GHSA-WP76-GG32-8258 Parse Server exposes auth data via verify password endpoint

Impact The verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacker who knows a user's password can extract the MFA secret to generate valid MFA codes, defeating multi-factor authentication protection. Patch...

@openinc/parse-server-opendash (>=4.0.0 <=4.0.10) potentially affected by CVE-2026-34215 via parse-server (>=9.6.0-alpha.37 <=9.6.1)

parse-server NPM version =9.6.0-alpha.37, =4.0.0, =4.0.10 Source cves: CVE-2026-34215 Source advisory: OSV:GHSA-WP76-GG32-8258...

@openinc/parse-server-opendash (>=4.0.0 <=4.0.10) potentially affected by CVE-2026-34215 via parse-server (>=9.6.0-alpha.37 <=9.6.1)

parse-server NPM version =9.6.0-alpha.37, =4.0.0, =4.0.10 Source cves: CVE-2026-34215 Source advisory: SNYK:JS-PARSESERVER-15812212...

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +27 more potentially affected by CVE-2026-34215 via parse-server (>=2.0.8 <=7.5.4)

parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2026-34215 Source advisory: OSV:GHSA-WP76-GG32-8258...

Information Exposure

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Information Exposure via the verifyPassword endpoint. An attacker can obtain sensitive authentication data, such as MFA TOTP...

[SECURITY] Fedora 43 Update: perl-XML-Parser-2.51-1.fc43

This module provides ways to parse XML documents. It is built on top of XML::Parser::Expat, which is a lower level interface to James Clark's expat library. Each call to one of the parsing methods creates a new instance of XML::Parser::Expat which is then used to parse the document. Expat options...

[SECURITY] Fedora 44 Update: perl-XML-Parser-2.51-1.fc44

This module provides ways to parse XML documents. It is built on top of XML::Parser::Expat, which is a lower level interface to James Clark's expat library. Each call to one of the parsing methods creates a new instance of XML::Parser::Expat which is then used to parse the document. Expat options...

Linux Distros Unpatched Vulnerability : CVE-2026-23337

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In the Linux kernel, the following vulnerability has been resolved: pinctrl: pinconf-generic: Fix memory leak in pinconfgenericparsedtconfig In...

Fedora 44 : rubygem-json (2026-3a7663d43d)

The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-3a7663d43d advisory. New version 2.19.2 is released. This fixes a format string injection vulnerability in JSON.parse, which is now assigned as CVE-2026-33210 Tenable has extract...

Locutus Prototype Pollution due to incomplete fix for CVE-2026-25521

Summary A prototype pollution vulnerability exists in the parsestr function of the npm package locutus. An attacker can pollute Object.prototype by overriding RegExp.prototype.test and then passing a crafted query string to parsestr, bypassing the prototype pollution guard. This vulnerability ste...

BIT-PARSE-2026-33627 Parse Server: Auth data exposed via /users/me endpoint

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.61 and 9.6.0, an authenticated user calling GET /users/me receives unsanitized auth data, including sensitive credentials such as MFA TOTP secrets and recovery codes. The...

BIT-PARSE-2026-33624 Parse Server: MFA recovery code single-use bypass via concurrent requests

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.60 and 9.6.0, an attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending concurrent logi...

BIT-PARSE-2026-33539 Parse Server: SQL injection via aggregate and distinct field names in PostgreSQL adapter

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.59 and 9.6.0, an attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name parameters...

BIT-PARSE-2026-33538 Parse Server: Denial of service via unindexed database query for unconfigured auth providers

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.58 and 9.6.0, an unauthenticated attacker can cause denial of service by sending authentication requests with arbitrary, unconfigured provider names. The server executes a...

BIT-PARSE-2026-33527 Parse Server: Session update endpoint allows overwriting server-generated session fields

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.57 and 9.6.0, an authenticated user can overwrite server-generated session fields such as expiresAt and createdWith when updating their own session via the REST API. This...

BIT-PARSE-2026-33508 Parse Server: LiveQuery subscription query depth bypass

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.56 and 9.6.0, Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription requests. A...

BIT-PARSE-2026-33498 Parse Server: Query condition depth bypass via pre-validation transform pipeline

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.55 and 9.6.0, an attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server process. Th...

BIT-PARSE-2026-33429 Parse Server: Protected field change detection oracle via LiveQuery watch parameter

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.54 and 9.6.0, an attacker can subscribe to LiveQuery with a watch parameter targeting a protected field. Although the protected field value is properly stripped from event...

BIT-PARSE-2026-33421 Parse Server: LiveQuery bypasses CLP pointer permission enforcement

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.53 and 9.6.0, Parse Server's LiveQuery WebSocket interface does not enforce Class-Level Permission CLP pointer permissions readUserFields and pointerFields. Any...

BIT-PARSE-2026-33409 Parse Server: Auth provider validation bypass on login via partial authData

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.52 and 9.6.0, an authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowing the...