Incorrect Authorization

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Incorrect Authorization in LiveQuery. An attacker can gain unauthorized access to sensitive data by subscribing to real-time...

EUVD-2026-10865

Parse Server has a bypass of class-level permissions in LiveQuery...

EUVD-2026-10864

Parse Server has a bypass of class-level permissions in LiveQuery...

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +27 more potentially affected by CVE-2026-30947 via parse-server (>=2.0.8 <=7.5.4)

parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2026-30947 Source advisory: OSV:GHSA-7CH5-98Q2-7289...

GHSA-7CH5-98Q2-7289 Parse Server has a bypass of class-level permissions in LiveQuery

Impact Class-level permissions CLP are not enforced for LiveQuery subscriptions. An unauthenticated or unauthorized client can subscribe to any LiveQuery-enabled class and receive real-time events for all objects, regardless of CLP restrictions. All Parse Server deployments that use LiveQuery wit...

EUVD-2026-10863

Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API...

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +27 more potentially affected by CVE-2026-30946 via parse-server (>=2.0.8 <=7.5.4)

parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2026-30946 Source advisory: OSV:GHSA-CMJ3-WX7H-FFVG...

Allocation of Resources Without Limits or Throttling

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through unbounded query complexity in the REST and GraphQL APIs. An...

EUVD-2026-10862

Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API...

GHSA-CMJ3-WX7H-FFVG Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API

Impact An unauthenticated attacker can exhaust Parse Server resources CPU, memory, database connections through crafted queries that exploit the lack of complexity limits in the REST and GraphQL APIs. All Parse Server deployments using the REST or GraphQL API are affected. Patches The vulnerabili...

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +27 more potentially affected by CVE-2026-30941 via parse-server (>=2.0.8 <=7.5.4)

parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2026-30941 Source advisory: OSV:GHSA-VGJH-HMWF-C588...

Improper Neutralization of Special Elements in Data Query Logic

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Data Query Logic via the token field in the password reset and email...

EUVD-2026-10551

Parse Server has a NoSQL injection via token type in password reset and email verification endpoints...

EUVD-2026-10552

Parse Server has a NoSQL injection via token type in password reset and email verification endpoints...

GHSA-VGJH-HMWF-C588 Parse Server has a NoSQL injection via token type in password reset and email verification endpoints

Impact A NoSQL injection vulnerability allows an unauthenticated attacker to inject MongoDB query operators via the token field in the password reset and email verification resend endpoints. The token value is passed to database queries without type validation and can be used to extract password...

Parse Server has a NoSQL injection via token type in password reset and email verification endpoints

Impact A NoSQL injection vulnerability allows an unauthenticated attacker to inject MongoDB query operators via the token field in the password reset and email verification resend endpoints. The token value is passed to database queries without type validation and can be used to extract password...

Parse Server 信息泄露漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. Versions of Parse Server prior to 9.6.0-alpha.9 and 8.6.35 contained a vulnerability related to information leakage. This vulnerability stemmed from the ability of...

PT-2026-24689

Impact The protectedFields class-level permission CLP can be bypassed using dot-notation in query WHERE clauses and sort parameters. An attacker can use dot-notation to query or sort by sub-fields of a protected field, enabling a binary oracle attack to enumerate protected field values. This...

Parse Server SQL注入漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that supports Node.js. Versions of Parse Server prior to 9.6.0-alpha.3 and 8.6.29 have a SQL injection vulnerability. This vulnerability stems from the improper handling of the Increme...

Parse Server SQL注入漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that supports Node.js. Versions of Parse Server prior to 9.6.0-alpha.5 and 8.6.31 have a SQL injection vulnerability. This vulnerability stems from the improper handling of subkey name...