PT-2026-23874

Name of the Vulnerable Software and Affected Versions Parse Server versions 9.3.1-alpha.3 through 9.5.0-alpha.10 Description Parse Server, an open source backend deployable on Node.js infrastructures, contains an issue where disabling graphQLPublicIntrospection does not fully prevent...

PT-2026-23873

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.9 Parse Server versions prior to 9.5.0-alpha.9 Description Parse Server, an open source backend deployable on Node.js infrastructures, has an issue where the file metadata endpoint does not enforce beforeFind...

Parse Server 安全漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. There were security vulnerabilities in versions of Parse Server prior to 8.6.9 and 9.5.0-alpha.9. These vulnerabilities stemmed from a flaw in the file metadata...

Parse Server 授权问题漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that supports Node.js. There were authorization-related vulnerabilities in versions of Parse Server prior to 8.6.10 and 9.5.0-alpha.11. These vulnerabilities stemmed from the...

PT-2026-23857

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.10 Parse Server versions prior to 9.5.0-alpha.11 Description Parse Server is an open source backend deployable on Node.js infrastructures. The Google, Apple, and Facebook authentication adapters utilize JWT...

Parse Server 安全漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that supports Node.js. There were security vulnerabilities in versions of Parse Server from 9.3.1-alpha.3 to 9.5.0-alpha.10. These vulnerabilities stemmed from a bypass of interception...

SUSE SLES16 Security Update : go1.24-openssl (SUSE-SU-2026:20629-1)

The remote SUSE Linux SLES16 / SLESSAP16 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:20629-1 advisory. - Update to version 1.24.13 jscSLE-18320 - CVE-2025-58189: crypto/tls: ALPN negotiation error contains attacker controlled...

PT-2026-23872

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.8 Parse Server versions prior to 9.5.0-alpha.8 Description Parse Server, an open source backend deployable on Node.js infrastructures, contains a path traversal flaw in the PagesRouter static file serving...

Header Injection

Overview Affected versions of this package are vulnerable to Header Injection in the parseCaddyfile function. An attacker can inject arbitrary values into trusted identity headers by supplying crafted HTTP headers when authenticated with a valid token, leading to unauthorized privilege escalation...

Header Injection

Overview Affected versions of this package are vulnerable to Header Injection in the parseCaddyfile function. An attacker can inject arbitrary values into trusted identity headers by supplying crafted HTTP headers when authenticated with a valid token, leading to unauthorized privilege escalation...

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +27 more potentially affected by CVE-2026-30835 via parse-server (>=2.0.8 <=7.5.4)

parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2026-30835 Source advisory: OSV:GHSA-9CP7-3Q5W-J92G...

EUVD-2026-10061

parse-server: Malformed $regex query leaks database error details in API response...

Information Exposure

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Information Exposure in the query execution layer. An attacker can obtain internal database error details, including error...

parse-server: Malformed `$regex` query leaks database error details in API response

Impact A malformed $regex query parameter e.g. abc causes the database to return a structured error object that is passed unsanitized through the API response. This leaks database internals such as error messages, error codes, code names, cluster timestamps, and topology details. The vulnerabilit...

GHSA-9CP7-3Q5W-J92G parse-server: Malformed `$regex` query leaks database error details in API response

Impact A malformed $regex query parameter e.g. abc causes the database to return a structured error object that is passed unsanitized through the API response. This leaks database internals such as error messages, error codes, code names, cluster timestamps, and topology details. The vulnerabilit...

UBUNTU-CVE-2026-25679

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs...

CVE-2026-25679

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs...

CVE-2026-25679

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs...

CVE-2026-30835

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.7 and 9.5.0-alpha.6, malformed $regex query parameter e.g. abc causes the database to return a structured error object that is passed unsanitized through the API response...

CVE-2026-30229

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.6 and 9.5.0-alpha.4, the readOnlyMasterKey can call POST /loginAs to obtain a valid session token for any user. This allows a read-only credential to impersonate arbitrary...