@openinc/parse-server-opendash (>=4.0.0 <=4.0.4) potentially affected by CVE-2026-31871 via parse-server (>=9.6.0-alpha.37 <=9.6.0-alpha.43)

parse-server NPM version =9.6.0-alpha.37, =4.0.0, =4.0.4 Source cves: CVE-2026-31871 Source advisory: OSV:GHSA-GQPP-XGVH-9H7H...

EUVD-2026-11277

Parse Server vulnerable to SQL Injection via dot-notation sub-key name in Increment operation on PostgreSQL...

@openinc/parse-server-opendash (>=4.0.0 <=4.0.3) potentially affected by CVE-2026-31868 via parse-server (=9.6.0-alpha.37)

parse-server NPM version =9.6.0-alpha.37 is affected by a known vulnerability. The following packages have a transitive dependency on parse-server and may be impacted: - @openinc/parse-server-opendash =4.0.0, =4.0.3 Source cves: CVE-2026-31868 Source advisory: SNYK:JS-PARSESERVER-15468614...

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +27 more potentially affected by CVE-2026-31868 via parse-server (>=2.0.8 <=7.5.4)

parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2026-31868 Source advisory: OSV:GHSA-V5HF-F4C3-M5RV...

GHSA-V5HF-F4C3-M5RV Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types

Impact An attacker can upload a file with a file extension or content type that is not blocked by the default configuration of the Parse Server fileUpload.fileExtensions option. The file can contain malicious code, for example JavaScript in an SVG or XHTML file. When the file is accessed via its...

Cross-site Scripting (XSS)

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the file upload. An attacker can execute arbitrary scripts in the context of the application...

@openinc/parse-server-opendash (>=4.0.0 <=4.0.3) potentially affected by CVE-2026-31868 via parse-server (=9.6.0-alpha.37)

parse-server NPM version =9.6.0-alpha.37 is affected by a known vulnerability. The following packages have a transitive dependency on parse-server and may be impacted: - @openinc/parse-server-opendash =4.0.0, =4.0.3 Source cves: CVE-2026-31868 Source advisory: OSV:GHSA-V5HF-F4C3-M5RV...

Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types

Impact An attacker can upload a file with a file extension or content type that is not blocked by the default configuration of the Parse Server fileUpload.fileExtensions option. The file can contain malicious code, for example JavaScript in an SVG or XHTML file. When the file is accessed via its...

EUVD-2026-11273

Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types...

Hono vulnerable to Prototype Pollution possible through __proto__ key allowed in parseBody({ dot: true })

Summary When using parseBody dot: true in HonoRequest, specially crafted form field names such as proto.x could create objects containing a proto property. If the parsed result is later merged into regular JavaScript objects using unsafe merge patterns, this may lead to prototype pollution in the...

Prototype Pollution

Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Prototype Pollution in parseBody, when the dot option is enabled. An attacker can supply objects with proto properties, which may later be merged by other functions in the application,...

GHSA-V8W9-8MX6-G223 Hono vulnerable to Prototype Pollution possible through __proto__ key allowed in parseBody({ dot: true })

Summary When using parseBody dot: true in HonoRequest, specially crafted form field names such as proto.x could create objects containing a proto property. If the parsed result is later merged into regular JavaScript objects using unsafe merge patterns, this may lead to prototype pollution in the...

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +27 more potentially affected by CVE-2026-31856 via parse-server (>=2.0.8 <=7.5.4)

parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2026-31856 Source advisory: OSV:GHSA-Q3VJ-96H2-GWVG...

Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL

Impact A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation e.g., stats.counter. The amount value is interpolated directly into the SQL query without parameterization or type validation. An attacker...

EUVD-2026-11255

Parse Server vulnerable to SQL injection via Increment operation on nested object field in PostgreSQL...

SQL Injection

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to SQL Injection in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot...

GHSA-Q3VJ-96H2-GWVG Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL

Impact A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation e.g., stats.counter. The amount value is interpolated directly into the SQL query without parameterization or type validation. An attacker...

EUVD-2026-10929

Parse Server vulnerable to LDAP injection via unsanitized user input in DN and group filter construction...

Parse Server vulnerable to LDAP injection via unsanitized user input in DN and group filter construction

Impact The LDAP authentication adapter is vulnerable to LDAP injection. User-supplied input authData.id is interpolated directly into LDAP Distinguished Names DN and group search filters without escaping special characters. This allows an attacker with valid LDAP credentials to manipulate the bin...

LDAP Injection

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to LDAP Injection via unsanitized input in the authData.id parameter during the construction of LDAP Distinguished Names and...