Lucene search
+L

1661 matches found

nvd
nvd
added 6 days ago6 views

CVE-2026-61448

Parse Server is affected by a stored cross-site scripting XSS vulnerability in versions = 9.0.0, 9.10.0-alpha.2 and = 8.6.83. When an uploaded file's extension is not recognized by the mime package, Parse Server preserves the client-supplied Content-Type. A malformed Content-Type that is not a...

2.1CVSS0.00245EPSS
Exploits0References2
cve
cve
added 6 days ago16 views

CVE-2026-61448

Parse Server is affected by a stored XSS in versions 9.0.0–9.9.9 (excluding 9.10.0-alpha.2) and 8.6.0x up to 8.6.83. When a file with an unrecognized extension is uploaded, the client-supplied Content-Type is kept. A malformed Content-Type (not valid type/subtype) can bypass fileUpload.fileExtens...

2.1CVSS6AI score0.00245EPSS
Exploits0References2
cvelist
cvelist
added 6 days ago34 views

CVE-2026-61448 Parse Server 9.0.0 Stored XSS via malformed Content-Type

Parse Server is affected by a stored cross-site scripting XSS vulnerability in versions = 9.0.0, 9.10.0-alpha.2 and = 8.6.83. When an uploaded file's extension is not recognized by the mime package, Parse Server preserves the client-supplied Content-Type. A malformed Content-Type that is not a...

2.1CVSS0.00245EPSS
Exploits0References2
vulnrichment
vulnrichment
added 6 days ago5 views

CVE-2026-61448 Parse Server 9.0.0 Stored XSS via malformed Content-Type

Parse Server is affected by a stored cross-site scripting XSS vulnerability in versions = 9.0.0, 9.10.0-alpha.2 and = 8.6.83. When an uploaded file's extension is not recognized by the mime package, Parse Server preserves the client-supplied Content-Type. A malformed Content-Type that is not a...

2.1CVSS6AI score0.00245EPSS
Exploits0References2
osv
osv
added 6 days ago5 views

CVE-2026-61448 Parse Server 9.0.0 Stored XSS via malformed Content-Type

Parse Server is affected by a stored cross-site scripting XSS vulnerability in versions = 9.0.0, 9.10.0-alpha.2 and = 8.6.83. When an uploaded file's extension is not recognized by the mime package, Parse Server preserves the client-supplied Content-Type. A malformed Content-Type that is not a...

2.1CVSS6AI score0.00245EPSS
Exploits0References4
ptsecurity
ptsecurity
added 6 days ago9 views

PT-2026-57441

Name of the Vulnerable Software and Affected Versions Parse Server versions 9.0.0 through 9.10.0-alpha.1 Parse Server versions 8.x through 8.6.83 Description A stored cross-site scripting XSS issue exists when the software fails to recognize an uploaded file's extension via the mime package,...

2.1CVSS6AI score0.00245EPSS
Exploits0References8
nvd
nvd
added 2026/07/08 9:16 p.m.7 views

CVE-2026-57481

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.13 and 8.6.83, a LiveQuery subscriber could receive object field values they were not authorized to read when a single save changed both an object field and the subscriber'...

2.3CVSS0.00386EPSS
Exploits0References7
nvd
nvd
added 2026/07/08 9:16 p.m.7 views

CVE-2026-55778

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.11 and 8.6.81, the default fileUpload.fileExtensions blocklist could be bypassed by uploading a file with a non-standard or compound extension and dangerous content type,...

2.1CVSS0.00406EPSS
Exploits0References7
nvd
nvd
added 2026/07/08 9:16 p.m.8 views

CVE-2026-57480

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.12 and 8.6.82, deeply nested $or, $and, and $nor query condition operators in the REST API or LiveQuery query handling could trigger exponential-time processing in the...

8.7CVSS0.00335EPSS
Exploits0References7
cve
cve
added 2026/07/08 8:54 p.m.8 views

CVE-2026-57481

Parse Server LiveQuery vulnerability: a subscriber could receive object field values the reader is not authorized to read when a single save changed both the object field and the subscriber’s ACL read access, due to leave/enter events using the wrong object state. Affected versions before 9.9.1-a...

2.3CVSS6AI score0.00386EPSS
Exploits0References7
osv
osv
added 2026/07/08 8:54 p.m.2 views

CVE-2026-57481 Parse Server: LiveQuery discloses object data to a subscriber across an ACL read-access change

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.13 and 8.6.83, a LiveQuery subscriber could receive object field values they were not authorized to read when a single save changed both an object field and the subscriber'...

2.3CVSS6.1AI score0.00386EPSS
Exploits0References9
cvelist
cvelist
added 2026/07/08 8:54 p.m.37 views

CVE-2026-57481 Parse Server: LiveQuery discloses object data to a subscriber across an ACL read-access change

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.13 and 8.6.83, a LiveQuery subscriber could receive object field values they were not authorized to read when a single save changed both an object field and the subscriber'...

2.3CVSS0.00386EPSS
Exploits0References7
cvelist
cvelist
added 2026/07/08 8:53 p.m.33 views

CVE-2026-57480 Parse Server: Denial of service via exponential-time processing of deeply nested query operators

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.12 and 8.6.82, deeply nested $or, $and, and $nor query condition operators in the REST API or LiveQuery query handling could trigger exponential-time processing in the...

8.7CVSS0.00335EPSS
Exploits0References7
cve
cve
added 2026/07/08 8:53 p.m.11 views

CVE-2026-57480

Parse Server is affected by a denial-of-service issue where deeply nested $or, $and, and $nor query operators in REST API or LiveQuery handling can cause exponential-time processing that blocks the Node.js event loop. The vulnerability affects prior releases and is fixed in versions 9.9.1-alpha.1...

8.7CVSS5.9AI score0.00335EPSS
Exploits0References7
osv
osv
added 2026/07/08 8:53 p.m.4 views

CVE-2026-57480 Parse Server: Denial of service via exponential-time processing of deeply nested query operators

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.12 and 8.6.82, deeply nested $or, $and, and $nor query condition operators in the REST API or LiveQuery query handling could trigger exponential-time processing in the...

8.7CVSS6.1AI score0.00335EPSS
Exploits0References9
cve
cve
added 2026/07/08 8:50 p.m.25 views

CVE-2026-55778

Parse Server is affected by a stored XSS vulnerability where the default fileUpload.fileExtensions blocklist can be bypassed using non-standard or compound extensions paired with a dangerous Content-Type. This enables attacker-supplied content to be served by storage adapters (e.g., S3, GCS) and ...

2.1CVSS5.6AI score0.00406EPSS
Exploits0References7
osv
osv
added 2026/07/08 8:50 p.m.2 views

CVE-2026-55778 Parse Server: Stored XSS via non-standard file extension bypassing file upload extension blocklist

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.11 and 8.6.81, the default fileUpload.fileExtensions blocklist could be bypassed by uploading a file with a non-standard or compound extension and dangerous content type,...

2.1CVSS5.8AI score0.00406EPSS
Exploits0References9
cvelist
cvelist
added 2026/07/08 8:50 p.m.33 views

CVE-2026-55778 Parse Server: Stored XSS via non-standard file extension bypassing file upload extension blocklist

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.11 and 8.6.81, the default fileUpload.fileExtensions blocklist could be bypassed by uploading a file with a non-standard or compound extension and dangerous content type,...

2.1CVSS0.00406EPSS
Exploits0References7
euvd
euvd
added 2026/06/26 12:32 a.m.10 views

EUVD-2021-34852

Parse Server before 4.10.0 contains a supply chain vulnerability where incorrect version tags were pushed to the repository linking to unreviewed code in a personal fork. Attackers could exploit this by specifying affected version tags in dependency declarations to execute unreviewed and...

7.7CVSS6AI score0.0012EPSS
Exploits0References3
euvd
euvd
added 2026/06/26 12:32 a.m.5 views

EUVD-2021-34853

Parse Server before 4.10.0 was affected by a supply chain incident in which incorrect version tags were pushed to the official repository pointing to an unreviewed personal fork of a contributor with write access. No releases were published with these tags; a project was exposed only if it define...

7.7CVSS5.9AI score0.0012EPSS
Exploits0References3
Rows per page
Query Builder