CVE-2026-39859 LiquidJS has a renderFile() / parseFile() bypass configured root and allow arbitrary file read

LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, liquidjs 10.25.0 documents root as constraining filenames passed to renderFile and parseFile, but top-level file loads do not enforce that boundary. A Liquid instance configured with an empty...

CVE-2026-39859

LiquidJS (liquidjs) has a path traversal vulnerability in renderFile()/parseFile() where top-level file loads do not enforce the configured root boundary, allowing access to arbitrary local files when root is empty. Affected versions are before 10.25.3; the issue is fixed in 10.25.3 (per NVD/Red ...

GHSA-V273-448J-V4QJ LiquidJS: `renderFile()` / `parseFile()` bypass configured `root` and allow arbitrary file read

liquidjs 10.25.0 documents root as constraining filenames passed to renderFile and parseFile, but top-level file loads do not enforce that boundary. The published npm package [email protected] on Linux 6.17.0 with Node v22.22.1. A Liquid instance configured with an empty temporary directory as roo...

BIT-PARSE-2026-35200 Parse Server has a file upload Content-Type override via extension mismatch

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.73 and 9.7.1, a file can be uploaded with a filename extension that passes the file extension allowlist e.g., .txt but with a Content-Type header that differs from the extension...

Security Bulletin: DevOps Test Performance contains a vulnerability related to use of the jsdiff JavaScript library

Summary Due to use of the jsdiff JavaScript library, DevOps Test Performance and Rational Performance Tester contain a potential denial of service DoS vulnerability. Vulnerability Details CVEID:CVE-2026-24001 DESCRIPTION: jsdiff is a JavaScript text differencing implementation. Prior to versions...

net/url: Incorrect parsing of IPv6 host literals in net/url

The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...

Content-Type Override

Parse Server is vulnerable to Content-Type Override. The vulnerability is due to missing consistency validation between the file extension and the provided Content-Type header, where the Content-Type is passed unchanged to storage adapters that serve files based on this header, allowing an attack...

Hono: Non-breaking space prefix bypass in cookie name handling in getCookie()

Summary A discrepancy between browser cookie parsing and parse handling allows cookie prefix protections to be bypassed. Cookie names that are treated as distinct by the browser may be normalized to the same key by parse, allowing attacker-controlled cookies to override legitimate ones. Details...

parse-server-otp-auth-adapter (>=1.0.0 <=1.0.1), parse-server-siwe-auth-adapter (>=1.0.0 <=1.0.1) potentially affected by CVE-2026-39381 via parse-server (=7.5.4)

parse-server NPM version =7.5.4 is affected by a known vulnerability. The following packages have a transitive dependency on parse-server and may be impacted: - parse-server-otp-auth-adapter =1.0.0, =1.0.0, =1.0.1 Source cves: CVE-2026-39381 Source advisory: OSV:GHSA-G4V2-QX3Q-4P64...

Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`

Impact The GET /sessions/me endpoint returns Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session's protected fields with a single request. The equivalent GET /sessions and GET...

Insertion of Sensitive Information Into Sent Data

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the GET /sessions/me endpoint, which fails to enforce protectedFields...

EUVD-2026-19917

Parse Server's Endpoint /sessions/me bypasses Session protectedFields...

parse-server-otp-auth-adapter (>=1.0.0 <=1.0.1), parse-server-siwe-auth-adapter (>=1.0.0 <=1.0.1) potentially affected by CVE-2026-39381 via parse-server (=7.5.4)

parse-server NPM version =7.5.4 is affected by a known vulnerability. The following packages have a transitive dependency on parse-server and may be impacted: - parse-server-otp-auth-adapter =1.0.0, =1.0.0, =1.0.1 Source cves: CVE-2026-39381 Source advisory: SNYK:JS-PARSESERVER-15928862...

GHSA-G4V2-QX3Q-4P64 Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`

Impact The GET /sessions/me endpoint returns Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session's protected fields with a single request. The equivalent GET /sessions and GET...

@openinc/parse-server-opendash (>=4.0.0 <=4.0.11) potentially affected by CVE-2026-39381 via parse-server (>=9.6.0-alpha.37 <=9.7.0)

parse-server NPM version =9.6.0-alpha.37, =4.0.0, =4.0.11 Source cves: CVE-2026-39381 Source advisory: SNYK:JS-PARSESERVER-15928862...

@openinc/parse-server-opendash (>=4.0.0 <=4.0.11) potentially affected by CVE-2026-39381 via parse-server (>=9.6.0-alpha.37 <=9.7.0)

parse-server NPM version =9.6.0-alpha.37, =4.0.0, =4.0.11 Source cves: CVE-2026-39381 Source advisory: OSV:GHSA-G4V2-QX3Q-4P64...

GHSA-4GX2-PC4F-WQ37 FastFeedParser has an infinite redirect loop DoS via meta-refresh chain

Summary When parse fetches a URL that returns an HTML page containing a tag, it recursively calls itself with the redirect URL — with no depth limit, no visited-URL deduplication, and no redirect count cap. An attacker-controlled server that returns an infinite chain of HTML meta-refresh response...

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +27 more potentially affected by CVE-2026-39321 via parse-server (>=2.0.8 <=7.5.4)

parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2026-39321 Source advisory: OSV:GHSA-MMPQ-5HCV-HF2V...

@openinc/parse-server-opendash (>=4.0.0 <=4.0.11) potentially affected by CVE-2026-39321 via parse-server (>=9.6.0-alpha.37 <=9.7.0)

parse-server NPM version =9.6.0-alpha.37, =4.0.0, =4.0.11 Source cves: CVE-2026-39321 Source advisory: OSV:GHSA-MMPQ-5HCV-HF2V...

@openinc/parse-server-opendash (>=4.0.0 <=4.0.11) potentially affected by CVE-2026-39321 via parse-server (>=9.6.0-alpha.37 <=9.7.0)

parse-server NPM version =9.6.0-alpha.37, =4.0.0, =4.0.11 Source cves: CVE-2026-39321 Source advisory: SNYK:JS-PARSESERVER-15928859...