Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/375232?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/375232?format=api", "purl": "pkg:npm/parse-server@8.6.54", "type": "npm", "namespace": "", "name": "parse-server", "version": "8.6.54", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "8.6.76", "latest_non_vulnerable_version": "9.9.1-alpha.2", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/72869?format=api", "vulnerability_id": "VCID-14fp-bjdd-uffh", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session's protected fields with a single request. The equivalent GET /sessions and GET /sessions/:objectId endpoints correctly strip protected fields. This vulnerability is fixed in 9.8.0-alpha.7 and 8.6.75.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39381", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.08572", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.08613", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.08617", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.10074", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39381" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { 
"value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39381", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39381" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10406", "reference_id": "10406", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T20:23:25Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10406" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10407", "reference_id": "10407", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", 
"scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T20:23:25Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10407" }, { "reference_url": "https://github.com/advisories/GHSA-g4v2-qx3q-4p64", "reference_id": "GHSA-g4v2-qx3q-4p64", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g4v2-qx3q-4p64" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-g4v2-qx3q-4p64", "reference_id": "GHSA-g4v2-qx3q-4p64", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T20:23:25Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-g4v2-qx3q-4p64" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374063?format=api", "purl": "pkg:npm/parse-server@8.6.75", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dhkw-d15h-rkb5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.75" }, { "url": "http://public2.vulnerablecode.io/api/packages/374062?format=api", "purl": "pkg:npm/parse-server@9.8.0-alpha.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dhkw-d15h-rkb5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.8.0-alpha.7" } ], "aliases": [ "CVE-2026-39381", 
"GHSA-g4v2-qx3q-4p64" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-14fp-bjdd-uffh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/78310?format=api", "vulnerability_id": "VCID-2rxm-qxur-9ygu", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.60 and 9.6.0-alpha.54, an attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending concurrent login requests. This defeats the single-use design of recovery codes. The attack requires the user's password, a valid recovery code, and the ability to send concurrent requests within milliseconds. This issue has been patched in versions 8.6.60 and 9.6.0-alpha.54.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33624", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09911", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09951", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.0996", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09965", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33624" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { 
"reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33624", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33624" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10275", "reference_id": "10275", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:58:24Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10275" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10276", "reference_id": "10276", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:58:24Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10276" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/5e70094250a36bfcc14ecd49592be2b94fba66ff", "reference_id": "5e70094250a36bfcc14ecd49592be2b94fba66ff", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", 
"scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:58:24Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/5e70094250a36bfcc14ecd49592be2b94fba66ff" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/fc3da35a81d5083b453e8967cabcc880f1a3bd0c", "reference_id": "fc3da35a81d5083b453e8967cabcc880f1a3bd0c", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:58:24Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/fc3da35a81d5083b453e8967cabcc880f1a3bd0c" }, { "reference_url": "https://github.com/advisories/GHSA-2299-ghjr-6vjp", "reference_id": "GHSA-2299-ghjr-6vjp", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2299-ghjr-6vjp" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-2299-ghjr-6vjp", "reference_id": "GHSA-2299-ghjr-6vjp", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:58:24Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-2299-ghjr-6vjp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375145?format=api", "purl": "pkg:npm/parse-server@8.6.60", 
"is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.60" }, { "url": "http://public2.vulnerablecode.io/api/packages/375144?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.54", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.54" } ], "aliases": [ "CVE-2026-33624", "GHSA-2299-ghjr-6vjp" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2rxm-qxur-9ygu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/75115?format=api", "vulnerability_id": 
"VCID-49m3-j488-yqes", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0-alpha.10, the GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This bypasses origin restrictions that operators configure to control which websites can interact with the Parse Server API. The REST API correctly enforces the configured allowOrigin restriction. This issue has been patched in versions 8.6.66 and 9.7.0-alpha.10.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34373", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06235", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06228", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06257", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06245", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34373" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34373", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": 
"generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34373" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/0347641507891d0013ec57f7c10f012064f41263", "reference_id": "0347641507891d0013ec57f7c10f012064f41263", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:23:36Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/0347641507891d0013ec57f7c10f012064f41263" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10334", "reference_id": "10334", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:23:36Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10334" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10335", "reference_id": "10335", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:23:36Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10335" }, { "reference_url": 
"https://github.com/parse-community/parse-server/commit/4dd0d3d8be1c39664c74ad10bb0abaa76bc41203", "reference_id": "4dd0d3d8be1c39664c74ad10bb0abaa76bc41203", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:23:36Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/4dd0d3d8be1c39664c74ad10bb0abaa76bc41203" }, { "reference_url": "https://github.com/advisories/GHSA-q3p6-g7c4-829c", "reference_id": "GHSA-q3p6-g7c4-829c", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-q3p6-g7c4-829c" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-q3p6-g7c4-829c", "reference_id": "GHSA-q3p6-g7c4-829c", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:23:36Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-q3p6-g7c4-829c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374641?format=api", "purl": "pkg:npm/parse-server@8.6.66", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { 
"vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.66" }, { "url": "http://public2.vulnerablecode.io/api/packages/374640?format=api", "purl": "pkg:npm/parse-server@9.7.0-alpha.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.10" } ], "aliases": [ "CVE-2026-34373", "GHSA-q3p6-g7c4-829c" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-49m3-j488-yqes" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/75119?format=api", "vulnerability_id": "VCID-7jbf-hw56-9bcx", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint. This defeats the single-use guarantee of MFA recovery codes and SMS one-time passwords, allowing session persistence even after the legitimate user revokes detected sessions. 
This issue has been patched in versions 8.6.64 and 9.7.0-alpha.8.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34224", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04657", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04677", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04679", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04665", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34224" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34224", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34224" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10326", "reference_id": "10326", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": 
"generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:15:54Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10326" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10327", "reference_id": "10327", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:15:54Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10327" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/661f160edac8daac0486bc94413cf9652876ab92", "reference_id": "661f160edac8daac0486bc94413cf9652876ab92", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:15:54Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/661f160edac8daac0486bc94413cf9652876ab92" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/e7efbebba398ce6abe5b6b6fb9829c6ebe310fbf", "reference_id": "e7efbebba398ce6abe5b6b6fb9829c6ebe310fbf", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:15:54Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/e7efbebba398ce6abe5b6b6fb9829c6ebe310fbf" }, { "reference_url": "https://github.com/advisories/GHSA-w73w-g5xw-rwhf", "reference_id": "GHSA-w73w-g5xw-rwhf", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w73w-g5xw-rwhf" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-w73w-g5xw-rwhf", "reference_id": "GHSA-w73w-g5xw-rwhf", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:15:54Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-w73w-g5xw-rwhf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374818?format=api", "purl": "pkg:npm/parse-server@8.6.64", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { 
"vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.64" }, { "url": "http://public2.vulnerablecode.io/api/packages/374817?format=api", "purl": "pkg:npm/parse-server@9.7.0-alpha.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.8" } ], "aliases": [ "CVE-2026-34224", "GHSA-w73w-g5xw-rwhf" ], "risk_score": 2.0, "exploitability": "0.5", "weighted_severity": "4.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7jbf-hw56-9bcx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/74997?format=api", "vulnerability_id": "VCID-cbrh-vg1p-3ua7", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.70 and 9.7.0-alpha.18, an authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery subscriptions. 
By sending a subscription with a $or, $and, or $nor operator value as a plain object with numeric keys and a length property (an \"array-like\" object) instead of an array, the protected-field guard is bypassed. The subscription event firing acts as a binary oracle, allowing the attacker to infer whether a protected field matches a given test value. This issue has been patched in versions 8.6.70 and 9.7.0-alpha.18.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34595", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.1263", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12707", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12722", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12729", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34595" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34595", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34595" }, { "reference_url": 
"https://github.com/parse-community/parse-server/pull/10350", "reference_id": "10350", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:22:23Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10350" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10351", "reference_id": "10351", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:22:23Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10351" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/f63fd1a3fe0a7c1c5fe809f01b0e04759e8c9b98", "reference_id": "f63fd1a3fe0a7c1c5fe809f01b0e04759e8c9b98", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:22:23Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/f63fd1a3fe0a7c1c5fe809f01b0e04759e8c9b98" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/ffad0ec6b971ee0dd9545e1bf1fb34ddebf275c2", "reference_id": "ffad0ec6b971ee0dd9545e1bf1fb34ddebf275c2", "reference_type": "", "scores": [ { "value": 
"5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:22:23Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/ffad0ec6b971ee0dd9545e1bf1fb34ddebf275c2" }, { "reference_url": "https://github.com/advisories/GHSA-mmg8-87c5-jrc2", "reference_id": "GHSA-mmg8-87c5-jrc2", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mmg8-87c5-jrc2" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mmg8-87c5-jrc2", "reference_id": "GHSA-mmg8-87c5-jrc2", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:22:23Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mmg8-87c5-jrc2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373556?format=api", "purl": "pkg:npm/parse-server@8.6.70", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.70" }, { "url": 
"http://public2.vulnerablecode.io/api/packages/373555?format=api", "purl": "pkg:npm/parse-server@9.7.0-alpha.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.16" } ], "aliases": [ "CVE-2026-34595", "GHSA-mmg8-87c5-jrc2" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cbrh-vg1p-3ua7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65541?format=api", "vulnerability_id": "VCID-dhkw-d15h-rkb5", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.76 and 9.9.0-alpha.2, a race condition in the MFA SMS one-time password (OTP) login path allows two concurrent /login requests carrying the same OTP to both succeed and both receive valid session tokens, breaking the single-use property of the OTP. The vulnerability requires the attacker to already possess the victim's password and intercept the active SMS OTP (e.g. via SIM swap, network mirror, or phishing relay) and to race the legitimate login request, so the practical attack surface is narrow. 
This vulnerability is fixed in 8.6.76 and 9.9.0-alpha.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43930", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0001", "scoring_system": "epss", "scoring_elements": "0.01108", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0001", "scoring_system": "epss", "scoring_elements": "0.01301", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0001", "scoring_system": "epss", "scoring_elements": "0.01106", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0001", "scoring_system": "epss", "scoring_elements": "0.01296", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43930" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43930", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43930" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10448", "reference_id": "10448", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:27:09Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10448" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10449", "reference_id": "10449", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:27:09Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10449" }, { "reference_url": "https://github.com/advisories/GHSA-jpq4-7fmq-q5fj", "reference_id": "GHSA-jpq4-7fmq-q5fj", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jpq4-7fmq-q5fj" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-jpq4-7fmq-q5fj", "reference_id": "GHSA-jpq4-7fmq-q5fj", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:27:09Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-jpq4-7fmq-q5fj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375442?format=api", "purl": "pkg:npm/parse-server@8.6.76", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.76" }, { "url": 
"http://public2.vulnerablecode.io/api/packages/375441?format=api", "purl": "pkg:npm/parse-server@9.9.0-alpha.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.9.0-alpha.2" } ], "aliases": [ "CVE-2026-43930", "GHSA-jpq4-7fmq-q5fj" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dhkw-d15h-rkb5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/73029?format=api", "vulnerability_id": "VCID-dyd6-6yy1-hyhn", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.6 and 8.6.74, the login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the server responds immediately. When a user exists but the password is wrong, a bcrypt comparison runs first, adding significant latency. This timing difference allows an unauthenticated attacker to enumerate valid usernames. 
This vulnerability is fixed in 9.8.0-alpha.6 and 8.6.74.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39321", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.09019", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.0907", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.09067", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00031", "scoring_system": "epss", "scoring_elements": "0.09485", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39321" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39321", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39321" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10398", "reference_id": "10398", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", 
"scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T18:44:58Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10398" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10399", "reference_id": "10399", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T18:44:58Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10399" }, { "reference_url": "https://github.com/advisories/GHSA-mmpq-5hcv-hf2v", "reference_id": "GHSA-mmpq-5hcv-hf2v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mmpq-5hcv-hf2v" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mmpq-5hcv-hf2v", "reference_id": "GHSA-mmpq-5hcv-hf2v", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": 
"MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T18:44:58Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mmpq-5hcv-hf2v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373414?format=api", "purl": "pkg:npm/parse-server@8.6.74", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.74" }, { "url": "http://public2.vulnerablecode.io/api/packages/373413?format=api", "purl": "pkg:npm/parse-server@9.8.0-alpha.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.8.0-alpha.6" } ], "aliases": [ "CVE-2026-39321", "GHSA-mmpq-5hcv-hf2v" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dyd6-6yy1-hyhn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/75142?format=api", "vulnerability_id": "VCID-gngn-8vy6-bkg7", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.63 and 9.7.0-alpha.7, the verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacker who knows a user's password can extract the MFA secret to generate valid MFA codes, defeating multi-factor authentication protection. 
This issue has been patched in versions 8.6.63 and 9.7.0-alpha.7.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34215", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00085", "scoring_system": "epss", "scoring_elements": "0.24728", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00085", "scoring_system": "epss", "scoring_elements": "0.24923", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00085", "scoring_system": "epss", "scoring_elements": "0.2494", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00085", "scoring_system": "epss", "scoring_elements": "0.24927", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34215" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34215", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34215" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10323", "reference_id": "10323", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", 
"scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T16:23:36Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10323" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10324", "reference_id": "10324", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T16:23:36Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10324" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/770be8647424d92f5425c41fa81065ffbbb171ed", "reference_id": "770be8647424d92f5425c41fa81065ffbbb171ed", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T16:23:36Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/770be8647424d92f5425c41fa81065ffbbb171ed" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/a1d4e7b12a12f16d3870dbee582a36765858e94c", "reference_id": "a1d4e7b12a12f16d3870dbee582a36765858e94c", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", 
"scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T16:23:36Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/a1d4e7b12a12f16d3870dbee582a36765858e94c" }, { "reference_url": "https://github.com/advisories/GHSA-wp76-gg32-8258", "reference_id": "GHSA-wp76-gg32-8258", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wp76-gg32-8258" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-wp76-gg32-8258", "reference_id": "GHSA-wp76-gg32-8258", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T16:23:36Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-wp76-gg32-8258" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374847?format=api", "purl": "pkg:npm/parse-server@8.6.63", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": 
"VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.63" }, { "url": "http://public2.vulnerablecode.io/api/packages/374846?format=api", "purl": "pkg:npm/parse-server@9.7.0-alpha.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.7" } ], "aliases": [ "CVE-2026-34215", "GHSA-wp76-gg32-8258" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gngn-8vy6-bkg7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/75150?format=api", "vulnerability_id": "VCID-hs5q-jk5r-7ya8", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.65 and 9.7.0-alpha.9, when multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects. 
The sensitive data filter modifies these shared objects in-place, so when one subscriber's filter removes a protected field, subsequent subscribers may receive the already-filtered object. This can cause protected fields and authentication data to leak to clients that should not see them, or cause clients that should see the data to receive an incomplete object. Additionally, when an afterEvent Cloud Code trigger is registered, one subscriber's trigger modifications can leak to other subscribers through the same shared mutable state. Any Parse Server deployment using LiveQuery with protected fields or afterEvent triggers is affected when multiple clients subscribe to the same class. This issue has been patched in versions 8.6.65 and 9.7.0-alpha.9.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34363", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.0685", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06848", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06862", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06874", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34363" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34363", "reference_id": "", "reference_type": "", "scores": [ { "value": 
"8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34363" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10330", "reference_id": "10330", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:22Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10330" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10331", "reference_id": "10331", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:22Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10331" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/5834e29234593addaa0251a85f572ad4f376320b", "reference_id": "5834e29234593addaa0251a85f572ad4f376320b", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:22Z/" } ], "url": 
"https://github.com/parse-community/parse-server/commit/5834e29234593addaa0251a85f572ad4f376320b" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/776c71c3078e77d38c94937f463741793609d055", "reference_id": "776c71c3078e77d38c94937f463741793609d055", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:22Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/776c71c3078e77d38c94937f463741793609d055" }, { "reference_url": "https://github.com/advisories/GHSA-m983-v2ff-wq65", "reference_id": "GHSA-m983-v2ff-wq65", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m983-v2ff-wq65" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-m983-v2ff-wq65", "reference_id": "GHSA-m983-v2ff-wq65", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:22Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-m983-v2ff-wq65" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374705?format=api", "purl": "pkg:npm/parse-server@8.6.65", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, 
{ "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.65" }, { "url": "http://public2.vulnerablecode.io/api/packages/374704?format=api", "purl": "pkg:npm/parse-server@9.7.0-alpha.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.9" } ], "aliases": [ "CVE-2026-34363", "GHSA-m983-v2ff-wq65" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hs5q-jk5r-7ya8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/78078?format=api", "vulnerability_id": "VCID-mdgb-p4u1-uud5", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.57 and 9.6.0-alpha.48, an authenticated user can overwrite server-generated session fields such as expiresAt and createdWith when updating their own session via the REST API. This allows bypassing the server's configured session lifetime policy, making a session effectively permanent. 
This issue has been patched in versions 8.6.57 and 9.6.0-alpha.48.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33527", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02576", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02569", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02579", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33527" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33527", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33527" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10263", "reference_id": "10263", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", 
"scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:36:32Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10263" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10264", "reference_id": "10264", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:36:32Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10264" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/26b628c8fb3cc79ea955374769eebcff6f8a8a73", "reference_id": "26b628c8fb3cc79ea955374769eebcff6f8a8a73", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:36:32Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/26b628c8fb3cc79ea955374769eebcff6f8a8a73" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/ea68fc0b22a6056c9675149469ff57817f7cf984", "reference_id": 
"ea68fc0b22a6056c9675149469ff57817f7cf984", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:36:32Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/ea68fc0b22a6056c9675149469ff57817f7cf984" }, { "reference_url": "https://github.com/advisories/GHSA-jc39-686j-wp6q", "reference_id": "GHSA-jc39-686j-wp6q", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jc39-686j-wp6q" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-jc39-686j-wp6q", "reference_id": "GHSA-jc39-686j-wp6q", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:36:32Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-jc39-686j-wp6q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374688?format=api", "purl": "pkg:npm/parse-server@8.6.57", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": 
"VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.57" }, { "url": "http://public2.vulnerablecode.io/api/packages/374687?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.48", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.48" } ], "aliases": [ "CVE-2026-33527", "GHSA-jc39-686j-wp6q" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": 
"http://public2.vulnerablecode.io/vulnerabilities/VCID-mdgb-p4u1-uud5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/74879?format=api", "vulnerability_id": "VCID-mm7p-maf1-eyhq", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.69 and 9.7.0-alpha.14, an authenticated user can bypass the immutability guard on session fields (expiresAt, createdWith) by sending a null value in a PUT request to the session update endpoint. This allows nullifying the session expiry, making the session valid indefinitely and bypassing configured session length policies. This issue has been patched in versions 8.6.69 and 9.7.0-alpha.14.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34574", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.1263", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12707", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12722", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12729", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34574" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34574", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": 
"cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34574" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10347", "reference_id": "10347", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-01T17:57:17Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10347" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10348", "reference_id": "10348", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-01T17:57:17Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10348" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/90802969fc713b7bc9733d7255c7519a6ed75d21", "reference_id": "90802969fc713b7bc9733d7255c7519a6ed75d21", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-01T17:57:17Z/" } ], "url": 
"https://github.com/parse-community/parse-server/commit/90802969fc713b7bc9733d7255c7519a6ed75d21" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/ebccd7fe2708007e62f705ee1c820a6766178777", "reference_id": "ebccd7fe2708007e62f705ee1c820a6766178777", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-01T17:57:17Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/ebccd7fe2708007e62f705ee1c820a6766178777" }, { "reference_url": "https://github.com/advisories/GHSA-f6j3-w9v3-cq22", "reference_id": "GHSA-f6j3-w9v3-cq22", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f6j3-w9v3-cq22" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-f6j3-w9v3-cq22", "reference_id": "GHSA-f6j3-w9v3-cq22", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-01T17:57:17Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-f6j3-w9v3-cq22" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373426?format=api", "purl": "pkg:npm/parse-server@8.6.69", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": 
"VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.69" }, { "url": "http://public2.vulnerablecode.io/api/packages/373425?format=api", "purl": "pkg:npm/parse-server@9.7.0-alpha.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.14" } ], "aliases": [ "CVE-2026-34574", "GHSA-f6j3-w9v3-cq22" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mm7p-maf1-eyhq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77818?format=api", "vulnerability_id": "VCID-mxgt-92ep-73fj", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.58 and 9.6.0-alpha.52, an unauthenticated attacker can cause denial of service by sending authentication requests with arbitrary, unconfigured provider names. The server executes a database query for each unconfigured provider before rejecting the request, and since no database index exists for unconfigured providers, each request triggers a full collection scan on the user database. This can be parallelized to saturate database resources. 
This issue has been patched in versions 8.6.58 and 9.6.0-alpha.52.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33538", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00142", "scoring_system": "epss", "scoring_elements": "0.34156", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00142", "scoring_system": "epss", "scoring_elements": "0.34337", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00142", "scoring_system": "epss", "scoring_elements": "0.34358", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00142", "scoring_system": "epss", "scoring_elements": "0.34333", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33538" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33538", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33538" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10270", "reference_id": "10270", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:37:14Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10270" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10271", "reference_id": "10271", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:37:14Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10271" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/40eb442e02672986730007d0a1edb22c1c4bd357", "reference_id": "40eb442e02672986730007d0a1edb22c1c4bd357", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:37:14Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/40eb442e02672986730007d0a1edb22c1c4bd357" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/fbac847499e57f243315c5fc7135be1d58bb8e54", "reference_id": "fbac847499e57f243315c5fc7135be1d58bb8e54", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:37:14Z/" } ], "url": 
"https://github.com/parse-community/parse-server/commit/fbac847499e57f243315c5fc7135be1d58bb8e54" }, { "reference_url": "https://github.com/advisories/GHSA-g4cf-xj29-wqqr", "reference_id": "GHSA-g4cf-xj29-wqqr", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g4cf-xj29-wqqr" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-g4cf-xj29-wqqr", "reference_id": "GHSA-g4cf-xj29-wqqr", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:37:14Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-g4cf-xj29-wqqr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374907?format=api", "purl": "pkg:npm/parse-server@8.6.58", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], 
"resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.58" }, { "url": "http://public2.vulnerablecode.io/api/packages/374906?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.52", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.52" } ], "aliases": [ "CVE-2026-33538", "GHSA-g4cf-xj29-wqqr" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mxgt-92ep-73fj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/74749?format=api", "vulnerability_id": "VCID-n4s7-6vvk-skfz", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads. A single unauthenticated request can block the Node.js event loop for seconds, denying service to all concurrent users. This only affects deployments that have enabled the requestComplexity.graphQLDepth or requestComplexity.graphQLFields configuration options. 
This issue has been patched in versions 8.6.68 and 9.7.0-alpha.12.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34573", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05341", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05343", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05353", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05359", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34573" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34573", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34573" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10344", "reference_id": "10344", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:19Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10344" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10345", "reference_id": "10345", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:19Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10345" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/ea15412795f34594cc8a674fe858d445675e0295", "reference_id": "ea15412795f34594cc8a674fe858d445675e0295", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:19Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/ea15412795f34594cc8a674fe858d445675e0295" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/f759bda075298ec44e2b4fb57659a0c56620483b", "reference_id": "f759bda075298ec44e2b4fb57659a0c56620483b", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:19Z/" } ], "url": 
"https://github.com/parse-community/parse-server/commit/f759bda075298ec44e2b4fb57659a0c56620483b" }, { "reference_url": "https://github.com/advisories/GHSA-mfj6-6p54-m98c", "reference_id": "GHSA-mfj6-6p54-m98c", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mfj6-6p54-m98c" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mfj6-6p54-m98c", "reference_id": "GHSA-mfj6-6p54-m98c", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:19Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mfj6-6p54-m98c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374810?format=api", "purl": "pkg:npm/parse-server@8.6.68", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.68" }, { "url": "http://public2.vulnerablecode.io/api/packages/374809?format=api", "purl": "pkg:npm/parse-server@9.7.0-alpha.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" 
}, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.12" } ], "aliases": [ "CVE-2026-34573", "GHSA-mfj6-6p54-m98c" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-n4s7-6vvk-skfz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/78070?format=api", "vulnerability_id": "VCID-nqev-h9w8-pudy", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.61 and 9.6.0-alpha.55, an authenticated user calling GET /users/me receives unsanitized auth data, including sensitive credentials such as MFA TOTP secrets and recovery codes. The endpoint internally uses master-level authentication for the session query, and the master context leaks through to the user data, bypassing auth adapter sanitization. An attacker who obtains a user's session token can extract MFA secrets to generate valid TOTP codes indefinitely. 
This issue has been patched in versions 8.6.61 and 9.6.0-alpha.55.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33627", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.12016", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.12088", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.12109", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.12108", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33627" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33627", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33627" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10278", "reference_id": "10278", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:38:24Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10278" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10279", "reference_id": "10279", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:38:24Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10279" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/5b8998e6866bcf75be7b5bb625e27d23bfaf912c", "reference_id": "5b8998e6866bcf75be7b5bb625e27d23bfaf912c", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:38:24Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/5b8998e6866bcf75be7b5bb625e27d23bfaf912c" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/875cf10ac979bd60f70e7a0c534e2bc194d6982f", "reference_id": "875cf10ac979bd60f70e7a0c534e2bc194d6982f", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:38:24Z/" } ], "url": 
"https://github.com/parse-community/parse-server/commit/875cf10ac979bd60f70e7a0c534e2bc194d6982f" }, { "reference_url": "https://github.com/advisories/GHSA-37mj-c2wf-cx96", "reference_id": "GHSA-37mj-c2wf-cx96", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-37mj-c2wf-cx96" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-37mj-c2wf-cx96", "reference_id": "GHSA-37mj-c2wf-cx96", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:38:24Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-37mj-c2wf-cx96" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374932?format=api", "purl": "pkg:npm/parse-server@8.6.61", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.61" }, { "url": 
"http://public2.vulnerablecode.io/api/packages/374931?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.55", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.55" } ], "aliases": [ "CVE-2026-33627", "GHSA-37mj-c2wf-cx96" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nqev-h9w8-pudy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71781?format=api", "vulnerability_id": "VCID-nt51-v9gk-w3e8", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.73 and 9.7.1-alpha.4, a file can be uploaded with a filename extension that passes the file extension allowlist (e.g., .txt) but with a Content-Type header that differs from the extension (e.g., text/html). The Content-Type is passed to the storage adapter without consistency validation. Storage adapters that store and serve the provided Content-Type (such as S3 or GCS) serve the file with the mismatched Content-Type. The default GridFS adapter is not affected because it derives Content-Type from the filename at serving time. 
This vulnerability is fixed in 8.6.73 and 9.7.1-alpha.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35200", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09965", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.10014", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11654", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11677", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35200" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35200", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35200" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10383", "reference_id": "10383", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T14:02:43Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10383" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10384", "reference_id": "10384", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T14:02:43Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10384" }, { "reference_url": "https://github.com/advisories/GHSA-vr5f-2r24-w5hc", "reference_id": "GHSA-vr5f-2r24-w5hc", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vr5f-2r24-w5hc" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vr5f-2r24-w5hc", "reference_id": "GHSA-vr5f-2r24-w5hc", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T14:02:43Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vr5f-2r24-w5hc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374117?format=api", "purl": "pkg:npm/parse-server@8.6.73", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": 
"VCID-dyd6-6yy1-hyhn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.73" }, { "url": "http://public2.vulnerablecode.io/api/packages/374116?format=api", "purl": "pkg:npm/parse-server@9.7.1-alpha.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.1-alpha.4" } ], "aliases": [ "CVE-2026-35200", "GHSA-vr5f-2r24-w5hc" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nt51-v9gk-w3e8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/75005?format=api", "vulnerability_id": "VCID-vmwk-3myb-u7ds", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFind(Parse.File) trigger and its validators on storage adapters that support streaming (e.g. the default GridFS adapter). This allows access to files that should be protected by afterFind trigger authorization logic or built-in validators such as requireUser. 
This issue has been patched in versions 8.6.71 and 9.7.1-alpha.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34784", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03955", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.0396", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03971", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34784" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34784", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34784" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/053109b3ee71815bc39ed84116c108ff9edbf337", "reference_id": "053109b3ee71815bc39ed84116c108ff9edbf337", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:31Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/053109b3ee71815bc39ed84116c108ff9edbf337" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10361", "reference_id": "10361", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:31Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10361" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10362", "reference_id": "10362", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:31Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10362" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/a0b0c69fc44f87f80d793d257344e7dcbf676e22", "reference_id": "a0b0c69fc44f87f80d793d257344e7dcbf676e22", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:31Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/a0b0c69fc44f87f80d793d257344e7dcbf676e22" }, { "reference_url": 
"https://github.com/advisories/GHSA-hpm8-9qx6-jvwv", "reference_id": "GHSA-hpm8-9qx6-jvwv", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hpm8-9qx6-jvwv" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-hpm8-9qx6-jvwv", "reference_id": "GHSA-hpm8-9qx6-jvwv", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:31Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-hpm8-9qx6-jvwv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374144?format=api", "purl": "pkg:npm/parse-server@8.6.71", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.71" }, { "url": "http://public2.vulnerablecode.io/api/packages/374143?format=api", "purl": "pkg:npm/parse-server@9.7.1-alpha.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.1-alpha.1" } ], "aliases": [ "CVE-2026-34784", "GHSA-hpm8-9qx6-jvwv" ], "risk_score": 4.0, "exploitability": "0.5", 
"weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vmwk-3myb-u7ds" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/78118?format=api", "vulnerability_id": "VCID-wqxc-qnu8-q7d7", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.59 and 9.6.0-alpha.53, an attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name parameters of the aggregate $group pipeline stage or the distinct operation. This allows privilege escalation from Parse Server application-level administrator to PostgreSQL database-level access. Only Parse Server deployments using PostgreSQL are affected. MongoDB deployments are not affected. This issue has been patched in versions 8.6.59 and 9.6.0-alpha.53.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33539", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07139", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07161", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07172", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07166", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33539" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33539", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33539" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/03249f9bf5b8783c8b848f84dab791ff0b761b8c", "reference_id": "03249f9bf5b8783c8b848f84dab791ff0b761b8c", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:33:11Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/03249f9bf5b8783c8b848f84dab791ff0b761b8c" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10272", "reference_id": "10272", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:33:11Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10272" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10273", "reference_id": "10273", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": 
"generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:33:11Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10273" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/bdddab5f8b61a40cb8fc62dd895887bdd2f3838e", "reference_id": "bdddab5f8b61a40cb8fc62dd895887bdd2f3838e", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:33:11Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/bdddab5f8b61a40cb8fc62dd895887bdd2f3838e" }, { "reference_url": "https://github.com/advisories/GHSA-p2w6-rmh7-w8q3", "reference_id": "GHSA-p2w6-rmh7-w8q3", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p2w6-rmh7-w8q3" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-p2w6-rmh7-w8q3", "reference_id": "GHSA-p2w6-rmh7-w8q3", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:33:11Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-p2w6-rmh7-w8q3" } ], "fixed_packages": [ { "url": 
"http://public2.vulnerablecode.io/api/packages/374808?format=api", "purl": "pkg:npm/parse-server@8.6.59", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.59" }, { "url": "http://public2.vulnerablecode.io/api/packages/374807?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.53", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.53" } ], "aliases": [ "CVE-2026-33539", "GHSA-p2w6-rmh7-w8q3" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", 
"resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wqxc-qnu8-q7d7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/75237?format=api", "vulnerability_id": "VCID-zx4t-zth8-7fe5", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.67 and 9.7.0-alpha.11, an attacker can bypass Cloud Function validator access controls by appending \"prototype.constructor\" to the function name in the URL. When a Cloud Function handler is declared using the function keyword and its validator is a plain object or arrow function, the trigger store traversal resolves the handler through its own prototype chain while the validator store fails to mirror this traversal, causing all access control enforcement to be skipped. This allows unauthenticated callers to invoke Cloud Functions that are meant to be protected by validators such as requireUser, requireMaster, or custom validation logic. This issue has been patched in versions 8.6.67 and 9.7.0-alpha.11.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34532", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13654", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13742", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13772", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13771", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34532" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34532", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34532" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10342", "reference_id": "10342", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-31T17:21:00Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10342" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10343", "reference_id": "10343", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-31T17:21:00Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10343" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/4fc48cf28f22eea200d74d883505f485234a48d7", "reference_id": "4fc48cf28f22eea200d74d883505f485234a48d7", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": 
"cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-31T17:21:00Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/4fc48cf28f22eea200d74d883505f485234a48d7" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/dc59e272665644083c5b7f6862d88ce1ef0b2674", "reference_id": "dc59e272665644083c5b7f6862d88ce1ef0b2674", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-31T17:21:00Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/dc59e272665644083c5b7f6862d88ce1ef0b2674" }, { "reference_url": "https://github.com/advisories/GHSA-vpj2-qq7w-5qq6", "reference_id": "GHSA-vpj2-qq7w-5qq6", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vpj2-qq7w-5qq6" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vpj2-qq7w-5qq6", "reference_id": "GHSA-vpj2-qq7w-5qq6", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-31T17:21:00Z/" } 
], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vpj2-qq7w-5qq6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374868?format=api", "purl": "pkg:npm/parse-server@8.6.67", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.67" }, { "url": "http://public2.vulnerablecode.io/api/packages/374867?format=api", "purl": "pkg:npm/parse-server@9.7.0-alpha.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.11" } ], "aliases": [ "CVE-2026-34532", "GHSA-vpj2-qq7w-5qq6" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zx4t-zth8-7fe5" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/78114?format=api", "vulnerability_id": "VCID-e84c-36en-wqaa", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.54 and 9.6.0-alpha.43, an attacker can subscribe to LiveQuery with a watch parameter targeting a protected field. 
Although the protected field value is properly stripped from event payloads, the presence or absence of update events reveals whether the protected field changed, creating a binary oracle. For boolean protected fields, the timing of change events is equivalent to knowing the field value. This issue has been patched in versions 8.6.54 and 9.6.0-alpha.43.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33429", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03023", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03032", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03021", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03036", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33429" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33429", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": 
"generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33429" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/0c0a0a5a37ca821d2553119f2cb3be35322eda4b", "reference_id": "0c0a0a5a37ca821d2553119f2cb3be35322eda4b", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:33:05Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/0c0a0a5a37ca821d2553119f2cb3be35322eda4b" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10253", "reference_id": "10253", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:33:05Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10253" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10254", "reference_id": "10254", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", 
"scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:33:05Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10254" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/c62eacaf38de86913f09240583448360b1cc8e67", "reference_id": "c62eacaf38de86913f09240583448360b1cc8e67", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:33:05Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/c62eacaf38de86913f09240583448360b1cc8e67" }, { "reference_url": "https://github.com/advisories/GHSA-qpc3-fg4j-8hgm", "reference_id": "GHSA-qpc3-fg4j-8hgm", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qpc3-fg4j-8hgm" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-qpc3-fg4j-8hgm", "reference_id": "GHSA-qpc3-fg4j-8hgm", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", 
"scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:33:05Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-qpc3-fg4j-8hgm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375232?format=api", "purl": "pkg:npm/parse-server@8.6.54", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.54" }, { "url": "http://public2.vulnerablecode.io/api/packages/40396?format=api", "purl": "pkg:npm/parse-server@9.0.0-alpha.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-262h-v1yd-tfc9" }, { "vulnerability": "VCID-2syy-yyte-nug4" }, { "vulnerability": "VCID-383v-s4c7-6bfu" }, { "vulnerability": "VCID-8cct-wkqq-nqdm" }, { "vulnerability": "VCID-bzw6-4m1j-6fe2" }, { "vulnerability": "VCID-caj3-ujpk-hba5" }, { "vulnerability": "VCID-fdqv-3n6r-2fgb" }, { "vulnerability": "VCID-gjus-pwzw-qufs" }, { "vulnerability": "VCID-jh6w-1y2k-27de" }, { "vulnerability": "VCID-pkkz-wwqa-1ufw" }, { "vulnerability": "VCID-qybe-rg1s-6kau" }, { "vulnerability": "VCID-rbax-edn6-d3aw" }, { "vulnerability": 
"VCID-rr98-m4bd-dqhf" }, { "vulnerability": "VCID-ryzc-v8ju-zbcd" }, { "vulnerability": "VCID-u6cq-nd7b-vucm" }, { "vulnerability": "VCID-w175-44z9-c3h5" }, { "vulnerability": "VCID-wtbe-kc8y-77dk" }, { "vulnerability": "VCID-xrz4-1vpd-2qeg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.0.0-alpha.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/375231?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.43", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.43" } ], "aliases": [ "CVE-2026-33429", "GHSA-qpc3-fg4j-8hgm" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e84c-36en-wqaa" } ], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.54" }