GHSA-VGJH-HMWF-C588 Parse Server has a NoSQL injection via token type in password reset and email verification endpoints

Impact A NoSQL injection vulnerability allows an unauthenticated attacker to inject MongoDB query operators via the token field in the password reset and email verification resend endpoints. The token value is passed to database queries without type validation and can be used to extract password...

Improper Neutralization of Special Elements in Data Query Logic

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Data Query Logic via the token field in the password reset and email...

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +27 more potentially affected by CVE-2026-30941 via parse-server (>=2.0.8 <=7.5.4)

parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2026-30941 Source advisory: OSV:GHSA-VGJH-HMWF-C588...

EUVD-2026-10552

Parse Server has a NoSQL injection via token type in password reset and email verification endpoints...

Parse Server 安全漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that supports Node.js. There were security vulnerabilities in versions of Parse Server prior to 9.6.0-alpha.7 and 8.6.33. These vulnerabilities stemmed from the reuse of multi-factor...

Parse Server 安全漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that supports Node.js. There were security vulnerabilities in versions of Parse Server prior to 8.6.34 and 9.6.0-alpha.8. These vulnerabilities stemmed from email verification endpoint...

devalue 安全漏洞

devalue is an enhanced JavaScript object serialization library developed by Svelte. Versions of devalue 5.6.3 and earlier contained a security vulnerability. This vulnerability stemmed from the susceptibility of devalue.parse and devalue.unflatten to prototype pollution attacks involving speciall...

PT-2026-24760

Impact A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation e.g., stats.counter. The sub-key name is interpolated directly into SQL string literals without escaping. An attacker who can send write...

PT-2026-24825

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.10 and 8.6.36, an attacker with access to the master key can inject malicious SQL via crafted field names used in query constraints when Parse Server is configured with...

PT-2026-24758

Impact An attacker can upload a file with a file extension or content type that is not blocked by the default configuration of the Parse Server fileUpload.fileExtensions option. The file can contain malicious code, for example JavaScript in an SVG or XHTML file. When the file is accessed via its...

Parse Server SQL注入漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that supports Node.js. Versions of Parse Server prior to 9.6.0-alpha.3 and 8.6.29 have a SQL injection vulnerability. This vulnerability stems from the improper handling of the Increme...

PT-2026-24802

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.34 and 9.6.0-alpha.8, the email verification endpoint /verificationEmailRequest returns distinct error responses depending on whether an email address belongs to an existing user, ...

Parse Server SQL注入漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that supports Node.js. Versions of Parse Server prior to 9.6.0-alpha.5 and 8.6.31 have a SQL injection vulnerability. This vulnerability stems from the improper handling of subkey name...

PT-2026-24750

Impact A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation e.g., stats.counter. The amount value is interpolated directly into the SQL query without parameterization or type validation. An attacker...

Parse Server 信息泄露漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. Versions of Parse Server prior to 9.6.0-alpha.9 and 8.6.35 contained a vulnerability related to information leakage. This vulnerability stemmed from the ability of...

Parse Server 访问控制错误漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that supports Node.js. Versions of Parse Server prior to 9.6.0-alpha.6 and 8.6.32 contain an access control vulnerability. This vulnerability stems from the ability for class-level...

PT-2026-24817

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.9 and 8.6.35, an attacker can exploit LiveQuery subscriptions to infer the values of protected fields without directly receiving them. By subscribing with a WHERE clause th...

PT-2026-24689

Impact The protectedFields class-level permission CLP can be bypassed using dot-notation in query WHERE clauses and sort parameters. An attacker can use dot-notation to query or sort by sub-fields of a protected field, enabling a binary oracle attack to enumerate protected field values. This...

Parse Server SQL注入漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. Versions of Parse Server prior to 9.6.0-alpha.10 and 8.6.36 contain a SQL injection vulnerability. This vulnerability arises when PostgreSQL database is used in...

Parse Server 跨站脚本漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. Versions of Parse Server prior to 9.6.0-alpha.4 and 8.6.30 contained a cross-site scripting vulnerability. This vulnerability stemmed from the ability to upload file...