CVE-2026-30848 Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0-alpha.8, the PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured...

CVE-2026-30848 Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0-alpha.8, the PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured...

CVE-2026-30848 Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0-alpha.8, the PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured...

CVE-2026-30863

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.10 and 9.5.0-alpha.11, the Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter's audience configuration...

CVE-2026-30863 Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.10 and 9.5.0-alpha.11, the Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter's audience configuration...

CVE-2026-30863 Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.10 and 9.5.0-alpha.11, the Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter's audience configuration...

CVE-2026-30863

CVE-2026-30863 affects Parse Server through its Google, Apple, and Facebook authentication adapters. If the adapter’s audience option (clientId for Google/Apple, appIds for Facebook) is not configured, the JWT verification process does not validate the audience claim, enabling an attacker to pres...

CVE-2026-30863 Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.10 and 9.5.0-alpha.11, the Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter's audience configuration...

PT-2026-23872

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.8 Parse Server versions prior to 9.5.0-alpha.8 Description Parse Server, an open source backend deployable on Node.js infrastructures, contains a path traversal flaw in the PagesRouter static file serving...

Parse Server 安全漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that supports Node.js. There were security vulnerabilities in versions of Parse Server from 9.3.1-alpha.3 to 9.5.0-alpha.10. These vulnerabilities stemmed from a bypass of interception...

Parse Server 安全漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. There were security vulnerabilities in versions of Parse Server prior to 8.6.9 and 9.5.0-alpha.9. These vulnerabilities stemmed from a flaw in the file metadata...

PT-2026-23874

Name of the Vulnerable Software and Affected Versions Parse Server versions 9.3.1-alpha.3 through 9.5.0-alpha.10 Description Parse Server, an open source backend deployable on Node.js infrastructures, contains an issue where disabling graphQLPublicIntrospection does not fully prevent...

Parse Server 路径遍历漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that supports Node.js. Versions of Parse Server prior to 8.6.8 and 9.5.0-alpha.8 contained a path traversal vulnerability. This vulnerability stems from path traversal attacks, which...

PT-2026-23873

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.9 Parse Server versions prior to 9.5.0-alpha.9 Description Parse Server, an open source backend deployable on Node.js infrastructures, has an issue where the file metadata endpoint does not enforce beforeFind...

PT-2026-23857

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.10 Parse Server versions prior to 9.5.0-alpha.11 Description Parse Server is an open source backend deployable on Node.js infrastructures. The Google, Apple, and Facebook authentication adapters utilize JWT...

Parse Server 授权问题漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that supports Node.js. There were authorization-related vulnerabilities in versions of Parse Server prior to 8.6.10 and 9.5.0-alpha.11. These vulnerabilities stemmed from the...

SUSE SLES16 Security Update : go1.24-openssl (SUSE-SU-2026:20629-1)

The remote SUSE Linux SLES16 / SLESSAP16 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:20629-1 advisory. - Update to version 1.24.13 jscSLE-18320 - CVE-2025-58189: crypto/tls: ALPN negotiation error contains attacker controlled...

Header Injection

Overview Affected versions of this package are vulnerable to Header Injection in the parseCaddyfile function. An attacker can inject arbitrary values into trusted identity headers by supplying crafted HTTP headers when authenticated with a valid token, leading to unauthorized privilege escalation...

Header Injection

Overview Affected versions of this package are vulnerable to Header Injection in the parseCaddyfile function. An attacker can inject arbitrary values into trusted identity headers by supplying crafted HTTP headers when authenticated with a valid token, leading to unauthorized privilege escalation...

Information Exposure

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Information Exposure in the query execution layer. An attacker can obtain internal database error details, including error...