CVE-2026-42223

Nginx UI (nginx-ui) before version 2.3.8 exposes sensitive settings through the GetSettings API. The handler serializes all settings structs to JSON and returns them to authenticated users, while the protected:"true" tag is only enforced on writes, not reads. This leaks 40+ protected fields, incl...

Nginx UI 信息泄露漏洞

Nginx UI is a web interface for Nginx developed by Jacky. Versions of Nginx UI prior to 2.3.8 had a vulnerability related to information leakage. This vulnerability stemmed from the GetSettings API’s serialization mechanism, which serialized all settings and returned them to authenticated users...

PT-2026-36923

Name of the Vulnerable Software and Affected Versions Nginx UI versions prior to 2.3.8 Description The GetSettings API handler in the api/settings/settings.go file serializes all settings structs to JSON and returns them to authenticated users. While many sensitive fields are marked as protected,...

Authorization Bypass Through User-Controlled Key

Overview apostrophe is a content management system CMS for Node.js. It supports in-context editing, schema-driven content types, flexible widgets and a great deal more. This module contains everything necessary to build a website with ApostropheCMS. Affected versions of this package are vulnerabl...

BIT-PARSE-2026-39381 Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0 and 8.6.75, the GET /sessions/me endpoint returns Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any...

EUVD-2026-19917

Parse Server's Endpoint /sessions/me bypasses Session protectedFields...

Insertion of Sensitive Information Into Sent Data

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the GET /sessions/me endpoint, which fails to enforce protectedFields...

GHSA-G4V2-QX3Q-4P64 Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`

Impact The GET /sessions/me endpoint returns Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session's protected fields with a single request. The equivalent GET /sessions and GET...

Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`

Impact The GET /sessions/me endpoint returns Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session's protected fields with a single request. The equivalent GET /sessions and GET...

CVE-2026-39381

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any...

CVE-2026-39381 Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any...

CVE-2026-39381 Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any...

CVE-2026-39381

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any...

CVE-2026-39381

Parse Server (open-source Node.js backend) has a vulnerability in the GET /sessions/me endpoint where protected _Session fields configured via protectedFields are exposed to any authenticated user. The issue occurs prior to versions 9.8.0-alpha.7 and 8.6.75; the equivalent GET /sessions and GET /...

PT-2026-31008

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 9.8.0-alpha.7 and prior to 8.6.75 Description Parse Server, an open-source backend deployable on Node.js infrastructures, is affected by an issue where the GET /sessions/me API endpoint improperly returns protect...

Parse Server 安全漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that supports Node.js. There were security vulnerabilities in versions of Parse Server prior to 9.8.0-alpha.7 and 8.6.75. These vulnerabilities stemmed from the GET /sessions/me endpoi...

BIT-PARSE-2026-34595 Parse Server: LiveQuery protected-field guard bypass via array-like logical operator value

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.70 and 9.7.0, an authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery subscriptions. By sending a...

BIT-PARSE-2026-34363 Parse Server: LiveQuery protected field leak via shared mutable state across concurrent subscribers

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.65 and 9.7.0, when multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects. The...

EUVD-2026-17504

Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value...

GHSA-MMG8-87C5-JRC2 Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value

Impact An authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery subscriptions. By sending a subscription with a $or, $and, or $nor operator value as a plain object with numeric keys and a length property an "array-like" obje...