1576 matches found

RedhatCVE
added 2026/02/27 4:13 a.m., 5 views

CVE-2026-27804

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.3 and 9.1.1-alpha.4, an unauthenticated attacker can forge a Google authentication token with alg: "none" to log in as any user linked to a Google account, without knowing...

CVSS 9.3 | AI score 5.5 | EPSS 0.00039
Exploits: 0 | References: 1
Snyk
added 2026/02/26 3:14 a.m., 3 views

Use of a Broken or Risky Cryptographic Algorithm

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm via the Google authentication. An attacker can gain unauthorized access to...

CVSS 9.3 | AI score 6 | EPSS 0.00039
Exploits: 0 | References: 2
NVD
added 2026/02/26 12:16 a.m., 2 views

CVE-2026-27804

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.3 and 9.1.1-alpha.4, an unauthenticated attacker can forge a Google authentication token with alg: "none" to log in as any user linked to a Google account, without knowing...

CVSS 9.3 | EPSS 0.00039
Exploits: 0 | References: 5
CNNVD
added 2026/02/26 12:00 a.m., 3 views

Parse Server data forgery vulnerability

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. Versions of Parse Server prior to 8.6.3 and 9.1.1-alpha.4 contained a data manipulation vulnerability. This vulnerability stemmed from an unverified attacker being...

CVSS 9.3 | AI score 5.7 | EPSS 0.00039
Exploits: 0 | References: 5
CVE
added 2026/02/25 11:48 p.m., 7 views

CVE-2026-27804

Parse Server versions prior to 8.6.3 and 9.1.1-alpha.4 are vulnerable to unauthenticated login via forged Google tokens (alg: none). The root cause is trusting the JWT header for algorithm selection; the fix hardcodes RS256 and shifts key validation to jwks-rsa, rejecting unknown key IDs. Affecte...

CVSS 9.3 | AI score 5.5 | EPSS 0.00039
Exploits: 0 | References: 5 | Affected software: 1
OSV
added 2026/02/25 11:48 p.m., 3 views

CVE-2026-27804 Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.3 and 9.1.1-alpha.4, an unauthenticated attacker can forge a Google authentication token with alg: "none" to log in as any user linked to a Google account, without knowing...

CVSS 9.3 | AI score 5.6 | EPSS 0.00039
Exploits: 0 | References: 7
ATTACKERKB
added 2026/02/25 11:48 p.m., 2 views

CVE-2026-27804

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.3 and 9.1.1-alpha.4, an unauthenticated attacker can forge a Google authentication token with alg: "none" to log in as any user linked to a Google account, without knowing...

CVSS 9.3 | AI score 5.8 | EPSS 0.00039
Exploits: 0 | References: 6 | Affected software: 1
Cvelist
added 2026/02/25 11:48 p.m., 20 views

CVE-2026-27804 Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.3 and 9.1.1-alpha.4, an unauthenticated attacker can forge a Google authentication token with alg: "none" to log in as any user linked to a Google account, without knowing...

CVSS 9.3 | EPSS 0.00039
Exploits: 0 | References: 5
OSV
added 2026/02/25 11:00 p.m., 2 views

GHSA-4Q3H-VP4R-PRV2 Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter

Impact An unauthenticated attacker can forge a Google authentication token with alg: "none" to log in as any user linked to a Google account, without knowing their credentials. All deployments with Google authentication enabled are affected. Patches The fix hardcodes the expected RS256 algorithm...

CVSS 9.3 | AI score 5.6 | EPSS 0.00039
Exploits: 0 | References: 7
EUVD
added 2026/02/25 11:00 p.m., 3 views

EUVD-2026-8774

Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter...

CVSS 9.3 | AI score 5.3 | EPSS 0.00039
Exploits: 0 | References: 5
Github Security Blog
added 2026/02/25 11:00 p.m., 9 views

Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter

Impact An unauthenticated attacker can forge a Google authentication token with alg: "none" to log in as any user linked to a Google account, without knowing their credentials. All deployments with Google authentication enabled are affected. Patches The fix hardcodes the expected RS256 algorithm...

CVSS 9.3 | AI score 5.5 | EPSS 0.00039
Exploits: 0 | References: 7 | Affected software: 1
EUVD
added 2026/02/25 7:00 p.m., 3 views

EUVD-2026-8593

Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions...

CVSS 7 | AI score 5.3 | EPSS 0.00024
Exploits: 0 | References: 4
Positive Technologies
added 2026/02/25 12:00 a.m., 4 views

PT-2026-22056

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.3 Parse Server versions prior to 9.1.1-alpha.4 Description Parse Server is susceptible to a security issue where an unauthenticated attacker can create a forged Google authentication token using alg: "none" t...

CVSS 9.3 | AI score 5.4 | EPSS 0.00039
Exploits: 0 | References: 16
Veracode
added 2026/02/23 7:48 p.m., 6 views

Server-Side Request Forgery (SSRF)

Parse Server is vulnerable to Server-Side Request Forgery (SSRF). The vulnerability is due to allowing clients to supply a custom apiURL parameter in the Instagram authentication adapter, which allows an attacker to redirect authentication requests to malicious endpoints and potentially bypass...

CVSS 8.3 | AI score 5.5 | EPSS 0.00085
Exploits: 0 | References: 5 | Affected software: 1
Nuclei
added 2026/02/04 7:00 a.m., 6 views

Parse Server - GraphQL Schema Information Disclosure

The Parse Server GraphQL API previously allowed public access to the GraphQL schema without requiring a session token or the master key. While schema introspection reveals only metadata and not actual data, this metadata can still expand the potential attack surface.
Template: id: CVE-2025-53364 info: name...

CVSS 5.3 | AI score 6.5 | EPSS 0.01039
Exploits: 0 | References: 3
Veracode
added 2026/01/14 8:47 a.m., 4 views

Reflected Cross-Site Scripting (XSS)

Parse Server is vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability is due to improper escaping of user-controlled values in password reset and email verification HTML pages, which allows an attacker to inject and execute malicious scripts in a victim's browser...

CVSS 6.1 | AI score 6 | EPSS 0.00025
Exploits: 0 | References: 4 | Affected software: 1
RedhatCVE
added 2026/01/09 8:42 a.m., 6 views

CVE-2022-31089

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions, certain types of invalid file requests are not handled properly and can crash the server. If you are running multiple Parse Server instances in a cluster, the availability...

CVSS 7.5 | AI score 6.6 | EPSS 0.00334
Exploits: 0 | References: 1
RedhatCVE
added 2026/01/09 8:42 a.m., 9 views

CVE-2022-31083

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 4.10.11 and 5.2.2, the certificate in the Parse Server Apple Game Center auth adapter is not validated. As a result, authentication could potentially be bypassed by making a fake...

CVSS 8.6 | AI score 6.6 | EPSS 0.00175
Exploits: 0 | References: 1
RedhatCVE
added 2026/01/09 8:42 a.m., 8 views

CVE-2022-31112

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions, Parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from the client respons...

CVSS 8.2 | AI score 6.5 | EPSS 0.00595
Exploits: 0 | References: 1
OSV
added 2025/12/18 11:46 a.m., 6 views

BIT-PARSE-2025-68150 Parse Server has Server-Side Request Forgery (SSRF) in Instagram OAuth Adapter

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.2 and 9.1.1, the Instagram authentication adapter allows clients to specify a custom API URL via the apiURL parameter in authData. This enables SSRF attacks and possibly...

CVSS 8.3 | AI score 6.6 | EPSS 0.00085
Exploits: 0 | References: 4