Lucene search
K
ParseplatformParse-server

70 matches found

CVE
CVE
added 2026/03/10 4:34 p.m.51 views

CVE-2026-30938

Parse Server is affected by GHSA-Q342-9W2P-57FP, a vulnerability in the denylist keyword scan. The issue arises in the requestKeywordDenylist scanner: if a nested object/array appears before a prohibited keyword, the scanner exits prematurely, allowing bypass of the denylist. All deployments are ...

6.9CVSS5.8AI score0.00393EPSS
CVE
CVE
added 2026/03/18 9:33 p.m.36 views

CVE-2026-32742

CVE-2026-32742 affects Parse Server. Before versions 9.6.0-alpha.17 and 8.6.42, an authenticated user could overwrite server-generated session fields (sessionToken, expiresAt, createdWith) when creating a session via POST /classes/_Session, potentially bypassing session expiration and predicting ...

4.3CVSS5.9AI score0.00306EPSS
Web
CVE
CVE
added 2026/03/11 5:14 p.m.29 views

CVE-2026-31856

CVE-2026-31856 affects Parse Server PostgreSQL storage adapter. The vulnerability allows SQL injection via Increment on nested object fields (e.g., stats.counter) where the amount is interpolated into the SQL query without parameterization, enabling reading data and bypassing CLPs/ACLs. MongoDB d...

9.8CVSS5.9AI score0.00418EPSS
CVE
CVE
added 2026/03/10 8:45 p.m.28 views

CVE-2026-30966

Parse Server prior to 9.5.2-alpha.7 and 8.6.20 is vulnerable: internal tables backing Relation field mappings are accessible via REST/GraphQL using only the application key, allowing any client to create/read/update/delete records in relation tables and potentially inject themselves into any Pars...

10CVSS5.8AI score0.00384EPSS
CVE
CVE
added 2026/03/07 4:24 p.m.26 views

CVE-2026-30854

Parse Server vulnerability CVE-2026-30854 affects versions 9.3.1-alpha.3 through before 9.5.0-alpha.10 when graphQLPublicIntrospection is disabled. Nested __type queries inside inline fragments (for example ... on Query { __type(name: "User") { name } }) can bypass introspection controls, enablin...

6.9CVSS5.7AI score0.00278EPSS
CVE
CVE
added 2026/03/11 7:58 p.m.26 views

CVE-2026-32234

Parse Server vulnerability CVE-2026-32234 affects deployments using PostgreSQL. A crafted field name in a $regex query constraint can be interpolated into SQL when an attacker has master-key access, bypassing the Parse Server layer and enabling database-level SQL injection. Affected versions are ...

5.1CVSS5.8AI score0.00201EPSS
CVE
CVE
added 2026/03/31 7:34 p.m.24 views

CVE-2026-34215

Parse Server exposes sensitive authentication data via the verifyPassword endpoint. Affected versions are before 8.6.63 and 9.7.0-alpha.7. The endpoint returns unsanitized data including MFA TOTP secrets, recovery codes, and OAuth access tokens, enabling an attacker who knows a user’s password to...

8.2CVSS5.8AI score0.00303EPSS
CVE
CVE
added 2026/03/11 4:53 p.m.23 views

CVE-2026-31840

CVE-2026-31840 affects Parse Server (Node.js backend) deployed with PostgreSQL. The issue is a SQL injection via dot-notation field names used with the sort, distinct, or where query parameters, due to improper escaping of sub-field values. Affected versions are prior to 9.6.0-alpha.2 and 8.6.28;...

9.8CVSS5.8AI score0.00408EPSS
CVE
CVE
added 2026/03/31 3:6 p.m.23 views

CVE-2026-34573

Parse Server exposes a denial-of-service when the GraphQL query complexity validator is enabled (requestComplexity.graphQLDepth or requestComplexity.graphQLFields). In versions prior to 8.6.68 and 9.7.0-alpha.12, a crafted query using binary fan-out fragment spreads can block the Node.js event lo...

8.2CVSS5.7AI score0.00463EPSS
CVE
CVE
added 2026/03/11 7:57 p.m.22 views

CVE-2026-32098

Parse Server exposes a vulnerability where enabling LiveQuery and protectedFields in Class-Level Permissions allows a WHERE-clause subscription (including dot-notation or $regex) to reveal protected field values. Affected: classes with both protectedFields and LiveQuery enabled, with versions pri...

7.5CVSS5.8AI score0.00288EPSS
CVE
CVE
added 2026/03/11 6:1 p.m.21 views

CVE-2026-31871

Parse Server has a SQL injection vulnerability in the PostgreSQL storage adapter during Increment operations on nested object fields (dot notation, e.g., stats.counter). The sub-key name is interpolated into SQL literals without escaping, enabling an attacker who can submit REST API write request...

9.8CVSS5.9AI score0.00418EPSS
CVE
CVE
added 2026/05/12 1:34 p.m.21 views

CVE-2026-43930

CVE-2026-43930 affects Parse Server. A race condition in the MFA SMS OTP login path before 8.6.76 and 9.9.0-alpha.2 can allow two concurrent /login requests carrying the same OTP to succeed, producing two valid session tokens. Impact is breaking single-use OTP; attacker must already know the vict...

5.9CVSS5.8AI score0.00236EPSS
CVE
CVE
added 2026/03/07 4:18 p.m.20 views

CVE-2026-30863

CVE-2026-30863 affects Parse Server through its Google, Apple, and Facebook authentication adapters. If the adapter’s audience option (clientId for Google/Apple, appIds for Facebook) is not configured, the JWT verification process does not validate the audience claim, enabling an attacker to pres...

9.8CVSS5.7AI score0.00525EPSS
CVE
CVE
added 2026/03/06 8:25 p.m.19 views

CVE-2026-30228

Parse Server is affected where the readOnlyMasterKey is used with the Files API (POST /files/:filename, DELETE /files/:filename). Prior to versions 8.6.5 and 9.5.0-alpha.3, this could bypass the read-only restriction, allowing an attacker with the readOnlyMasterKey to upload arbitrary files or de...

6.9CVSS5.8AI score0.00329EPSS
Web
CVE
CVE
added 2026/03/10 8:16 p.m.19 views

CVE-2026-30947

Parse Server (with LiveQuery) is affected by CVE-2026-30947 where class-level permissions (CLP) are not enforced for LiveQuery subscriptions in older releases. An unauthenticated or unauthorized client could subscribe to any LiveQuery-enabled class and receive real-time events for all objects, by...

8.7CVSS5.8AI score0.00426EPSS
CVE
CVE
added 2026/03/31 2:42 p.m.19 views

CVE-2026-34532

Parse Server vulnerability CVE-2026-34532: An attacker could bypass Cloud Function validator access controls by appending "prototype.constructor" to the function name in the URL. When a Cloud Function handler uses the function keyword and its validator is a plain object or arrow function, the tri...

9.1CVSS5.7AI score0.00277EPSS
CVE
CVE
added 2026/03/11 7:18 p.m.18 views

CVE-2026-31901

Parse Server has a user-enumeration vulnerability via the email verification endpoint /verificationEmailRequest. Before versions 8.6.34 and 9.6.0-alpha.8, responses differ depending on whether the email belongs to an existing user, is already verified, or does not exist, allowing an attacker to d...

6.3CVSS5.8AI score0.00241EPSS
CVE
CVE
added 2026/03/12 6:49 p.m.18 views

CVE-2026-32242

CVE-2026-32242 affects Parse Server: the built-in OAuth2 adapter previously exported a singleton instance shared across all OAuth2 provider configurations. Under concurrent authentication requests for multiple providers configured with oauth2: true, a token validation could run against another pr...

9.1CVSS5.8AI score0.00261EPSS
CVE
CVE
added 2026/03/18 9:46 p.m.18 views

CVE-2026-32943

Parse Server prior to versions 9.6.0-alpha.28 and 8.6.48 did not enforce single-use for password-reset tokens, allowing a token to be consumed by concurrent requests. An attacker with an intercepted token could race a legitimate reset request, potentially changing a target account’s password. Sta...

3.1CVSS5.8AI score0.00207EPSS
CVE
CVE
added 2026/04/06 7:47 p.m.18 views

CVE-2026-35200

Parse Server has a Content-Type mismatch vulnerability in file uploads: if a filename extension passes the allowlist but the Content-Type header differs (e.g., .txt with text/html), the Content-Type is forwarded to storage adapters (such as S3 or GCS) and served as-is. Affected versions are prior...

5.4CVSS5.9AI score0.00162EPSS
CVE
CVE
added 2026/03/07 4:20 p.m.17 views

CVE-2026-30848

Parse Server’s PagesRouter is vulnerable to a path traversal issue prior to versions 8.6.8 and 9.5.0-alpha.8. The boundary check uses a string prefix comparison without enforcing a directory separator boundary, enabling unauthenticated access to files outside the configured pagesPath by traversal...

6.3CVSS5.7AI score0.00312EPSS
CVE
CVE
added 2026/03/10 8:14 p.m.17 views

CVE-2026-30946

Parse Server is affected by a denial-of-service due to unbounded query complexity in REST and GraphQL APIs. Unauthenticated attackers can exhaust resources (CPU, memory, database connections) via crafted queries, affecting all deployments using REST/GraphQL prior to 9.5.2-alpha.2 and 8.6.15. The ...

8.7CVSS5.7AI score0.00562EPSS
CVE
CVE
added 2026/03/11 5:54 p.m.17 views

CVE-2026-31868

Parse Server has a stored XSS vulnerability (CVE-2026-31868) via file uploads of HTML-renderable types. Before versions 9.6.0-alpha.4 and 8.6.30, an attacker could upload files with extensions or content types not blocked by the default fileUpload.fileExtensions setting (e.g., .svgz, .xht, .xml, ...

6.3CVSS5.8AI score0.00245EPSS
CVE
CVE
added 2026/03/24 6:18 p.m.17 views

CVE-2026-33498

CVE-2026-33498 affects Parse Server (Node.js). Before versions 8.6.55 and 9.6.0-alpha.44, an unauthenticated HTTP request with a deeply nested query containing logical operators can permanently hang the server process, rendering it unresponsive and requiring manual restart. This is a bypass of th...

8.7CVSS5.7AI score0.00452EPSS
CVE
CVE
added 2026/03/31 2:25 p.m.17 views

CVE-2026-34224

CVE-2026-34224 affects Parse Server (Node.js backend). A flaw in the authData login flow lets an attacker with a valid provider token and a single MFA recovery code or SMS OTP create multiple authenticated sessions by issuing concurrent login requests, defeating the single-use MFA guarantee and p...

4.4CVSS5.8AI score0.00311EPSS
CVE
CVE
added 2026/03/31 3:10 p.m.17 views

CVE-2026-34595

CVE-2026-34595 affects Parse Server LiveQuery: an authenticated user with find class-level permission can bypass the protectedFields guard by submitting a subscription using an array-like object for $or/$and/$nor instead of a real array. This bypass allows the subscription firing to act as a bina...

5.3CVSS5.8AI score0.00251EPSS
CVE
CVE
added 2026/03/06 8:26 p.m.16 views

CVE-2026-30229

CVE-2026-30229 affects Parse Server. The readOnlyMasterKey could call POST /loginAs to obtain a valid session token, allowing impersonation of arbitrary users with full read/write access. Impact applies to any deployment using readOnlyMasterKey. The issue is resolved in Parse Server releases 8.6....

8.5CVSS5.8AI score0.00388EPSS
CVE
CVE
added 2026/03/07 4:21 p.m.16 views

CVE-2026-30850

Parse Server contains a vulnerability where the file metadata endpoint (GET /files/:appId/metadata/:filename) bypasses beforeFind / afterFind triggers prior to versions 8.6.9 and 9.5.0-alpha.9. When these triggers act as access-control gates, the endpoint can expose file metadata without enforcin...

6.3CVSS5.7AI score0.00295EPSS
Web
CVE
CVE
added 2026/03/09 11:1 p.m.16 views

CVE-2026-30925

CVE-2026-30925 affects Parse Server with LiveQuery enabled. A crafted $regex subscription can cause catastrophic backtracking in JavaScript regex evaluation on the Node.js event loop, blocking the server and making the entire deployment unresponsive. This impacts all clients for affected deployme...

8.2CVSS5.8AI score0.00446EPSS
CVE
CVE
added 2026/03/10 8:18 p.m.16 views

CVE-2026-30948

Parse Server (open-source Node.js backend) is affected prior to 9.5.2-alpha.4 and 8.6.17 by a stored XSS via SVG uploads. Authenticated users can upload an SVG file, which is served inline as Content-Type: image/svg+xml without protective headers, causing embedded scripts to execute in the Parse ...

8.3CVSS5.8AI score0.00216EPSS
CVE
CVE
added 2026/03/12 7:43 p.m.16 views

CVE-2026-32269

Parse Server vulnerability CVE-2026-32269 affects deployments using the OAuth2 adapter with both appidField and appIds configured. The issue stems from incorrect validation of app IDs where a malformed value is sent to the token introspection endpoint instead of the user’s actual access token, po...

6.5CVSS5.8AI score0.00276EPSS
CVE
CVE
added 2026/03/13 7:56 p.m.16 views

CVE-2026-32594

Parse Server vulnerability CVE-2026-32594 affects the GraphQL WebSocket endpoint used for subscriptions, where requests bypass the Express middleware that enforces authentication, introspection control, and query complexity limits. Prior to versions 8.6.40 and 9.6.0-alpha.14, an attacker could co...

7.3CVSS5.8AI score0.00342EPSS
CVE
CVE
added 2026/03/18 9:31 p.m.16 views

CVE-2026-32728

Parse Server is affected by a stored XSS bypass vulnerability where an attacker with file upload rights can bypass extension filtering by adding MIME parameters (for example; charset=utf-8) to the Content-Type header. This can cause the extension validation to skip blocklist checks, allowing acti...

8.3CVSS5.4AI score0.00272EPSS
CVE
CVE
added 2026/03/18 9:37 p.m.16 views

CVE-2026-32770

CVE-2026-32770 affects the Parse Server project via the LiveQuery feature. The issue occurs when a remote attacker subscribes to LiveQuery with an invalid regular expression pattern, which can cause the server process to crash and lead to a denial of service for all connected clients. Affected ve...

7.5CVSS5.8AI score0.0055EPSS
CVE
CVE
added 2026/03/24 6:21 p.m.16 views

CVE-2026-33508

Parse Server’s LiveQuery WebSocket subscription processing is vulnerable to a query depth bypass due to not enforcing the requestComplexity.queryDepth setting before versions 8.6.56 and 9.6.0-alpha.45. An attacker can submit a subscription with deeply nested logical operators, triggering recursio...

8.2CVSS5.7AI score0.00345EPSS
CVE
CVE
added 2026/03/10 4:37 p.m.15 views

CVE-2026-30939

CVE-2026-30939 is associated with a vulnerability in Parse Server via a prototype chain resolution issue that enables a DoS. An unauthenticated attacker can crash the server by calling a Cloud Function endpoint with a prototype property name as the function name; other prototype property names by...

8.8CVSS5.8AI score0.0049EPSS
CVE
CVE
added 2026/03/10 8:20 p.m.15 views

CVE-2026-30949

CVE-2026-30949 affects Parse Server deployments using the Keycloak authentication adapter. The issue is that the azp (authorized party) claim in Keycloak access tokens is not validated against the configured client-id, enabling a valid token from one client to authenticate as any user on Parse Se...

8.8CVSS5.8AI score0.00426EPSS
CVE
CVE
added 2026/03/10 8:48 p.m.15 views

CVE-2026-30972

Parse Server is affected by a rate-limit bypass vulnerability where the /batch endpoint processes sub-requests internally and bypasses the Express middleware rate limiting that protects other endpoints. This allows bundling multiple requests targeting a rate-limited path into a single batch, circ...

7.5CVSS5.8AI score0.00342EPSS
CVE
CVE
added 2026/03/12 7:14 p.m.15 views

CVE-2026-32248

Parse Server suffers an account takeover vulnerability (CVE-2026-32248) due to operator injection in the authentication data identifier. Before versions 9.6.0-alpha.12 and 8.6.38, an unauthenticated attacker can crafted-login cause a pattern-matching query instead of an exact match, allowing them...

9.8CVSS5.8AI score0.00627EPSS
CVE
CVE
added 2026/03/18 9:54 p.m.15 views

CVE-2026-33042

Parse Server (Node.js) is affected prior to versions 9.6.0-alpha.29 and 8.6.49 where a signup can be performed without credentials by submitting an empty authData object, bypassing the username/password requirement. The root cause is that empty or non-actionable authData is treated as present for...

6.9CVSS5.8AI score0.00294EPSS
CVE
CVE
added 2026/03/24 6:16 p.m.15 views

CVE-2026-33429

Parse Server exposes a protected-field information leak via LiveQuery watch parameter. Prior to versions 8.6.54 and 9.6.0-alpha.43, an attacker can subscribe with watch targeting a protected field; while the field value is stripped from payloads, the presence or absence of update events creates a...

6.3CVSS5.7AI score0.00316EPSS
CVE
CVE
added 2026/03/10 8:42 p.m.14 views

CVE-2026-30962

Parse Server is vulnerable prior to versions 9.5.2-alpha.6 and 8.6.19 due to a flawed protection check that only validates top-level query keys for protected fields. By wrapping a query constraint on a protected field inside a logical operator, the check is bypassed, allowing any authenticated us...

7.1CVSS5.8AI score0.00297EPSS
CVE
CVE
added 2026/03/10 8:51 p.m.14 views

CVE-2026-31800

Parse Server (Node.js) vulerable prior to 9.5.2-alpha.12 and 8.6.25 where internal classes _GraphQLConfig and _Audience can be read, modified, or deleted via the generic /classes/_GraphQLConfig and /classes/_Audience routes without master key authentication. This bypasses the master key enforceme...

9.1CVSS5.8AI score0.00335EPSS
CVE
CVE
added 2026/03/24 6:14 p.m.14 views

CVE-2026-33421

Parse Server’s LiveQuery WebSocket interface historically did not enforce Class-Level Permission pointer permissions (readUserFields and pointerFields) prior to versions 8.6.53 and 9.6.0-alpha.42. Any authenticated user could subscribe to LiveQuery events and receive real-time updates for objects...

7.1CVSS5.7AI score0.00397EPSS
CVE
CVE
added 2026/03/24 6:24 p.m.14 views

CVE-2026-33538

Parse Server v8.6.58 and v9.6.0-alpha.52 patch CVE-2026-33538, which allowed unauthenticated attackers to trigger DoS by sending auth requests for unconfigured providers. The server queries the user database for each unconfigured provider, and without an index on unconfigured providers this cause...

8.7CVSS5.8AI score0.00406EPSS
CVE
CVE
added 2026/03/24 6:28 p.m.14 views

CVE-2026-33624

CVE-2026-33624 affects Parse Server. Prior to versions 8.6.60 and 9.6.0-alpha.54, an attacker who knows a user’s password and a valid MFA recovery code can reuse that code indefinitely by sending concurrent login requests, defeating the single‑use design of recovery codes. Impacted component: MFA...

2.7CVSS5.8AI score0.00175EPSS
CVE
CVE
added 2026/03/31 2:35 p.m.14 views

CVE-2026-34363

Parsed Server LiveQuery vulnerability : multiple concurrent subscribers on the same class share mutable state; the in-place modification by the sensitive data filter can leak protected fields and authentication data across clients, or cause incomplete data to be seen. Affected versions before 8.6...

8.2CVSS5.8AI score0.00367EPSS
CVE
CVE
added 2026/02/25 11:48 p.m.13 views

CVE-2026-27804

Parse Server versions prior to 8.6.3 and 9.1.1-alpha.4 are vulnerable to unauthenticated login via forged Google tokens (alg: none). The root cause is trusting the JWT header for algorithm selection; the fix hardcodes RS256 and shifts key validation to jwks-rsa, rejecting unknown key IDs. Affecte...

9.3CVSS5.5AI score0.00176EPSS
CVE
CVE
added 2026/03/06 8:24 p.m.13 views

CVE-2026-29182

CVE-2026-29182 affects Parse Server prior to 8.6.4 and 9.4.1-alpha.3, where the readOnlyMasterKey is incorrectly allowed to perform mutating operations, bypassing the documented denial of writes. An attacker who knows the readOnlyMasterKey can create, modify, or delete Cloud Hooks and start Cloud...

8.6CVSS5.7AI score0.0038EPSS
CVE
CVE
added 2026/03/10 4:40 p.m.13 views

CVE-2026-30941

Parse Server exposes a NoSQL injection in token handling for password reset and email verification endpoints on deployments using MongoDB. Prior to versions 8.6.14 and 9.5.2-alpha.1, the token field is passed to database queries without type validation, enabling unauthenticated attackers to injec...

8.7CVSS5.8AI score0.00455EPSS
Total number of security vulnerabilities70