CVE-2026-33508

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.56 and 9.6.0-alpha.45, Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription...

@openinc/parse-server-opendash (>=4.0.0 <=4.0.4) potentially affected by CVE-2026-33508 via parse-server (>=9.6.0-alpha.37 <=9.6.0-alpha.43)

parse-server NPM version =9.6.0-alpha.37, =4.0.0, =4.0.4 Source cves: CVE-2026-33508 Source advisory: SNYK:JS-PARSESERVER-15757707...

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +27 more potentially affected by CVE-2026-33508 via parse-server (>=2.0.8 <=7.5.4)

parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2026-33508 Source advisory: OSV:GHSA-6QH5-M6G3-XHQ6...