CVE-2026-30941
Parse Server exposes a NoSQL injection in token handling for password reset and email verification endpoints on deployments using MongoDB. Prior to versions 8.6.14 and 9.5.2-alpha.1, the token field is passed to database queries without type validation, enabling unauthenticated attackers to injec...