1568 matches found
CVE-2026-33042
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.29 and 8.6.49, a user can sign up without providing credentials by sending an empty authData object, bypassing the username and password requirement. This allows the creati...
CVE-2026-33163
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.35 and 8.6.50, when a Parse.Cloud.afterLiveQueryEvent trigger is registered for a class, the LiveQuery server leaks protected fields and authData to all subscribers of that...
CVE-2026-32742
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.17 and 8.6.42, an authenticated user can overwrite server-generated session fields sessionToken, expiresAt, createdWith when creating a session object via POST...
CVE-2026-32944
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.21 and 8.6.45, an unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nested query condition operators. This terminates the...
CVE-2026-32770
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.19 and 8.6.43, a remote attacker can crash the Parse Server by subscribing to a LiveQuery with an invalid regular expression pattern. The server process terminates when the...
CVE-2026-32943
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.28 and 8.6.48, the password reset mechanism does not enforce single-use guarantees for reset tokens. When a user requests a password reset, the generated token can be...
CVE-2026-32886
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.24 and 8.6.47, remote clients can crash the Parse Server process by calling a cloud function endpoint with a crafted function name that traverses the JavaScript prototype...
CVE-2026-32878
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.20 and 8.6.44, an attacker can bypass the default request keyword denylist protection and the class-level permission for adding fields by sending a crafted request that...
CVE-2026-32728
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.15 and 8.6.41, an attacker who is allowed to upload files can bypass the file extension filter by appending a MIME parameter e.g. ;charset=utf-8 to the Content-Type header...
CVE-2026-33163
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.35 and 8.6.50, when a Parse.Cloud.afterLiveQueryEvent trigger is registered for a class, the LiveQuery server leaks protected fields and authData to all subscribers of that...
CVE-2026-33163 Parse Server leaks protected fields via LiveQuery afterEvent trigger
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.35 and 8.6.50, when a Parse.Cloud.afterLiveQueryEvent trigger is registered for a class, the LiveQuery server leaks protected fields and authData to all subscribers of that...
CVE-2026-33163 Parse Server leaks protected fields via LiveQuery afterEvent trigger
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.35 and 8.6.50, when a Parse.Cloud.afterLiveQueryEvent trigger is registered for a class, the LiveQuery server leaks protected fields and authData to all subscribers of that...
CVE-2026-33163
Summary: CVE-2026-33163 affects Parse Server’s LiveQuery afterEvent trigger. Before versions 9.6.0-alpha.35 and 8.6.50, when a class has a Parse.Cloud.afterLiveQueryEvent trigger, the LiveQuery event payload could leak protected fields and authData to subscribers of that class. The leak stems fro...
CVE-2026-33163 Parse Server leaks protected fields via LiveQuery afterEvent trigger
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.35 and 8.6.50, when a Parse.Cloud.afterLiveQueryEvent trigger is registered for a class, the LiveQuery server leaks protected fields and authData to all subscribers of that...
CVE-2026-33042
Parse Server (Node.js) is affected prior to versions 9.6.0-alpha.29 and 8.6.49 where a signup can be performed without credentials by submitting an empty authData object, bypassing the username/password requirement. The root cause is that empty or non-actionable authData is treated as present for...
CVE-2026-33042 Parse Server affected by empty authData bypassing credential requirement on signup
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.29 and 8.6.49, a user can sign up without providing credentials by sending an empty authData object, bypassing the username and password requirement. This allows the creati...
CVE-2026-33042 Parse Server affected by empty authData bypassing credential requirement on signup
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.29 and 8.6.49, a user can sign up without providing credentials by sending an empty authData object, bypassing the username and password requirement. This allows the creati...
CVE-2026-33042
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.29 and 8.6.49, a user can sign up without providing credentials by sending an empty authData object, bypassing the username and password requirement. This allows the creati...
CVE-2026-33042 Parse Server affected by empty authData bypassing credential requirement on signup
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.29 and 8.6.49, a user can sign up without providing credentials by sending an empty authData object, bypassing the username and password requirement. This allows the creati...
CVE-2026-32944
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.21 and 8.6.45, an unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nested query condition operators. This terminates the...