CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

4 matches found

ATTACKERKB•added 2026/03/31 3:10 p.m.•1 views

CVE-2026-34595

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.70 and 9.7.0-alpha.18, an authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery subscriptions. By...

5.3CVSS5.8AI score0.00251EPSS

Exploits0References6Affected Software1

OSV•added 2026/03/27 7:14 a.m.•4 views

BIT-PARSE-2026-33421 Parse Server: LiveQuery bypasses CLP pointer permission enforcement

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.53 and 9.6.0, Parse Server's LiveQuery WebSocket interface does not enforce Class-Level Permission CLP pointer permissions readUserFields and pointerFields. Any...

7.1CVSS5.8AI score0.00397EPSS

Exploits0References6

CVE•added 2026/03/24 6:14 p.m.•11 views

CVE-2026-33421

Parse Server’s LiveQuery WebSocket interface historically did not enforce Class-Level Permission pointer permissions (readUserFields and pointerFields) prior to versions 8.6.53 and 9.6.0-alpha.42. Any authenticated user could subscribe to LiveQuery events and receive real-time updates for objects...

7.1CVSS5.7AI score0.00397EPSS

Exploits0References5Affected Software1

CVE•added 2026/03/11 6:2 p.m.•12 views

CVE-2026-31872

CVE-2026-31872 affects Parse Server. Prior to 9.6.0-alpha.6 and 8.6.32, the protectedFields class-level permission (CLP) can be bypassed via dot-notation in query WHERE clauses and sort parameters, enabling an attacker to query or sort by sub-fields of a protected field on MongoDB and PostgreSQL ...

8.7CVSS5.8AI score0.00367EPSS

Exploits0References3Affected Software1

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by