Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/961355?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/961355?format=api", "purl": "pkg:npm/parse-server@9.0.0-alpha.11", "type": "npm", "namespace": "", "name": "parse-server", "version": "9.0.0-alpha.11", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "9.9.0-alpha.2", "latest_non_vulnerable_version": "9.9.1-alpha.2", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71253?format=api", "vulnerability_id": "VCID-262h-v1yd-tfc9", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation (e.g., stats.counter). The amount value is interpolated directly into the SQL query without parameterization or type validation. An attacker who can send write requests to the Parse Server REST API can inject arbitrary SQL subqueries to read any data from the database, bypassing CLPs and ACLs. MongoDB deployments are not affected. 
This vulnerability is fixed in 9.6.0-alpha.3 and 8.6.29.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31856", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13424", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13419", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13311", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31856" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.29", "reference_id": "8.6.29", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:11:18Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.29" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.3", "reference_id": "9.6.0-alpha.3", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", 
"scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:11:18Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31856", "reference_id": "CVE-2026-31856", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31856" }, { "reference_url": "https://github.com/advisories/GHSA-q3vj-96h2-gwvg", "reference_id": "GHSA-q3vj-96h2-gwvg", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-q3vj-96h2-gwvg" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-q3vj-96h2-gwvg", "reference_id": "GHSA-q3vj-96h2-gwvg", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:11:18Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-q3vj-96h2-gwvg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40678?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" 
}, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-fdqv-3n6r-2fgb" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hh7p-ae88-z3fs" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-qybe-rg1s-6kau" }, { "vulnerability": "VCID-rr98-m4bd-dqhf" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-w175-44z9-c3h5" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-xrz4-1vpd-2qeg" }, { "vulnerability": "VCID-zrvb-y7f6-ykby" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.3" } ], "aliases": [ "CVE-2026-31856", "GHSA-q3vj-96h2-gwvg" ], "risk_score": 4.5, 
"exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-262h-v1yd-tfc9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66602?format=api", "vulnerability_id": "VCID-2syy-yyte-nug4", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.8 and 8.6.21, a vulnerability in Parse Server's query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other users by exploiting the redirectClassNameForKey query parameter. Exfiltrated session tokens can be used to take over user accounts. The vulnerability requires the attacker to be able to create or update an object with a new relation field, which depends on the Class-Level Permissions of at least one class. This vulnerability is fixed in 9.5.2-alpha.8 and 8.6.21.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30965", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25411", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25394", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25196", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30965" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.21", 
"reference_id": "8.6.21", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-11T14:27:33Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.21" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.8", "reference_id": "9.5.2-alpha.8", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-11T14:27:33Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.8" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30965", "reference_id": "CVE-2026-30965", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30965" }, { "reference_url": "https://github.com/advisories/GHSA-6r2j-cxgf-495f", "reference_id": "GHSA-6r2j-cxgf-495f", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6r2j-cxgf-495f" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6r2j-cxgf-495f", "reference_id": "GHSA-6r2j-cxgf-495f", "reference_type": "", "scores": [ { "value": 
"CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-11T14:27:33Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6r2j-cxgf-495f" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40651?format=api", "purl": "pkg:npm/parse-server@9.5.2-alpha.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-262h-v1yd-tfc9" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2qbc-paq8-2fgn" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-caj3-ujpk-hba5" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-fdqv-3n6r-2fgb" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gjus-pwzw-qufs" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hh7p-ae88-z3fs" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { 
"vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-jh6w-1y2k-27de" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-qybe-rg1s-6kau" }, { "vulnerability": "VCID-rr98-m4bd-dqhf" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-w175-44z9-c3h5" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-wtbe-kc8y-77dk" }, { "vulnerability": "VCID-xrz4-1vpd-2qeg" }, { "vulnerability": "VCID-zrvb-y7f6-ykby" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.8" } ], "aliases": [ "CVE-2026-30965", "GHSA-6r2j-cxgf-495f" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2syy-yyte-nug4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66328?format=api", "vulnerability_id": "VCID-383v-s4c7-6bfu", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.13 and 9.5.1-alpha.2, an unauthenticated attacker can crash the Parse Server process by calling a Cloud Function endpoint with a prototype property name as the function name. The server recurses infinitely, causing a call stack size error that terminates the process. Other prototype property names bypass Cloud Function dispatch validation and return HTTP 200 responses, even though no such Cloud Functions are defined. The same applies to dot-notation traversal. 
All Parse Server deployments that expose the Cloud Function endpoint are affected. This vulnerability is fixed in 8.6.13 and 9.5.1-alpha.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30939", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00181", "scoring_system": "epss", "scoring_elements": "0.39857", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00181", "scoring_system": "epss", "scoring_elements": "0.39833", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00181", "scoring_system": "epss", "scoring_elements": "0.39663", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30939" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.13", "reference_id": "8.6.13", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:56:39Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.13" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.5.1-alpha.2", "reference_id": "9.5.1-alpha.2", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N" }, { 
"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:56:39Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.1-alpha.2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30939", "reference_id": "CVE-2026-30939", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30939" }, { "reference_url": "https://github.com/advisories/GHSA-5j86-7r7m-p8h6", "reference_id": "GHSA-5j86-7r7m-p8h6", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5j86-7r7m-p8h6" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-5j86-7r7m-p8h6", "reference_id": "GHSA-5j86-7r7m-p8h6", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:56:39Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-5j86-7r7m-p8h6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40426?format=api", "purl": "pkg:npm/parse-server@9.5.1-alpha.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { 
"vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-22pk-5s6t-ufaw" }, { "vulnerability": "VCID-262h-v1yd-tfc9" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2qbc-paq8-2fgn" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-2syy-yyte-nug4" }, { "vulnerability": "VCID-2t98-yfws-zfgn" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-brgs-d2uu-a7bt" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-caj3-ujpk-hba5" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dmkx-64cw-67ae" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-fdqv-3n6r-2fgb" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gjus-pwzw-qufs" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hh7p-ae88-z3fs" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-jh6w-1y2k-27de" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-pkkz-wwqa-1ufw" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-qybe-rg1s-6kau" }, { "vulnerability": "VCID-rr98-m4bd-dqhf" }, { "vulnerability": 
"VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-smga-c628-mucb" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-w175-44z9-c3h5" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-wtbe-kc8y-77dk" }, { "vulnerability": "VCID-xrz4-1vpd-2qeg" }, { "vulnerability": "VCID-yup6-6p9f-n7bu" }, { "vulnerability": "VCID-zrvb-y7f6-ykby" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.1-alpha.2" } ], "aliases": [ "CVE-2026-30939", "GHSA-5j86-7r7m-p8h6" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-383v-s4c7-6bfu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66471?format=api", "vulnerability_id": "VCID-8cct-wkqq-nqdm", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.12 and 9.5.1-alpha.1, the requestKeywordDenylist security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is caused by a logic bug that stops scanning sibling keys after encountering the first nested value. Any custom requestKeywordDenylist entries configured by the developer are equally by-passable using the same technique. All Parse Server deployments are affected. The requestKeywordDenylist is enabled by default. This vulnerability is fixed in 8.6.12 and 9.5.1-alpha.1. 
As a workaround, use a Cloud Code beforeSave trigger to validate incoming data for prohibited keywords across all classes.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30938", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00067", "scoring_system": "epss", "scoring_elements": "0.21145", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00067", "scoring_system": "epss", "scoring_elements": "0.21126", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00067", "scoring_system": "epss", "scoring_elements": "0.2095", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30938" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.12", "reference_id": "8.6.12", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:56:19Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.12" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.5.1-alpha.1", "reference_id": "9.5.1-alpha.1", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", 
"scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:56:19Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.1-alpha.1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30938", "reference_id": "CVE-2026-30938", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30938" }, { "reference_url": "https://github.com/advisories/GHSA-q342-9w2p-57fp", "reference_id": "GHSA-q342-9w2p-57fp", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-q342-9w2p-57fp" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-q342-9w2p-57fp", "reference_id": "GHSA-q342-9w2p-57fp", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:56:19Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-q342-9w2p-57fp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40422?format=api", "purl": "pkg:npm/parse-server@9.5.1-alpha.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { 
"vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-22pk-5s6t-ufaw" }, { "vulnerability": "VCID-262h-v1yd-tfc9" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2qbc-paq8-2fgn" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-2syy-yyte-nug4" }, { "vulnerability": "VCID-2t98-yfws-zfgn" }, { "vulnerability": "VCID-383v-s4c7-6bfu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-brgs-d2uu-a7bt" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-caj3-ujpk-hba5" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dmkx-64cw-67ae" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-fdqv-3n6r-2fgb" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gjus-pwzw-qufs" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hh7p-ae88-z3fs" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-jh6w-1y2k-27de" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-pkkz-wwqa-1ufw" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-qybe-rg1s-6kau" }, { "vulnerability": 
"VCID-rr98-m4bd-dqhf" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-smga-c628-mucb" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-w175-44z9-c3h5" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-wtbe-kc8y-77dk" }, { "vulnerability": "VCID-xrz4-1vpd-2qeg" }, { "vulnerability": "VCID-yup6-6p9f-n7bu" }, { "vulnerability": "VCID-zrvb-y7f6-ykby" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.1-alpha.1" } ], "aliases": [ "CVE-2026-30938", "GHSA-q342-9w2p-57fp" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8cct-wkqq-nqdm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66590?format=api", "vulnerability_id": "VCID-bzw6-4m1j-6fe2", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.0-alpha.14 and 8.6.11, a malicious client can subscribe to a LiveQuery with a crafted $regex pattern that causes catastrophic backtracking, blocking the Node.js event loop. This makes the entire Parse Server unresponsive, affecting all clients. Any Parse Server deployment with LiveQuery enabled is affected. The attacker only needs the application ID and JavaScript key, both of which are public in client-side apps. This only affects LiveQuery subscription matching, which evaluates regex in JavaScript on the Node.js event loop. Normal REST and GraphQL queries are not affected because their regex is evaluated by the database engine. 
This vulnerability is fixed in 9.5.0-alpha.14 and 8.6.11.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30925", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06076", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06084", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06061", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30925" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.11", "reference_id": "8.6.11", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T14:08:58Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.11" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.14", "reference_id": "9.5.0-alpha.14", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, 
{ "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T14:08:58Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.14" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30925", "reference_id": "CVE-2026-30925", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30925" }, { "reference_url": "https://github.com/advisories/GHSA-mf3j-86qx-cq5j", "reference_id": "GHSA-mf3j-86qx-cq5j", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mf3j-86qx-cq5j" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mf3j-86qx-cq5j", "reference_id": "GHSA-mf3j-86qx-cq5j", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T14:08:58Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mf3j-86qx-cq5j" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40420?format=api", "purl": "pkg:npm/parse-server@9.5.0-alpha.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": 
"VCID-22pk-5s6t-ufaw" }, { "vulnerability": "VCID-262h-v1yd-tfc9" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2qbc-paq8-2fgn" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-2syy-yyte-nug4" }, { "vulnerability": "VCID-2t98-yfws-zfgn" }, { "vulnerability": "VCID-383v-s4c7-6bfu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-8cct-wkqq-nqdm" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-brgs-d2uu-a7bt" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-caj3-ujpk-hba5" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dmkx-64cw-67ae" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-fdqv-3n6r-2fgb" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gjus-pwzw-qufs" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hh7p-ae88-z3fs" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-jh6w-1y2k-27de" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-pkkz-wwqa-1ufw" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-qybe-rg1s-6kau" }, { "vulnerability": 
"VCID-rr98-m4bd-dqhf" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-smga-c628-mucb" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-w175-44z9-c3h5" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-wtbe-kc8y-77dk" }, { "vulnerability": "VCID-xrz4-1vpd-2qeg" }, { "vulnerability": "VCID-yup6-6p9f-n7bu" }, { "vulnerability": "VCID-zrvb-y7f6-ykby" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.0-alpha.14" } ], "aliases": [ "CVE-2026-30925", "GHSA-mf3j-86qx-cq5j" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bzw6-4m1j-6fe2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66514?format=api", "vulnerability_id": "VCID-caj3-ujpk-hba5", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.10 and 8.6.23, Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint (/batch) processes sub-requests internally by routing them directly through the Promise router, bypassing Express middleware including rate limiting. An attacker can bundle multiple requests targeting a rate-limited endpoint into a single batch request to circumvent the configured rate limit. Any Parse Server deployment that relies on the built-in rate limiting feature is affected. 
This vulnerability is fixed in 9.5.2-alpha.10 and 8.6.23.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30972", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00062", "scoring_system": "epss", "scoring_elements": "0.19686", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00062", "scoring_system": "epss", "scoring_elements": "0.19664", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00062", "scoring_system": "epss", "scoring_elements": "0.1949", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30972" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.23", "reference_id": "8.6.23", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:53:44Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.23" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.10", "reference_id": "9.5.2-alpha.10", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", 
"scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:53:44Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.10" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30972", "reference_id": "CVE-2026-30972", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30972" }, { "reference_url": "https://github.com/advisories/GHSA-775h-3xrc-c228", "reference_id": "GHSA-775h-3xrc-c228", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-775h-3xrc-c228" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-775h-3xrc-c228", "reference_id": "GHSA-775h-3xrc-c228", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:53:44Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-775h-3xrc-c228" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40658?format=api", "purl": "pkg:npm/parse-server@9.5.2-alpha.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": 
"VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-262h-v1yd-tfc9" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2qbc-paq8-2fgn" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-fdqv-3n6r-2fgb" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gjus-pwzw-qufs" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hh7p-ae88-z3fs" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-jh6w-1y2k-27de" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-qybe-rg1s-6kau" }, { "vulnerability": "VCID-rr98-m4bd-dqhf" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-w175-44z9-c3h5" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-xrz4-1vpd-2qeg" }, { "vulnerability": "VCID-zrvb-y7f6-ykby" }, { "vulnerability": 
"VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.10" } ], "aliases": [ "CVE-2026-30972", "GHSA-775h-3xrc-c228" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-caj3-ujpk-hba5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71310?format=api", "vulnerability_id": "VCID-fdqv-3n6r-2fgb", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.4 and 8.6.30, an attacker can upload a file with a file extension or content type that is not blocked by the default configuration of the Parse Server fileUpload.fileExtensions option. The file can contain malicious code, for example JavaScript in an SVG or XHTML file. When the file is accessed via its URL, the browser renders the file and executes the malicious code in the context of the Parse Server domain. This is a stored Cross-Site Scripting (XSS) vulnerability that can be exploited to steal session tokens, redirect users, or perform actions on behalf of other users. Affected file extensions and content types include .svgz, .xht, .xml, .xsl, .xslt, and content types application/xhtml+xml and application/xslt+xml for extensionless uploads. Uploading of .html, .htm, .shtml, .xhtml, and .svg files was already blocked. 
This vulnerability is fixed in 9.6.0-alpha.4 and 8.6.30.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31868", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.20212", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.20191", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.20019", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31868" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.30", "reference_id": "8.6.30", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:10:45Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.30" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.4", "reference_id": "9.6.0-alpha.4", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", 
"scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:10:45Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31868", "reference_id": "CVE-2026-31868", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31868" }, { "reference_url": "https://github.com/advisories/GHSA-v5hf-f4c3-m5rv", "reference_id": "GHSA-v5hf-f4c3-m5rv", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v5hf-f4c3-m5rv" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-v5hf-f4c3-m5rv", "reference_id": "GHSA-v5hf-f4c3-m5rv", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:10:45Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-v5hf-f4c3-m5rv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40686?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" 
}, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hh7p-ae88-z3fs" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-qybe-rg1s-6kau" }, { "vulnerability": "VCID-rr98-m4bd-dqhf" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-w175-44z9-c3h5" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-xrz4-1vpd-2qeg" }, { "vulnerability": "VCID-zrvb-y7f6-ykby" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.4" } ], "aliases": [ "CVE-2026-31868", "GHSA-v5hf-f4c3-m5rv" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", 
"resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fdqv-3n6r-2fgb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71319?format=api", "vulnerability_id": "VCID-gjus-pwzw-qufs", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.13 and 8.6.26, the LDAP authentication adapter is vulnerable to LDAP injection. User-supplied input (authData.id) is interpolated directly into LDAP Distinguished Names (DN) and group search filters without escaping special characters. This allows an attacker with valid LDAP credentials to manipulate the bind DN structure and to bypass group membership checks. This enables privilege escalation from any authenticated LDAP user to a member of any restricted group. The vulnerability affects Parse Server deployments that use the LDAP authentication adapter with group-based access control. This vulnerability is fixed in 9.5.2-alpha.13 and 8.6.26.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31828", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00164", "scoring_system": "epss", "scoring_elements": "0.37447", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00164", "scoring_system": "epss", "scoring_elements": "0.37423", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00164", "scoring_system": "epss", "scoring_elements": "0.37245", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31828" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { 
"reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.26", "reference_id": "8.6.26", "reference_type": "", "scores": [ { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:51:50Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.26" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.13", "reference_id": "9.5.2-alpha.13", "reference_type": "", "scores": [ { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:51:50Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.13" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31828", "reference_id": "CVE-2026-31828", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31828" }, { "reference_url": "https://github.com/advisories/GHSA-7m6r-fhh7-r47c", "reference_id": "GHSA-7m6r-fhh7-r47c", "reference_type": 
"", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7m6r-fhh7-r47c" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7m6r-fhh7-r47c", "reference_id": "GHSA-7m6r-fhh7-r47c", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:51:50Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7m6r-fhh7-r47c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40664?format=api", "purl": "pkg:npm/parse-server@9.5.2-alpha.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-262h-v1yd-tfc9" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2qbc-paq8-2fgn" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" 
}, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-fdqv-3n6r-2fgb" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hh7p-ae88-z3fs" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-qybe-rg1s-6kau" }, { "vulnerability": "VCID-rr98-m4bd-dqhf" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-w175-44z9-c3h5" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-xrz4-1vpd-2qeg" }, { "vulnerability": "VCID-zrvb-y7f6-ykby" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.13" } ], "aliases": [ "CVE-2026-31828", "GHSA-7m6r-fhh7-r47c" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gjus-pwzw-qufs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71291?format=api", "vulnerability_id": "VCID-jh6w-1y2k-27de", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. 
Prior to 9.5.2-alpha.12 and 8.6.25, the _GraphQLConfig and _Audience internal classes can be read, modified, and deleted via the generic /classes/_GraphQLConfig and /classes/_Audience REST API routes without master key authentication. This bypasses the master key enforcement that exists on the dedicated /graphql-config and /push_audiences endpoints. An attacker can read, modify and delete GraphQL configuration and push audience data. This vulnerability is fixed in 9.5.2-alpha.12 and 8.6.25.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31800", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00106", "scoring_system": "epss", "scoring_elements": "0.2837", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00106", "scoring_system": "epss", "scoring_elements": "0.28346", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00106", "scoring_system": "epss", "scoring_elements": "0.2815", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31800" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.25", "reference_id": "8.6.25", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:53:42Z/" } ], "url": 
"https://github.com/parse-community/parse-server/releases/tag/8.6.25" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.12", "reference_id": "9.5.2-alpha.12", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:53:42Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.12" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31800", "reference_id": "CVE-2026-31800", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31800" }, { "reference_url": "https://github.com/advisories/GHSA-7xg7-rqf6-pw6c", "reference_id": "GHSA-7xg7-rqf6-pw6c", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7xg7-rqf6-pw6c" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7xg7-rqf6-pw6c", "reference_id": "GHSA-7xg7-rqf6-pw6c", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:53:42Z/" } ], "url": 
"https://github.com/parse-community/parse-server/security/advisories/GHSA-7xg7-rqf6-pw6c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40661?format=api", "purl": "pkg:npm/parse-server@9.5.2-alpha.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-262h-v1yd-tfc9" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2qbc-paq8-2fgn" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-fdqv-3n6r-2fgb" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gjus-pwzw-qufs" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hh7p-ae88-z3fs" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-qybe-rg1s-6kau" }, { "vulnerability": 
"VCID-rr98-m4bd-dqhf" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-w175-44z9-c3h5" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-xrz4-1vpd-2qeg" }, { "vulnerability": "VCID-zrvb-y7f6-ykby" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.12" } ], "aliases": [ "CVE-2026-31800", "GHSA-7xg7-rqf6-pw6c" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jh6w-1y2k-27de" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66452?format=api", "vulnerability_id": "VCID-pkkz-wwqa-1ufw", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.7 and 8.6.20, Parse Server's internal tables, which store Relation field mappings such as role memberships, can be directly accessed via the REST API or GraphQL API by any client using only the application key. No master key is required. An attacker can create, read, update, or delete records in any internal relationship table. Exploiting this allows the attacker to inject themselves into any Parse Role, gaining all permissions associated with that role, including full read, write, and delete access to classes protected by role-based Class-Level Permissions (CLP). Similarly, writing to any such table that backs a Relation field used in a pointerFields CLP bypasses that access control. 
This vulnerability is fixed in 9.5.2-alpha.7 and 8.6.20.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30966", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.20308", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.20328", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.20132", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30966" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.20", "reference_id": "8.6.20", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-11T14:31:08Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.20" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.7", "reference_id": "9.5.2-alpha.7", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { 
"value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-11T14:31:08Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.7" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30966", "reference_id": "CVE-2026-30966", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30966" }, { "reference_url": "https://github.com/advisories/GHSA-5f92-jrq3-28rc", "reference_id": "GHSA-5f92-jrq3-28rc", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5f92-jrq3-28rc" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-5f92-jrq3-28rc", "reference_id": "GHSA-5f92-jrq3-28rc", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-11T14:31:08Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-5f92-jrq3-28rc" } ], "fixed_packages": [ { "url": 
"http://public2.vulnerablecode.io/api/packages/40654?format=api", "purl": "pkg:npm/parse-server@9.5.2-alpha.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-262h-v1yd-tfc9" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2qbc-paq8-2fgn" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-2syy-yyte-nug4" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-caj3-ujpk-hba5" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-fdqv-3n6r-2fgb" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gjus-pwzw-qufs" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hh7p-ae88-z3fs" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-jh6w-1y2k-27de" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-qybe-rg1s-6kau" }, { "vulnerability": 
"VCID-rr98-m4bd-dqhf" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-w175-44z9-c3h5" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-wtbe-kc8y-77dk" }, { "vulnerability": "VCID-xrz4-1vpd-2qeg" }, { "vulnerability": "VCID-zrvb-y7f6-ykby" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.7" } ], "aliases": [ "CVE-2026-30966", "GHSA-5f92-jrq3-28rc" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pkkz-wwqa-1ufw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71476?format=api", "vulnerability_id": "VCID-qybe-rg1s-6kau", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.5 and 8.6.31, a SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation (e.g., stats.counter). The sub-key name is interpolated directly into SQL string literals without escaping. An attacker who can send write requests to the Parse Server REST API can inject arbitrary SQL via a crafted sub-key name containing single quotes, potentially executing commands or reading data from the database, bypassing CLPs and ACLs. Only Postgres deployments are affected. 
This vulnerability is fixed in 9.6.0-alpha.5 and 8.6.31.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31871", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13424", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13419", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13311", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31871" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.31", "reference_id": "8.6.31", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:09:48Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.31" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.5", "reference_id": "9.6.0-alpha.5", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", 
"scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:09:48Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.5" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31871", "reference_id": "CVE-2026-31871", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31871" }, { "reference_url": "https://github.com/advisories/GHSA-gqpp-xgvh-9h7h", "reference_id": "GHSA-gqpp-xgvh-9h7h", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gqpp-xgvh-9h7h" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-gqpp-xgvh-9h7h", "reference_id": "GHSA-gqpp-xgvh-9h7h", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:09:48Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-gqpp-xgvh-9h7h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40689?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" 
}, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hh7p-ae88-z3fs" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-rr98-m4bd-dqhf" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-w175-44z9-c3h5" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-xrz4-1vpd-2qeg" }, { "vulnerability": "VCID-zrvb-y7f6-ykby" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.5" } ], "aliases": [ "CVE-2026-31871", "GHSA-gqpp-xgvh-9h7h" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": 
"http://public2.vulnerablecode.io/vulnerabilities/VCID-qybe-rg1s-6kau" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66426?format=api", "vulnerability_id": "VCID-rbax-edn6-d3aw", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint (GET /files/:appId/metadata/:filename) does not enforce beforeFind / afterFind file triggers. When these triggers are used as access-control gates, the metadata endpoint bypasses them entirely, allowing unauthorized access to file metadata. This issue has been patched in versions 8.6.9 and 9.5.0-alpha.9.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30850", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06172", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.0618", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06191", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30850" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30850", "reference_id": "CVE-2026-30850", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": 
"generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30850" }, { "reference_url": "https://github.com/advisories/GHSA-hwx8-q9cg-mqmc", "reference_id": "GHSA-hwx8-q9cg-mqmc", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hwx8-q9cg-mqmc" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-hwx8-q9cg-mqmc", "reference_id": "GHSA-hwx8-q9cg-mqmc", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T17:38:46Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-hwx8-q9cg-mqmc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40402?format=api", "purl": "pkg:npm/parse-server@9.5.0-alpha.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-14sg-981y-pbdx" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-22pk-5s6t-ufaw" }, { "vulnerability": "VCID-262h-v1yd-tfc9" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2qbc-paq8-2fgn" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-2syy-yyte-nug4" }, { "vulnerability": "VCID-2t98-yfws-zfgn" }, { "vulnerability": "VCID-383v-s4c7-6bfu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": 
"VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-8cct-wkqq-nqdm" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-brgs-d2uu-a7bt" }, { "vulnerability": "VCID-bzw6-4m1j-6fe2" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-caj3-ujpk-hba5" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dmkx-64cw-67ae" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-fdqv-3n6r-2fgb" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gjus-pwzw-qufs" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hh7p-ae88-z3fs" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-jh6w-1y2k-27de" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-pkkz-wwqa-1ufw" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-qybe-rg1s-6kau" }, { "vulnerability": "VCID-rr98-m4bd-dqhf" }, { "vulnerability": "VCID-ryzc-v8ju-zbcd" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-smga-c628-mucb" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-w175-44z9-c3h5" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-wtbe-kc8y-77dk" }, { "vulnerability": "VCID-xrz4-1vpd-2qeg" }, { "vulnerability": 
"VCID-yup6-6p9f-n7bu" }, { "vulnerability": "VCID-zrvb-y7f6-ykby" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.0-alpha.9" } ], "aliases": [ "CVE-2026-30850", "GHSA-hwx8-q9cg-mqmc" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rbax-edn6-d3aw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71429?format=api", "vulnerability_id": "VCID-rr98-m4bd-dqhf", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.34 and 9.6.0-alpha.8, the email verification endpoint (/verificationEmailRequest) returns distinct error responses depending on whether an email address belongs to an existing user, is already verified, or does not exist. An attacker can send requests with different email addresses and observe the error codes to determine which email addresses are registered in the application. This is a user enumeration vulnerability that affects any Parse Server deployment with email verification enabled (verifyUserEmails: true). 
This vulnerability is fixed in 8.6.34 and 9.6.0-alpha.8.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31901", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00044", "scoring_system": "epss", "scoring_elements": "0.14192", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00044", "scoring_system": "epss", "scoring_elements": "0.14195", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00044", "scoring_system": "epss", "scoring_elements": "0.14077", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31901" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.34", "reference_id": "8.6.34", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:01:34Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.34" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.8", "reference_id": "9.6.0-alpha.8", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", 
"scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:01:34Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.8" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31901", "reference_id": "CVE-2026-31901", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31901" }, { "reference_url": "https://github.com/advisories/GHSA-w54v-hf9p-8856", "reference_id": "GHSA-w54v-hf9p-8856", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w54v-hf9p-8856" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-w54v-hf9p-8856", "reference_id": "GHSA-w54v-hf9p-8856", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:01:34Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-w54v-hf9p-8856" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40694?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" 
}, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hh7p-ae88-z3fs" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-zrvb-y7f6-ykby" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.8" } ], "aliases": [ "CVE-2026-31901", "GHSA-w54v-hf9p-8856" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rr98-m4bd-dqhf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66316?format=api", 
"vulnerability_id": "VCID-ryzc-v8ju-zbcd", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.10 and 9.5.0-alpha.11, the Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter's audience configuration option is not set (clientId for Google/Apple, appIds for Facebook), JWT verification silently skips audience claim validation. This allows an attacker to use a validly signed JWT issued for a different application to authenticate as any user on the target Parse Server. This issue has been patched in versions 8.6.10 and 9.5.0-alpha.11.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30863", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10493", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10547", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30863" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30863", "reference_id": "CVE-2026-30863", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30863" }, { "reference_url": 
"https://github.com/advisories/GHSA-x6fw-778m-wr9v", "reference_id": "GHSA-x6fw-778m-wr9v", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-x6fw-778m-wr9v" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-x6fw-778m-wr9v", "reference_id": "GHSA-x6fw-778m-wr9v", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-09T16:43:47Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-x6fw-778m-wr9v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40406?format=api", "purl": "pkg:npm/parse-server@9.5.0-alpha.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-22pk-5s6t-ufaw" }, { "vulnerability": "VCID-262h-v1yd-tfc9" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2qbc-paq8-2fgn" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-2syy-yyte-nug4" }, { "vulnerability": "VCID-2t98-yfws-zfgn" }, { "vulnerability": "VCID-383v-s4c7-6bfu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-8cct-wkqq-nqdm" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-brgs-d2uu-a7bt" }, { "vulnerability": 
"VCID-bzw6-4m1j-6fe2" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-caj3-ujpk-hba5" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dmkx-64cw-67ae" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-fdqv-3n6r-2fgb" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gjus-pwzw-qufs" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hh7p-ae88-z3fs" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-jh6w-1y2k-27de" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-pkkz-wwqa-1ufw" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-qybe-rg1s-6kau" }, { "vulnerability": "VCID-rr98-m4bd-dqhf" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-smga-c628-mucb" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-w175-44z9-c3h5" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-wtbe-kc8y-77dk" }, { "vulnerability": "VCID-xrz4-1vpd-2qeg" }, { "vulnerability": "VCID-yup6-6p9f-n7bu" }, { "vulnerability": "VCID-zrvb-y7f6-ykby" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.0-alpha.11" } ], "aliases": [ 
"CVE-2026-30863", "GHSA-x6fw-778m-wr9v" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ryzc-v8ju-zbcd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66600?format=api", "vulnerability_id": "VCID-u6cq-nd7b-vucm", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0-alpha.8, the PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured pagesPath directory. The boundary check uses a string prefix comparison without enforcing a directory separator boundary. An attacker can use path traversal sequences to access files in sibling directories whose names share the same prefix as the pages directory (e.g. pages-secret starts with pages). This issue has been patched in versions 8.6.8 and 9.5.0-alpha.8.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30848", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06466", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06473", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06485", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30848" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { 
"reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30848", "reference_id": "CVE-2026-30848", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30848" }, { "reference_url": "https://github.com/advisories/GHSA-hm3f-q6rw-m6wh", "reference_id": "GHSA-hm3f-q6rw-m6wh", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hm3f-q6rw-m6wh" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-hm3f-q6rw-m6wh", "reference_id": "GHSA-hm3f-q6rw-m6wh", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T17:38:49Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-hm3f-q6rw-m6wh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40397?format=api", "purl": "pkg:npm/parse-server@9.5.0-alpha.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-14sg-981y-pbdx" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-22pk-5s6t-ufaw" }, { "vulnerability": "VCID-262h-v1yd-tfc9" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2qbc-paq8-2fgn" }, { "vulnerability": 
"VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-2syy-yyte-nug4" }, { "vulnerability": "VCID-2t98-yfws-zfgn" }, { "vulnerability": "VCID-383v-s4c7-6bfu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-8cct-wkqq-nqdm" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-brgs-d2uu-a7bt" }, { "vulnerability": "VCID-bzw6-4m1j-6fe2" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-caj3-ujpk-hba5" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dmkx-64cw-67ae" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-fdqv-3n6r-2fgb" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gjus-pwzw-qufs" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hh7p-ae88-z3fs" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-jh6w-1y2k-27de" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-pkkz-wwqa-1ufw" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-qybe-rg1s-6kau" }, { "vulnerability": "VCID-rbax-edn6-d3aw" }, { "vulnerability": "VCID-rr98-m4bd-dqhf" }, { "vulnerability": "VCID-ryzc-v8ju-zbcd" }, { "vulnerability": 
"VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-smga-c628-mucb" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-w175-44z9-c3h5" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-wtbe-kc8y-77dk" }, { "vulnerability": "VCID-xrz4-1vpd-2qeg" }, { "vulnerability": "VCID-yup6-6p9f-n7bu" }, { "vulnerability": "VCID-zrvb-y7f6-ykby" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.0-alpha.8" } ], "aliases": [ "CVE-2026-30848", "GHSA-hm3f-q6rw-m6wh" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-u6cq-nd7b-vucm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71323?format=api", "vulnerability_id": "VCID-w175-44z9-c3h5", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.7 and 8.6.33, when multi-factor authentication (MFA) via TOTP is enabled for a user account, Parse Server generates two single-use recovery codes. These codes are intended as a fallback when the user cannot provide a TOTP token. However, recovery codes are not consumed after use, allowing the same recovery code to be used an unlimited number of times. This defeats the single-use design of recovery codes and weakens the security of MFA-protected accounts. An attacker who obtains a single recovery code can repeatedly authenticate as the affected user without the code ever being invalidated. 
This vulnerability is fixed in 9.6.0-alpha.7 and 8.6.33.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31875", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00139", "scoring_system": "epss", "scoring_elements": "0.33889", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00139", "scoring_system": "epss", "scoring_elements": "0.33867", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00139", "scoring_system": "epss", "scoring_elements": "0.33687", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31875" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.33", "reference_id": "8.6.33", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:06:08Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.33" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.7", "reference_id": "9.6.0-alpha.7", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { 
"value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:06:08Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.7" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31875", "reference_id": "CVE-2026-31875", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31875" }, { "reference_url": "https://github.com/advisories/GHSA-4hf6-3x24-c9m8", "reference_id": "GHSA-4hf6-3x24-c9m8", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4hf6-3x24-c9m8" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-4hf6-3x24-c9m8", "reference_id": "GHSA-4hf6-3x24-c9m8", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:06:08Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-4hf6-3x24-c9m8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40692?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" 
}, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hh7p-ae88-z3fs" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-rr98-m4bd-dqhf" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-zrvb-y7f6-ykby" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.7" } ], "aliases": [ "CVE-2026-31875", "GHSA-4hf6-3x24-c9m8" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w175-44z9-c3h5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66569?format=api", 
"vulnerability_id": "VCID-wtbe-kc8y-77dk", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.9 and 8.6.22, the OAuth2 authentication adapter, when configured without the useridField option, only verifies that a token is active via the provider's token introspection endpoint, but does not verify that the token belongs to the user identified by authData.id. An attacker with any valid OAuth2 token from the same provider can authenticate as any other user. This affects any Parse Server deployment that uses the generic OAuth2 authentication adapter (configured with oauth2: true) without setting the useridField option. This vulnerability is fixed in 9.5.2-alpha.9 and 8.6.22.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30967", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00127", "scoring_system": "epss", "scoring_elements": "0.31865", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00127", "scoring_system": "epss", "scoring_elements": "0.31848", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00127", "scoring_system": "epss", "scoring_elements": "0.3166", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30967" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.22", "reference_id": "8.6.22", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:24:03Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.22" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.9", "reference_id": "9.5.2-alpha.9", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:24:03Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.9" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30967", "reference_id": "CVE-2026-30967", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30967" }, { "reference_url": "https://github.com/advisories/GHSA-fr88-w35c-r596", "reference_id": "GHSA-fr88-w35c-r596", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fr88-w35c-r596" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-fr88-w35c-r596", "reference_id": "GHSA-fr88-w35c-r596", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:24:03Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-fr88-w35c-r596" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40655?format=api", "purl": "pkg:npm/parse-server@9.5.2-alpha.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-262h-v1yd-tfc9" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2qbc-paq8-2fgn" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-caj3-ujpk-hba5" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-fdqv-3n6r-2fgb" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gjus-pwzw-qufs" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hh7p-ae88-z3fs" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-jh6w-1y2k-27de" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { 
"vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-qybe-rg1s-6kau" }, { "vulnerability": "VCID-rr98-m4bd-dqhf" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-w175-44z9-c3h5" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-xrz4-1vpd-2qeg" }, { "vulnerability": "VCID-zrvb-y7f6-ykby" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.9" } ], "aliases": [ "CVE-2026-30967", "GHSA-fr88-w35c-r596" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wtbe-kc8y-77dk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71277?format=api", "vulnerability_id": "VCID-xrz4-1vpd-2qeg", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.6 and 8.6.32, the protectedFields class-level permission (CLP) can be bypassed using dot-notation in query WHERE clauses and sort parameters. An attacker can use dot-notation to query or sort by sub-fields of a protected field, enabling a binary oracle attack to enumerate protected field values. This affects both MongoDB and PostgreSQL deployments. 
This vulnerability is fixed in 9.6.0-alpha.6 and 8.6.32.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31872", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00049", "scoring_system": "epss", "scoring_elements": "0.15723", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00049", "scoring_system": "epss", "scoring_elements": "0.15709", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00049", "scoring_system": "epss", "scoring_elements": "0.1557", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31872" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.32", "reference_id": "8.6.32", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:09:09Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.32" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.6", "reference_id": "9.6.0-alpha.6", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { 
"value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:09:09Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31872", "reference_id": "CVE-2026-31872", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31872" }, { "reference_url": "https://github.com/advisories/GHSA-r2m8-pxm9-9c4g", "reference_id": "GHSA-r2m8-pxm9-9c4g", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r2m8-pxm9-9c4g" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-r2m8-pxm9-9c4g", "reference_id": "GHSA-r2m8-pxm9-9c4g", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:09:09Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-r2m8-pxm9-9c4g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40691?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" 
}, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hh7p-ae88-z3fs" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-rr98-m4bd-dqhf" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-w175-44z9-c3h5" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-zrvb-y7f6-ykby" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.6" } ], "aliases": [ "CVE-2026-31872", "GHSA-r2m8-pxm9-9c4g" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xrz4-1vpd-2qeg" } ], "fixing_vulnerabilities": [], "risk_score": 
"4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.0.0-alpha.11" }