CVE-2026-30848

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0-alpha.8, the PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured...

CVE-2026-30863

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.10 and 9.5.0-alpha.11, the Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter's audience configuration...

golang: net/url: Memory exhaustion in query parameter parsing in net/url

A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted...

golang: net/url: Memory exhaustion in query parameter parsing in net/url

A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted...

PT-2026-24151

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 9.5.0-alpha.14 Parse Server versions prior to 8.6.11 Description A crafted $regex pattern within a LiveQuery subscription can cause catastrophic backtracking, blocking the Node.js event loop and rendering the...

CVE-2026-30835

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.7 and 9.5.0-alpha.6, malformed $regex query parameter e.g. abc causes the database to return a structured error object that is passed unsanitized through the API response...

CVE-2026-30228

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.5 and 9.5.0-alpha.3, the readOnlyMasterKey can be used to create and delete files via the Files API POST /files/:filename, DELETE /files/:filename. This bypasses the...

CVE-2026-30229

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.6 and 9.5.0-alpha.4, the readOnlyMasterKey can call POST /loginAs to obtain a valid session token for any user. This allows a read-only credential to impersonate arbitrary...

CVE-2026-29182

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.4 and 9.4.1-alpha.3, Parse Server's readOnlyMasterKey option allows access with master-level read privileges but is documented to deny all write operations. However, some...

@openinc/parse-server-opendash (>=3.0.0 <=3.30.0), @servable/parse-server-engine (>=1.6.0 <=1.17.0) +5 more potentially affected by CVE-2026-30850 via parse-server (=8.6.76)

parse-server NPM version =8.6.76 is affected by a known vulnerability. The following packages have a transitive dependency on parse-server and may be impacted: - @openinc/parse-server-opendash =3.0.0, =1.6.0, =1.0.0, =1.0.3, =2.0.0, =2.0.0, =0.0.1, =0.1.0 Source cves: CVE-2026-30850 Source...

Missing Authorization

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Missing Authorization in the GET /files/:appId/metadata/:filename endpoint due to the lack of enforcement of beforeFind and...

Improper Verification of Cryptographic Signature

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the authentication process when the audience configuration option is not...

Directory Traversal

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Directory Traversal via the PagesRouter static file. An attacker can read arbitrary files outside the intended directory by...

@openinc/parse-server-opendash (>=3.0.0 <=3.30.0), @servable/parse-server-engine (>=1.6.0 <=1.17.0) +5 more potentially affected by CVE-2026-30848 via parse-server (=8.6.76)

parse-server NPM version =8.6.76 is affected by a known vulnerability. The following packages have a transitive dependency on parse-server and may be impacted: - @openinc/parse-server-opendash =3.0.0, =1.6.0, =1.0.0, =1.0.3, =2.0.0, =2.0.0, =0.0.1, =0.1.0 Source cves: CVE-2026-30848 Source...

Incorrect Authorization

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Incorrect Authorization via the type query nested inside inline fragments when public introspection is disabled. An attacker...

CVE-2026-30863

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.10 and 9.5.0-alpha.11, the Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter's audience configuration...

CVE-2026-30850

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint GET /files/:appId/metadata/:filename does not enforce beforeFind / afterFind file triggers. When these triggers are used as...

CVE-2026-30848

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0-alpha.8, the PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured...

CVE-2026-30854

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.3.1-alpha.3 to before version 9.5.0-alpha.10, when graphQLPublicIntrospection is disabled, type queries nested inside inline fragments e.g. ... on Query typename:"User" name bypa...

CVE-2026-30854

Parse Server vulnerability CVE-2026-30854 affects versions 9.3.1-alpha.3 through before 9.5.0-alpha.10 when graphQLPublicIntrospection is disabled. Nested __type queries inside inline fragments (for example ... on Query { __type(name: "User") { name } }) can bypass introspection controls, enablin...