
Parse-Community Parse-Server vulnerabilities

112 known vulnerabilities affecting parse-community/parse-server.

Total CVEs: 112
CISA KEV: 0
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 20, HIGH 42, MEDIUM 43, LOW 7

Vulnerabilities

Page 1 of 6
CVE | Priority | Severity | CVSS | Flags | Affected / fixed versions | Date

CVE-2025-53364 | P2 | MEDIUM | CVSS 5.3 | Exploited, PoC | affected >= 5.3.0, < 7.5.3 and >= 8.0.0, < 8.2.2 | 2025-07-10
CWE-497: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Starting in 5.3.0 and before 7.5.3 and 8.2.2, the Parse Server GraphQL API previously allowed public access to the GraphQL schema without requiring a session token or the master key. While schema introspection reveals only metadata and not actual
Sources: GHSA, NVD, OSV

CVE-2022-24760 | P1 | CRITICAL | CVSS 10.0 | - | fixed in 4.10.7 | 2022-03-12
CWE-74: Parse Server is an open source http web server backend. In versions prior to 4.10.7 there is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in the default configuration with MongoDB. The main weakness that leads to RCE is the Prototype Pollution vulnerable code in the file `DatabaseController.js
Sources: GHSA, NVD, OSV

CVE-2022-39396 | P2 | CRITICAL | CVSS 9.8 | - | fixed in 4.10.18; affected >= 5.0.0, < 5.3.1 | 2022-11-10
CWE-1321: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.18, and prior to 5.3.1 on the 5.X branch, are vulnerable to Remote Code Execution via prototype pollution. An attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON pars
Sources: GHSA, NVD, OSV

CVE-2024-39309 | P2 | CRITICAL | CVSS 9.8 | - | fixed in 6.5.7; affected >= 7.0.0, < 7.1.0 | 2024-07-01
CWE-89: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A vulnerability in versions prior to 6.5.7 and 7.1.0 allows SQL injection when Parse Server is configured to use the PostgreSQL database. The algorithm to detect SQL injection has been improved in versions 6.5.7 and 7.1.0. No known workarounds ar
Sources: GHSA, NVD, OSV

CVE-2026-32248 | P2 | CRITICAL | CVSS 9.8 | - | affected >= 9.0.0, < 9.6.0-alpha.12; fixed in 8.6.38 | 2026-03-12
CWE-943: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.12 and 8.6.38, an unauthenticated attacker can take over any user account that was created with an authentication provider that does not validate the format of the user identifier (e.g. anonymous authentication). By sending
Sources: GHSA, NVD, OSV

CVE-2026-30966 | P2 | CRITICAL | CVSS 10.0 | - | affected >= 9.0.0, < 9.5.2-alpha.7; fixed in 8.6.20 | 2026-03-10
CWE-284: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.7 and 8.6.20, Parse Server's internal tables, which store Relation field mappings such as role memberships, can be directly accessed via the REST API or GraphQL API by any client using only the application key. No master key
Sources: GHSA, NVD, OSV

CVE-2026-33409 | P2 | CRITICAL | CVSS 9.1 | - | fixed in 8.6.52; affected >= 9.0.0, < 9.6.0-alpha.41 | 2026-03-24
CWE-287: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.52 and 9.6.0-alpha.41, an authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowing the user's credentials. The attacker only needs to
Sources: GHSA, NVD, OSV

CVE-2026-27804 | P2 | CRITICAL | CVSS 9.1 | - | affected >= 9.0.0, < 9.3.1-alpha.4; fixed in 8.6.3 | 2026-02-26
CWE-327: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.3 and 9.1.1-alpha.4, an unauthenticated attacker can forge a Google authentication token with `alg: "none"` to log in as any user linked to a Google account, without knowing their credentials. All deployments with Google au
Sources: GHSA, NVD, OSV

CVE-2026-31871 | P2 | CRITICAL | CVSS 9.8 | - | affected >= 9.0.0, < 9.6.0-alpha.5; fixed in 8.6.31 | 2026-03-11
CWE-89: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.5 and 8.6.31, a SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation (e.g., stats.counter). The sub-key name is interpolated dire
Sources: GHSA, NVD, OSV

CVE-2023-36475 | P2 | CRITICAL | CVSS 9.8 | - | fixed in 5.5.2; affected >= 6.0.0, < 6.2.1 | 2023-06-28
CWE-1321: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 5.5.2 and 6.2.1, an attacker can use a prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. A patch is available in versions 5.5.2 and 6.2.1.
Sources: GHSA, NVD, OSV

CVE-2024-27298 | P2 | CRITICAL | CVSS 10.0 | - | fixed in 6.5.0; affected >= 7.0.0-alpha.1, < 7.0.0-alpha.20 | 2024-03-01
CWE-89: parse-server is a Parse Server for Node.js / Express. This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database. The vulnerability has been fixed in 6.5.0 and 7.0.0-alpha.20.
Sources: GHSA, NVD, OSV

CVE-2026-31856 | P2 | CRITICAL | CVSS 9.8 | - | affected >= 9.0.0, < 9.6.0-alpha.3; fixed in 8.6.29 | 2026-03-11
CWE-89: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation (e.g., stats.counter). The amount value is interpolated directly into the SQL query without par
Sources: GHSA, NVD, OSV

CVE-2026-34532 | P2 | CRITICAL | CVSS 9.1 | - | fixed in 8.6.67; affected >= 9.0.0, < 9.7.0-alpha.11 | 2026-03-31
CWE-863: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.67 and 9.7.0-alpha.11, an attacker can bypass Cloud Function validator access controls by appending "prototype.constructor" to the function name in the URL. When a Cloud Function handler is declared using the function keywo
Sources: GHSA, NVD, OSV

CVE-2026-30863 | P2 | CRITICAL | CVSS 9.8 | - | fixed in 8.6.10; fixed in 9.5.0-alpha.11 | 2026-03-07
CWE-287: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.10 and 9.5.0-alpha.11, the Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter's audience configuration option is not set (clientId for Google/Apple, appIds
Sources: GHSA, NVD, OSV

CVE-2026-30949 | P2 | HIGH | CVSS 8.8 | - | affected >= 9.0.0, < 9.5.2-alpha.5; fixed in 8.6.18 | 2026-03-10
CWE-287: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.5 and 8.6.18, the Keycloak authentication adapter does not validate the azp (authorized party) claim of Keycloak access tokens against the configured client-id. A valid access token issued by the same Keycloak realm for a differ
Sources: GHSA, NVD, OSV

CVE-2024-29027 | P2 | CRITICAL | CVSS 9.0 | - | fixed in 6.5.5; affected >= 7.0.0-alpha.1, < 7.0.0-alpha.29 | 2024-03-19
CWE-74: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 6.5.5 and 7.0.0-alpha.29, calling an invalid Parse Server Cloud Function name or Cloud Job name crashes the server and may allow for code injection, internal store manipulation or remote code execution. The patch in versions 6.5
Sources: GHSA, NVD, OSV

CVE-2026-31828 | P3 | HIGH | CVSS 8.8 | - | affected >= 9.0.0, < 9.5.2-alpha.13; fixed in 8.6.26 | 2026-03-10
CWE-90: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.13 and 8.6.26, the LDAP authentication adapter is vulnerable to LDAP injection. User-supplied input (authData.id) is interpolated directly into LDAP Distinguished Names (DN) and group search filters without escaping special chara
Sources: GHSA, NVD, OSV

CVE-2026-47138 | P2 | HIGH | CVSS 8.7 | - | fixed in 8.6.77; affected >= 9.0.0, < 9.9.1-alpha.1 | 2026-06-12
CWE-1333: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.77 and 9.9.1-alpha.1, an unauthenticated attacker who knows a publicly-known Parse Application ID can submit a single HTTP request whose client SDK version field contains adversarial input that triggers polynomial backtracking
Sources: NVD

CVE-2026-31840 | P3 | CRITICAL | CVSS 9.8 | - | affected >= 9.0.0, < 9.6.0-alpha.2; fixed in 8.6.28 | 2026-03-11
CWE-89: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.2 and 8.6.28, an attacker can use a dot-notation field name in combination with the sort query parameter to inject SQL into the PostgreSQL database through an improper escaping of sub-field values in dot-notation queries. The
Sources: GHSA, NVD, OSV

CVE-2026-30965 | P3 | CRITICAL | CVSS 9.1 | - | affected >= 9.0.0, < 9.5.2-alpha.8; fixed in 8.6.21 | 2026-03-10
CWE-863: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.8 and 8.6.21, a vulnerability in Parse Server's query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other users by exploiting the redirectClassNameForKey query parameter. Exfilt
Sources: GHSA, NVD, OSV