
Parseplatform Parse-Server vulnerabilities

101 known vulnerabilities affecting parseplatform/parse-server.

Total CVEs: 101
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 19, HIGH 40, MEDIUM 36, LOW 6

Vulnerabilities

Page 2 of 6
CVE-2022-41878 | P3 | CRITICAL | CVSS 9.8 | fixed in 4.10.19 | affected ≥ 5.0.0, < 5.3.2 | 2022-11-10
CVE-2022-41878 [CRITICAL] CWE-74: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.2 or 4.10.19, keywords that are specified in the Parse Server option `requestKeywordDenylist` can be injected via Cloud Code Webhooks or Triggers. This will result in the keyword being saved to the database, bypassing the
Source: NVD
CVE-2026-31800 | P3 | CRITICAL | CVSS 9.1 | fixed in 8.6.25 | affected ≥ 9.0.0, < 9.5.2 (+1 more) | 2026-03-10
CVE-2026-31800 [CRITICAL] CWE-862: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.12 and 8.6.25, the _GraphQLConfig and _Audience internal classes can be read, modified, and deleted via the generic /classes/_GraphQLConfig and /classes/_Audience REST API routes without master key authentication. This bypas
Source: NVD
CVE-2026-34373 | P3 | HIGH | CVSS 8.8 | affected ≥ 3.5.0, < 8.6.66; ≥ 9.0.0, < 9.7.0 (+1 more) | 2026-03-31
CVE-2026-34373 [HIGH] CWE-346: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0-alpha.10, the GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This bypasses origin restrictions that operators configure to con
Source: NVD
CVE-2026-30941 | P3 | HIGH | CVSS 7.5 | fixed in 8.6.14 | affected ≥ 9.0.0, < 9.5.2 | 2026-03-10
CVE-2026-30941 [HIGH] CWE-943: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.14 and 9.5.2-alpha.1, a NoSQL injection vulnerability allows an unauthenticated attacker to inject MongoDB query operators via the token field in the password reset and email verification resend endpoints. The token value is passed to dat
Source: NVD
CVE-2026-32594 | P3 | HIGH | CVSS 7.3 | fixed in 8.6.40 | affected ≥ 9.0.0, < 9.6.0 (+1 more) | 2026-03-16
CVE-2026-32594 [HIGH] CWE-306: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.40 and 9.6.0-alpha.14, the GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection control, and query complexity limits. An attacker can connec
Source: NVD
CVE-2026-33539 | P3 | HIGH | CVSS 7.2 | fixed in 8.6.59 | affected ≥ 9.0.0, < 9.6.0 (+1 more) | 2026-03-24
CVE-2026-33539 [HIGH] CWE-89: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.59 and 9.6.0-alpha.53, an attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name parameters of the aggregate $group pipeline stage or the d
Source: NVD
CVE-2026-33538 | P3 | HIGH | CVSS 7.5 | fixed in 8.6.58 | affected ≥ 9.0.0, < 9.6.0 (+1 more) | 2026-03-24
CVE-2026-33538 [HIGH] CWE-400: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.58 and 9.6.0-alpha.52, an unauthenticated attacker can cause denial of service by sending authentication requests with arbitrary, unconfigured provider names. The server executes a database query for each unconfigured provider
Source: NVD
CVE-2026-34784 | P3 | HIGH | CVSS 7.5 | fixed in 8.6.71 | affected ≥ 9.0.0, < 9.7.1 | 2026-03-31
CVE-2026-34784 [HIGH] CWE-285: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFind(Parse.File) trigger and its validators on storage adapters that support streaming (e.g. the default GridFS adapter). This allows access to files
Source: NVD
CVE-2026-30946 | P3 | HIGH | CVSS 7.5 | fixed in 8.6.15 | affected ≥ 9.0.0, < 9.5.2 (+1 more) | 2026-03-10
CVE-2026-30946 [HIGH] CWE-770: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.2 and 8.6.15, an unauthenticated attacker can exhaust Parse Server resources (CPU, memory, database connections) through crafted queries that exploit the lack of complexity limits in the REST and GraphQL APIs. All Parse Server depl
Source: NVD
CVE-2026-29182 | P3 | HIGH | CVSS 7.2 | fixed in 8.6.4 | affected ≥ 9.0.0, ≤ 9.4.0 (+1 more) | 2026-03-06
CVE-2026-29182 [HIGH] CWE-863: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.4 and 9.4.1-alpha.3, Parse Server's readOnlyMasterKey option allows access with master-level read privileges but is documented to deny all write operations. However, some endpoints incorrectly accept the readOnlyMasterKey for m
Source: NVD
CVE-2026-30939 | P3 | HIGH | CVSS 7.5 | fixed in 8.6.13 | affected ≥ 9.0.0, < 9.5.1 (+1 more) | 2026-03-10
CVE-2026-30939 [HIGH] CWE-1321: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.13 and 9.5.1-alpha.2, an unauthenticated attacker can crash the Parse Server process by calling a Cloud Function endpoint with a prototype property name as the function name. The server recurses infinitely, causing a call stack size er
Source: NVD
CVE-2026-32878 | P3 | HIGH | CVSS 7.5 | fixed in 8.6.44 | affected ≥ 9.0.0, < 9.6.0 (+1 more) | 2026-03-18
CVE-2026-32878 [HIGH] CWE-1321: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.20 and 8.6.44, an attacker can bypass the default request keyword denylist protection and the class-level permission for adding fields by sending a crafted request that exploits prototype pollution in the deep copy mechanism. T
Source: NVD
CVE-2026-32098 | P3 | HIGH | CVSS 7.5 | fixed in 8.6.35 | affected ≥ 9.0.0, < 9.6.0 (+1 more) | 2026-03-11
CVE-2026-32098 [HIGH] CWE-200: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.9 and 8.6.35, an attacker can exploit LiveQuery subscriptions to infer the values of protected fields without directly receiving them. By subscribing with a WHERE clause that references a protected field (including via dot-notat
Source: NVD
CVE-2026-32242 | P3 | HIGH | CVSS 7.4 | fixed in 8.6.37 | affected ≥ 9.0.0, < 9.6.0 (+1 more) | 2026-03-12
CVE-2026-32242 [HIGH] CWE-362: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.11 and 8.6.37, Parse Server's built-in OAuth2 auth adapter exports a singleton instance that is reused directly across all OAuth2 provider configurations. Under concurrent authentication requests for different OAuth2 providers,
Source: NVD
CVE-2026-30229 | P3 | HIGH | CVSS 7.2 | fixed in 8.6.6 | affected ≥ 9.0.0, ≤ 9.4.1 (+1 more) | 2026-03-06
CVE-2026-30229 [HIGH] CWE-863: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.6 and 9.5.0-alpha.4, the readOnlyMasterKey can call POST /loginAs to obtain a valid session token for any user. This allows a read-only credential to impersonate arbitrary users with full read and write access to their data. An
Source: NVD
CVE-2023-22474 | P3 | HIGH | CVSS 8.1 | fixed in 5.4.1 | 2023-02-03
CVE-2023-22474 [HIGH] CWE-290: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server uses the request header `x-forwarded-for` to determine the client IP address. If Parse Server doesn't run behind a proxy server, then a client can set this header and Parse Server will trust the value of the header. The incorrect client
Source: NVD
CVE-2023-41058 | P3 | HIGH | CVSS 7.5 | fixed in 5.5.5 | affected ≥ 6.0.0, < 6.2.2 | 2023-09-04
CVE-2023-41058 [HIGH] CWE-670: Parse Server is an open source backend server. In affected versions the Parse Cloud trigger `beforeFind` is not invoked in certain conditions of `Parse.Query`. This can pose a vulnerability for deployments where the `beforeFind` trigger is used as a security layer to modify the incoming query. The vulnerability has been fixed by refactoring the intern
Source: NVD
CVE-2026-34573 | P3 | HIGH | CVSS 7.5 | fixed in 8.6.68 | affected ≥ 9.0.0, < 9.7.0 (+1 more) | 2026-03-31
CVE-2026-34573 [HIGH] CWE-407: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads. A single unauthenticated request can block the Node.js
Source: NVD
CVE-2026-33498 | P3 | HIGH | CVSS 7.5 | fixed in 8.6.55 | affected ≥ 9.0.0, < 9.6.0 (+1 more) | 2026-03-24
CVE-2026-33498 [HIGH]: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.55 and 9.6.0-alpha.44, an attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server process. The server becomes completely unresponsive and must be ma
Sources: GHSA, NVD, OSV
CVE-2026-31872 | P3 | HIGH | CVSS 7.5 | fixed in 8.6.32 | affected ≥ 9.0.0, < 9.6.0 (+1 more) | 2026-03-11
CVE-2026-31872 [HIGH] CWE-284: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.6 and 8.6.32, the protectedFields class-level permission (CLP) can be bypassed using dot-notation in query WHERE clauses and sort parameters. An attacker can use dot-notation to query or sort by sub-fields of a protected field,
Source: NVD