132 matches found
BIT-PARSE-2026-34595 Parse Server: LiveQuery protected-field guard bypass via array-like logical operator value
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.70 and 9.7.0, an authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery subscriptions. By sending a...
BIT-PARSE-2026-34363 Parse Server: LiveQuery protected field leak via shared mutable state across concurrent subscribers
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.65 and 9.7.0, when multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects. The...
CVE-2026-34595
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.70 and 9.7.0-alpha.18, an authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery subscriptions. By...
CVE-2026-34363
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.65 and 9.7.0-alpha.9, when multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects...
EUVD-2026-17504
Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value...
Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value
Impact An authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery subscriptions. By sending a subscription with a $or, $and, or $nor operator value as a plain object with numeric keys and a length property an "array-like" obje...
Access of Resource Using Incompatible Type ('Type Confusion')
Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type 'Type Confusion' via the LiveQuery subscription process when an authenticated use...
GHSA-MMG8-87C5-JRC2 Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value
Impact An authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery subscriptions. By sending a subscription with a $or, $and, or $nor operator value as a plain object with numeric keys and a length property an "array-like" obje...
CVE-2026-34595
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.70 and 9.7.0-alpha.18, an authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery subscriptions. By...
CVE-2026-34363
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.65 and 9.7.0-alpha.9, when multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects...
CVE-2026-34595 Parse Server: LiveQuery protected-field guard bypass via array-like logical operator value
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.70 and 9.7.0-alpha.18, an authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery subscriptions. By...
CVE-2026-34595
CVE-2026-34595 affects Parse Server LiveQuery: an authenticated user with find class-level permission can bypass the protectedFields guard by submitting a subscription using an array-like object for $or/$and/$nor instead of a real array. This bypass allows the subscription firing to act as a bina...
CVE-2026-34595
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.70 and 9.7.0-alpha.18, an authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery subscriptions. By...
CVE-2026-34595 Parse Server: LiveQuery protected-field guard bypass via array-like logical operator value
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.70 and 9.7.0-alpha.18, an authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery subscriptions. By...
CVE-2026-34363
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.65 and 9.7.0-alpha.9, when multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects...
CVE-2026-34363 Parse Server: LiveQuery protected field leak via shared mutable state across concurrent subscribers
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.65 and 9.7.0-alpha.9, when multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects...
CVE-2026-34363
The CVE entry maps to a Parse Server LiveQuery vulnerability (prote cted fields/afterEvent triggers) where multiple subscribers sharing a class could see leaked or incomplete data due to in-place edits of shared mutable objects by the sensitive data filter. The root cause is shared mutable state ...
CVE-2026-34363 Parse Server: LiveQuery protected field leak via shared mutable state across concurrent subscribers
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.65 and 9.7.0-alpha.9, when multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects...
PT-2026-29338
🔴 Parse Server, LiveQuery Race Condition, CVE-2024-39333 Critical https://t.co/upurtK5zG4...
Parse Server 安全漏洞
Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that supports Node.js. There were security vulnerabilities in versions of Parse Server prior to 8.6.70 and 9.7.0-alpha.18. These vulnerabilities stemmed from the possibility for...