CVE-2026-34573 Parse Server: GraphQL complexity validator exponential fragment traversal DoS

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads...

CVE-2026-34573 Parse Server: GraphQL complexity validator exponential fragment traversal DoS

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads...

CVE-2026-34573

Parse Server exposes a denial-of-service when the GraphQL query complexity validator is enabled (requestComplexity.graphQLDepth or requestComplexity.graphQLFields). In versions prior to 8.6.68 and 9.7.0-alpha.12, a crafted query using binary fan-out fragment spreads can block the Node.js event lo...

CVE-2026-34573

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads...

CVE-2026-34373

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0-alpha.10, the GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This...

CVE-2026-34373 Parse Server: GraphQL API endpoint ignores CORS origin restriction

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0-alpha.10, the GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This...

CVE-2026-34373

The connected GitHub advisory GHSA-q3P6-G7C4-829C describes a CORS misconfiguration in the Parse Server GraphQL API endpoint: it ignores allowOrigin restrictions and allows cross-origin requests from any site, while the REST API correctly enforces them. Patches align the GraphQL endpoint with the...

Parse Server 安全漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. There were security vulnerabilities in versions of Parse Server prior to 8.6.68 and 9.7.0-alpha.12. These vulnerabilities stemmed from the GraphQL query complexity...

Parse Server 访问控制错误漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that supports Node.js. Versions of Parse Server prior to 8.6.66 and 9.7.0-alpha.10 contain an access control vulnerability. This vulnerability stems from the GraphQL API endpoints not...

PT-2026-29277

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.68 Parse Server versions prior to 9.7.0-alpha.12 Description Parse Server, an open-source backend deployable on Node.js infrastructures, is susceptible to a denial-of-service condition. A crafted GraphQL quer...

Origin Validation Error

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Origin Validation Error via the GraphQL API endpoint ignoring the configured CORS allowOrigin restriction. An attacker can...

GraphQL API endpoint ignores CORS origin restriction

Impact The GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This bypasses origin restrictions that operators configure to control which websites can interact with the Parse Server API. The REST API correctly...

GHSA-Q3P6-G7C4-829C GraphQL API endpoint ignores CORS origin restriction

Impact The GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This bypasses origin restrictions that operators configure to control which websites can interact with the Parse Server API. The REST API correctly...

@tinacms/app (>=0.0.0-0a1049d-20260309051347 <=2.4.0), @tinacms/cli (>=0.0.0-0a1049d-20260309051347 <=2.2.0) +4 more potentially affected by CVE-2026-33949 via @tinacms/graphql (>=2.0.0 <=2.2.1)

@tinacms/graphql NPM version =2.0.0, =0.0.0-0a1049d-20260309051347, =0.0.0-0a1049d-20260309051347, =2.0.0, =0.0.0-0b7103c-20251216023146, =0.0.0-0a1049d-20260309051347, =0.0.0-0a1049d-20260309051347, =3.7.0 Source cves: CVE-2026-33949 Source advisory: SNYK:JS-TINACMSGRAPHQL-15855320...

GHSA-V9P7-GF3Q-H779 @tinacms/graphql has Path Traversal that leads to overwrite of arbitrary files

Summary A Path Traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. The impact includes the ability to replace critical server...

@tinacms/graphql has Path Traversal that leads to overwrite of arbitrary files

Summary A Path Traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. The impact includes the ability to replace critical server...

Directory Traversal

Overview @tinacms/graphql is a GraphQL database generating component for Tina, the headless content management system with support for Markdown, MDX, JSON, YAML, and more. Affected versions of this package are vulnerable to Directory Traversal due to improper validation of backslashes on...

PT-2026-29157

Name of the Vulnerable Software and Affected Versions Tina versions prior to 2.2.2 Description A path traversal vulnerability exists in @tinacms/graphql, allowing unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePat...

PT-2026-29167

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.66 Parse Server versions prior to 9.7.0-alpha.10 Description Parse Server, an open source backend deployable on Node.js infrastructures, has an issue where the GraphQL API endpoint does not enforce the...

BIT-GITLAB-2026-3988 Inefficient Algorithmic Complexity in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.5 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to cause a denial of service by making the GitLab instance unresponsive due to improper input validation in...