43 matches found
CVE-2026-34363 Parse Server: LiveQuery protected field leak via shared mutable state across concurrent subscribers
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.65 and 9.7.0-alpha.9, when multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects...
CVE-2026-34363 Parse Server: LiveQuery protected field leak via shared mutable state across concurrent subscribers
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.65 and 9.7.0-alpha.9, when multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects...
CVE-2026-30938
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.12 and 9.5.1-alpha.1, the requestKeywordDenylist security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is...
CVE-2026-33042
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.29 and 8.6.49, a user can sign up without providing credentials by sending an empty authData object, bypassing the username and password requirement. This allows the creati...
BIT-PARSE-2026-33042 Parse Server affected by empty authData bypassing credential requirement on signup
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0 and 8.6.49, a user can sign up without providing credentials by sending an empty authData object, bypassing the username and password requirement. This allows the creation of...
CVE-2026-33042
Parse Server (Node.js) is affected prior to versions 9.6.0-alpha.29 and 8.6.49 where a signup can be performed without credentials by submitting an empty authData object, bypassing the username/password requirement. The root cause is that empty or non-actionable authData is treated as present for...
CVE-2026-33042
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.29 and 8.6.49, a user can sign up without providing credentials by sending an empty authData object, bypassing the username and password requirement. This allows the creati...
GHSA-WJQW-R9X4-J59V Parse Server affected by empty authData bypassing credential requirement on signup
Impact A user can sign up without providing credentials by sending an empty authData object, bypassing the username and password requirement. This allows the creation of authenticated sessions without proper credentials, even when anonymous users are disabled. Patches The fix ensures that empty o...
CVE-2026-31862
Cloud CLI aka Claude Code UI is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Prior to 1.24.0, multiple Git-related API endpoints use execAsync with string interpolation of user-controlled parameters file, branch, message, commit, allowing authenticated attackers to...
CVE-2026-30938
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.12 and 9.5.1-alpha.1, the requestKeywordDenylist security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is...
GHSA-Q342-9W2P-57FP Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement
Impact The requestKeywordDenylist security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is caused by a logic bug that stops scanning sibling keys after encountering the first nested value. Any custom requestKeywordDenylist...
EUVD-2022-7465
Malicious code in bioql PyPI...
EUVD-2022-7291
Malicious code in bioql PyPI...
CVE-2022-41879
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.3 or 4.10.20, a compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server...
CVE-2022-41878
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.2 or 4.10.19, keywords that are specified in the Parse Server option requestKeywordDenylist can be injected via Cloud Code Webhooks or Triggers. This will result in the...
GHSA-8XQ9-G7CH-35HG Parse Server's custom object ID allows to acquire role privileges
Impact If the Parse Server option allowCustomObjectId: true is set, an attacker that is allowed to create a new user can set a custom object ID for that new user that exploits the vulnerability and acquires privileges of a specific role. Patches Improved validation for custom user object IDs...
Parse Server's custom object ID allows to acquire role privileges
Impact If the Parse Server option allowCustomObjectId: true is set, an attacker that is allowed to create a new user can set a custom object ID for that new user that exploits the vulnerability and acquires privileges of a specific role. Patches Improved validation for custom user object IDs...
PT-2024-32465 · Unknown · Parse Server
Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 6.5.9 Parse Server versions prior to 7.3.0 Description: The issue arises when the Parse Server option allowCustomObjectId: true is set, allowing an attacker to create a new user with a custom object ID that...
BIT-PARSE-2022-41878 Parse Server Prototype pollution and Injection via Cloud Code Webhooks or Cloud Code Triggers
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.2 or 4.10.19, keywords that are specified in the Parse Server option requestKeywordDenylist can be injected via Cloud Code Webhooks or Triggers. This will result in the...
Information disclosure
Parse Server is an open source backend server. In affected versions the Parse Cloud trigger beforeFind is not invoked in certain conditions of Parse.Query. This can pose a vulnerability for deployments where the beforeFind trigger is used as a security layer to modify the incoming query. The...