CVE-2026-32594 Parse Server GraphQL WebSocket endpoint bypasses security middleware

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.40 and 9.6.0-alpha.14, the GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection...

flatted vulnerable to unbounded recursion DoS in parse() revive phase

Summary flatted's parse function uses a recursive revive phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. Impact...

GHSA-25H7-PFQ9-P65F flatted vulnerable to unbounded recursion DoS in parse() revive phase

Summary flatted's parse function uses a recursive revive phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. Impact...

CVE-2026-28356

A flaw was found in multipart. The parseoptionsheader function in multipart.py uses a regular expression with an ambiguous alternation, causing an exponential backtracking ReDoS when parsing a specially crafted HTTP or multipart segment headers. A web application parsing request headers or...

SUSE CVE-2026-28356

multipart is a fast multipart/form-data parser for python. Prior to 1.2.2, 1.3.1 and 1.4.0-dev, the parseoptionsheader function in multipart.py uses a regular expression with an ambiguous alternation, which can cause exponential backtracking ReDoS when parsing maliciously crafted HTTP or multipar...

BIT-PARSE-2026-32234 Parse Server has a SQL injection via query field name when using PostgreSQL

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0 and 8.6.36, an attacker with access to the master key can inject malicious SQL via crafted field names used in query constraints when Parse Server is configured with PostgreSQL a...

BIT-PARSE-2026-32098 Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0 and 8.6.35, an attacker can exploit LiveQuery subscriptions to infer the values of protected fields without directly receiving them. By subscribing with a WHERE clause that...

BIT-PARSE-2026-31901 Parse Server has user enumeration via email verification endpoint

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.34 and 9.6.0, the email verification endpoint /verificationEmailRequest returns distinct error responses depending on whether an email address belongs to an existing user, is alrea...

BIT-PARSE-2026-31875 Parse Server MFA recovery codes not consumed after use

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0 and 8.6.33, when multi-factor authentication MFA via TOTP is enabled for a user account, Parse Server generates two single-use recovery codes. These codes are intended as a...

BIT-PARSE-2026-31872 Parse Server has a protected fields bypass via dot-notation in query and sort

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0 and 8.6.32, the protectedFields class-level permission CLP can be bypassed using dot-notation in query WHERE clauses and sort parameters. An attacker can use dot-notation to quer...

BIT-PARSE-2026-31871 Parse Server has a SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0 and 8.6.31, a SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation e.g.,...

BIT-PARSE-2026-31868 Parse Server has Stored XSS via file upload of HTML-renderable file types

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0 and 8.6.30, an attacker can upload a file with a file extension or content type that is not blocked by the default configuration of the Parse Server fileUpload.fileExtensions...

BIT-PARSE-2026-31840 Parse Server has a SQL injection via dot-notation field name in PostgreSQL

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0 and 8.6.28, an attacker can use a dot-notation field name in combination with the sort query parameter to inject SQL into the PostgreSQL database through an improper escaping of...

SUSE CVE-2026-30226

Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. In devalue v5.6.3 and earlier, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could...

PT-2026-25374

Impact Any Parse Server deployment that uses the GraphQL API is affected. The GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection control, and query complexity limits. An attacker can connect to the...

Function Call With Incorrect Order of Arguments

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Function Call With Incorrect Order of Arguments in the OAuth2 authentication adapter when both appidField and appIds are...

Uncontrolled Recursion

Overview Affected versions of this package are vulnerable to Uncontrolled Recursion via the parse function due to using a recursive revive phase to resolve circular references in deserialized JSON. An attacker can cause a stack overflow and crash the process by supplying a crafted payload with...

CVE-2026-32269

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.13 and 8.6.39, the OAuth2 authentication adapter does not correctly validate app IDs when appidField and appIds are configured. During app ID validation, a malformed value ...

CVE-2026-32248

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.12 and 8.6.38, an unauthenticated attacker can take over any user account that was created with an authentication provider that does not validate the format of the user...

[SECURITY] [DSA 6161-1] multipart security update

------------------------------------------------------------------------- Debian Security Advisory DSA-6161-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff March 12, 2026 https://www.debian.org/security/faq -...