CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

132 matches found

Positive Technologies•added 2026/03/31 12:0 a.m.•0 views

PT-2026-29279

Parse Server versions prior to 8.6.70 and 9.7.0-alpha.18 An authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery subscriptions. By sending a subscription with a $or, $and, or $nor operator value as a plain object with numer...

5.3CVSS5.8AI score0.00035EPSS

Exploits0References11

OSV•added 2026/03/30 5:40 p.m.•1 views

GHSA-M983-V2FF-WQ65 LiveQuery protected field leak via shared mutable state across concurrent subscribers

Impact When multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects. The sensitive data filter modifies these shared objects in-place, so when one subscriber's filter removes a protected field, subsequent...

8.2CVSS6AI score0.00023EPSS

Exploits0References7

Github Security Blog•added 2026/03/30 5:40 p.m.•3 views

LiveQuery protected field leak via shared mutable state across concurrent subscribers

8.2CVSS6AI score0.00023EPSS

Exploits0References7Affected Software1

Snyk•added 2026/03/30 5:40 p.m.•1 views

Race Condition

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Race Condition in the handling of concurrent LiveQuery subscribers due to shared mutable state. An attacker can access...

8.2CVSS5.9AI score0.00023EPSS

Exploits0References2

Positive Technologies•added 2026/03/30 12:0 a.m.•1 views

PT-2026-29165

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.65 Parse Server versions prior to 9.7.0-alpha.9 Description Parse Server, an open source backend deployable on Node.js infrastructures, is affected by an issue where sensitive data can leak to unauthorized...

8.2CVSS5.9AI score0.00023EPSS

Exploits0References13

OSV•added 2026/03/27 7:14 a.m.•1 views

BIT-PARSE-2026-33508 Parse Server: LiveQuery subscription query depth bypass

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.56 and 9.6.0, Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription requests. A...

8.2CVSS5.8AI score0.00065EPSS

Exploits0References6

OSV•added 2026/03/27 7:14 a.m.•0 views

BIT-PARSE-2026-33429 Parse Server: Protected field change detection oracle via LiveQuery watch parameter

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.54 and 9.6.0, an attacker can subscribe to LiveQuery with a watch parameter targeting a protected field. Although the protected field value is properly stripped from event...

6.3CVSS5.8AI score0.00015EPSS

Exploits0References6

OSV•added 2026/03/27 7:14 a.m.•3 views

BIT-PARSE-2026-33421 Parse Server: LiveQuery bypasses CLP pointer permission enforcement

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.53 and 9.6.0, Parse Server's LiveQuery WebSocket interface does not enforce Class-Level Permission CLP pointer permissions readUserFields and pointerFields. Any...

7.1CVSS5.8AI score0.00012EPSS

Exploits0References6

RedhatCVE•added 2026/03/26 3:11 p.m.•1 views

CVE-2026-32770

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.19 and 8.6.43, a remote attacker can crash the Parse Server by subscribing to a LiveQuery with an invalid regular expression pattern. The server process terminates when the...

7.5CVSS5.8AI score0.00042EPSS

Exploits0References1

RedhatCVE•added 2026/03/26 3:10 p.m.•1 views

CVE-2026-32098

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.9 and 8.6.35, an attacker can exploit LiveQuery subscriptions to infer the values of protected fields without directly receiving them. By subscribing with a WHERE clause th...

7.5CVSS5.8AI score0.00052EPSS

Exploits0References1

RedhatCVE•added 2026/03/26 3:9 p.m.•0 views

CVE-2026-33429

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.54 and 9.6.0-alpha.43, an attacker can subscribe to LiveQuery with a watch parameter targeting a protected field. Although the protected field value is properly stripped...

6.3CVSS5.7AI score0.00015EPSS

Exploits0References1

RedhatCVE•added 2026/03/26 3:1 p.m.•2 views

CVE-2026-33421

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.53 and 9.6.0-alpha.42, Parse Server's LiveQuery WebSocket interface does not enforce Class-Level Permission CLP pointer permissions readUserFields and pointerFields. Any...

7.1CVSS5.7AI score0.00012EPSS

Exploits0References1

RedhatCVE•added 2026/03/26 3:1 p.m.•0 views

CVE-2026-33508

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.56 and 9.6.0-alpha.45, Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription...

8.2CVSS5.7AI score0.00065EPSS

Exploits0References1

RedhatCVE•added 2026/03/26 3:0 p.m.•2 views

CVE-2026-33163

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.35 and 8.6.50, when a Parse.Cloud.afterLiveQueryEvent trigger is registered for a class, the LiveQuery server leaks protected fields and authData to all subscribers of that...

8.2CVSS5.8AI score0.00038EPSS

Exploits0References1