1612 matches found
EUVD-2026-36542
parse-server: Relation $relatedTo query bypasses protectedFields and owning-object ACL...
EUVD-2026-36540
parse-server: Endpoints /login and /verifyPassword disclose MFA secrets and protected fields when User get is denied...
EUVD-2026-36539
parse-server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist...
BIT-PARSE-2026-53726 Parse Server: Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.80 and 9.9.1, a relation query using the $relatedTo operator could read the membership of a Relation field even when that field was hidden from the requesting client by...
BIT-PARSE-2026-53725 Parse Server: Endpoints `/login` and `/verifyPassword` disclose MFA secrets and protected fields when `_User` get is denied
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1, apps that enable MFA and deny get on the User class via Class-Level Permissions could expose sensitive user data through the /login and /verifyPasswo...
BIT-PARSE-2026-53724 Parse Server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.79 and 9.9.1, the default file upload extension blocklist can be bypassed by appending a trailing dot to a filename whose extension would otherwise be blocked e.g. poc.svg...
BIT-PARSE-2026-50008 Parse Server: Server option routeAllowList is bypassable through batch sub-requests
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1, the routeAllowList server option restricts external client access to a configured list of REST API routes. The check is only enforced as Express...
CVE-2026-53726
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.80 and 9.9.1-alpha.6, a relation query using the $relatedTo operator could read the membership of a Relation field even when that field was hidden from the requesting clie...
CVE-2026-53724
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.79 and 9.9.1-alpha.4, the default file upload extension blocklist can be bypassed by appending a trailing dot to a filename whose extension would otherwise be blocked e.g...
CVE-2026-53725
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.5, apps that enable MFA and deny get on the User class via Class-Level Permissions could expose sensitive user data through the /login and...
CVE-2026-50008
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.3, the routeAllowList server option restricts external client access to a configured list of REST API routes. The check is only enforced as...
CVE-2026-47138
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.77 and 9.9.1-alpha.1, an unauthenticated attacker who knows a publicly-known Parse Application ID can submit a single HTTP request whose client SDK version field contains...
CVE-2026-47248
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.78 and 9.9.1-alpha.2, Parse Server's GraphQL endpoint discloses schema metadata to unauthenticated callers through Did you mean ...? suggestions embedded in GraphQL...
CVE-2026-53726 Parse Server: Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.80 and 9.9.1-alpha.6, a relation query using the $relatedTo operator could read the membership of a Relation field even when that field was hidden from the requesting clie...
CVE-2026-53726 Parse Server: Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.80 and 9.9.1-alpha.6, a relation query using the $relatedTo operator could read the membership of a Relation field even when that field was hidden from the requesting clie...
CVE-2026-53726
Parse Server contains a vulnerability in the relation query operator $relatedTo. Before versions 8.6.80 and 9.9.1-alpha.6, an unauthenticated client with public API credentials could read membership of a Relation field protected by protectedFields or object ACLs, potentially enumerating objects l...
CVE-2026-53725
Parse Server up to version 9.9.1-alpha.5 contains a vulnerability in MFA handling: when _User get is denied by Class-Level Permissions, the /login and /verifyPassword endpoints may bypass CLP/protectedFields sanitization and return raw database rows, exposing MFA data (MFA TOTP secrets and recove...
CVE-2026-53725 Parse Server: Endpoints `/login` and `/verifyPassword` disclose MFA secrets and protected fields when `_User` get is denied
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.5, apps that enable MFA and deny get on the User class via Class-Level Permissions could expose sensitive user data through the /login and...
CVE-2026-53725 Parse Server: Endpoints `/login` and `/verifyPassword` disclose MFA secrets and protected fields when `_User` get is denied
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.5, apps that enable MFA and deny get on the User class via Class-Level Permissions could expose sensitive user data through the /login and...
CVE-2026-53724 Parse Server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.79 and 9.9.1-alpha.4, the default file upload extension blocklist can be bypassed by appending a trailing dot to a filename whose extension would otherwise be blocked e.g...