CVE-2026-30848
Published 2026-03-07
Priority: P4 · 21 · low · CVSS 3.1 base score 3.7
CVSS 3.1 vector: AV:N / AC:H / PR:N / UI:N / S:U / C:L / I:N / A:N
EPSS: 0.31% (22.9th percentile)
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0-alpha.8, the PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured pagesPath directory. The boundary check uses a string prefix comparison without enforcing a directory separator boundary. An attacker can use path traversal sequences to access files in sibling directories whose names share the same prefix as the pages directory (e.g. pages-secret starts with pages). This issue has been patched in versions 8.6.8 and 9.5.0-alpha.8.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| parse-community | parse-server | < 8.6.8 | 8.6.8 |
| parse-community | parse-server | < 9.5.0-alpha.8 | 9.5.0-alpha.8 |
| parse-community | parse-server | >= 0 < 8.6.8 | 8.6.8 |
| parse-community | parse-server | >= 9.0.0-alpha.1 < 9.5.0-alpha.8 | 9.5.0-alpha.8 |
| parseplatform | parse-server | < 8.6.8 | 8.6.8 |
| parseplatform | parse-server | — | — |
| parseplatform | parse-server | >= 9.0.0 < 9.5.0 | 9.5.0 |
| pimcore | pimcore | >= 0 < 11.5.14 | 11.5.14 |
| pimcore | pimcore | >= 12.0.0-RC1 < 12.3.1 | 12.3.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 3.7 | LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
| nvd | 4.0 | 6.3 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| ghsa | — | 8.8 | HIGH | — |
OSV
Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory
osv·2026-03-09
CVE-2026-30848 [MEDIUM] Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory
### Impact
The `PagesRouter` static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured `pagesPath` directory. The boundary check uses a string prefix comparison without enforcing a directory separator boundary. An attacker can use path traversal sequences to access files in sibling directories whose names share the same prefix as the pages directory (e.g. `pages-secret` starts with `pages`).
This affects any Parse Server deployment with the `pages` feature enabled (`pages.enableRouter: true`). Exploitation requires a sibling directory of `pagesPath` whose name begins with the same string as the pages directory nam
GHSA
Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory
ghsa·2026-03-09
CVE-2026-30848 [MEDIUM] CWE-22 Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory
GHSA
Pimcore Has an Incomplete Patch for CVE-2023-30848
ghsa·2026-01-14·CVSS 8.8
CVE-2026-23492 [HIGH] CWE-89 Pimcore Has an Incomplete Patch for CVE-2023-30848
Pimcore Has an Incomplete Patch for CVE-2023-30848
### Summary
An **incomplete SQL injection patch** in the Admin Search Find API allows an authenticated attacker to perform **blind SQL injection**.
Although CVE-2023-30848 attempted to mitigate SQL injection by removing SQL comments (--) and catching syntax errors, the fix is insufficient. Attackers can still inject SQL payloads that do not rely on comments and infer database information via blind techniques. This vulnerability affects the admin interface and can lead to **database information disclosure**.
### Details
The vulnerability exists in the Admin Search Find API endpoint:
```
/admin/search/search/find
```
In CVE-2023-30848, the following patch was applied:
- SQL comments are removed by replacing `--`
- SQL syntax errors are ca
No detection rules found.
No public exploits indexed.