CWE hub

CWE-1289 vulnerabilities

This hub groups CVEs that NVD maps to CWE-1289, so you can review recent disclosures, common vendors, and related weakness patterns in one place.

RSS View CWE-1289 on MITRE

Definition mirrored from MITRE CWE (MITRE CWE 4.13). CVE list is sourced live from NVD.

Mapped CVEs

Records currently returned for this weakness id.

Top vendor

gitlab

1 mapped CVEs in the aggregate scan.

Weakness roll-up for CWE-1289

Showing 1-7 of 7 vulnerabilities.

CWE: CWE-1289

Sort current page

CVE-2026-41239MediumCVSS6.8Published Apr 23, 2026

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Starting in version 1.0.10 and prior to version 3.4.0, `SAFE_FOR_TEMPLATES` strips `{{...}}` expressions from untrusted HTML. This works in string mode but not with `RETURN_DOM` or `RETURN_DOM_FRAGMENT`, allowing XSS via template-evaluating frameworks like Vue 2. Version 3.4.0 patches the issue.

Affected vendor

Structured metadata unavailable

Affected product

Product metadata unavailable

Coverage

No structured product entries

CVSS

6.8

MEDIUM

Published

Apr 23, 2026

CVE-2026-39972HighCVSS7.1Published Apr 9, 2026

Mercure is a protocol for pushing data updates to web browsers and other HTTP clients in a battery-efficient way. Prior to 0.22.0, a cache key collision vulnerability in TopicSelectorStore allows an attacker to poison the match result cache, potentially causing private updates to be delivered to unauthorized subscribers or blocking delivery to authorized ones. The cache key was constructed by concatenating the topic selector and topic with an underscore separator. Because both topic selectors and topics can contain underscores, two distinct pairs can produce the same key. An attacker who can subscribe to the hub or publish updates with crafted topic names can exploit this to bypass authorization checks on private updates. This vulnerability is fixed in 0.22.0.

Affected vendor

Structured metadata unavailable

Affected product

Product metadata unavailable

Coverage

No structured product entries

CVSS

7.1

HIGH

Published

Apr 9, 2026

CVE-2026-33729MediumCVSS5.8Published Mar 27, 2026

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. In versions prior to 1.13.1, under specific conditions, models using conditions with caching enabled can result in two different check requests producing the same cache key. This can result in OpenFGA reusing an earlier cached result for a different request. Users are affected if the model has relations which rely on condition evaluation andncaching is enabled. OpenFGA v1.13.1 contains a patch.

Affected vendor

openfga

Affected product

openfga

Coverage

Single affected product entry

CVSS

5.8

MEDIUM

Published

Mar 27, 2026

CVE-2026-33496HighCVSS8.1Published Mar 26, 2026

ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to authentication bypass due to cache key confusion. The `oauth2_introspection` authenticator cache does not distinguish tokens that were validated with different introspection URLs. An attacker can therefore legitimately use a token to prime the cache, and subsequently use the same token for rules that use a different introspection server. Ory Oathkeeper has to be configured with multiple `oauth2_introspection` authenticator servers, each accepting different tokens. The authenticators also must be configured to use caching. An attacker has to have a way to gain a valid token for one of the configured introspection servers. Starting in version 26.2.0, Ory Oathkeeper includes the introspection server URL in the cache key, preventing confusion of tokens. Update to the patched version of Ory Oathkeeper. If that is not immediately possible, disable caching for `oauth2_introspection` authenticators.

Affected vendor

ory

Affected product

oathkeeper

Coverage

Single affected product entry

CVSS

8.1

HIGH

Published

Mar 26, 2026

CVE-2026-33515MediumCVSS6.9Published Mar 26, 2026

Squid is a caching proxy for the Web. Prior to version 7.5, due to improper input validation, Squid is vulnerable to out of bounds read when handling ICP traffic. This problem allows a remote attacker to receive small amounts of memory potentially containing sensitive information when responding with errors to invalid ICP requests. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem cannot be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch.

Affected vendor

squid-cache

Affected product

squid

Coverage

Single affected product entry

CVSS

6.9

MEDIUM

Published

Mar 26, 2026

CVE-2026-27610HighCVSS7.0Published Feb 25, 2026

Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the `ConfigKeyCache` uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key. The fix in version 9.0.0-alpha.8 uses distinct cache keys for master key and read-only master key. As a workaround, avoid using function-typed master keys, or remove the `agent` configuration block from your dashboard configuration.

Affected vendor

parseplatform

Affected product

parse dashboard

Coverage

135 affected product entries

CVSS

7.0

HIGH

Published

Feb 25, 2026

CVE-2026-1094MediumCVSS4.6Published Feb 11, 2026

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.8 before 18.8.4 that could have allowed an authenticated developer to hide specially crafted file changes from the WebUI.

Affected vendor

gitlab

Affected product

gitlab

Coverage

2 affected product entries

CVSS

4.6

MEDIUM

Published

Feb 11, 2026