89 matches found

Source: EUVD (added yesterday, 4 views)

EUVD-2026-34164

Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize calls in the Workflow, Form block, and File/Set components that lack the allowedclasses restriction. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been...

CVSS 8.4 | AI score 5.9
Exploits: 0 | References: 1
Source: RedhatCVE (added 2026/03/26 3:03 p.m., 1 view)

CVE-2026-30962

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.6 and 8.6.19, the validation for protected fields only checks top-level query keys. By wrapping a query constraint on a protected field inside a logical operator, the check...

CVSS 7.1 | AI score 5.8 | EPSS 0.00046
Exploits: 0 | References: 1
Source: RedhatCVE (added 2026/03/26 2:59 p.m., 0 views)

CVE-2026-31800

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.12 and 8.6.25, the GraphQLConfig and Audience internal classes can be read, modified, and deleted via the generic /classes/GraphQLConfig and /classes/Audience REST API rout...

CVSS 9.1 | AI score 5.8 | EPSS 0.00106
Exploits: 0 | References: 1
Source: NVD (added 2026/03/25 5:16 p.m., 1 view)

CVE-2026-2414

Authorization bypass through User-Controlled key vulnerability in HYPR Server allows Privilege Escalation. This issue affects Server: from 9.5.2 before 10.7.2...

CVSS 9.8 | EPSS 0.00065
Exploits: 0 | References: 1
Source: Cvelist (added 2026/03/25 5:03 p.m., 19 views)

CVE-2026-2414

Authorization bypass through User-Controlled key vulnerability in HYPR Server allows Privilege Escalation. This issue affects Server: from 9.5.2 before 10.7.2...

CVSS 8.6 | EPSS 0.00065
Exploits: 0 | References: 1
Source: CVE (added 2026/03/25 5:03 p.m., 4 views)

CVE-2026-2414

CVE-2026-2414 describes an authorization bypass vulnerability in HYPR Server via a user-controlled key, enabling privilege escalation. Affected versions are HYPR Server 9.5.2 prior to 10.7.2; remediation is to upgrade to 10.7.2 or later. The issue's concrete impact and exploit specifics are not p...

CVSS 9.8 | AI score 5.8 | EPSS 0.00065
Exploits: 0 | References: 1 | Affected software: 1
Source: ATTACKERKB (added 2026/03/25 5:03 p.m., 0 views)

CVE-2026-2414

Authorization bypass through User-Controlled key vulnerability in HYPR Server allows Privilege Escalation. This issue affects Server: from 9.5.2 before 10.7.2...

CVSS 8.6 | AI score 5.8 | EPSS 0.00065
Exploits: 0 | References: 2 | Affected software: 1
Source: Positive Technologies (added 2026/03/25 12:00 a.m., 0 views)

PT-2026-28068

Authorization bypass through User-Controlled key vulnerability in HYPR Server allows Privilege Escalation. This issue affects Server: from 9.5.2 before 10.7.2...

CVSS 8.6 | AI score 5.8 | EPSS 0.00065
Exploits: 0 | References: 2
Source: OSV (added 2026/03/12 2:48 p.m., 0 views)

BIT-PARSE-2026-30972 Parse Server has a rate limit bypass via batch request endpoint

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2 and 8.6.23, Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint /batch processes sub-requests internally by routing...

CVSS 7.5 | AI score 5.8 | EPSS 0.00062
Exploits: 0 | References: 4
Source: OSV (added 2026/03/12 2:48 p.m., 3 views)

BIT-PARSE-2026-30947 Parse Server has a bypass of class-level permissions in LiveQuery

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2 and 8.6.16, class-level permissions (CLP) are not enforced for LiveQuery subscriptions. An unauthenticated or unauthorized client can subscribe to any LiveQuery-enabled class and...

CVSS 8.7 | AI score 5.8 | EPSS 0.00019
Exploits: 0 | References: 4
Source: Snyk (added 2026/03/11 12:23 a.m., 1 view)

Missing Authorization

Overview: parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Missing Authorization via the generic /classes/GraphQLConfig and /classes/Audience REST API routes, which do not enforce...

CVSS 9.1 | AI score 5.8 | EPSS 0.00106
Exploits: 0 | References: 2
Source: EUVD (added 2026/03/11 12:23 a.m., 2 views)

EUVD-2026-10889

Parse Server: Classes GraphQLConfig and Audience master key bypass via generic class routes...

CVSS 8.8 | AI score 5.8 | EPSS 0.00106
Exploits: 0 | References: 4
Source: Snyk (added 2026/03/11 12:21 a.m., 0 views)

Insufficiently Protected Credentials

Overview: parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Insufficiently Protected Credentials in the OAuth2 authentication process when the useridField option is not set. An attacke...

CVSS 8.8 | AI score 5.8 | EPSS 0.00127
Exploits: 0 | References: 2
Source: EUVD (added 2026/03/11 12:17 a.m., 0 views)

EUVD-2026-10866

Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload...

CVSS 8.3 | AI score 5.7 | EPSS 0.00021
Exploits: 0 | References: 4
Source: NVD (added 2026/03/10 9:16 p.m., 1 view)

CVE-2026-30962

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.6 and 8.6.19, the validation for protected fields only checks top-level query keys. By wrapping a query constraint on a protected field inside a logical operator, the check...

CVSS 7.1 | EPSS 0.00046
Exploits: 0 | References: 3
Source: ATTACKERKB (added 2026/03/10 8:51 p.m., 2 views)

CVE-2026-31800

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.12 and 8.6.25, the GraphQLConfig and Audience internal classes can be read, modified, and deleted via the generic /classes/GraphQLConfig and /classes/Audience REST API rout...

CVSS 8.8 | AI score 5.8 | EPSS 0.00106
Exploits: 0 | References: 4 | Affected software: 1
Source: CVE (added 2026/03/10 8:48 p.m., 5 views)

CVE-2026-30972

Parse Server is vulnerable due to the batch endpoint (/batch) bypassing Express middleware, including rate limiting, allowing a single request to bundle multiple sub-requests targeting rate-limited endpoints. This affects deployments that rely on the built-in rate limiting feature prior to versio...

CVSS 7.5 | AI score 5.8 | EPSS 0.00062
Exploits: 0 | References: 3 | Affected software: 1
Source: OSV (added 2026/03/10 8:48 p.m., 1 view)

CVE-2026-30972 Parse Server has a rate limit bypass via batch request endpoint

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.10 and 8.6.23, Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint /batch processes sub-requests internally by...

CVSS 6.9 | AI score 5.8 | EPSS 0.00062
Exploits: 0 | References: 5
Source: ATTACKERKB (added 2026/03/10 8:48 p.m., 3 views)

CVE-2026-30972

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.10 and 8.6.23, Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint /batch processes sub-requests internally by...

CVSS 6.9 | AI score 5.8 | EPSS 0.00062
Exploits: 0 | References: 4 | Affected software: 1
Source: OSV (added 2026/03/10 8:42 p.m., 1 view)

CVE-2026-30962 Parse Server has a protected fields bypass via logical query operators

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.6 and 8.6.19, the validation for protected fields only checks top-level query keys. By wrapping a query constraint on a protected field inside a logical operator, the check...

CVSS 7.1 | AI score 5.8 | EPSS 0.00046
Exploits: 0 | References: 5