cvebase

Parse-Community Parse-Server vulnerabilities

112 known vulnerabilities affecting parse-community/parse-server.

Total CVEs: 112
CISA KEV: 0
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 20, HIGH 42, MEDIUM 43, LOW 7

Vulnerabilities

Page 2 of 6
CVE-2026-30967 | P3 | HIGH | CVSS 8.8 | affected >= 9.0.0 < 9.5.2-alpha.9 | fixed in 8.6.22 | 2026-03-10
CWE-287 (Improper Authentication). Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.9 and 8.6.22, the OAuth2 authentication adapter, when configured without the useridField option, only verifies that a token is active via the provider's token introspection endpoint, but does not verify that the token belongs t
Sources: GHSA, NVD, OSV
CVE-2022-41879 | P3 | CRITICAL | CVSS 9.8 | affected >= 5.0.0, < 5.3.3 | fixed in 4.10.20 | 2022-11-10
CWE-1321 (Prototype Pollution). Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.3 or 4.10.20, a compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server `requestKeywordDenylist` option. This issue has been patched in versio
Sources: GHSA, NVD, OSV
CVE-2025-67727 | P3 | CRITICAL | CVSS 9.8 | fixed in 8.6.0-alpha.2 | 2025-12-12
CWE-94 (Code Injection). Parse Server is an open source backend that can be deployed to any infrastructure that runs Node.js. In versions prior to 8.6.0-alpha.2, a GitHub CI workflow is triggered in a way that grants the GitHub Actions workflow elevated permissions, giving it access to GitHub secrets and write permissions which are defined in the workflow. Code from a fork
Sources: NVD
CVE-2022-41878 | P3 | CRITICAL | CVSS 9.8 | fixed in 4.10.19 | 2022-11-10
CWE-74 (Injection). Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.2 or 4.10.19, keywords that are specified in the Parse Server option `requestKeywordDenylist` can be injected via Cloud Code Webhooks or Triggers. This will result in the keyword being saved to the database, bypassing the
Sources: GHSA, NVD, OSV
CVE-2026-31800 | P3 | CRITICAL | CVSS 9.1 | affected >= 9.0.0 < 9.5.2-alpha.12 | fixed in 8.6.25 | 2026-03-10
CWE-862 (Missing Authorization). Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.12 and 8.6.25, the _GraphQLConfig and _Audience internal classes can be read, modified, and deleted via the generic /classes/_GraphQLConfig and /classes/_Audience REST API routes without master key authentication. This bypas
Sources: GHSA, NVD, OSV
CVE-2026-34373 | P3 | HIGH | CVSS 8.8 | affected >= 9.0.0, < 9.7.0-alpha.10 | fixed in 8.6.66 | 2026-03-31
CWE-346 (Origin Validation Error). Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0-alpha.10, the GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This bypasses origin restrictions that operators configure to con
Sources: GHSA, NVD, OSV
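The CORS decision the entry above is about, as an added example written for this page (it is not Parse Server's code and does not reproduce its fix): an unconditional handler that ignores configuration, next to one that honours an allowOrigin setting. The `allowOrigin` shape (a string, an array of strings, or undefined meaning "*") is an assumption of this example, as is treating undefined as the wildcard.

```javascript
// Added example, not Parse Server's code. Compares an endpoint that ignores the
// allowOrigin option with one that applies it per request.

// Ignores configuration: every Origin is accepted. One way the failure mode
// described for the GraphQL endpoint can look.
function corsHeadersUnconditional(requestOrigin) {
  return { 'Access-Control-Allow-Origin': '*' };
}

// Honours the option. `allowOrigin` is assumed to be a string, an array of
// strings, or undefined (taken as "*" here).
function corsHeadersFor(requestOrigin, allowOrigin) {
  if (!requestOrigin) return {}; // no Origin header: same-origin or non-browser client
  const allowed = allowOrigin === undefined ? ['*'] : [].concat(allowOrigin);
  if (allowed.includes('*')) return { 'Access-Control-Allow-Origin': '*' };
  // Exact string comparison: a prefix or substring match would let
  // https://app.example.attacker.example through for https://app.example.
  if (allowed.includes(requestOrigin)) {
    // Echo only the matching origin and Vary on it so a shared cache never
    // serves one origin's CORS headers to another.
    return { 'Access-Control-Allow-Origin': requestOrigin, Vary: 'Origin' };
  }
  return {}; // no ACAO header: the browser refuses to expose the response
}
```

Every route that serves browsers (REST, GraphQL, and any WebSocket upgrade that checks Origin) should call the same decision function with the same configured value; the bug class here is one endpoint taking a different path.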
CVE-2026-30941 | P3 | HIGH | CVSS 7.5 | affected >= 9.0.0 < 9.5.2-alpha.1 | fixed in 8.6.14 | 2026-03-10
CWE-943 (Improper Neutralization of Special Elements in Data Query Logic). Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.14 and 9.5.2-alpha.1, a NoSQL injection vulnerability allows an unauthenticated attacker to inject MongoDB query operators via the token field in the password reset and email verification resend endpoints. The token value is passed to dat
Sources: GHSA, NVD, OSV
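How an object-valued token turns into a query operator, and the guard that stops it, as an added example for this page (not Parse Server's code, and not its actual fix). The field name `_perishable_token`, the sample user record, the token charset and length bound are all assumptions of the example; the in-memory matcher stands in for MongoDB so the block runs offline.

```javascript
// Added example, not Parse Server's code: an object-valued "token" from a JSON
// body becomes a MongoDB operator when spliced into a query verbatim; a
// string-only guard stops that before any query is built.

// What a naive handler sends to the database: the token is used as received.
function buildResetFilter(username, token) {
  return { username, _perishable_token: token }; // field name assumed for the example
}

// Minimal stand-in for MongoDB matching so the example runs offline:
// primitives compare for equality; an object is treated as an operator
// document, of which only $ne is implemented here.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    const value = doc[field];
    if (cond === null || typeof cond !== 'object') return value === cond;
    if ('$ne' in cond) return value !== cond.$ne;
    return false; // unknown operator: no match
  });
}

// Constructed sample data; the token value is not a real one.
const users = [{ username: 'alice', _perishable_token: 'a1b2c3d4e5f6' }];

function findByFilter(filter) {
  return users.filter(doc => matches(doc, filter));
}

// Hardened: accept only a plain string before it reaches the query layer.
// Charset and length bound are assumptions; the point is that no operator
// can be expressed in a validated string.
function validateToken(token) {
  if (typeof token !== 'string') throw new TypeError('token must be a string');
  if (!/^[A-Za-z0-9]{1,128}$/.test(token)) throw new RangeError('token has unexpected format');
  return token;
}

// validate: false reproduces the vulnerable path, validate: true the fixed one.
function resetLookup(username, token, { validate }) {
  const t = validate ? validateToken(token) : token;
  return findByFilter(buildResetFilter(username, t));
}
```

With `validate: false`, the payload `{ "token": { "$ne": null } }` matches the record without the attacker knowing the token; with `validate: true` the same payload is rejected as a type error before a filter is built. Type-checking every field that is interpolated into a query is the general rule; it is cheaper than maintaining a list of forbidden operator names.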
CVE-2026-32594 | P3 | HIGH | CVSS 7.3 | affected >= 9.0.0 < 9.6.0-alpha.14 | fixed in 8.6.40 | 2026-03-16
CWE-306 (Missing Authentication for Critical Function). Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.40 and 9.6.0-alpha.14, the GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection control, and query complexity limits. An attacker can connec
Sources: GHSA, NVD, OSV
CVE-2026-33539 | P3 | HIGH | CVSS 7.2 | affected >= 9.0.0, < 9.6.0-alpha.53 | fixed in 8.6.59 | 2026-03-24
CWE-89 (SQL Injection). Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.59 and 9.6.0-alpha.53, an attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name parameters of the aggregate $group pipeline stage or the d
Sources: GHSA, NVD, OSV
CVE-2026-33538 | P3 | HIGH | CVSS 7.5 | affected >= 9.0.0, < 9.6.0-alpha.52 | fixed in 8.6.58 | 2026-03-24
CWE-400 (Uncontrolled Resource Consumption). Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.58 and 9.6.0-alpha.52, an unauthenticated attacker can cause denial of service by sending authentication requests with arbitrary, unconfigured provider names. The server executes a database query for each unconfigured provider
Sources: GHSA, NVD, OSV
CVE-2026-34784 | P3 | HIGH | CVSS 7.5 | affected >= 9.0.0, < 9.7.1-alpha.1 | fixed in 8.6.71 | 2026-03-31
CWE-285 (Improper Authorization). Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFind(Parse.File) trigger and its validators on storage adapters that support streaming (e.g. the default GridFS adapter). This allows access to files
Sources: GHSA, NVD, OSV
CVE-2025-64430 | P3 | HIGH | CVSS 7.5 | affected >= 4.2.0, < 7.5.4; >= 8.0.0, <= 8.4.0-alpha.1 | 2025-11-07
CWE-918 (Server-Side Request Forgery). Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions 4.2.0 through 7.5.3, and 8.0.0 through 8.3.1-alpha.1, there is a Server-Side Request Forgery (SSRF) vulnerability in the file upload functionality when trying to upload a Parse.File with uri parameter, allowing execution of an arbitrary
Sources: GHSA, NVD, OSV
CVE-2026-30946 | P3 | HIGH | CVSS 7.5 | affected >= 9.0.0 < 9.5.2-alpha.2 | fixed in 8.6.15 | 2026-03-10
CWE-770 (Allocation of Resources Without Limits or Throttling). Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.2 and 8.6.15, an unauthenticated attacker can exhaust Parse Server resources (CPU, memory, database connections) through crafted queries that exploit the lack of complexity limits in the REST and GraphQL APIs. All Parse Server depl
Sources: GHSA, NVD, OSV
CVE-2026-29182 | P3 | HIGH | CVSS 7.2 | fixed in 8.6.4 and 9.4.1-alpha.3 | 2026-03-06
CWE-863 (Incorrect Authorization). Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.4 and 9.4.1-alpha.3, Parse Server's readOnlyMasterKey option allows access with master-level read privileges but is documented to deny all write operations. However, some endpoints incorrectly accept the readOnlyMasterKey for m
Sources: GHSA, NVD, OSV
CVE-2026-30939 | P3 | HIGH | CVSS 7.5 | affected >= 9.0.0 < 9.5.1-alpha.2 | fixed in 8.6.13 | 2026-03-10
CWE-1321 (Prototype Pollution). Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.13 and 9.5.1-alpha.2, an unauthenticated attacker can crash the Parse Server process by calling a Cloud Function endpoint with a prototype property name as the function name. The server recurses infinitely, causing a call stack size er
Sources: GHSA, NVD, OSV
CVE-2026-32878 | P3 | HIGH | CVSS 7.5 | affected >= 9.0.0, < 9.6.0-alpha.20 | fixed in 8.6.44 | 2026-03-18
CWE-1321 (Prototype Pollution). Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.20 and 8.6.44, an attacker can bypass the default request keyword denylist protection and the class-level permission for adding fields by sending a crafted request that exploits prototype pollution in the deep copy mechanism. T
Sources: GHSA, NVD, OSV
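Two checks covering the prototype-key failure modes in CVE-2026-30939 (a prototype property name used as a cloud function name) and CVE-2026-32878 and CVE-2022-41879 (prototype pollution used to slip past the `requestKeywordDenylist`), as an added example written for this page. It is not Parse Server's code and does not reproduce its fixes; the denylist rule shape (`{ key }`, `{ value }` or both), the cloud-function registry and the sample bodies are assumptions of the example.

```javascript
// Added example, not Parse Server's code. (1) A request-body scan for denied
// keywords that walks nested objects and arrays and treats the
// prototype-pollution keys as denied regardless of the configured list.
// (2) A cloud-function lookup by own property, so a name such as "__proto__"
// or "constructor" resolves to nothing instead of an inherited value.

const POLLUTION_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// A rule matches when every part it specifies matches (shape assumed here to
// mirror requestKeywordDenylist entries such as { key: '_bsontype', value: 'Code' }).
function ruleMatches(rule, key, value) {
  if (rule.key !== undefined && rule.key !== key) return false;
  if (rule.value !== undefined && rule.value !== value) return false;
  return rule.key !== undefined || rule.value !== undefined;
}

// Returns the dotted path of the first offending key, or null if the body is clean.
function findDeniedKeyword(body, denylist, path = '') {
  if (body === null || typeof body !== 'object') return null;
  // Object.keys lists own enumerable keys only. That includes a "__proto__"
  // key coming from JSON.parse, which creates it as an own data property
  // rather than touching the prototype, so the scan sees it.
  for (const key of Object.keys(body)) {
    const here = path ? `${path}.${key}` : key;
    if (POLLUTION_KEYS.has(key)) return here;
    if (denylist.some(rule => ruleMatches(rule, key, body[key]))) return here;
    const nested = findDeniedKeyword(body[key], denylist, here);
    if (nested) return nested;
  }
  return null;
}

// Constructed registry of cloud functions for the example.
const cloudFunctions = {
  hello: () => 'hi',
};

// Own-property lookup: inherited names never resolve, so there is nothing to
// recurse into or call for "__proto__", "constructor", "toString", ...
function resolveCloudFunction(name) {
  if (typeof name !== 'string') return undefined;
  if (!Object.prototype.hasOwnProperty.call(cloudFunctions, name)) return undefined;
  return cloudFunctions[name];
}
```

The scan is applied to the parsed body before any deep copy or merge, and the pollution keys are hard-coded rather than left to configuration: a deployment that trims its denylist should not lose that protection. Registries keyed by user-supplied names (functions, triggers, auth providers) are safer as `Map`s or null-prototype objects than as plain object literals, for the same reason the lookup above checks own properties.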
CVE-2026-32098 | P3 | HIGH | CVSS 7.5 | affected >= 9.0.0 < 9.6.0-alpha.9 | fixed in 8.6.35 | 2026-03-11
CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.9 and 8.6.35, an attacker can exploit LiveQuery subscriptions to infer the values of protected fields without directly receiving them. By subscribing with a WHERE clause that references a protected field (including via dot-notat
Sources: GHSA, NVD, OSV
CVE-2026-32242 | P3 | HIGH | CVSS 7.4 | affected >= 9.0.0 < 9.6.0-alpha.11 | fixed in 8.6.37 | 2026-03-12
CWE-362 (Race Condition). Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.11 and 8.6.37, Parse Server's built-in OAuth2 auth adapter exports a singleton instance that is reused directly across all OAuth2 provider configurations. Under concurrent authentication requests for different OAuth2 providers,
Sources: GHSA, NVD, OSV
CVE-2026-30229 | P3 | HIGH | CVSS 7.2 | fixed in 8.6.6 and 9.5.0-alpha.4 | 2026-03-06
CWE-863 (Incorrect Authorization). Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.6 and 9.5.0-alpha.4, the readOnlyMasterKey can call POST /loginAs to obtain a valid session token for any user. This allows a read-only credential to impersonate arbitrary users with full read and write access to their data. An
Sources: GHSA, NVD, OSV
CVE-2023-22474 | P3 | HIGH | CVSS 8.1 | fixed in 5.4.1 | 2023-02-03
CWE-290 (Authentication Bypass by Spoofing). Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server uses the request header `x-forwarded-for` to determine the client IP address. If Parse Server doesn't run behind a proxy server, then a client can set this header and Parse Server will trust the value of the header. The incorrect client
Sources: GHSA, NVD, OSV
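Deriving the client address so that `x-forwarded-for` is only believed behind a known proxy, as an added example written for this page (not Parse Server's code and not its fix). The request shape `{ socketAddress, headers }`, the `trustedProxies` option (chosen to mirror Express's numeric `trust proxy`) and the per-address rate limiter used to show the consequence are all assumptions of the example.

```javascript
// Added example, not Parse Server's code. X-Forwarded-For is attacker-writable
// unless a trusted proxy overwrites or appends to it, so the header is only
// consulted when the deployment declares how many trusted proxies sit in front.
// `req` is a plain object { socketAddress, headers } standing in for Express's.

function clientIp(req, { trustedProxies = 0 } = {}) {
  const raw = req.headers['x-forwarded-for'];
  if (trustedProxies === 0 || !raw) return req.socketAddress;
  const hops = String(raw).split(',').map(s => s.trim()).filter(Boolean);
  // Each proxy appends the address it accepted the connection from, so only the
  // last `trustedProxies` entries were written by infrastructure under our
  // control; everything before them arrived with the request and may be forged.
  const index = hops.length - trustedProxies;
  // Fewer hops than trusted proxies means the chain is not what was configured;
  // fall back to the socket address rather than trust a client-supplied value.
  return index >= 0 ? hops[index] : req.socketAddress;
}

// A counter keyed on the derived address, to show what a wrong answer buys an
// attacker: with the header trusted and no proxy present, every request can
// claim a fresh address and the limit never triggers.
function makeLimiter(maxPerKey, ipOptions) {
  const counts = new Map();
  return function allow(req) {
    const key = clientIp(req, ipOptions);
    const n = (counts.get(key) || 0) + 1;
    counts.set(key, n);
    return n <= maxPerKey;
  };
}
```

The same derived address should feed every feature that keys on client identity (rate limits, allow/deny lists, audit logs); if they each parse the header independently they will disagree, and the most permissive parse wins for the attacker.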