944 matches found
CVE-2026-31856 Parse Server has a SQL injection via `Increment` operation on nested object field in PostgreSQL
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation e.g., stats.counter. The amount value is...
CVE-2026-31856
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation e.g., stats.counter. The amount value is...
CVE-2026-31856 Parse Server has a SQL injection via `Increment` operation on nested object field in PostgreSQL
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation e.g., stats.counter. The amount value is...
CVE-2026-31840
CVE-2026-31840 affects Parse Server (Node.js backend) deployed with PostgreSQL. The issue is a SQL injection via dot-notation field names used with the sort, distinct, or where query parameters, due to improper escaping of sub-field values. Affected versions are prior to 9.6.0-alpha.2 and 8.6.28;...
CVE-2026-31840
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.2 and 8.6.28, an attacker can use a dot-notation field name in combination with the sort query parameter to inject SQL into the PostgreSQL database through an improper...
CVE-2026-31840 Parse Server has a SQL injection via dot-notation field name in PostgreSQL
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.2 and 8.6.28, an attacker can use a dot-notation field name in combination with the sort query parameter to inject SQL into the PostgreSQL database through an improper...
CVE-2026-31840 Parse Server has a SQL injection via dot-notation field name in PostgreSQL
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.2 and 8.6.28, an attacker can use a dot-notation field name in combination with the sort query parameter to inject SQL into the PostgreSQL database through an improper...
CVE-2026-31840 Parse Server has a SQL injection via dot-notation field name in PostgreSQL
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.2 and 8.6.28, an attacker can use a dot-notation field name in combination with the sort query parameter to inject SQL into the PostgreSQL database through an improper...
EUVD-2026-11279
Parse Server has a protected fields bypass via dot-notation in query and sort...
GHSA-R2M8-PXM9-9C4G Parse Server has a protected fields bypass via dot-notation in query and sort
Impact The protectedFields class-level permission CLP can be bypassed using dot-notation in query WHERE clauses and sort parameters. An attacker can use dot-notation to query or sort by sub-fields of a protected field, enabling a binary oracle attack to enumerate protected field values. This...
Parse Server has a protected fields bypass via dot-notation in query and sort
Impact The protectedFields class-level permission CLP can be bypassed using dot-notation in query WHERE clauses and sort parameters. An attacker can use dot-notation to query or sort by sub-fields of a protected field, enabling a binary oracle attack to enumerate protected field values. This...
Incorrect Authorization
Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Incorrect Authorization in the handling of protectedFields permissions when processing query WHERE clauses and sort paramete...
GHSA-GQPP-XGVH-9H7H Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL
Impact A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation e.g., stats.counter. The sub-key name is interpolated directly into SQL string literals without escaping. An attacker who can send write...
Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL
Impact A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation e.g., stats.counter. The sub-key name is interpolated directly into SQL string literals without escaping. An attacker who can send write...
SQL Injection
Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to SQL Injection in the Increment operation on PostgreSQL when handling nested object fields using dot notation. An attacker ca...
EUVD-2026-11277
Parse Server vulnerable to SQL Injection via dot-notation sub-key name in Increment operation on PostgreSQL...
GHSA-V8W9-8MX6-G223 Hono vulnerable to Prototype Pollution possible through __proto__ key allowed in parseBody({ dot: true })
Summary When using parseBody dot: true in HonoRequest, specially crafted form field names such as proto.x could create objects containing a proto property. If the parsed result is later merged into regular JavaScript objects using unsafe merge patterns, this may lead to prototype pollution in the...
Hono vulnerable to Prototype Pollution possible through __proto__ key allowed in parseBody({ dot: true })
Summary When using parseBody dot: true in HonoRequest, specially crafted form field names such as proto.x could create objects containing a proto property. If the parsed result is later merged into regular JavaScript objects using unsafe merge patterns, this may lead to prototype pollution in the...
EUVD-2026-10870
Sequelize v6 Vulnerable to SQL Injection via JSON Column Cast Type...
Parse Server 访问控制错误漏洞
Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that supports Node.js. Versions of Parse Server prior to 9.6.0-alpha.6 and 8.6.32 contain an access control vulnerability. This vulnerability stems from the ability for class-level...