1566 matches found
CVE-2026-39381
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any...
CVE-2026-39321
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.6 and 8.6.74, he login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the...
CVE-2026-39321 Parse Server has a login timing side-channel reveals user existence
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.6 and 8.6.74, he login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the...
CVE-2026-39321
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.6 and 8.6.74, he login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the...
CVE-2026-39321 Parse Server has a login timing side-channel reveals user existence
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.6 and 8.6.74, he login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the...
CVE-2026-39321
Parse Server is vulnerable prior to versions 9.8.0-alpha.6 and 8.6.74 due to a timing discrepancy in the login endpoint. An unauthenticated attacker can enumerate valid usernames because responses differ: if the user is not found, the server responds immediately; if the user exists but the passwo...
Parse Server 安全漏洞
Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. There were security vulnerabilities in versions of Parse Server prior to 9.8.0-alpha.6 and 8.6.74. These vulnerabilities stemmed from differences in login endpoint...
PT-2026-31008
Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 9.8.0-alpha.7 and prior to 8.6.75 Description Parse Server, an open-source backend deployable on Node.js infrastructures, is affected by an issue where the GET /sessions/me API endpoint improperly returns protect...
Parse Server 安全漏洞
Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that supports Node.js. There were security vulnerabilities in versions of Parse Server prior to 9.8.0-alpha.7 and 8.6.75. These vulnerabilities stemmed from the GET /sessions/me endpoi...
PT-2026-30950
Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 9.8.0-alpha.6 and prior to 8.6.74 Description The timing difference in the response time of the login endpoint allows an unauthenticated attacker to enumerate valid usernames. When a user is not found, the server...
CVE-2026-35200
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.73 and 9.7.1-alpha.4, a file can be uploaded with a filename extension that passes the file extension allowlist e.g., .txt but with a Content-Type header that differs from the...
CVE-2026-35200
The CVE entry CVE-2026-35200 corresponds to a vulnerability in Parse Server where an uploaded file can pair a mismatched Content-Type header with a filename extension that passes the allowlist. The issue arises because the Content-Type is accepted by the storage adapter and served as provided, le...
CVE-2026-35200 Parse Server has a file upload Content-Type override via extension mismatch
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.73 and 9.7.1-alpha.4, a file can be uploaded with a filename extension that passes the file extension allowlist e.g., .txt but with a Content-Type header that differs from the...
CVE-2026-35200 Parse Server has a file upload Content-Type override via extension mismatch
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.73 and 9.7.1-alpha.4, a file can be uploaded with a filename extension that passes the file extension allowlist e.g., .txt but with a Content-Type header that differs from the...
BIT-PARSE-2026-34784 Parse Server: Streaming file download bypasses afterFind file trigger authorization
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1, file downloads via HTTP Range requests bypass the afterFindParse.File trigger and its validators on storage adapters that support streaming e.g. the default...
BIT-PARSE-2026-34595 Parse Server: LiveQuery protected-field guard bypass via array-like logical operator value
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.70 and 9.7.0, an authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery subscriptions. By sending a...
BIT-PARSE-2026-34574 Parse Server: Session field immutability bypass via falsy-value guard
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.69 and 9.7.0, an authenticated user can bypass the immutability guard on session fields expiresAt, createdWith by sending a null value in a PUT request to the session upda...
BIT-PARSE-2026-34573 Parse Server: GraphQL complexity validator exponential fragment traversal DoS
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads. A singl...
BIT-PARSE-2026-34532 Parse Server: Cloud function validator bypass via prototype chain traversal
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.67 and 9.7.0, an attacker can bypass Cloud Function validator access controls by appending "prototype.constructor" to the function name in the URL. When a Cloud Function...
BIT-PARSE-2026-34373 Parse Server: GraphQL API endpoint ignores CORS origin restriction
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0, the GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This bypasses orig...