Lucene search
K

4 matches found

OSV
OSV
added 2026/06/16 12:40 p.m.5 views

BIT-PARSE-2026-53726 Parse Server: Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.80 and 9.9.1, a relation query using the $relatedTo operator could read the membership of a Relation field even when that field was hidden from the requesting client by...

6.9CVSS5.4AI score0.00276EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/06/12 6:37 p.m.9 views

CVE-2026-53726 Parse Server: Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.80 and 9.9.1-alpha.6, a relation query using the $relatedTo operator could read the membership of a Relation field even when that field was hidden from the requesting clie...

6.9CVSS5.4AI score0.00276EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/12 6:37 p.m.27 views

CVE-2026-53726 Parse Server: Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.80 and 9.9.1-alpha.6, a relation query using the $relatedTo operator could read the membership of a Relation field even when that field was hidden from the requesting clie...

6.9CVSS0.00276EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.18 views

PT-2026-48962

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.80 Parse Server versions prior to 9.9.1-alpha.6 Description A relation query using the $relatedTo operator allows an unauthenticated client to read the membership of a Relation field. This occurs even if the...

6.9CVSS5.2AI score0.00276EPSS
Exploits0References7
Rows per page
Query Builder