Parseplatform Parse-Server vulnerabilities
101 known vulnerabilities affecting parseplatform/parse-server.
Total CVEs: 101
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 19, HIGH 40, MEDIUM 36, LOW 6
Vulnerabilities
Page 5 of 6
CVE-2026-30835 | P4 | MEDIUM | CVSS 5.3 | fixed in 8.6.7 | affected: ≥ 9.0.0, < 9.5.0 (+1 more) | 2026-03-06
CWE-209. Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.7 and 9.5.0-alpha.6, a malformed $regex query parameter (e.g. [abc) causes the database to return a structured error object that is passed unsanitized through the API response. This leaks database internals such as error messag
Source: nvd
CVE-2026-31868 | P4 | MEDIUM | CVSS 6.1 | fixed in 8.6.30 | affected: ≥ 9.0.0, < 9.6.0 (+1 more) | 2026-03-11
CWE-79. Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.4 and 8.6.30, an attacker can upload a file with a file extension or content type that is not blocked by the default configuration of the Parse Server fileUpload.fileExtensions option. The file can contain malicious code, for e
Source: nvd
CVE-2026-33429 | P4 | MEDIUM | CVSS 5.3 | fixed in 8.6.54 | affected: ≥ 9.0.0, < 9.6.0 (+1 more) | 2026-03-24
CWE-203. Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.54 and 9.6.0-alpha.43, an attacker can subscribe to LiveQuery with a watch parameter targeting a protected field. Although the protected field value is properly stripped from event payloads, the presence or absence of update
Source: nvd
CVE-2026-35200 | P4 | MEDIUM | CVSS 5.4 | fixed in 8.6.73 | affected: ≥ 9.0.0, < 9.7.1 (+1 more) | 2026-04-06
CWE-436. Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.73 and 9.7.1-alpha.4, a file can be uploaded with a filename extension that passes the file extension allowlist (e.g., .txt) but with a Content-Type header that differs from the extension (e.g., text/html). The Content-Type is passed
Source: nvd
CVE-2026-31901 | P4 | MEDIUM | CVSS 5.3 | fixed in 8.6.34 | affected: ≥ 9.0.0, < 9.6.0 (+1 more) | 2026-03-11
CWE-204. Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.34 and 9.6.0-alpha.8, the email verification endpoint (/verificationEmailRequest) returns distinct error responses depending on whether an email address belongs to an existing user, is already verified, or does not exist. An attacker
Source: nvd
CVE-2025-68115 | P4 | MEDIUM | CVSS 6.1 | fixed in 8.6.1 | affected: v9.0.0 (+1 more) | 2025-12-16
CWE-79. Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 8.6.1 and 9.1.0-alpha.3, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Parse Server's password reset and email verification HTML pages. The patch, available in versions 8.6.1 and 9.1.0-alpha.3, escapes user con
Source: nvd
CVE-2026-30948 | P4 | MEDIUM | CVSS 5.4 | fixed in 8.6.17 | affected: ≥ 9.0.0, < 9.5.2 (+1 more) | 2026-03-10
CWE-79. Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.4 and 8.6.17, a stored cross-site scripting (XSS) vulnerability allows any authenticated user to upload an SVG file containing JavaScript. The file is served inline with Content-Type: image/svg+xml and without protective header
Source: nvd
CVE-2026-32742 | P4 | MEDIUM | CVSS 4.3 | fixed in 8.6.42 | affected: ≥ 9.0.0, < 9.6.0 (+1 more) | 2026-03-18
CWE-915. Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.17 and 8.6.42, an authenticated user can overwrite server-generated session fields (`sessionToken`, `expiresAt`, `createdWith`) when creating a session object via `POST /classes/_Session`. This allows bypassing the server's se
Source: nvd
CVE-2019-1020013 | P4 | MEDIUM | CVSS 5.3 | fixed in 3.6.0 | 2019-07-29
CWE-209. parse-server before 3.6.0 allows account enumeration.
Source: nvd
CVE-2020-5251 | P4 | MEDIUM | CVSS 5.3 | fixed in 4.1.0 | 2020-03-04
CWE-285. In parse-server before version 4.1.0, you can fetch all the user objects by using a regex in the NoSQL query. Using NoSQL, you can use a regex on sessionToken and find valid accounts this way.
Source: nvd
CVE-2026-34224 | P4 | MEDIUM | CVSS 4.4 | fixed in 8.6.64 | affected: ≥ 9.0.0, < 9.7.0 (+1 more) | 2026-03-31
CWE-367. Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via
Source: nvd
CVE-2026-33527 | P4 | MEDIUM | CVSS 4.3 | fixed in 8.6.57 | affected: ≥ 9.0.0, < 9.6.0 (+1 more) | 2026-03-24
CWE-863. Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.57 and 9.6.0-alpha.48, an authenticated user can overwrite server-generated session fields such as expiresAt and createdWith when updating their own session via the REST API. This allows bypassing the server's configured sess
Source: nvd
CVE-2026-34595 | P4 | MEDIUM | CVSS 4.3 | fixed in 8.6.70 | affected: ≥ 9.0.0, < 9.7.0 (+1 more) | 2026-03-31
CWE-843. Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.70 and 9.7.0-alpha.18, an authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery subscriptions. By sending a subscription with a $or, $and, or $nor opera
Source: nvd
CVE-2026-39381 | P4 | MEDIUM | CVSS 4.3 | fixed in 8.6.75 | affected: ≥ 9.0.0, < 9.8.0 (+1 more) | 2026-04-07
CWE-863. Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session's pro
Source: nvd
CVE-2026-30848 | P4 | LOW | CVSS 3.7 | fixed in 8.6.8 | affected: ≥ 9.0.0, < 9.5.0 (+1 more) | 2026-03-07
CWE-22. Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0-alpha.8, the PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured pagesPath directory. The boundary check uses a string pre
Source: nvd
CVE-2020-15270 | P4 | MEDIUM | CVSS 4.3 | affected: ≤ 4.3.0 | 2020-10-22
CWE-672. Parse Server (npm package parse-server) broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not patched.
Source: nvd
CVE-2026-39321 | P4 | LOW | CVSS 3.7 | fixed in 8.6.74 | affected: ≥ 9.0.0, < 9.8.0 (+1 more) | 2026-04-07
CWE-208. Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.6 and 8.6.74, the login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the server responds immediately. When a user exists but the p
Source: nvd
CVE-2022-39231 | P4 | LOW | CVSS 3.7 | fixed in 4.10.16 | affected: ≥ 5.0.0, < 5.2.7 | 2022-09-23
CWE-287. Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.16, or from 5.0.0 to 5.2.6, validation of the authentication adapter app ID for _Facebook_ and _Spotify_ may be circumvented. Configurations which allow users to authenticate using the Parse Server authentication adapter whe
Source: nvd
CVE-2026-32943 | P4 | LOW | CVSS 3.1 | fixed in 8.6.48 | affected: ≥ 9.0.0, < 9.6.0 (+1 more) | 2026-03-18
CWE-367. Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.28 and 8.6.48, the password reset mechanism does not enforce single-use guarantees for reset tokens. When a user requests a password reset, the generated token can be consumed by multiple concurrent requests within a short time w
Source: nvd
CVE-2026-33624 | P4 | LOW | CVSS 2.7 | fixed in 8.6.60 | affected: ≥ 9.0.0, < 9.6.0 (+1 more) | 2026-03-24
CWE-367. Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.60 and 9.6.0-alpha.54, an attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending concurrent login requests. This defeats the single-use design o
Source: nvd