CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSV•added 2026/03/11 3:49 p.m.•2 views

BIT-PARSE-2026-30854 Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.3.1 to before version 9.5.0, when graphQLPublicIntrospection is disabled, type queries nested inside inline fragments e.g. ... on Query typename:"User" name bypass the...

6.9CVSS5.7AI score0.00019EPSS

OSV•added 2026/03/11 3:48 p.m.•2 views

BIT-PARSE-2026-30850 Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0, the file metadata endpoint GET /files/:appId/metadata/:filename does not enforce beforeFind / afterFind file triggers. When these triggers are used as...

6.3CVSS5.7AI score0.00021EPSS

OSV•added 2026/03/11 3:48 p.m.•3 views

BIT-PARSE-2026-30848 Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0, the PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured pagesPa...

6.3CVSS5.7AI score0.00022EPSS

OSV•added 2026/03/11 3:48 p.m.•3 views

BIT-PARSE-2026-30835 Parse Server: Malformed `$regex` query leaks database error details in API response

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.7 and 9.5.0, malformed $regex query parameter e.g. abc causes the database to return a structured error object that is passed unsanitized through the API response. This...

6.9CVSS5.8AI score0.00014EPSS

OSV•added 2026/03/11 3:48 p.m.•4 views

BIT-PARSE-2026-30229 Parse Server: Endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.6 and 9.5.0, the readOnlyMasterKey can call POST /loginAs to obtain a valid session token for any user. This allows a read-only credential to impersonate arbitrary users...

8.5CVSS5.9AI score0.00024EPSS

OSV•added 2026/03/11 3:48 p.m.•0 views

BIT-PARSE-2026-30228 Parse Server: File creation and deletion bypasses `readOnlyMasterKey` write restriction

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.5 and 9.5.0, the readOnlyMasterKey can be used to create and delete files via the Files API POST /files/:filename, DELETE /files/:filename. This bypasses the read-only...

6.9CVSS5.8AI score0.00015EPSS

OSV•added 2026/03/11 3:48 p.m.•2 views

BIT-PARSE-2026-29182 Parse Server: Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.4 and 9.4.1, Parse Server's readOnlyMasterKey option allows access with master-level read privileges but is documented to deny all write operations. However, some endpoint...

8.6CVSS5.7AI score0.00023EPSS

RedHat Linux•added 2026/03/11 7:39 a.m.•1 views

golang: net/url: Memory exhaustion in query parameter parsing in net/url

A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted...

RedhatCVE•added 2026/03/11 7:8 a.m.•0 views

CVE-2026-30925

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.0-alpha.14 and 8.6.11, a malicious client can subscribe to a LiveQuery with a crafted $regex pattern that causes catastrophic backtracking, blocking the Node.js event loop. This...

8.2CVSS5.8AI score0.00021EPSS

Exploits0References1

RedHat Linux•added 2026/03/11 6:5 a.m.•3 views

golang: net/url: Memory exhaustion in query parameter parsing in net/url

RedHat Linux•added 2026/03/11 5:17 a.m.•1 views

golang: net/url: Memory exhaustion in query parameter parsing in net/url

RedHat Linux•added 2026/03/11 5:9 a.m.•3 views

golang: net/url: Memory exhaustion in query parameter parsing in net/url

vulnersOsv•added 2026/03/11 12:36 a.m.•2 views

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +27 more potentially affected by CVE-2026-31901 via parse-server (>=2.0.8 <=7.5.4)

parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2026-31901 Source advisory: OSV:GHSA-W54V-HF9P-8856...

6.3CVSS5.8AI score0.00044EPSS

Exploits0

vulnersOsv•added 2026/03/11 12:36 a.m.•5 views

@openinc/parse-server-opendash (>=4.0.0 <=4.0.4) potentially affected by CVE-2026-31901 via parse-server (>=9.6.0-alpha.37 <=9.6.0-alpha.43)

parse-server NPM version =9.6.0-alpha.37, =4.0.0, =4.0.4 Source cves: CVE-2026-31901 Source advisory: SNYK:JS-PARSESERVER-15468746...

6.3CVSS5.8AI score0.00044EPSS

Exploits0

Snyk•added 2026/03/11 12:36 a.m.•1 views

Information Exposure

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Information Exposure in the /verificationEmailRequest endpoint. An attacker can determine whether specific email addresses a...

6.3CVSS5.8AI score0.00044EPSS