GHSA-Q342-9W2P-57FP Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement

Impact The requestKeywordDenylist security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is caused by a logic bug that stops scanning sibling keys after encountering the first nested value. Any custom requestKeywordDenylist...

Improper Check for Unusual or Exceptional Conditions

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions via the Utils class. An attacker can bypass configured keyword...

Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement

Impact The requestKeywordDenylist security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is caused by a logic bug that stops scanning sibling keys after encountering the first nested value. Any custom requestKeywordDenylist...

EUVD-2026-10547

Parse Server has denylist requestKeywordDenylist keyword scan bypass through nested object placement...

EUVD-2026-10436

Parse Server has Regular Expression Denial of Service ReDoS via $regex query in LiveQuery...

EUVD-2026-10437

Parse Server has Regular Expression Denial of Service ReDoS via $regex query in LiveQuery...

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +27 more potentially affected by CVE-2026-30925 via parse-server (>=2.0.8 <=7.5.4)

parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2026-30925 Source advisory: OSV:GHSA-MF3J-86QX-CQ5J...

GHSA-MF3J-86QX-CQ5J Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery

Impact A malicious client can subscribe to a LiveQuery with a crafted $regex pattern that causes catastrophic backtracking, blocking the Node.js event loop. This makes the entire Parse Server unresponsive, affecting all clients. Any Parse Server deployment with LiveQuery enabled is affected. The...

Regular Expression Denial of Service (ReDoS)

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS in the handling of $regex in the LiveQuery component. An attacker can cause the...

Parse Server 安全漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that supports Node.js. There were security vulnerabilities in versions of Parse Server prior to 9.5.2-alpha.8 and 8.6.21. These vulnerabilities stemmed from improper handling of the...

PT-2026-24482

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 9.5.2-alpha.13 Parse Server versions prior to 8.6.26 Description Parse Server, an open source backend deployable on Node.js infrastructures, contains a flaw in its LDAP authentication adapter. The issue stems fro...

Parse Server 安全漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that supports Node.js. There were security vulnerabilities in versions of Parse Server prior to 8.6.13 and 9.5.1-alpha.2. These vulnerabilities stemmed from using prototype property...

Parse Server 注入漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that supports Node.js. Versions of Parse Server prior to 9.5.2-alpha.13 and 8.6.26 have a vulnerability related to injection attacks. This vulnerability stems from the improper handlin...

Parse Server 授权问题漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. Versions of Parse Server prior to 9.5.2-alpha.9 and 8.6.22 contain authorization vulnerabilities. This vulnerability stems from the OAuth2 authentication adapter not...

Parse Server 安全漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. There were security vulnerabilities in versions of Parse Server prior to 9.5.0-alpha.14 and 8.6.11. These vulnerabilities stemmed from malicious clients being able t...

PT-2026-24457

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 9.5.2-alpha.7 Parse Server versions prior to 8.6.20 Description Parse Server’s internal tables, which store Relation field mappings, can be directly accessed via the REST API or GraphQL API by any client using on...

PT-2026-24425

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 9.5.2-alpha.3 Parse Server versions prior to 8.6.16 Description Parse Server, an open-source backend deployable on Node.js infrastructures, is susceptible to a flaw where class-level permissions CLP are not...

PT-2026-24455

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 9.5.2-alpha.6 Parse Server versions prior to 8.6.19 Description Parse Server, an open source backend deployable on Node.js infrastructures, contains a flaw in its validation process for protected fields. The...

PT-2026-24227

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.14 Parse Server versions prior to 9.5.2-alpha.1 Description Parse Server, an open-source backend deployable on Node.js infrastructures, contains a NoSQL injection issue. An unauthenticated attacker can inject...

EulerOS 2.0 SP13 : libwebsockets (EulerOS-SA-2026-1251)

According to the versions of the libwebsockets package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : Stack-based Buffer Overflow in lwsadnsparselabel in warmcat libwebsockets allows, when the LWSWITHSYSASYNCDNS flag is enabled during...