CVE-2026-35200
Parse Server has a Content-Type mismatch vulnerability in file uploads: if a filename extension passes the allowlist but the Content-Type header differs (e.g., .txt with text/html), the Content-Type is forwarded to storage adapters (such as S3 or GCS) and served as-is. Affected versions are prior...
CVE-2026-43930
CVE-2026-43930 affects Parse Server. A race condition in the MFA SMS OTP login path before 8.6.76 and 9.9.0-alpha.2 can allow two concurrent /login requests carrying the same OTP to succeed, producing two valid session tokens. Impact is breaking single-use OTP; attacker must already know the vict...
CVE-2025-67727
Parse Server versions prior to 8.6.0-alpha.2 are affected by a GitHub CI workflow privilege elevation that grants the Actions workflow access to repository secrets and write permissions defined in the workflow, potentially including code from forks or lifecycle scripts. The issue is confined to t...
CVE-2026-30229
CVE-2026-30229 affects Parse Server. The readOnlyMasterKey could call POST /loginAs to obtain a valid session token, allowing impersonation of arbitrary users with full read/write access. Impact applies to any deployment using readOnlyMasterKey. The issue is resolved in Parse Server releases 8.6....
CVE-2026-30848
Parse Server’s PagesRouter is vulnerable to a path traversal issue prior to versions 8.6.8 and 9.5.0-alpha.8. The boundary check uses a string prefix comparison without enforcing a directory separator boundary, enabling unauthenticated access to files outside the configured pagesPath by traversal...
CVE-2026-30850
Parse Server contains a vulnerability where the file metadata endpoint (GET /files/:appId/metadata/:filename) bypasses beforeFind / afterFind triggers prior to versions 8.6.9 and 9.5.0-alpha.9. When these triggers act as access-control gates, the endpoint can expose file metadata without enforcin...
CVE-2026-30925
CVE-2026-30925 affects Parse Server with LiveQuery enabled. A crafted $regex subscription can cause catastrophic backtracking in JavaScript regex evaluation on the Node.js event loop, blocking the server and making the entire deployment unresponsive. This impacts all clients for affected deployme...
CVE-2026-30941
Parse Server exposes a NoSQL injection in token handling for password reset and email verification endpoints on deployments using MongoDB. Prior to versions 8.6.14 and 9.5.2-alpha.1, the token field is passed to database queries without type validation, enabling unauthenticated attackers to injec...
CVE-2026-30948
Parse Server (open-source Node.js backend) is affected prior to 9.5.2-alpha.4 and 8.6.17 by a stored XSS via SVG uploads. Authenticated users can upload an SVG file, which is served inline as Content-Type: image/svg+xml without protective headers, causing embedded scripts to execute in the Parse ...
CVE-2026-31800
Parse Server (Node.js) is vulnerable prior to 9.5.2-alpha.12 and 8.6.25, where internal classes _GraphQLConfig and _Audience can be read, modified, or deleted via the generic /classes/_GraphQLConfig and /classes/_Audience routes without master key authentication. This bypasses the master key enforceme...
CVE-2026-31901
Parse Server has a user-enumeration vulnerability via the email verification endpoint /verificationEmailRequest. Before versions 8.6.34 and 9.6.0-alpha.8, responses differ depending on whether the email belongs to an existing user, is already verified, or does not exist, allowing an attacker to d...
CVE-2026-32728
Parse Server is affected by a stored XSS bypass vulnerability where an attacker with file upload rights can bypass extension filtering by adding MIME parameters (for example, "; charset=utf-8") to the Content-Type header. This can cause the extension validation to skip blocklist checks, allowing acti...
CVE-2026-34224
CVE-2026-34224 affects Parse Server (Node.js backend). A flaw in the authData login flow lets an attacker with a valid provider token and a single MFA recovery code or SMS OTP create multiple authenticated sessions by issuing concurrent login requests, defeating the single-use MFA guarantee and p...
CVE-2026-34532
Parse Server vulnerability CVE-2026-34532: An attacker could bypass Cloud Function validator access controls by appending "prototype.constructor" to the function name in the URL. When a Cloud Function handler uses the function keyword and its validator is a plain object or arrow function, the tri...
CVE-2026-29182
CVE-2026-29182 affects Parse Server prior to 8.6.4 and 9.4.1-alpha.3, where the readOnlyMasterKey is incorrectly allowed to perform mutating operations, bypassing the documented denial of writes. An attacker who knows the readOnlyMasterKey can create, modify, or delete Cloud Hooks and start Cloud...
CVE-2026-30939
CVE-2026-30939 is a prototype chain resolution issue in Parse Server that enables a DoS. An unauthenticated attacker can crash the server by calling a Cloud Function endpoint with a prototype property name as the function name; other prototype property names by...
CVE-2026-30962
Parse Server is vulnerable prior to versions 9.5.2-alpha.6 and 8.6.19 due to a flawed protection check that only validates top-level query keys for protected fields. By wrapping a query constraint on a protected field inside a logical operator, the check is bypassed, allowing any authenticated us...
CVE-2026-31868
Parse Server has a stored XSS vulnerability (CVE-2026-31868) via file uploads of HTML-renderable types. Before versions 9.6.0-alpha.4 and 8.6.30, an attacker could upload files with extensions or content types not blocked by the default fileUpload.fileExtensions setting (e.g., .svgz, .xht, .xml, ...
CVE-2026-31872
CVE-2026-31872 affects Parse Server. Prior to 9.6.0-alpha.6 and 8.6.32, the protectedFields class-level permission (CLP) can be bypassed via dot-notation in query WHERE clauses and sort parameters, enabling an attacker to query or sort by sub-fields of a protected field on MongoDB and PostgreSQL ...
CVE-2026-32098
Parse Server exposes a vulnerability where enabling LiveQuery and protectedFields in Class-Level Permissions allows a WHERE-clause subscription (including dot-notation or $regex) to reveal protected field values. Affected: classes with both protectedFields and LiveQuery enabled, with versions pri...
CVE-2026-32242
CVE-2026-32242 affects Parse Server: the built-in OAuth2 adapter previously exported a singleton instance shared across all OAuth2 provider configurations. Under concurrent authentication requests for multiple providers configured with oauth2: true, a token validation could run against another pr...
CVE-2026-33624
CVE-2026-33624 affects Parse Server. Prior to versions 8.6.60 and 9.6.0-alpha.54, an attacker who knows a user’s password and a valid MFA recovery code can reuse that code indefinitely by sending concurrent login requests, defeating the single‑use design of recovery codes. Impacted component: MFA...
CVE-2026-39321
Parse Server is vulnerable prior to versions 9.8.0-alpha.6 and 8.6.74 due to a timing discrepancy in the login endpoint. An unauthenticated attacker can enumerate valid usernames because responses differ: if the user is not found, the server responds immediately; if the user exists but the passwo...
CVE-2026-27804
Parse Server versions prior to 8.6.3 and 9.1.1-alpha.4 are vulnerable to unauthenticated login via forged Google tokens (alg: none). The root cause is trusting the JWT header for algorithm selection; the fix hardcodes RS256 and shifts key validation to jwks-rsa, rejecting unknown key IDs. Affecte...
CVE-2026-30835
Parse Server vulnerability CVE-2026-30835 affects Parse Server before versions 8.6.7 and 9.5.0-alpha.6, where a malformed $regex query parameter can cause the database to return a structured error object unsanitized through the API response. This leaks internal database details such as error mess...
CVE-2026-30965
Parse Server is affected by a vulnerability in its query handling that allowed an attacker to exfiltrate other users’ session tokens via the redirectClassNameForKey query parameter. This could enable account takeover for both authenticated and unauthenticated attackers, depending on Class-Level P...
CVE-2026-30972
Parse Server is affected by a rate-limit bypass vulnerability where the /batch endpoint processes sub-requests internally and bypasses the Express middleware rate limiting that protects other endpoints. This allows bundling multiple requests targeting a rate-limited path into a single batch, circ...
CVE-2026-31828
CVE-2026-31828 affects Parse Server deployments using the LDAP authentication adapter with group-based access control. User input in authData.id is interpolated directly into LDAP DNs and group search filters without escaping, enabling an attacker with valid LDAP credentials to manipulate the bin...
CVE-2026-32248
Parse Server suffers an account takeover vulnerability (CVE-2026-32248) due to operator injection in the authentication data identifier. Before versions 9.6.0-alpha.12 and 8.6.38, an unauthenticated attacker can send a crafted login request that causes a pattern-matching query instead of an exact match, allowing them...
CVE-2026-32886
Parse Server (Node.js) is affected by CVE-2026-32886 through a cloud function dispatch crash caused by an attacker-controlled function name traversing the JavaScript prototype chain of a registered cloud function handler, leading to a stack overflow. The root cause is prototype chain traversal du...
CVE-2026-33421
Parse Server’s LiveQuery WebSocket interface historically did not enforce Class-Level Permission pointer permissions (readUserFields and pointerFields) prior to versions 8.6.53 and 9.6.0-alpha.42. Any authenticated user could subscribe to LiveQuery events and receive real-time updates for objects...
CVE-2026-34363
Parse Server LiveQuery vulnerability: multiple concurrent subscribers on the same class share mutable state; the in-place modification by the sensitive data filter can leak protected fields and authentication data across clients, or cause incomplete data to be seen. Affected versions before 8.6...
CVE-2026-34595
CVE-2026-34595 affects Parse Server LiveQuery: an authenticated user with find class-level permission can bypass the protectedFields guard by submitting a subscription using an array-like object for $or/$and/$nor instead of a real array. This bypass allows the subscription firing to act as a bina...
CVE-2026-34784
Parse Server has a vulnerability where file downloads via HTTP Range requests bypass the afterFind(Parse.File) trigger and its validators on streaming storage adapters (e.g., GridFS). This can let an attacker access files that should be protected by authorization logic. The issue is fixed in vers...
CVE-2025-68115
Parse Server is affected by a Cross-Site Scripting (XSS) vulnerability in its password reset and email verification HTML pages due to unescaped Mustache template variables. Affected versions are prior to 8.6.1 and 9.1.0-alpha.3; the patch escapes user-controlled values in those pages and is avail...
CVE-2026-30967
Parse Server is affected when using the generic OAuth2 authentication adapter (oauth2: true) without setting useridField. Prior to 9.5.2-alpha.9 and 8.6.22, the adapter only verified token activity via the provider’s introspection endpoint and did not confirm that the token belongs to the user id...
CVE-2026-33042
Parse Server (Node.js) is affected prior to versions 9.6.0-alpha.29 and 8.6.49 where a signup can be performed without credentials by submitting an empty authData object, bypassing the username/password requirement. The root cause is that empty or non-actionable authData is treated as present for...
CVE-2026-33429
Parse Server exposes a protected-field information leak via the LiveQuery watch parameter. Prior to versions 8.6.54 and 9.6.0-alpha.43, an attacker can subscribe with watch targeting a protected field; while the field value is stripped from payloads, the presence or absence of update events creates a...
CVE-2026-33527
Parse Server is affected; prior to 8.6.57 and 9.6.0-alpha.48, an authenticated user could overwrite server-generated session fields (expiresAt, createdWith) on their own session via the REST API, bypassing the configured session lifetime and making a session effectively permanent. The issue has b...
CVE-2026-33539
Parse Server SQL injection vulnerability in PostgreSQL adapter (CVE-2026-33539). An attacker with master key access can inject SQL metacharacters into field name parameters of the aggregate $group stage or the distinct operation, enabling arbitrary SQL execution on PostgreSQL and privilege escala...
CVE-2026-33627
CVE-2026-33627 affects Parse Server: prior to versions 8.6.61 and 9.6.0-alpha.55, an authenticated user calling GET /users/me receives unsanitized auth data, including MFA TOTP secrets and recovery codes. The endpoint uses master-level authentication for the session query, and the master context ...
CVE-2026-34574
Parse Server vulnerability CVE-2026-34574 affects Parse Server prior to 8.6.69 and 9.7.0-alpha.14. An authenticated user can bypass the immutability guard on session fields (expiresAt, createdWith) by sending a null value in a PUT to the session update endpoint, effectively nullifying session exp...
CVE-2026-31875
Parse Server MFA recovery codes are not consumed after use in versions prior to 9.6.0-alpha.7 and 8.6.33, allowing an attacker to reuse a single recovery code to repeatedly authenticate. The issue affects Node.js deployments of Parse Server and weakens MFA security. The fix is in 9.6.0-alpha.7 an...
CVE-2026-32878
Parse Server is vulnerable to prototype pollution in its deep copy path prior to versions 9.6.0-alpha.20 and 8.6.44. An attacker can bypass the default denylist and class-level field-adding permissions by crafting a request, allowing injection of fields into locked schemas and causing permanent s...
CVE-2026-32944
Technical details sufficient to assess the vulnerability are not provided in the connected documents; monitor for updates.
CVE-2026-33163
Summary: CVE-2026-33163 affects Parse Server’s LiveQuery afterEvent trigger. Before versions 9.6.0-alpha.35 and 8.6.50, when a class has a Parse.Cloud.afterLiveQueryEvent trigger, the LiveQuery event payload could leak protected fields and authData to subscribers of that class. The leak stems fro...
CVE-2026-33538
Parse Server v8.6.58 and v9.6.0-alpha.52 patch CVE-2026-33538, which allowed unauthenticated attackers to trigger DoS by sending auth requests for unconfigured providers. The server queries the user database for each unconfigured provider, and without an index on unconfigured providers this cause...
CVE-2026-34373
Parse Server’s GraphQL API endpoint prior to versions 8.6.66 and 9.7.0-alpha.10 does not respect the allowOrigin setting, unconditionally allowing cross-origin requests from any website and bypassing configured origin restrictions. The REST API enforces allowOrigin correctly. A fix is available i...
CVE-2026-33409
Parse Server suffers an authentication bypass on login via partial authData. Affected versions are before 8.6.52 and 9.6.0-alpha.41, where an attacker can log in as a user linked to a third‑party provider if allowExpiredAuthDataToken is true. The attacker only needs the user’s provider ID, gainin...
CVE-2026-39381
Parse Server (open-source Node.js backend) has a vulnerability in the GET /sessions/me endpoint where protected _Session fields configured via protectedFields are exposed to any authenticated user. The issue occurs prior to versions 9.8.0-alpha.7 and 8.6.75; the equivalent GET /sessions and GET /...