
        "advisory": "GHSA-69xg-f649-w5g2",
        "discovery": "UNKNOWN"
      },
      "title": "Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-32269",
    "datePublished": "2026-03-12T19:43:23.632Z",
    "dateReserved": "2026-03-11T15:05:48.398Z",
    "dateUpdated": "2026-03-13T16:11:21.212Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-24846 (GCVE-0-2026-24846)

Vulnerability from cvelistv5 – Published: 2026-01-29 21:12 – Updated: 2026-01-29 21:37
VLAI
Title
malcontent's archive extraction could write outside extraction directory
Summary
malcontent discovers supply-chain compromises through. context, differential analysis, and YARA. Starting in version 1.8.0 and prior to version 1.20.3, malcontent could be made to create symlinks outside the intended extraction directory when scanning a specially crafted tar or deb archive. The `handleSymlink` function received arguments in the wrong order, causing the symlink target to be used as the symlink location. Additionally, symlink targets were not validated to ensure they resolved within the extraction directory. Version 1.20.3 introduces fixes that swap handleSymlink arguments, validate symlink location, and validate symlink targets that resolve within an extraction directory.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CWE-683 - Function Call With Incorrect Order of Arguments
Assigner
Impacted products
Vendor Product Version
chainguard-dev malcontent Affected: >= 1.8.0, < 1.20.3
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-24846",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-29T21:35:11.721178Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-29T21:37:29.730Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "malcontent",
          "vendor": "chainguard-dev",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.8.0, \u003c 1.20.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "malcontent discovers supply-chain compromises through. context, differential analysis, and YARA. Starting in version 1.8.0 and prior to version 1.20.3, malcontent could be made to create symlinks outside the intended extraction directory when scanning a specially crafted tar or deb archive. The `handleSymlink` function received arguments in the wrong order, causing the symlink target to be used as the symlink location. Additionally, symlink targets were not validated to ensure they resolved within the extraction directory. Version 1.20.3 introduces fixes that swap handleSymlink arguments, validate symlink location, and validate symlink targets that resolve within an extraction directory."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-683",
              "description": "CWE-683: Function Call With Incorrect Order of Arguments",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-29T21:12:18.991Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/chainguard-dev/malcontent/security/advisories/GHSA-923j-vrcg-hxwh",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/chainguard-dev/malcontent/security/advisories/GHSA-923j-vrcg-hxwh"
        },
        {
          "name": "https://github.com/chainguard-dev/malcontent/commit/259fca5abc004f3ab238895463ef280a87f30e96",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/chainguard-dev/malcontent/commit/259fca5abc004f3ab238895463ef280a87f30e96"
        },
        {
          "name": "https://github.com/chainguard-dev/malcontent/commit/a7dd8a5328ddbaf235568437813efa7591e00017",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/chainguard-dev/malcontent/commit/a7dd8a5328ddbaf235568437813efa7591e00017"
        }
      ],
      "source": {
        "advisory": "GHSA-923j-vrcg-hxwh",
        "discovery": "UNKNOWN"
      },
      "title": "malcontent\u0027s archive extraction could write outside extraction directory"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-24846",
    "datePublished": "2026-01-29T21:12:18.991Z",
    "dateReserved": "2026-01-27T14:51:03.059Z",
    "dateUpdated": "2026-01-29T21:37:29.730Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-47278 (GCVE-0-2025-47278)

Vulnerability from cvelistv5 – Published: 2025-05-13 15:57 – Updated: 2025-05-13 20:14
VLAI
Title
Flask uses fallback key instead of current signing key
Summary
Flask is a web server gateway interface (WSGI) web application framework. In Flask 3.1.0, the way fallback key configuration was handled resulted in the last fallback key being used for signing, rather than the current signing key. Signing is provided by the `itsdangerous` library. A list of keys can be passed, and it expects the last (top) key in the list to be the most recent key, and uses that for signing. Flask was incorrectly constructing that list in reverse, passing the signing key first. Sites that have opted-in to use key rotation by setting `SECRET_KEY_FALLBACKS` care likely to unexpectedly be signing their sessions with stale keys, and their transition to fresher keys will be impeded. Sessions are still signed, so this would not cause any sort of data integrity loss. Version 3.1.1 contains a patch for the issue.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-683 - Function Call With Incorrect Order of Arguments
Assigner
Impacted products
Vendor Product Version
pallets flask Affected: = 3.1.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-47278",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-13T20:13:56.371838Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-13T20:14:09.702Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "flask",
          "vendor": "pallets",
          "versions": [
            {
              "status": "affected",
              "version": "= 3.1.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Flask is a web server gateway interface (WSGI) web application framework. In Flask 3.1.0, the way fallback key configuration was handled resulted in the last fallback key being used for signing, rather than the current signing key. Signing is provided by the `itsdangerous` library. A list of keys can be passed, and it expects the last (top) key in the list to be the most recent key, and uses that for signing. Flask was incorrectly constructing that list in reverse, passing the signing key first. Sites that have opted-in to use key rotation by setting `SECRET_KEY_FALLBACKS` care likely to unexpectedly be signing their sessions with stale keys, and their transition to fresher keys will be impeded. Sessions are still signed, so this would not cause any sort of data integrity loss. Version 3.1.1 contains a patch for the issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 1.8,
            "baseSeverity": "LOW",
            "privilegesRequired": "HIGH",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-683",
              "description": "CWE-683: Function Call With Incorrect Order of Arguments",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-13T15:57:40.409Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/pallets/flask/security/advisories/GHSA-4grg-w6v8-c28g",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/pallets/flask/security/advisories/GHSA-4grg-w6v8-c28g"
        },
        {
          "name": "https://github.com/pallets/flask/commit/73d6504063bfa00666a92b07a28aaf906c532f09",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pallets/flask/commit/73d6504063bfa00666a92b07a28aaf906c532f09"
        },
        {
          "name": "https://github.com/pallets/flask/releases/tag/3.1.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pallets/flask/releases/tag/3.1.1"
        }
      ],
      "source": {
        "advisory": "GHSA-4grg-w6v8-c28g",
        "discovery": "UNKNOWN"
      },
      "title": "Flask uses fallback key instead of current signing key"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-47278",
    "datePublished": "2025-05-13T15:57:40.409Z",
    "dateReserved": "2025-05-05T16:53:10.373Z",
    "dateUpdated": "2025-05-13T20:14:09.702Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-32059 (GCVE-0-2023-32059)

Vulnerability from cvelistv5 – Published: 2023-05-11 21:01 – Updated: 2025-01-24 15:54
VLAI
Title
Vyper vulnerable to incorrect ordering of arguments for kwargs passed to internal calls
Summary
Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, internal calls with default arguments are compiled incorrectly. Depending on the number of arguments provided in the call, the defaults are added not right-to-left, but left-to-right. If the types are incompatible, typechecking is bypassed. The ability to pass kwargs to internal functions is an undocumented feature that is not well known about. The issue is patched in version 0.3.8.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
vyperlang vyper Affected: < 0.3.8
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T15:03:28.987Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39g",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39g"
          },
          {
            "name": "https://github.com/vyperlang/vyper/commit/c3e68c302aa6e1429946473769dd1232145822ac",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/vyperlang/vyper/commit/c3e68c302aa6e1429946473769dd1232145822ac"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-32059",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-24T15:51:03.268758Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-24T15:54:40.006Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vyper",
          "vendor": "vyperlang",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.3.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, internal calls with default arguments are compiled incorrectly. Depending on the number of arguments provided in the call, the defaults are added not right-to-left, but left-to-right. If the types are incompatible, typechecking is bypassed. The ability to pass kwargs to internal functions is an undocumented feature that is not well known about. The issue is patched in version 0.3.8."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-683",
              "description": "CWE-683: Function Call With Incorrect Order of Arguments",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-05-11T21:01:11.456Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39g",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39g"
        },
        {
          "name": "https://github.com/vyperlang/vyper/commit/c3e68c302aa6e1429946473769dd1232145822ac",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vyperlang/vyper/commit/c3e68c302aa6e1429946473769dd1232145822ac"
        }
      ],
      "source": {
        "advisory": "GHSA-ph9x-4vc9-m39g",
        "discovery": "UNKNOWN"
      },
      "title": "Vyper vulnerable to incorrect ordering of arguments for kwargs passed to internal calls"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-32059",
    "datePublished": "2023-05-11T21:01:11.456Z",
    "dateReserved": "2023-05-01T16:47:35.313Z",
    "dateUpdated": "2025-01-24T15:54:40.006Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-4GRG-W6V8-C28G

Vulnerability from github – Published: 2025-05-13 20:25 – Updated: 2025-05-13 20:25
VLAI
Summary
Flask uses fallback key instead of current signing key
Details

In Flask 3.1.0, the way fallback key configuration was handled resulted in the last fallback key being used for signing, rather than the current signing key.

Signing is provided by the itsdangerous library. A list of keys can be passed, and it expects the last (top) key in the list to be the most recent key, and uses that for signing. Flask was incorrectly constructing that list in reverse, passing the signing key first.

Sites that have opted-in to use key rotation by setting SECRET_KEY_FALLBACKS are likely to unexpectedly be signing their sessions with stale keys, and their transition to fresher keys will be impeded. Sessions are still signed, so this would not cause any sort of data integrity loss.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "flask"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.0"
            },
            {
              "fixed": "3.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "3.1.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2025-47278"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-683"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-13T20:25:26Z",
    "nvd_published_at": "2025-05-13T16:15:32Z",
    "severity": "LOW"
  },
  "details": "In Flask 3.1.0, the way fallback key configuration was handled resulted in the last fallback key being used for signing, rather than the current signing key.\n\nSigning is provided by the `itsdangerous` library. A list of keys can be passed, and it expects the last (top) key in the list to be the most recent key, and uses that for signing. Flask was incorrectly constructing that list in reverse, passing the signing key first.\n\nSites that have opted-in to use key rotation by setting `SECRET_KEY_FALLBACKS` are likely to unexpectedly be signing their sessions with stale keys, and their transition to fresher keys will be impeded. Sessions are still signed, so this would not cause any sort of data integrity loss.",
  "id": "GHSA-4grg-w6v8-c28g",
  "modified": "2025-05-13T20:25:26Z",
  "published": "2025-05-13T20:25:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pallets/flask/security/advisories/GHSA-4grg-w6v8-c28g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47278"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pallets/flask/commit/73d6504063bfa00666a92b07a28aaf906c532f09"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pallets/flask"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pallets/flask/releases/tag/3.1.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Flask uses fallback key instead of current signing key"
}

GHSA-69XG-F649-W5G2

Vulnerability from github – Published: 2026-03-13 20:02 – Updated: 2026-03-13 20:02
VLAI
Summary
Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint
Details

Impact

The OAuth2 authentication adapter does not correctly validate app IDs when appidField and appIds are configured. During app ID validation, a malformed value is sent to the token introspection endpoint instead of the user's actual access token. Depending on the introspection endpoint's behavior, this could either cause all OAuth2 logins to fail, or allow authentication from disallowed app contexts if the endpoint returns valid-looking data for the malformed request.

Deployments using the OAuth2 adapter with appidField and appIds configured are affected.

Patches

The fix corrects the parameter alignment in the OAuth2 adapter's app ID validation method to match the expected interface, ensuring the correct access token is sent to the introspection endpoint.

Workarounds

There is no known workaround.

References

  • GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-69xg-f649-w5g2
  • Fix in Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.13
  • Fix in Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.39
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.6.0-alpha.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.2"
            },
            {
              "fixed": "8.6.39"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32269"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-683"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-13T20:02:25Z",
    "nvd_published_at": "2026-03-12T20:16:06Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThe OAuth2 authentication adapter does not correctly validate app IDs when `appidField` and `appIds` are configured. During app ID validation, a malformed value is sent to the token introspection endpoint instead of the user\u0027s actual access token. Depending on the introspection endpoint\u0027s behavior, this could either cause all OAuth2 logins to fail, or allow authentication from disallowed app contexts if the endpoint returns valid-looking data for the malformed request.\n\nDeployments using the OAuth2 adapter with `appidField` and `appIds` configured are affected.\n\n### Patches\n\nThe fix corrects the parameter alignment in the OAuth2 adapter\u0027s app ID validation method to match the expected interface, ensuring the correct access token is sent to the introspection endpoint.\n\n### Workarounds\n\nThere is no known workaround.\n\n### References\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-69xg-f649-w5g2\n- Fix in Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.13\n- Fix in Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.39",
  "id": "GHSA-69xg-f649-w5g2",
  "modified": "2026-03-13T20:02:25Z",
  "published": "2026-03-13T20:02:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-69xg-f649-w5g2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32269"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/parse-community/parse-server"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.39"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.13"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint"
}

GHSA-923J-VRCG-HXWH

Vulnerability from github – Published: 2026-01-29 22:05 – Updated: 2026-01-31 03:33
VLAI
Summary
malcontent vulnerable to symlink Path Traversal via handleSymlink argument confusion in archive extraction
Details

malcontent could be made to create symlinks outside the intended extraction directory when scanning a specially crafted tar or deb archive. The handleSymlink function received arguments in the wrong order, causing the symlink target to be used as the symlink location. Additionally, symlink targets were not validated to ensure they resolved within the extraction directory.

Fixes: - Swap handleSymlink arguments; validate symlink location - Validate symlink targets resolve within extraction directory

Acknowledgements

Thank you to Oleh Konko from 1seal for discovering and reporting this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/chainguard-dev/malcontent"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.8.0"
            },
            {
              "fixed": "1.20.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-24846"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-683"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-29T22:05:15Z",
    "nvd_published_at": "2026-01-29T22:15:54Z",
    "severity": "MODERATE"
  },
  "details": "malcontent could be made to create symlinks outside the intended extraction directory when scanning a specially crafted tar or deb archive. The `handleSymlink` function received arguments in the wrong order, causing the symlink target to be used as the symlink location. Additionally, symlink targets were not validated to ensure they resolved within the extraction directory.\n\n**Fixes:**\n- [Swap handleSymlink arguments; validate symlink location](https://github.com/chainguard-dev/malcontent/commit/a7dd8a5328ddbaf235568437813efa7591e00017)\n- [Validate symlink targets resolve within extraction directory](https://github.com/chainguard-dev/malcontent/commit/259fca5abc004f3ab238895463ef280a87f30e96)\n\n**Acknowledgements**\n\nThank you to Oleh Konko from [1seal](https://1seal.org/) for discovering and reporting this issue.",
  "id": "GHSA-923j-vrcg-hxwh",
  "modified": "2026-01-31T03:33:39Z",
  "published": "2026-01-29T22:05:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/chainguard-dev/malcontent/security/advisories/GHSA-923j-vrcg-hxwh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24846"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chainguard-dev/malcontent/commit/259fca5abc004f3ab238895463ef280a87f30e96"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chainguard-dev/malcontent/commit/a7dd8a5328ddbaf235568437813efa7591e00017"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/chainguard-dev/malcontent"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "malcontent vulnerable to symlink Path Traversal via handleSymlink argument confusion in archive extraction"
}

GHSA-PH9X-4VC9-M39G

Vulnerability from github – Published: 2023-05-12 20:21 – Updated: 2024-11-19 16:33
VLAI
Summary
Vyper vulnerable to incorrect ordering of arguments for kwargs passed to internal calls
Details

Impact

Internal calls to internal functions with more than 1 default argument are compiled incorrectly. Depending on the number of arguments provided in the call, the defaults are added not right-to-left, but left-to-right. If the types are incompatible, typechecking is bypassed. In the bar() function in the following code, self.foo(13) is compiled to self.foo(13,12) instead of self.foo(13,1337).

@internal
def foo(a:uint256 = 12, b:uint256 = 1337):
    pass

@internal
def bar():
    self.foo(13)

note that at the time of publication, the ability to pass kwargs to internal functions is an undocumented feature that does not seem to be widely used.

Patches

patched in c3e68c302aa6e1429946473769dd1232145822ac

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

References

Are there any links users can visit to find out more?

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vyper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-32059"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-683"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-12T20:21:00Z",
    "nvd_published_at": "2023-05-11T22:15:11Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nInternal calls to internal functions with more than 1 default argument are compiled incorrectly. Depending on the number of arguments\nprovided in the call, the defaults are added not right-to-left, but left-to-right. If the types are incompatible,\ntypechecking is bypassed. In the `bar()` function in the following code, `self.foo(13)` is compiled to\n`self.foo(13,12)` instead of `self.foo(13,1337)`.\n\n```vyper\n@internal\ndef foo(a:uint256 = 12, b:uint256 = 1337):\n    pass\n\n@internal\ndef bar():\n    self.foo(13)\n```\n\nnote that at the time of publication, the ability to pass kwargs to internal functions is an undocumented feature that does not seem to be widely used.\n\n### Patches\npatched in c3e68c302aa6e1429946473769dd1232145822ac\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\n### References\n_Are there any links users can visit to find out more?_\n",
  "id": "GHSA-ph9x-4vc9-m39g",
  "modified": "2024-11-19T16:33:02Z",
  "published": "2023-05-12T20:21:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32059"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/commit/c3e68c302aa6e1429946473769dd1232145822ac"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-79.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vyperlang/vyper"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Vyper vulnerable to incorrect ordering of arguments for kwargs passed to internal calls"
}

GHSA-X748-G8VM-GMHW

Vulnerability from github – Published: 2023-11-06 21:31 – Updated: 2023-11-14 18:30
VLAI
Details

The Awesome Support WordPress plugin before 6.1.5 does not correctly authorize the wpas_edit_reply function, allowing users to edit posts for which they do not have permission.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-5352"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-683",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-06T21:15:09Z",
    "severity": "MODERATE"
  },
  "details": "The Awesome Support WordPress plugin before 6.1.5 does not correctly authorize the wpas_edit_reply function, allowing users to edit posts for which they do not have permission.",
  "id": "GHSA-x748-g8vm-gmhw",
  "modified": "2023-11-14T18:30:23Z",
  "published": "2023-11-06T21:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5352"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/d32b2136-d923-4f36-bd76-af4578deb23b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Use the function, procedure, or routine as specified.

No CAPEC attack patterns related to this CWE.