Parse-Community Parse-Server vulnerabilities
112 known vulnerabilities affecting parse-community/parse-server.
Total CVEs
112
CISA KEV
0
Public exploits
1
Exploited in wild
1
Severity breakdown
CRITICAL 20 | HIGH 42 | MEDIUM 43 | LOW 7
Vulnerabilities
Page 6 of 6
CVE-2026-34224 [MEDIUM, P4, CVSS 4.4] CWE-367 | fixed in 8.6.64 | affected: >= 9.0.0, < 9.7.0-alpha.8 | 2026-03-31
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via
Sources: GHSA, NVD, OSV
CVE-2026-33527 [MEDIUM, P4, CVSS 4.3] CWE-863 | fixed in 8.6.57 | affected: >= 9.0.0, < 9.6.0-alpha.48 | 2026-03-24
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.57 and 9.6.0-alpha.48, an authenticated user can overwrite server-generated session fields such as expiresAt and createdWith when updating their own session via the REST API. This allows bypassing the server's configured sess
Sources: GHSA, NVD, OSV
CVE-2026-34595 [MEDIUM, P4, CVSS 4.3] CWE-843 | fixed in 8.6.70 | affected: >= 9.0.0, < 9.7.0-alpha.18 | 2026-03-31
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.70 and 9.7.0-alpha.18, an authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery subscriptions. By sending a subscription with a $or, $and, or $nor opera
Sources: GHSA, NVD, OSV
CVE-2026-39381 [MEDIUM, P4, CVSS 4.3] CWE-863 | affected: >= 9.0.0, < 9.8.0-alpha.7; >= 7.0.0, < 8.6.75 | 2026-04-07
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session's pro
Sources: GHSA, NVD, OSV
CVE-2026-30848 [LOW, P4, CVSS 3.7] CWE-22 | fixed in 8.6.8; fixed in 9.5.0-alpha.8 | 2026-03-07
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0-alpha.8, the PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured pagesPath directory. The boundary check uses a string pre
Sources: GHSA, NVD, OSV
CVE-2020-15270 [MEDIUM, P4, CVSS 4.3] CWE-672 | affected: ≤ 4.3.0 | 2020-10-22
Parse Server (npm package parse-server) broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not patched.
Sources: GHSA, NVD, OSV
CVE-2026-39321 [LOW, P4, CVSS 3.7] CWE-208 | affected: >= 9.0.0, < 9.8.0-alpha.6 | fixed in 8.6.74 | 2026-04-07
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.6 and 8.6.74, the login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the server responds immediately. When a user exists but the p
Sources: GHSA, NVD, OSV
CVE-2026-53724 [LOW, P4, CVSS 2.1] CWE-79 | fixed in 8.6.79 | affected: >= 9.0.0, < 9.9.1-alpha.4 | 2026-06-12
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.79 and 9.9.1-alpha.4, the default file upload extension blocklist can be bypassed by appending a trailing dot to a filename whose extension would otherwise be blocked (e.g. poc.svg.). The trailing dot causes the extension parser
Sources: GHSA, NVD
CVE-2022-39231 [LOW, P4, CVSS 3.7] CWE-287 | fixed in 4.10.16 | affected: >= 5.0.0, < 5.2.7 | 2022-09-23
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.16, or from 5.0.0 to 5.2.6, validation of the authentication adapter app ID for _Facebook_ and _Spotify_ may be circumvented. Configurations which allow users to authenticate using the Parse Server authentication adapter whe
Sources: GHSA, NVD, OSV
CVE-2026-32943 [LOW, P4, CVSS 3.1] CWE-367 | affected: >= 9.0.0, < 9.6.0-alpha.28 | fixed in 8.6.48 | 2026-03-18
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.28 and 8.6.48, the password reset mechanism does not enforce single-use guarantees for reset tokens. When a user requests a password reset, the generated token can be consumed by multiple concurrent requests within a short time w
Sources: GHSA, NVD, OSV
CVE-2026-33624 [LOW, P4, CVSS 2.7] CWE-367 | fixed in 8.6.60 | affected: >= 9.0.0, < 9.6.0-alpha.54 | 2026-03-24
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.60 and 9.6.0-alpha.54, an attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending concurrent login requests. This defeats the single-use design o
Sources: GHSA, NVD, OSV
CVE-2022-39225 [LOW, P4, CVSS 3.1] CWE-669 | fixed in 4.10.15 | affected: >= 5.0.0, < 5.2.6 | 2022-09-23
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.15, or 5.0.0 and above prior to 5.2.6, a user can write to the session object of another user if the session object ID is known. For example, an attacker can assign the session object to their own user by writing to the `use
Sources: GHSA, NVD, OSV