3112 matches found
CVE-2026-30946 Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior 9.5.2-alpha.2 and 8.6.15, an unauthenticated attacker can exhaust Parse Server resources CPU, memory, database connections through crafted queries that exploit the lack of complexity limi...
CVE-2026-30946
Parse Server is affected by a denial-of-service due to unbounded query complexity in REST and GraphQL APIs. Unauthenticated attackers can exhaust resources (CPU, memory, database connections) via crafted queries, affecting all deployments using REST/GraphQL prior to 9.5.2-alpha.2 and 8.6.15. The ...
CVE-2026-30946
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior 9.5.2-alpha.2 and 8.6.15, an unauthenticated attacker can exhaust Parse Server resources CPU, memory, database connections through crafted queries that exploit the lack of complexity limi...
CVE-2026-30946 Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior 9.5.2-alpha.2 and 8.6.15, an unauthenticated attacker can exhaust Parse Server resources CPU, memory, database connections through crafted queries that exploit the lack of complexity limi...
Parse Server 安全漏洞
Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that supports Node.js. Versions of Parse Server prior to 9.5.2-alpha.2 and 8.6.15 contain security vulnerabilities. These vulnerabilities stem from the lack of complexity restrictions ...
EUVD-2026-10171
Parse Server: GraphQL type introspection bypass via inline fragments when public introspection is disabled...
GHSA-Q5Q9-2RHP-33QW Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled
Impact When graphQLPublicIntrospection is disabled, type queries nested inside inline fragments e.g. ... on Query typename:"User" name bypass the introspection control, allowing unauthenticated users to perform type reconnaissance. schema introspection is not affected. Patches The check was chang...
CVE-2026-30854
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.3.1-alpha.3 to before version 9.5.0-alpha.10, when graphQLPublicIntrospection is disabled, type queries nested inside inline fragments e.g. ... on Query typename:"User" name bypa...
Plasma
Plasma !Pythonhttps://img.shields.io/badge/python-3.10%2B-...
CVE-2026-30241
Mercurius is a GraphQL adapter for Fastify. Prior to version 16.8.0, Mercurius fails to enforce the configured queryDepth limit on GraphQL subscription queries received over WebSocket connections. The depth check is correctly applied to HTTP queries and mutations, but subscription queries are...
Incorrect Authorization
Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Incorrect Authorization via the type query nested inside inline fragments when public introspection is disabled. An attacker...
CVE-2026-30854
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.3.1-alpha.3 to before version 9.5.0-alpha.10, when graphQLPublicIntrospection is disabled, type queries nested inside inline fragments e.g. ... on Query typename:"User" name bypa...
CVE-2026-30854
Parse Server vulnerability CVE-2026-30854 affects versions 9.3.1-alpha.3 through before 9.5.0-alpha.10 when graphQLPublicIntrospection is disabled. Nested __type queries inside inline fragments (for example ... on Query { __type(name: "User") { name } }) can bypass introspection controls, enablin...
CVE-2026-30854 Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.3.1-alpha.3 to before version 9.5.0-alpha.10, when graphQLPublicIntrospection is disabled, type queries nested inside inline fragments e.g. ... on Query typename:"User" name bypa...
CVE-2026-30854 Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.3.1-alpha.3 to before version 9.5.0-alpha.10, when graphQLPublicIntrospection is disabled, type queries nested inside inline fragments e.g. ... on Query typename:"User" name bypa...
CVE-2026-30854 Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.3.1-alpha.3 to before version 9.5.0-alpha.10, when graphQLPublicIntrospection is disabled, type queries nested inside inline fragments e.g. ... on Query typename:"User" name bypa...
PT-2026-23874
Name of the Vulnerable Software and Affected Versions Parse Server versions 9.3.1-alpha.3 through 9.5.0-alpha.10 Description Parse Server, an open source backend deployable on Node.js infrastructures, contains an issue where disabling graphQLPublicIntrospection does not fully prevent...
CVE-2026-30241
Mercurius is a GraphQL adapter for Fastify. Prior to version 16.8.0, Mercurius fails to enforce the configured queryDepth limit on GraphQL subscription queries received over WebSocket connections. The depth check is correctly applied to HTTP queries and mutations, but subscription queries are...
CVE-2026-30241 Mercurius: queryDepth limit bypassed for WebSocket subscriptions
Mercurius is a GraphQL adapter for Fastify. Prior to version 16.8.0, Mercurius fails to enforce the configured queryDepth limit on GraphQL subscription queries received over WebSocket connections. The depth check is correctly applied to HTTP queries and mutations, but subscription queries are...
CVE-2025-64166
Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery CSRF vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as...