6694 matches found
parse-server has cloud function validator bypass via prototype chain traversal
Impact An attacker can bypass Cloud Function validator access controls by appending .prototype.constructor to the function name in the URL. When a Cloud Function handler is declared using the function keyword and its validator is a plain object or arrow function, the trigger store traversal...
Incorrect Authorization
Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Incorrect Authorization via the Cloud Function handler resolution process. An attacker can gain unauthorized access to...
Improper Authorization
Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Improper Authorization via the afterFind process. An attacker can gain unauthorized access to protected files by sending HTT...
@openinc/parse-server-opendash (>=4.0.0 <=4.0.11) potentially affected by CVE-2026-34784 via parse-server (>=9.6.0-alpha.37 <=9.7.0)
parse-server NPM version =9.6.0-alpha.37, =4.0.0, =4.0.11 Source cves: CVE-2026-34784 Source advisory: SNYK:JS-PARSESERVER-15864525...
CVE-2026-34784
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFindParse.File trigger and its validators on storage adapters that support streaming e.g. the...
CVE-2026-34215
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.63 and 9.7.0-alpha.7, the verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacke...
CVE-2026-34784 Parse Server: Streaming file download bypasses afterFind file trigger authorization
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFindParse.File trigger and its validators on storage adapters that support streaming e.g. the...
CVE-2026-34784
Parse Server has a vulnerability where file downloads via HTTP Range requests bypass the afterFind(Parse.File) trigger and its validators on streaming storage adapters (e.g., GridFS). This can let an attacker access files that should be protected by authorization logic. The issue is fixed in vers...
CVE-2026-34784 Parse Server: Streaming file download bypasses afterFind file trigger authorization
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFindParse.File trigger and its validators on storage adapters that support streaming e.g. the...
CVE-2026-34784
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFindParse.File trigger and its validators on storage adapters that support streaming e.g. the...
CVE-2026-34784 Parse Server: Streaming file download bypasses afterFind file trigger authorization
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFindParse.File trigger and its validators on storage adapters that support streaming e.g. the...
CVE-2026-34215 Parse Server: Auth data exposed via verify password endpoint
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.63 and 9.7.0-alpha.7, the verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacke...
CVE-2026-34215
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.63 and 9.7.0-alpha.7, the verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacke...
CVE-2026-34215
Parse Server exposes sensitive authentication data via the verifyPassword endpoint. Affected versions are before 8.6.63 and 9.7.0-alpha.7. The endpoint returns unsanitized data including MFA TOTP secrets, recovery codes, and OAuth access tokens, enabling an attacker who knows a user’s password to...
CVE-2026-34215 Parse Server: Auth data exposed via verify password endpoint
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.63 and 9.7.0-alpha.7, the verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacke...
CVE-2026-34215 Parse Server: Auth data exposed via verify password endpoint
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.63 and 9.7.0-alpha.7, the verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacke...
CVE-2026-34574
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.69 and 9.7.0-alpha.14, an authenticated user can bypass the immutability guard on session fields expiresAt, createdWith by sending a null value in a PUT request to the...
CVE-2026-34573
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads...
golang: net/url: Memory exhaustion in query parameter parsing in net/url
A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted...
CVE-2026-34532
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.67 and 9.7.0-alpha.11, an attacker can bypass Cloud Function validator access controls by appending "prototype.constructor" to the function name in the URL. When a Cloud...