@openinc/parse-server-opendash (>=4.0.0 <=4.0.10) potentially affected by CVE-2026-34595 via parse-server (>=9.6.0-alpha.37 <=9.6.1)

parse-server NPM version =9.6.0-alpha.37, =4.0.0, =4.0.10 Source cves: CVE-2026-34595 Source advisory: SNYK:JS-PARSESERVER-15864450...

@openinc/parse-server-opendash (>=4.0.0 <=4.0.10) potentially affected by CVE-2026-34574 via parse-server (>=9.6.0-alpha.37 <=9.6.1)

parse-server NPM version =9.6.0-alpha.37, =4.0.0, =4.0.10 Source cves: CVE-2026-34574 Source advisory: OSV:GHSA-F6J3-W9V3-CQ22...

EUVD-2026-17502

Parse Server has a session field immutability bypass via falsy-value guard...

Incorrect Comparison

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Incorrect Comparison via the session update process. An attacker can extend the validity of a session indefinitely by sendin...

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +27 more potentially affected by CVE-2026-34574 via parse-server (>=2.0.8 <=7.5.4)

parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2026-34574 Source advisory: OSV:GHSA-F6J3-W9V3-CQ22...

@openinc/parse-server-opendash (>=4.0.0 <=4.0.10) potentially affected by CVE-2026-34574 via parse-server (>=9.6.0-alpha.37 <=9.6.1)

parse-server NPM version =9.6.0-alpha.37, =4.0.0, =4.0.10 Source cves: CVE-2026-34574 Source advisory: SNYK:JS-PARSESERVER-15864482...

parse-server has GraphQL complexity validator exponential fragment traversal DoS

Impact The GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads. A single unauthenticated request can block the Node.js event loop for seconds, denying service to all concurrent users. This only affects...

Inefficient Algorithmic Complexity

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in the GraphQL query complexity validation process. An attacker can cause the Node.js eve...

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +27 more potentially affected by CVE-2026-34573 via parse-server (>=2.0.8 <=7.5.4)

parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2026-34573 Source advisory: OSV:GHSA-MFJ6-6P54-M98C...

@openinc/parse-server-opendash (>=4.0.0 <=4.0.10) potentially affected by CVE-2026-34573 via parse-server (>=9.6.0-alpha.37 <=9.6.1)

parse-server NPM version =9.6.0-alpha.37, =4.0.0, =4.0.10 Source cves: CVE-2026-34573 Source advisory: OSV:GHSA-MFJ6-6P54-M98C...

@openinc/parse-server-opendash (>=4.0.0 <=4.0.10) potentially affected by CVE-2026-34573 via parse-server (>=9.6.0-alpha.37 <=9.6.1)

parse-server NPM version =9.6.0-alpha.37, =4.0.0, =4.0.10 Source cves: CVE-2026-34573 Source advisory: SNYK:JS-PARSESERVER-15864422...

@openinc/parse-server-opendash (>=4.0.0 <=4.0.10) potentially affected by CVE-2026-34532 via parse-server (>=9.6.0-alpha.37 <=9.6.1)

parse-server NPM version =9.6.0-alpha.37, =4.0.0, =4.0.10 Source cves: CVE-2026-34532 Source advisory: SNYK:JS-PARSESERVER-15864382...

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +27 more potentially affected by CVE-2026-34532 via parse-server (>=2.0.8 <=7.5.4)

parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2026-34532 Source advisory: OSV:GHSA-VPJ2-QQ7W-5QQ6...

GHSA-VPJ2-QQ7W-5QQ6 parse-server has cloud function validator bypass via prototype chain traversal

Impact An attacker can bypass Cloud Function validator access controls by appending .prototype.constructor to the function name in the URL. When a Cloud Function handler is declared using the function keyword and its validator is a plain object or arrow function, the trigger store traversal...

@openinc/parse-server-opendash (>=4.0.0 <=4.0.10) potentially affected by CVE-2026-34532 via parse-server (>=9.6.0-alpha.37 <=9.6.1)

parse-server NPM version =9.6.0-alpha.37, =4.0.0, =4.0.10 Source cves: CVE-2026-34532 Source advisory: OSV:GHSA-VPJ2-QQ7W-5QQ6...

parse-server has cloud function validator bypass via prototype chain traversal

Impact An attacker can bypass Cloud Function validator access controls by appending .prototype.constructor to the function name in the URL. When a Cloud Function handler is declared using the function keyword and its validator is a plain object or arrow function, the trigger store traversal...

Incorrect Authorization

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Incorrect Authorization via the Cloud Function handler resolution process. An attacker can gain unauthorized access to...

Improper Authorization

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Improper Authorization via the afterFind process. An attacker can gain unauthorized access to protected files by sending HTT...

@openinc/parse-server-opendash (>=4.0.0 <=4.0.11) potentially affected by CVE-2026-34784 via parse-server (>=9.6.0-alpha.37 <=9.7.0)

parse-server NPM version =9.6.0-alpha.37, =4.0.0, =4.0.11 Source cves: CVE-2026-34784 Source advisory: SNYK:JS-PARSESERVER-15864525...

CVE-2026-34784

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFindParse.File trigger and its validators on storage adapters that support streaming e.g. the...