@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +27 more potentially affected by CVE-2026-33429 via parse-server (>=2.0.8 <=7.5.4)

parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2026-33429 Source advisory: OSV:GHSA-QPC3-FG4J-8HGM...

Incorrect Authorization

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Incorrect Authorization in the LiveQuery WebSocket interface due to improper enforcement of pointer permissions. An attacker...

@openinc/parse-server-opendash (>=4.0.0 <=4.0.3) potentially affected by CVE-2026-33421 via parse-server (=9.6.0-alpha.37)

parse-server NPM version =9.6.0-alpha.37 is affected by a known vulnerability. The following packages have a transitive dependency on parse-server and may be impacted: - @openinc/parse-server-opendash =4.0.0, =4.0.3 Source cves: CVE-2026-33421 Source advisory: SNYK:JS-PARSESERVER-15757705...

@openinc/parse-server-opendash (>=4.0.0 <=4.0.3) potentially affected by CVE-2026-33421 via parse-server (=9.6.0-alpha.37)

parse-server NPM version =9.6.0-alpha.37 is affected by a known vulnerability. The following packages have a transitive dependency on parse-server and may be impacted: - @openinc/parse-server-opendash =4.0.0, =4.0.3 Source cves: CVE-2026-33421 Source advisory: OSV:GHSA-FPH2-R4QG-9576...

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +27 more potentially affected by CVE-2026-33421 via parse-server (>=2.0.8 <=7.5.4)

parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2026-33421 Source advisory: OSV:GHSA-FPH2-R4QG-9576...

BIT-PARSE-2026-33163 Parse Server leaks protected fields via LiveQuery afterEvent trigger

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0 and 8.6.50, when a Parse.Cloud.afterLiveQueryEvent trigger is registered for a class, the LiveQuery server leaks protected fields and authData to all subscribers of that class...

BIT-PARSE-2026-33042 Parse Server affected by empty authData bypassing credential requirement on signup

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0 and 8.6.49, a user can sign up without providing credentials by sending an empty authData object, bypassing the username and password requirement. This allows the creation of...

BIT-PARSE-2026-32944 Parse Server crash via deeply nested query condition operators

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0 and 8.6.45, an unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nested query condition operators. This terminates the server an...

BIT-PARSE-2026-32886 Parse Server's Cloud function dispatch crashes server via prototype chain traversal

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0 and 8.6.47, remote clients can crash the Parse Server process by calling a cloud function endpoint with a crafted function name that traverses the JavaScript prototype chain of a...

BIT-PARSE-2026-32878 Parse Server vulnerable to schema poisoning via prototype pollution in deep copy

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0 and 8.6.44, an attacker can bypass the default request keyword denylist protection and the class-level permission for adding fields by sending a crafted request that exploits...

BIT-PARSE-2026-32770 Parse Server: LiveQuery subscription with invalid regular expression crashes server

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0 and 8.6.43, a remote attacker can crash the Parse Server by subscribing to a LiveQuery with an invalid regular expression pattern. The server process terminates when the invalid...

BIT-PARSE-2026-32742 Parse Server session creation endpoint allows overwriting server-generated session fields

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0 and 8.6.42, an authenticated user can overwrite server-generated session fields sessionToken, expiresAt, createdWith when creating a session object via POST /classes/Session. Thi...

BIT-PARSE-2026-32728 Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0 and 8.6.41, an attacker who is allowed to upload files can bypass the file extension filter by appending a MIME parameter e.g. ;charset=utf-8 to the Content-Type header. This...

BIT-PARSE-2026-32594 Parse Server GraphQL WebSocket endpoint bypasses security middleware

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.40 and 9.6.0, the GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection control, and...

MAL-2026-1952 Malicious code in json-parse-genie (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 57744a9f0e3acf081bd2a75ca3684d01e3907f1eab7636e0873ed0ef1bf509ee The package json-parse-genie was found to contain malicious code. Source: ghsa-malware b2293df6ecd418ffd21c1112affa6571afe9a78ff596ce2dd1fac64a470c98...

Malicious Package

Overview json-parse-genie is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Malicious code in json-parse-genie (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 57744a9f0e3acf081bd2a75ca3684d01e3907f1eab7636e0873ed0ef1bf509ee The package json-parse-genie was found to contain malicious code. Source: ghsa-malware b2293df6ecd418ffd21c1112affa6571afe9a78ff596ce2dd1fac64a470c98...

PJSIP 缓冲区错误漏洞

PJSIP is an open-source, free and open-source multimedia communication library developed in C language. It implements standards-based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. Versions of PJSIP 2.16 and earlier had a buffer error vulnerability. This vulnerability stemmed from an...

PT-2026-26782

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.55 Parse Server versions prior to 9.6.0-alpha.44 Description An unauthenticated attacker can send a crafted HTTP request with a deeply nested query containing logical operators, causing the Parse Server proce...

GPAC MP4Box 安全漏洞

GPAC MP4Box is a multimedia packager. It is primarily used for processing ISOBMF files such as MP4 and 3GP, but it can also be used for importing/exporting media from container files like AVI, MPG, MKV, and MPEG-2 TS. Previous versions of GPAC MP4Box, including version 86b0e36, had a security...