Parse-Community Parse-Server vulnerabilities
112 known vulnerabilities affecting parse-community/parse-server.
Total CVEs: 112
CISA KEV: 0
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 20, HIGH 42, MEDIUM 43, LOW 7
Vulnerabilities
Page 5 of 6
CVE-2026-53725 | P3 | MEDIUM | CVSS 5.9 | v >= 9.8.0, < 9.9.1-alpha.5 | 2026-06-12
CWE-200: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.5, apps that enable MFA and deny get on the _User class via Class-Level Permissions could expose sensitive user data through the /login and /verifyPassword endpoints. These endpoints re-fetch the us
CVE-2026-43930 | P4 | MEDIUM | CVSS 5.9 | v >= 9.0.0, < 9.9.0-alpha.2 | fixed in 8.6.76 | 2026-05-12
CWE-362: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.76 and 9.9.0-alpha.2, a race condition in the MFA SMS one-time password (OTP) login path allows two concurrent /login requests carrying the same OTP to both succeed and both receive valid session tokens, breaking the single-use proper
CVE-2026-30228 | P4 | MEDIUM | CVSS 4.9 | fixed in 8.6.5 | fixed in 9.5.0-alpha.3 | 2026-03-06
CWE-863: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.5 and 9.5.0-alpha.3, the readOnlyMasterKey can be used to create and delete files via the Files API (POST /files/:filename, DELETE /files/:filename). This bypasses the read-only restriction which violates the access scope of
CVE-2020-15126 | P4 | MEDIUM | CVSS 6.5 | v >= 3.5.0, < 4.3.0 | 2020-07-22
CWE-863: In parse-server from version 3.5.0 and before 4.3.0, an authenticated user using the viewer GraphQL query can bypass all read security on his User object and can also bypass all objects linked via relation or Pointer on his User object.
CVE-2026-30938 | P4 | MEDIUM | CVSS 5.3 | fixed in 8.6.12 | v >= 9.0.0, < 9.5.1-alpha.1 | 2026-03-10
CWE-693: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.12 and 9.5.1-alpha.1, the requestKeywordDenylist security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is caused by a logic bug that stops scanning sibling keys
CVE-2026-34363 | P4 | MEDIUM | CVSS 5.3 | fixed in 8.6.65 | v >= 9.0.0, < 9.7.0-alpha.9 | 2026-03-31
CWE-362: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.65 and 9.7.0-alpha.9, when multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects. The sensitive data filter modifies these shared obje
CVE-2026-33323 | P4 | MEDIUM | CVSS 5.3 | fixed in 8.6.51 | v >= 9.0.0, < 9.6.0-alpha.40 | 2026-03-24
CWE-204: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.51 and 9.6.0-alpha.40, the Pages route and legacy PublicAPI route for resending email verification links return distinguishable responses depending on whether the provided username exists and has an unverified email. This all
CVE-2026-34574 | P4 | MEDIUM | CVSS 5.4 | fixed in 8.6.69 | v >= 9.0.0, < 9.7.0-alpha.14 | 2026-03-31
CWE-697: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.69 and 9.7.0-alpha.14, an authenticated user can bypass the immutability guard on session fields (expiresAt, createdWith) by sending a null value in a PUT request to the session update endpoint. This allows nullifying the ses
CVE-2026-30854 | P4 | MEDIUM | CVSS 5.3 | v >= 9.3.1-alpha.3, < 9.5.0-alpha.10 | 2026-03-07
CWE-863: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.3.1-alpha.3 to before version 9.5.0-alpha.10, when graphQLPublicIntrospection is disabled, __type queries nested inside inline fragments (e.g. ... on Query { __type(name:"User") { name } }) bypass the introspection control, allowing
CVE-2026-33042 | P4 | MEDIUM | CVSS 5.3 | v >= 9.0.0, < 9.6.0-alpha.29 | fixed in 8.6.49 | 2026-03-18
CWE-287: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.29 and 8.6.49, a user can sign up without providing credentials by sending an empty `authData` object, bypassing the username and password requirement. This allows the creation of authenticated sessions without proper credenti
CVE-2026-32234 | P4 | MEDIUM | CVSS 4.7 | v >= 9.0.0, < 9.6.0-alpha.10 | fixed in 8.6.36 | 2026-03-11
CWE-89: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.10 and 8.6.36, an attacker with access to the master key can inject malicious SQL via crafted field names used in query constraints when Parse Server is configured with PostgreSQL as the database. The field name in a $regex que
CVE-2026-30835 | P4 | MEDIUM | CVSS 5.3 | fixed in 8.6.7 | fixed in 9.5.0-alpha.6 | 2026-03-06
CWE-209: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.7 and 9.5.0-alpha.6, a malformed $regex query parameter (e.g. [abc) causes the database to return a structured error object that is passed unsanitized through the API response. This leaks database internals such as error messag
CVE-2026-31868 | P4 | MEDIUM | CVSS 6.1 | v >= 9.0.0, < 9.6.0-alpha.4 | fixed in 8.6.30 | 2026-03-11
CWE-79: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.4 and 8.6.30, an attacker can upload a file with a file extension or content type that is not blocked by the default configuration of the Parse Server fileUpload.fileExtensions option. The file can contain malicious code, for e
CVE-2026-33429 | P4 | MEDIUM | CVSS 5.3 | fixed in 8.6.54 | v >= 9.0.0, < 9.6.0-alpha.43 | 2026-03-24
CWE-203: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.54 and 9.6.0-alpha.43, an attacker can subscribe to LiveQuery with a watch parameter targeting a protected field. Although the protected field value is properly stripped from event payloads, the presence or absence of update
CVE-2026-35200 | P4 | MEDIUM | CVSS 5.4 | v >= 9.0.0, < 9.7.1-alpha.4 | fixed in 8.6.73 | 2026-04-06
CWE-436: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.73 and 9.7.1-alpha.4, a file can be uploaded with a filename extension that passes the file extension allowlist (e.g., .txt) but with a Content-Type header that differs from the extension (e.g., text/html). The Content-Type is passed
CVE-2026-31901 | P4 | MEDIUM | CVSS 5.3 | v >= 9.0.0, < 9.6.0-alpha.8 | fixed in 8.6.34 | 2026-03-11
CWE-204: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.34 and 9.6.0-alpha.8, the email verification endpoint (/verificationEmailRequest) returns distinct error responses depending on whether an email address belongs to an existing user, is already verified, or does not exist. An attacker
CVE-2025-68115 | P4 | MEDIUM | CVSS 6.1 | fixed in 8.6.1 | v >= 9.0.0, < 9.1.0-alpha.3 | 2025-12-16
CWE-79: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 8.6.1 and 9.1.0-alpha.3, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Parse Server's password reset and email verification HTML pages. The patch, available in versions 8.6.1 and 9.1.0-alpha.3, escapes user con
CVE-2026-30948 | P4 | MEDIUM | CVSS 5.4 | v >= 9.0.0, < 9.5.2-alpha.4 | fixed in 8.6.17 | 2026-03-10
CWE-79: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.4 and 8.6.17, a stored cross-site scripting (XSS) vulnerability allows any authenticated user to upload an SVG file containing JavaScript. The file is served inline with Content-Type: image/svg+xml and without protective header
CVE-2026-32742 | P4 | MEDIUM | CVSS 4.3 | v >= 9.0.0, < 9.6.0-alpha.17 | fixed in 8.6.42 | 2026-03-18
CWE-915: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.17 and 8.6.42, an authenticated user can overwrite server-generated session fields (`sessionToken`, `expiresAt`, `createdWith`) when creating a session object via `POST /classes/_Session`. This allows bypassing the server's se
CVE-2020-5251 | P4 | MEDIUM | CVSS 5.3 | fixed in 4.1.0 | 2020-03-04
CWE-285: In parse-server before version 4.1.0, you can fetch all the user objects by using regex in the NoSQL query. Using NoSQL, you can use a regex on sessionToken and find valid accounts this way.