| purl | pkg:npm/parse-dashboard@8.3.0 |
| Next non-vulnerable version | 9.0.0-alpha.8 |
| Latest non-vulnerable version | 9.0.0-alpha.8 |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-9bjq-kezp-j7hu (Aliases: CVE-2026-27595, GHSA-qwc3-h9mg-4582) | Parse Dashboard has incomplete authentication on AI Agent endpoint. The AI Agent API endpoint (`POST /apps/:appId/agent`) lacks authentication. Unauthenticated remote attackers can send requests to the endpoint and perform arbitrary database operations against any connected Parse Server using the master key. | Affected by 0 other vulnerabilities. |
| VCID-jgzj-d9zg-cybj (Aliases: CVE-2026-27609, GHSA-3534-xp88-25rc) | Parse Dashboard is Missing CSRF Protection for its Agent Endpoint. The AI Agent API endpoint (`POST /apps/:appId/agent`) lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim's session. | Affected by 0 other vulnerabilities. |
| VCID-mu7e-2479-fbar (Aliases: CVE-2026-27608, GHSA-cvwj-6c9h-jg6v) | Parse Dashboard is Missing Authorization for its Agent Endpoint. The AI Agent API endpoint (`POST /apps/:appId/agent`) does not enforce authorization. Authenticated users scoped to specific apps can access any other app's agent endpoint by changing the app ID in the URL. Read-only users are given the full master key instead of the read-only master key and can supply write permissions in the request body to perform write and delete operations. Only dashboards with `agent` configuration enabled are affected. | Affected by 0 other vulnerabilities. |
| VCID-pkmq-2gbk-27gp (Aliases: CVE-2026-27610, GHSA-jhp4-jvq3-w5xr) | Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions. The `ConfigKeyCache` uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key. | Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-06T07:05:10.196173+00:00 | GitLab Importer | Affected by | VCID-mu7e-2479-fbar | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/parse-dashboard/CVE-2026-27608.yml | 38.6.0 |
| 2026-06-06T07:03:32.066823+00:00 | GitLab Importer | Affected by | VCID-9bjq-kezp-j7hu | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/parse-dashboard/CVE-2026-27595.yml | 38.6.0 |
| 2026-06-06T07:02:40.856578+00:00 | GitLab Importer | Affected by | VCID-pkmq-2gbk-27gp | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/parse-dashboard/CVE-2026-27610.yml | 38.6.0 |
| 2026-06-06T07:02:39.350261+00:00 | GitLab Importer | Affected by | VCID-jgzj-d9zg-cybj | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/parse-dashboard/CVE-2026-27609.yml | 38.6.0 |