cbcvebase.

Parseplatform Parse-Server vulnerabilities

101 known vulnerabilities affecting parseplatform/parse-server.

Total CVEs: 101
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 19, HIGH 40, MEDIUM 36, LOW 6

Vulnerabilities

Page 4 of 6
CVE-2026-30962 | P3 | MEDIUM | CVSS 6.5 | fixed in 8.6.19 | ≥ 9.0.0, < 9.5.2 (+1 more) | 2026-03-10
CVE-2026-30962 [MEDIUM] CWE-284: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.6 and 8.6.19, the validation for protected fields only checks top-level query keys. By wrapping a query constraint on a protected field inside a logical operator, the check is bypassed entirely. This allows any authenticated u
Source: nvd
CVE-2026-32269 | P3 | MEDIUM | CVSS 6.5 | ≥ 8.0.2, < 8.6.39 | ≥ 9.0.0, < 9.6.0 (+1 more) | 2026-03-12
CVE-2026-32269 [MEDIUM] CWE-683: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.13 and 8.6.39, the OAuth2 authentication adapter does not correctly validate app IDs when appidField and appIds are configured. During app ID validation, a malformed value is sent to the token introspection endpoint instead of
Source: nvd
CVE-2022-39313 | P3 | HIGH | CVSS 7.5 | fixed in 4.10.17 | ≥ 5.0.0, < 5.2.8 | 2022-10-24
CVE-2022-39313 [HIGH] CWE-1284: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.17, and prior to 5.2.8 on the 5.x branch, crash when a file download request is received with an invalid byte range, resulting in a Denial of Service. This issue has been patched in versions 4.10.17, and 5.2.8. There are no k
Source: nvd
CVE-2026-33163 | P3 | MEDIUM | CVSS 6.5 | fixed in 8.6.50 | ≥ 9.0.0, < 9.6.0 (+1 more) | 2026-03-18
CVE-2026-33163 [MEDIUM] CWE-200: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.35 and 8.6.50, when a `Parse.Cloud.afterLiveQueryEvent` trigger is registered for a class, the LiveQuery server leaks protected fields and `authData` to all subscribers of that class. Fields configured as protected via Class-L
Source: nvd
CVE-2023-46119 | P3 | HIGH | CVSS 7.5 | ≥ 1.0.0, < 5.5.6 | ≥ 6.0.0, < 6.3.1 | 2023-10-25
CVE-2023-46119 [HIGH] CWE-23: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server crashes when uploading a file without extension. This vulnerability has been patched in versions 5.5.6 and 6.3.1.
Source: nvd
CVE-2021-39138 | P3 | MEDIUM | CVSS 6.5 | fixed in 4.5.1 | 2021-08-19
CVE-2021-39138 [MEDIUM] CWE-287: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Developers can use the REST API to signup users and also allow users to login anonymously. Prior to version 4.5.1, when an anonymous user is first signed up using REST, the server creates session incorrectly. Particularly, the `authProvider` field
Source: nvd
CVE-2020-26288 | P3 | MEDIUM | CVSS 6.5 | fixed in 4.5.0 | 2020-12-30
CVE-2020-26288 [MEDIUM] CWE-312: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. It is an npm package "parse-server". In Parse Server before version 4.5.0, user passwords involved in LDAP authentication are stored in cleartext. This is fixed in version 4.5.0 by stripping password after authentication to prevent cleartext passw
Source: nvd
CVE-2023-32689 | P3 | MEDIUM | CVSS 6.5 | fixed in 5.4.4 | ≥ 6.0.0, < 6.1.1 | 2023-05-30
CVE-2023-32689 [MEDIUM] CWE-434: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 5.4.4 and 6.1.1 are vulnerable to a phishing attack vulnerability that involves a user uploading malicious files. A malicious user could upload an HTML file to Parse Server via its public API. That HTML file would then be accessi
Source: nvd
CVE-2026-30850 | P3 | MEDIUM | CVSS 5.9 | fixed in 8.6.9 | ≥ 9.0.0, < 9.5.0 (+1 more) | 2026-03-07
CVE-2026-30850 [MEDIUM] CWE-862: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint (GET /files/:appId/metadata/:filename) does not enforce beforeFind / afterFind file triggers. When these triggers are used as access-control gates, the metadata endpoint bypasse
Source: nvd
CVE-2019-1020012 | P3 | HIGH | CVSS 7.5 | fixed in 3.4.1 | 2019-07-29
CVE-2019-1020012 [HIGH] CWE-444: parse-server before 3.4.1 allows DoS after any POST to a volatile class.
Source: nvd
CVE-2026-31875 | P3 | MEDIUM | CVSS 5.9 | fixed in 8.6.33 | ≥ 9.0.0, < 9.6.0 (+1 more) | 2026-03-11
CVE-2026-31875 [MEDIUM] CWE-672: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.7 and 8.6.33, when multi-factor authentication (MFA) via TOTP is enabled for a user account, Parse Server generates two single-use recovery codes. These codes are intended as a fallback when the user cannot provide a TOTP toke
Source: nvd
CVE-2026-43930 | P4 | MEDIUM | CVSS 5.9 | fixed in 8.6.76 | ≥ 9.0.0, < 9.9.0 (+1 more) | 2026-05-12
CVE-2026-43930 [MEDIUM] CWE-362: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.76 and 9.9.0-alpha.2, a race condition in the MFA SMS one-time password (OTP) login path allows two concurrent /login requests carrying the same OTP to both succeed and both receive valid session tokens, breaking the single-use proper
Source: nvd
CVE-2026-30228 | P4 | MEDIUM | CVSS 4.9 | fixed in 8.6.5 | ≥ 9.0.0, ≤ 9.4.1 (+1 more) | 2026-03-06
CVE-2026-30228 [MEDIUM] CWE-863: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.5 and 9.5.0-alpha.3, the readOnlyMasterKey can be used to create and delete files via the Files API (POST /files/:filename, DELETE /files/:filename). This bypasses the read-only restriction which violates the access scope of
Source: nvd
CVE-2026-30938 | P4 | MEDIUM | CVSS 5.3 | fixed in 8.6.12 | ≥ 9.0.0, < 9.5.1 | 2026-03-10
CVE-2026-30938 [MEDIUM] CWE-693: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.12 and 9.5.1-alpha.1, the requestKeywordDenylist security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is caused by a logic bug that stops scanning sibling keys
Source: nvd
CVE-2026-34363 | P4 | MEDIUM | CVSS 5.3 | fixed in 8.6.65 | ≥ 9.0.0, < 9.7.0 (+1 more) | 2026-03-31
CVE-2026-34363 [MEDIUM] CWE-362: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.65 and 9.7.0-alpha.9, when multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects. The sensitive data filter modifies these shared obje
Source: nvd
CVE-2026-33323 | P4 | MEDIUM | CVSS 5.3 | fixed in 8.6.51 | ≥ 9.0.0, < 9.6.0 (+1 more) | 2026-03-24
CVE-2026-33323 [MEDIUM] CWE-204: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.51 and 9.6.0-alpha.40, the Pages route and legacy PublicAPI route for resending email verification links return distinguishable responses depending on whether the provided username exists and has an unverified email. This all
Source: nvd
CVE-2026-34574 | P4 | MEDIUM | CVSS 5.4 | fixed in 8.6.69 | ≥ 9.0.0, < 9.7.0 (+1 more) | 2026-03-31
CVE-2026-34574 [MEDIUM] CWE-697: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.69 and 9.7.0-alpha.14, an authenticated user can bypass the immutability guard on session fields (expiresAt, createdWith) by sending a null value in a PUT request to the session update endpoint. This allows nullifying the ses
Source: nvd
CVE-2026-30854 | P4 | MEDIUM | CVSS 5.3 | ≥ 9.4.0, < 9.5.0 | v9.3.1 (+1 more) | 2026-03-07
CVE-2026-30854 [MEDIUM] CWE-863: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.3.1-alpha.3 to before version 9.5.0-alpha.10, when graphQLPublicIntrospection is disabled, __type queries nested inside inline fragments (e.g. ... on Query { __type(name:"User") { name } }) bypass the introspection control, allowing
Source: nvd
CVE-2026-33042 | P4 | MEDIUM | CVSS 5.3 | fixed in 8.6.49 | ≥ 9.0.0, < 9.6.0 (+1 more) | 2026-03-18
CVE-2026-33042 [MEDIUM] CWE-287: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.29 and 8.6.49, a user can sign up without providing credentials by sending an empty `authData` object, bypassing the username and password requirement. This allows the creation of authenticated sessions without proper credenti
Source: nvd
CVE-2026-32234 | P4 | MEDIUM | CVSS 4.7 | fixed in 8.6.36 | ≥ 9.0.0, < 9.6.0 (+1 more) | 2026-03-11
CVE-2026-32234 [MEDIUM] CWE-89: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.10 and 8.6.36, an attacker with access to the master key can inject malicious SQL via crafted field names used in query constraints when Parse Server is configured with PostgreSQL as the database. The field name in a $regex que
Source: nvd