| 0 |
| url |
VCID-13fb-z2vs-83hu |
| vulnerability_id |
VCID-13fb-z2vs-83hu |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.19 and 8.6.43, a remote attacker can crash the Parse Server by subscribing to a LiveQuery with an invalid regular expression pattern. The server process terminates when the invalid pattern reaches the regex engine during subscription matching, causing denial of service for all connected clients. The fix in 9.6.0-alpha.19 and 8.6.43 validates regular expression patterns at subscription time, rejecting invalid patterns before they are stored. Additionally, a defense-in-depth try-catch prevents any subscription matching error from crashing the server process. As a workaround, disable LiveQuery if it is not needed. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.43 |
| purl |
pkg:npm/parse-server@8.6.43 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 1 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 2 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 3 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 4 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 5 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 6 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 7 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 8 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 9 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 10 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 11 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 12 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 13 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 14 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 15 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 16 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 17 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 18 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 19 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 20 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 21 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 22 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 23 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 24 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 25 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 26 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 27 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 28 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 29 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.43 |
|
| 1 |
| url |
pkg:npm/parse-server@9.6.0-alpha.19 |
| purl |
pkg:npm/parse-server@9.6.0-alpha.19 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 1 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 2 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 3 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 4 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 5 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 6 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 7 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 8 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 9 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 10 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 11 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 12 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 13 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 14 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 15 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 16 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 17 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 18 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 19 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 20 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 21 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 22 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 23 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 24 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 25 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 26 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 27 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 28 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 29 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.19 |
|
|
| aliases |
CVE-2026-32770, GHSA-827p-g5x5-h86c
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-13fb-z2vs-83hu |
|
| 1 |
| url |
VCID-14fp-bjdd-uffh |
| vulnerability_id |
VCID-14fp-bjdd-uffh |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session's protected fields with a single request. The equivalent GET /sessions and GET /sessions/:objectId endpoints correctly strip protected fields. This vulnerability is fixed in 9.8.0-alpha.7 and 8.6.75. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-39381, GHSA-g4v2-qx3q-4p64
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-14fp-bjdd-uffh |
|
| 2 |
| url |
VCID-1y9a-gb1j-ufdu |
| vulnerability_id |
VCID-1y9a-gb1j-ufdu |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.24 and 8.6.47, remote clients can crash the Parse Server process by calling a cloud function endpoint with a crafted function name that traverses the JavaScript prototype chain of a registered cloud function handler, causing a stack overflow. The fix in versions 9.6.0-alpha.24 and 8.6.47 restricts property lookups during cloud function name resolution to own properties only, preventing prototype chain traversal from stored function handlers. There is no known workaround. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.47 |
| purl |
pkg:npm/parse-server@8.6.47 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 1 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 2 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 3 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 4 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 5 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 6 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 7 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 8 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 9 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 10 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 11 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 12 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 13 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 14 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 15 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 16 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 17 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 18 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 19 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 20 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 21 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 22 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 23 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 24 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 25 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 26 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.47 |
|
| 1 |
| url |
pkg:npm/parse-server@9.6.0-alpha.24 |
| purl |
pkg:npm/parse-server@9.6.0-alpha.24 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 1 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 2 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 3 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 4 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 5 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 6 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 7 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 8 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 9 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 10 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 11 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 12 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 13 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 14 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 15 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 16 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 17 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 18 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 19 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 20 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 21 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 22 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 23 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 24 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 25 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 26 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.24 |
|
|
| aliases |
CVE-2026-32886, GHSA-4263-jgmp-7pf4
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1y9a-gb1j-ufdu |
|
| 3 |
| url |
VCID-22pk-5s6t-ufaw |
| vulnerability_id |
VCID-22pk-5s6t-ufaw |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior 9.5.2-alpha.2 and 8.6.15, an unauthenticated attacker can exhaust Parse Server resources (CPU, memory, database connections) through crafted queries that exploit the lack of complexity limits in the REST and GraphQL APIs. All Parse Server deployments using the REST or GraphQL API are affected. This vulnerability is fixed in 9.5.2-alpha.2 and 8.6.15. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.15 |
| purl |
pkg:npm/parse-server@8.6.15 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 4 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 5 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 6 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 7 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 8 |
| vulnerability |
VCID-2t98-yfws-zfgn |
|
| 9 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 10 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 11 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 12 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 13 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 14 |
| vulnerability |
VCID-brgs-d2uu-a7bt |
|
| 15 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 16 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 17 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 18 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 19 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 20 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 21 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 22 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 23 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 24 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 25 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 26 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 27 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 28 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 29 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 30 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 31 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 32 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 33 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 34 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 35 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 36 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 37 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 38 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 39 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 40 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 41 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 42 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 43 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 44 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 45 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 46 |
| vulnerability |
VCID-smga-c628-mucb |
|
| 47 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 48 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 49 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 50 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 51 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 52 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 53 |
| vulnerability |
VCID-yup6-6p9f-n7bu |
|
| 54 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 55 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.15 |
|
| 1 |
| url |
pkg:npm/parse-server@9.5.2-alpha.2 |
| purl |
pkg:npm/parse-server@9.5.2-alpha.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 4 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 5 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 6 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 7 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 8 |
| vulnerability |
VCID-2t98-yfws-zfgn |
|
| 9 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 10 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 11 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 12 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 13 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 14 |
| vulnerability |
VCID-brgs-d2uu-a7bt |
|
| 15 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 16 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 17 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 18 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 19 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 20 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 21 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 22 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 23 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 24 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 25 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 26 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 27 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 28 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 29 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 30 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 31 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 32 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 33 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 34 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 35 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 36 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 37 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 38 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 39 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 40 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 41 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 42 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 43 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 44 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 45 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 46 |
| vulnerability |
VCID-smga-c628-mucb |
|
| 47 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 48 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 49 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 50 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 51 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 52 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 53 |
| vulnerability |
VCID-yup6-6p9f-n7bu |
|
| 54 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 55 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.2 |
|
|
| aliases |
CVE-2026-30946, GHSA-cmj3-wx7h-ffvg
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-22pk-5s6t-ufaw |
|
| 4 |
| url |
VCID-262h-v1yd-tfc9 |
| vulnerability_id |
VCID-262h-v1yd-tfc9 |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation (e.g., stats.counter). The amount value is interpolated directly into the SQL query without parameterization or type validation. An attacker who can send write requests to the Parse Server REST API can inject arbitrary SQL subqueries to read any data from the database, bypassing CLPs and ACLs. MongoDB deployments are not affected. This vulnerability is fixed in 9.6.0-alpha.3 and 8.6.29. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.29 |
| purl |
pkg:npm/parse-server@8.6.29 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 4 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 5 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 6 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 7 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 8 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 9 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 10 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 11 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 12 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 13 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 14 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 15 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 16 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 17 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 18 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 19 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 20 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 21 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 22 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 23 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 24 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 25 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 26 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 27 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 28 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 29 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 30 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 31 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 32 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 33 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 34 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 35 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 36 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 37 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 38 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 39 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 40 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 41 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 42 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 43 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.29 |
|
| 1 |
| url |
pkg:npm/parse-server@9.6.0-alpha.3 |
| purl |
pkg:npm/parse-server@9.6.0-alpha.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 4 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 5 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 6 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 7 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 8 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 9 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 10 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 11 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 12 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 13 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 14 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 15 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 16 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 17 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 18 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 19 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 20 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 21 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 22 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 23 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 24 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 25 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 26 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 27 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 28 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 29 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 30 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 31 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 32 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 33 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 34 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 35 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 36 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 37 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 38 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 39 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 40 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 41 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 42 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 43 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.3 |
|
|
| aliases |
CVE-2026-31856, GHSA-q3vj-96h2-gwvg
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-262h-v1yd-tfc9 |
|
| 5 |
| url |
VCID-2fzy-ajnc-fbf9 |
| vulnerability_id |
VCID-2fzy-ajnc-fbf9 |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.40 and 9.6.0-alpha.14, the GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection control, and query complexity limits. An attacker can connect to the WebSocket endpoint and execute GraphQL operations without providing a valid application or API key, access the GraphQL schema via introspection even when public introspection is disabled, and send arbitrarily complex queries that bypass configured complexity limits. This vulnerability is fixed in 8.6.40 and 9.6.0-alpha.14. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.40 |
| purl |
pkg:npm/parse-server@8.6.40 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 4 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 5 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 6 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 7 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 8 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 9 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 10 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 11 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 12 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 13 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 14 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 15 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 16 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 17 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 18 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 19 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 20 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 21 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 22 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 23 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 24 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 25 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 26 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 27 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 28 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 29 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 30 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 31 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 32 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.40 |
|
| 1 |
| url |
pkg:npm/parse-server@9.6.0-alpha.14 |
| purl |
pkg:npm/parse-server@9.6.0-alpha.14 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 4 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 5 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 6 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 7 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 8 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 9 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 10 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 11 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 12 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 13 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 14 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 15 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 16 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 17 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 18 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 19 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 20 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 21 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 22 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 23 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 24 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 25 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 26 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 27 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 28 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 29 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 30 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 31 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 32 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.14 |
|
|
| aliases |
CVE-2026-32594, GHSA-p2x3-8689-cwpg
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2fzy-ajnc-fbf9 |
|
| 6 |
| url |
VCID-2qbc-paq8-2fgn |
| vulnerability_id |
VCID-2qbc-paq8-2fgn |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.2 and 8.6.28, an attacker can use a dot-notation field name in combination with the sort query parameter to inject SQL into the PostgreSQL database through an improper escaping of sub-field values in dot-notation queries. The vulnerability may also affect queries that use dot-notation field names with the distinct and where query parameters. This vulnerability only affects deployments using a PostgreSQL database. This vulnerability is fixed in 9.6.0-alpha.2 and 8.6.28. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.28 |
| purl |
pkg:npm/parse-server@8.6.28 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 4 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 5 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 6 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 7 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 8 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 9 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 10 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 11 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 12 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 13 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 14 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 15 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 16 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 17 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 18 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 19 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 20 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 21 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 22 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 23 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 24 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 25 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 26 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 27 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 28 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 29 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 30 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 31 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 32 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 33 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 34 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 35 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 36 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 37 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 38 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 39 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 40 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 41 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 42 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 43 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 44 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.28 |
|
| 1 |
| url |
pkg:npm/parse-server@9.6.0-alpha.2 |
| purl |
pkg:npm/parse-server@9.6.0-alpha.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 4 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 5 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 6 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 7 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 8 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 9 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 10 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 11 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 12 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 13 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 14 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 15 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 16 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 17 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 18 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 19 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 20 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 21 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 22 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 23 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 24 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 25 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 26 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 27 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 28 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 29 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 30 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 31 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 32 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 33 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 34 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 35 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 36 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 37 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 38 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 39 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 40 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 41 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 42 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 43 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 44 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.2 |
|
|
| aliases |
CVE-2026-31840, GHSA-qpr4-jrj4-6f27
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2qbc-paq8-2fgn |
|
| 7 |
| url |
VCID-2rxm-qxur-9ygu |
| vulnerability_id |
VCID-2rxm-qxur-9ygu |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.60 and 9.6.0-alpha.54, an attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending concurrent login requests. This defeats the single-use design of recovery codes. The attack requires the user's password, a valid recovery code, and the ability to send concurrent requests within milliseconds. This issue has been patched in versions 8.6.60 and 9.6.0-alpha.54. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.60 |
| purl |
pkg:npm/parse-server@8.6.60 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 1 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 2 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 3 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 4 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 5 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 6 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 7 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 8 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 9 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 10 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 11 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 12 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 13 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.60 |
|
| 1 |
|
|
| aliases |
CVE-2026-33624, GHSA-2299-ghjr-6vjp
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2rxm-qxur-9ygu |
|
| 8 |
| url |
VCID-2syy-yyte-nug4 |
| vulnerability_id |
VCID-2syy-yyte-nug4 |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.8 and 8.6.21, a vulnerability in Parse Server's query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other users by exploiting the redirectClassNameForKey query parameter. Exfiltrated session tokens can be used to take over user accounts. The vulnerability requires the attacker to be able to create or update an object with a new relation field, which depends on the Class-Level Permissions of at least one class. This vulnerability is fixed in 9.5.2-alpha.8 and 8.6.21. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.21 |
| purl |
pkg:npm/parse-server@8.6.21 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 4 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 5 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 6 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 7 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 8 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 9 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 10 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 11 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 12 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 13 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 14 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 15 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 16 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 17 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 18 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 19 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 20 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 21 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 22 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 23 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 24 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 25 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 26 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 27 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 28 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 29 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 30 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 31 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 32 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 33 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 34 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 35 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 36 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 37 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 38 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 39 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 40 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 41 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 42 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 43 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 44 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 45 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 46 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 47 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 48 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 49 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.21 |
|
| 1 |
| url |
pkg:npm/parse-server@9.5.2-alpha.8 |
| purl |
pkg:npm/parse-server@9.5.2-alpha.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 4 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 5 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 6 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 7 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 8 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 9 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 10 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 11 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 12 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 13 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 14 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 15 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 16 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 17 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 18 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 19 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 20 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 21 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 22 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 23 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 24 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 25 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 26 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 27 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 28 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 29 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 30 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 31 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 32 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 33 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 34 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 35 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 36 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 37 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 38 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 39 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 40 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 41 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 42 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 43 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 44 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 45 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 46 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 47 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 48 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 49 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.8 |
|
|
| aliases |
CVE-2026-30965, GHSA-6r2j-cxgf-495f
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2syy-yyte-nug4 |
|
| 9 |
| url |
VCID-2t98-yfws-zfgn |
| vulnerability_id |
VCID-2t98-yfws-zfgn |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.3 and 8.6.16, class-level permissions (CLP) are not enforced for LiveQuery subscriptions. An unauthenticated or unauthorized client can subscribe to any LiveQuery-enabled class and receive real-time events for all objects, regardless of CLP restrictions. All Parse Server deployments that use LiveQuery with class-level permissions are affected. Data intended to be restricted by CLP is leaked to unauthorized subscribers in real time. This vulnerability is fixed in 9.5.2-alpha.3 and 8.6.16. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.16 |
| purl |
pkg:npm/parse-server@8.6.16 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 4 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 5 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 6 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 7 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 8 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 9 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 10 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 11 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 12 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 13 |
| vulnerability |
VCID-brgs-d2uu-a7bt |
|
| 14 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 15 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 16 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 17 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 18 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 19 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 20 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 21 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 22 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 23 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 24 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 25 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 26 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 27 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 28 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 29 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 30 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 31 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 32 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 33 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 34 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 35 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 36 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 37 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 38 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 39 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 40 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 41 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 42 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 43 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 44 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 45 |
| vulnerability |
VCID-smga-c628-mucb |
|
| 46 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 47 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 48 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 49 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 50 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 51 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 52 |
| vulnerability |
VCID-yup6-6p9f-n7bu |
|
| 53 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 54 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.16 |
|
| 1 |
| url |
pkg:npm/parse-server@9.5.2-alpha.3 |
| purl |
pkg:npm/parse-server@9.5.2-alpha.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 4 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 5 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 6 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 7 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 8 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 9 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 10 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 11 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 12 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 13 |
| vulnerability |
VCID-brgs-d2uu-a7bt |
|
| 14 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 15 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 16 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 17 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 18 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 19 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 20 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 21 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 22 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 23 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 24 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 25 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 26 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 27 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 28 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 29 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 30 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 31 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 32 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 33 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 34 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 35 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 36 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 37 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 38 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 39 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 40 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 41 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 42 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 43 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 44 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 45 |
| vulnerability |
VCID-smga-c628-mucb |
|
| 46 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 47 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 48 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 49 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 50 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 51 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 52 |
| vulnerability |
VCID-yup6-6p9f-n7bu |
|
| 53 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 54 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.3 |
|
|
| aliases |
CVE-2026-30947, GHSA-7ch5-98q2-7289
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2t98-yfws-zfgn |
|
| 10 |
| url |
VCID-383v-s4c7-6bfu |
| vulnerability_id |
VCID-383v-s4c7-6bfu |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.13 and 9.5.1-alpha.2, an unauthenticated attacker can crash the Parse Server process by calling a Cloud Function endpoint with a prototype property name as the function name. The server recurses infinitely, causing a call stack size error that terminates the process. Other prototype property names bypass Cloud Function dispatch validation and return HTTP 200 responses, even though no such Cloud Functions are defined. The same applies to dot-notation traversal. All Parse Server deployments that expose the Cloud Function endpoint are affected. This vulnerability is fixed in 8.6.13 and 9.5.1-alpha.2. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.13 |
| purl |
pkg:npm/parse-server@8.6.13 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-22pk-5s6t-ufaw |
|
| 4 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 5 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 6 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 7 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 8 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 9 |
| vulnerability |
VCID-2t98-yfws-zfgn |
|
| 10 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 11 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 12 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 13 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 14 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 15 |
| vulnerability |
VCID-brgs-d2uu-a7bt |
|
| 16 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 17 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 18 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 19 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 20 |
| vulnerability |
VCID-dmkx-64cw-67ae |
|
| 21 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 22 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 23 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 24 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 25 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 26 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 27 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 28 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 29 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 30 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 31 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 32 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 33 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 34 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 35 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 36 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 37 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 38 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 39 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 40 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 41 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 42 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 43 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 44 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 45 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 46 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 47 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 48 |
| vulnerability |
VCID-smga-c628-mucb |
|
| 49 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 50 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 51 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 52 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 53 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 54 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 55 |
| vulnerability |
VCID-yup6-6p9f-n7bu |
|
| 56 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 57 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.13 |
|
| 1 |
| url |
pkg:npm/parse-server@9.5.1-alpha.2 |
| purl |
pkg:npm/parse-server@9.5.1-alpha.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-22pk-5s6t-ufaw |
|
| 4 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 5 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 6 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 7 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 8 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 9 |
| vulnerability |
VCID-2t98-yfws-zfgn |
|
| 10 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 11 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 12 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 13 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 14 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 15 |
| vulnerability |
VCID-brgs-d2uu-a7bt |
|
| 16 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 17 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 18 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 19 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 20 |
| vulnerability |
VCID-dmkx-64cw-67ae |
|
| 21 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 22 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 23 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 24 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 25 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 26 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 27 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 28 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 29 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 30 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 31 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 32 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 33 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 34 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 35 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 36 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 37 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 38 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 39 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 40 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 41 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 42 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 43 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 44 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 45 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 46 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 47 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 48 |
| vulnerability |
VCID-smga-c628-mucb |
|
| 49 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 50 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 51 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 52 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 53 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 54 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 55 |
| vulnerability |
VCID-yup6-6p9f-n7bu |
|
| 56 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 57 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.1-alpha.2 |
|
|
| aliases |
CVE-2026-30939, GHSA-5j86-7r7m-p8h6
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-383v-s4c7-6bfu |
|
| 11 |
| url |
VCID-49m3-j488-yqes |
| vulnerability_id |
VCID-49m3-j488-yqes |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0-alpha.10, the GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This bypasses origin restrictions that operators configure to control which websites can interact with the Parse Server API. The REST API correctly enforces the configured allowOrigin restriction. This issue has been patched in versions 8.6.66 and 9.7.0-alpha.10. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-34373, GHSA-q3p6-g7c4-829c
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-49m3-j488-yqes |
|
| 12 |
| url |
VCID-53r7-9knw-u7bd |
| vulnerability_id |
VCID-53r7-9knw-u7bd |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.29 and 8.6.49, a user can sign up without providing credentials by sending an empty `authData` object, bypassing the username and password requirement. This allows the creation of authenticated sessions without proper credentials, even when anonymous users are disabled. The fix in 9.6.0-alpha.29 and 8.6.49 ensures that empty or non-actionable `authData` is treated the same as absent `authData` for the purpose of credential validation on new user creation. Username and password are now required when no valid auth provider data is present. As a workaround, use a Cloud Code `beforeSave` trigger on the `_User` class to reject signups where `authData` is empty and no username/password is provided. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.49 |
| purl |
pkg:npm/parse-server@8.6.49 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 1 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 2 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 3 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 4 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 5 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 6 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 7 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 8 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 9 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 10 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 11 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 12 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 13 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 14 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 15 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 16 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 17 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 18 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 19 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 20 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 21 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 22 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 23 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 24 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.49 |
|
| 1 |
| url |
pkg:npm/parse-server@9.6.0-alpha.29 |
| purl |
pkg:npm/parse-server@9.6.0-alpha.29 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 1 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 2 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 3 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 4 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 5 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 6 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 7 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 8 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 9 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 10 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 11 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 12 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 13 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 14 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 15 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 16 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 17 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 18 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 19 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 20 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 21 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 22 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 23 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 24 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.29 |
|
|
| aliases |
CVE-2026-33042, GHSA-wjqw-r9x4-j59v
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-53r7-9knw-u7bd |
|
| 13 |
| url |
VCID-5bbt-8378-17d1 |
| vulnerability_id |
VCID-5bbt-8378-17d1 |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.51 and 9.6.0-alpha.40, the Pages route and legacy PublicAPI route for resending email verification links return distinguishable responses depending on whether the provided username exists and has an unverified email. This allows an unauthenticated attacker to enumerate valid usernames by observing different redirect targets. The existing emailVerifySuccessOnInvalidEmail configuration option, which is enabled by default and protects the API route against this, did not apply to these routes. This issue has been patched in versions 8.6.51 and 9.6.0-alpha.40. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.51 |
| purl |
pkg:npm/parse-server@8.6.51 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 1 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 2 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 3 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 4 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 5 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 6 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 7 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 8 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 9 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 10 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 11 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 12 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 13 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 14 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 15 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 16 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 17 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 18 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 19 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 20 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 21 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.51 |
|
| 1 |
| url |
pkg:npm/parse-server@9.0.0-alpha.1 |
| purl |
pkg:npm/parse-server@9.0.0-alpha.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 1 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 2 |
| vulnerability |
VCID-383v-s4c7-6bfu |
|
| 3 |
| vulnerability |
VCID-8cct-wkqq-nqdm |
|
| 4 |
| vulnerability |
VCID-bzw6-4m1j-6fe2 |
|
| 5 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 6 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 7 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 8 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 9 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 10 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 11 |
| vulnerability |
VCID-rbax-edn6-d3aw |
|
| 12 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 13 |
| vulnerability |
VCID-ryzc-v8ju-zbcd |
|
| 14 |
| vulnerability |
VCID-u6cq-nd7b-vucm |
|
| 15 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 16 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 17 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.0.0-alpha.1 |
|
| 2 |
| url |
pkg:npm/parse-server@9.6.0-alpha.40 |
| purl |
pkg:npm/parse-server@9.6.0-alpha.40 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 1 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 2 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 3 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 4 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 5 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 6 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 7 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 8 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 9 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 10 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 11 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 12 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 13 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 14 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 15 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 16 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 17 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 18 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 19 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 20 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 21 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.40 |
|
|
| aliases |
CVE-2026-33323, GHSA-h29g-q5c2-9h4f
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5bbt-8378-17d1 |
|
| 14 |
| url |
VCID-7jbf-hw56-9bcx |
| vulnerability_id |
VCID-7jbf-hw56-9bcx |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint. This defeats the single-use guarantee of MFA recovery codes and SMS one-time passwords, allowing session persistence even after the legitimate user revokes detected sessions. This issue has been patched in versions 8.6.64 and 9.7.0-alpha.8. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-34224, GHSA-w73w-g5xw-rwhf
|
| risk_score |
2.0 |
| exploitability |
0.5 |
| weighted_severity |
4.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7jbf-hw56-9bcx |
|
| 15 |
| url |
VCID-8cct-wkqq-nqdm |
| vulnerability_id |
VCID-8cct-wkqq-nqdm |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.12 and 9.5.1-alpha.1, the requestKeywordDenylist security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is caused by a logic bug that stops scanning sibling keys after encountering the first nested value. Any custom requestKeywordDenylist entries configured by the developer are equally by-passable using the same technique. All Parse Server deployments are affected. The requestKeywordDenylist is enabled by default. This vulnerability is fixed in 8.6.12 and 9.5.1-alpha.1. Use a Cloud Code beforeSave trigger to validate incoming data for prohibited keywords across all classes. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.12 |
| purl |
pkg:npm/parse-server@8.6.12 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-22pk-5s6t-ufaw |
|
| 4 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 5 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 6 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 7 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 8 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 9 |
| vulnerability |
VCID-2t98-yfws-zfgn |
|
| 10 |
| vulnerability |
VCID-383v-s4c7-6bfu |
|
| 11 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 12 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 13 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 14 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 15 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 16 |
| vulnerability |
VCID-brgs-d2uu-a7bt |
|
| 17 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 18 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 19 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 20 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 21 |
| vulnerability |
VCID-dmkx-64cw-67ae |
|
| 22 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 23 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 24 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 25 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 26 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 27 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 28 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 29 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 30 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 31 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 32 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 33 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 34 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 35 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 36 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 37 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 38 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 39 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 40 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 41 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 42 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 43 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 44 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 45 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 46 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 47 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 48 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 49 |
| vulnerability |
VCID-smga-c628-mucb |
|
| 50 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 51 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 52 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 53 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 54 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 55 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 56 |
| vulnerability |
VCID-yup6-6p9f-n7bu |
|
| 57 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 58 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.12 |
|
| 1 |
| url |
pkg:npm/parse-server@9.5.1-alpha.1 |
| purl |
pkg:npm/parse-server@9.5.1-alpha.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-22pk-5s6t-ufaw |
|
| 4 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 5 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 6 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 7 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 8 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 9 |
| vulnerability |
VCID-2t98-yfws-zfgn |
|
| 10 |
| vulnerability |
VCID-383v-s4c7-6bfu |
|
| 11 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 12 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 13 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 14 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 15 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 16 |
| vulnerability |
VCID-brgs-d2uu-a7bt |
|
| 17 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 18 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 19 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 20 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 21 |
| vulnerability |
VCID-dmkx-64cw-67ae |
|
| 22 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 23 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 24 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 25 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 26 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 27 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 28 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 29 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 30 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 31 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 32 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 33 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 34 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 35 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 36 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 37 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 38 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 39 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 40 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 41 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 42 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 43 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 44 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 45 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 46 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 47 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 48 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 49 |
| vulnerability |
VCID-smga-c628-mucb |
|
| 50 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 51 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 52 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 53 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 54 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 55 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 56 |
| vulnerability |
VCID-yup6-6p9f-n7bu |
|
| 57 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 58 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.1-alpha.1 |
|
|
| aliases |
CVE-2026-30938, GHSA-q342-9w2p-57fp
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8cct-wkqq-nqdm |
|
| 16 |
| url |
VCID-9vdy-2u7g-w3cz |
| vulnerability_id |
VCID-9vdy-2u7g-w3cz |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.5 and 9.5.0-alpha.3, the readOnlyMasterKey can be used to create and delete files via the Files API (POST /files/:filename, DELETE /files/:filename). This bypasses the read-only restriction which violates the access scope of the readOnlyMasterKey. Any Parse Server deployment that uses readOnlyMasterKey and exposes the Files API is affected. An attacker with access to the readOnlyMasterKey can upload arbitrary files or delete existing files. This issue has been patched in versions 8.6.5 and 9.5.0-alpha.3. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.5 |
| purl |
pkg:npm/parse-server@8.6.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-22pk-5s6t-ufaw |
|
| 4 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 5 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 6 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 7 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 8 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 9 |
| vulnerability |
VCID-2t98-yfws-zfgn |
|
| 10 |
| vulnerability |
VCID-383v-s4c7-6bfu |
|
| 11 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 12 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 13 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 14 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 15 |
| vulnerability |
VCID-8cct-wkqq-nqdm |
|
| 16 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 17 |
| vulnerability |
VCID-brgs-d2uu-a7bt |
|
| 18 |
| vulnerability |
VCID-bzw6-4m1j-6fe2 |
|
| 19 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 20 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 21 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 22 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 23 |
| vulnerability |
VCID-dmkx-64cw-67ae |
|
| 24 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 25 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 26 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 27 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 28 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 29 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 30 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 31 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 32 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 33 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 34 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 35 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 36 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 37 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 38 |
| vulnerability |
VCID-j8xd-t1fd-hyba |
|
| 39 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 40 |
| vulnerability |
VCID-ma3z-wh1c-v7c8 |
|
| 41 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 42 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 43 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 44 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 45 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 46 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 47 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 48 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 49 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 50 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 51 |
| vulnerability |
VCID-rbax-edn6-d3aw |
|
| 52 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 53 |
| vulnerability |
VCID-ryzc-v8ju-zbcd |
|
| 54 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 55 |
| vulnerability |
VCID-smga-c628-mucb |
|
| 56 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 57 |
| vulnerability |
VCID-u6cq-nd7b-vucm |
|
| 58 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 59 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 60 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 61 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 62 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 63 |
| vulnerability |
VCID-yup6-6p9f-n7bu |
|
| 64 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 65 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.5 |
|
| 1 |
| url |
pkg:npm/parse-server@9.5.0-alpha.3 |
| purl |
pkg:npm/parse-server@9.5.0-alpha.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-14sg-981y-pbdx |
|
| 3 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 4 |
| vulnerability |
VCID-22pk-5s6t-ufaw |
|
| 5 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 6 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 7 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 8 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 9 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 10 |
| vulnerability |
VCID-2t98-yfws-zfgn |
|
| 11 |
| vulnerability |
VCID-383v-s4c7-6bfu |
|
| 12 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 13 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 14 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 15 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 16 |
| vulnerability |
VCID-8cct-wkqq-nqdm |
|
| 17 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 18 |
| vulnerability |
VCID-brgs-d2uu-a7bt |
|
| 19 |
| vulnerability |
VCID-bzw6-4m1j-6fe2 |
|
| 20 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 21 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 22 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 23 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 24 |
| vulnerability |
VCID-dmkx-64cw-67ae |
|
| 25 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 26 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 27 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 28 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 29 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 30 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 31 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 32 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 33 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 34 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 35 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 36 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 37 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 38 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 39 |
| vulnerability |
VCID-j8xd-t1fd-hyba |
|
| 40 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 41 |
| vulnerability |
VCID-ma3z-wh1c-v7c8 |
|
| 42 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 43 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 44 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 45 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 46 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 47 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 48 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 49 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 50 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 51 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 52 |
| vulnerability |
VCID-rbax-edn6-d3aw |
|
| 53 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 54 |
| vulnerability |
VCID-ryzc-v8ju-zbcd |
|
| 55 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 56 |
| vulnerability |
VCID-smga-c628-mucb |
|
| 57 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 58 |
| vulnerability |
VCID-u6cq-nd7b-vucm |
|
| 59 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 60 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 61 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 62 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 63 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 64 |
| vulnerability |
VCID-yup6-6p9f-n7bu |
|
| 65 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 66 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.0-alpha.3 |
|
|
| aliases |
CVE-2026-30228, GHSA-xfh7-phr7-gr2x
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9vdy-2u7g-w3cz |
|
| 17 |
| url |
VCID-anju-zz89-sfad |
| vulnerability_id |
VCID-anju-zz89-sfad |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 8.6.1 and 9.1.0-alpha.3, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Parse Server's password reset and email verification HTML pages. The patch, available in versions 8.6.1 and 9.1.0-alpha.3, escapes user controlled values that are inserted into the HTML pages. No known workarounds are available. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.1 |
| purl |
pkg:npm/parse-server@8.6.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-22pk-5s6t-ufaw |
|
| 4 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 5 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 6 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 7 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 8 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 9 |
| vulnerability |
VCID-2t98-yfws-zfgn |
|
| 10 |
| vulnerability |
VCID-383v-s4c7-6bfu |
|
| 11 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 12 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 13 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 14 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 15 |
| vulnerability |
VCID-8cct-wkqq-nqdm |
|
| 16 |
| vulnerability |
VCID-9vdy-2u7g-w3cz |
|
| 17 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 18 |
| vulnerability |
VCID-brgs-d2uu-a7bt |
|
| 19 |
| vulnerability |
VCID-bzw6-4m1j-6fe2 |
|
| 20 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 21 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 22 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 23 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 24 |
| vulnerability |
VCID-dmkx-64cw-67ae |
|
| 25 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 26 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 27 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 28 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 29 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 30 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 31 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 32 |
| vulnerability |
VCID-gdee-x759-bbg9 |
|
| 33 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 34 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 35 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 36 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 37 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 38 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 39 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 40 |
| vulnerability |
VCID-j8xd-t1fd-hyba |
|
| 41 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 42 |
| vulnerability |
VCID-kgbm-tgkt-nyew |
|
| 43 |
| vulnerability |
VCID-ma3z-wh1c-v7c8 |
|
| 44 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 45 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 46 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 47 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 48 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 49 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 50 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 51 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 52 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 53 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 54 |
| vulnerability |
VCID-rbax-edn6-d3aw |
|
| 55 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 56 |
| vulnerability |
VCID-ryzc-v8ju-zbcd |
|
| 57 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 58 |
| vulnerability |
VCID-sj7h-z87x-gfh3 |
|
| 59 |
| vulnerability |
VCID-smga-c628-mucb |
|
| 60 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 61 |
| vulnerability |
VCID-u6cq-nd7b-vucm |
|
| 62 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 63 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 64 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 65 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 66 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 67 |
| vulnerability |
VCID-yup6-6p9f-n7bu |
|
| 68 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 69 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.1 |
|
| 1 |
| url |
pkg:npm/parse-server@9.1.0-alpha.3 |
| purl |
pkg:npm/parse-server@9.1.0-alpha.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-22pk-5s6t-ufaw |
|
| 4 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 5 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 6 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 7 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 8 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 9 |
| vulnerability |
VCID-2t98-yfws-zfgn |
|
| 10 |
| vulnerability |
VCID-383v-s4c7-6bfu |
|
| 11 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 12 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 13 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 14 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 15 |
| vulnerability |
VCID-8cct-wkqq-nqdm |
|
| 16 |
| vulnerability |
VCID-9vdy-2u7g-w3cz |
|
| 17 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 18 |
| vulnerability |
VCID-brgs-d2uu-a7bt |
|
| 19 |
| vulnerability |
VCID-bzw6-4m1j-6fe2 |
|
| 20 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 21 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 22 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 23 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 24 |
| vulnerability |
VCID-dmkx-64cw-67ae |
|
| 25 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 26 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 27 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 28 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 29 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 30 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 31 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 32 |
| vulnerability |
VCID-gdee-x759-bbg9 |
|
| 33 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 34 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 35 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 36 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 37 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 38 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 39 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 40 |
| vulnerability |
VCID-j8xd-t1fd-hyba |
|
| 41 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 42 |
| vulnerability |
VCID-kgbm-tgkt-nyew |
|
| 43 |
| vulnerability |
VCID-ma3z-wh1c-v7c8 |
|
| 44 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 45 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 46 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 47 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 48 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 49 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 50 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 51 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 52 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 53 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 54 |
| vulnerability |
VCID-rbax-edn6-d3aw |
|
| 55 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 56 |
| vulnerability |
VCID-ryzc-v8ju-zbcd |
|
| 57 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 58 |
| vulnerability |
VCID-sj7h-z87x-gfh3 |
|
| 59 |
| vulnerability |
VCID-smga-c628-mucb |
|
| 60 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 61 |
| vulnerability |
VCID-u6cq-nd7b-vucm |
|
| 62 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 63 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 64 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 65 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 66 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 67 |
| vulnerability |
VCID-yup6-6p9f-n7bu |
|
| 68 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 69 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.1.0-alpha.3 |
|
|
| aliases |
CVE-2025-68115, GHSA-jhgf-2h8h-ggxv
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-anju-zz89-sfad |
|
| 18 |
| url |
VCID-bpp2-r2wr-vkf6 |
| vulnerability_id |
VCID-bpp2-r2wr-vkf6 |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.21 and 8.6.45, an unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nested query condition operators. This terminates the server and denies service to all connected clients. Starting in version 9.6.0-alpha.21 and 8.6.45, a depth limit for query condition operator nesting has been added via the `requestComplexity.queryDepth` server option. The option is disabled by default to avoid a breaking change. To mitigate, upgrade and set the option to a value appropriate for your app. No known workarounds are available. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.45 |
| purl |
pkg:npm/parse-server@8.6.45 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 1 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 2 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 3 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 4 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 5 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 6 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 7 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 8 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 9 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 10 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 11 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 12 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 13 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 14 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 15 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 16 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 17 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 18 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 19 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 20 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 21 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 22 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 23 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 24 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 25 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 26 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 27 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.45 |
|
| 1 |
| url |
pkg:npm/parse-server@9.6.0-alpha.21 |
| purl |
pkg:npm/parse-server@9.6.0-alpha.21 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 1 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 2 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 3 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 4 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 5 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 6 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 7 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 8 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 9 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 10 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 11 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 12 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 13 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 14 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 15 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 16 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 17 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 18 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 19 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 20 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 21 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 22 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 23 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 24 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 25 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 26 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 27 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.21 |
|
|
| aliases |
CVE-2026-32944, GHSA-9xp9-j92r-p88v
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bpp2-r2wr-vkf6 |
|
| 19 |
| url |
VCID-brgs-d2uu-a7bt |
| vulnerability_id |
VCID-brgs-d2uu-a7bt |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.4 and 8.6.17, a stored cross-site scripting (XSS) vulnerability allows any authenticated user to upload an SVG file containing JavaScript. The file is served inline with Content-Type: image/svg+xml and without protective headers, causing the browser to execute embedded scripts in the Parse Server origin. This can be exploited to steal session tokens from localStorage and achieve account takeover. The default fileExtensions option blocks HTML file extensions but does not block SVG, which is a well-known XSS vector. All Parse Server deployments where file upload is enabled for authenticated users (the default) are affected. This vulnerability is fixed in 9.5.2-alpha.4 and 8.6.17. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.17 |
| purl |
pkg:npm/parse-server@8.6.17 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 4 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 5 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 6 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 7 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 8 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 9 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 10 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 11 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 12 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 13 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 14 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 15 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 16 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 17 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 18 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 19 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 20 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 21 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 22 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 23 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 24 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 25 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 26 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 27 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 28 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 29 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 30 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 31 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 32 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 33 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 34 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 35 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 36 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 37 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 38 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 39 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 40 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 41 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 42 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 43 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 44 |
| vulnerability |
VCID-smga-c628-mucb |
|
| 45 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 46 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 47 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 48 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 49 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 50 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 51 |
| vulnerability |
VCID-yup6-6p9f-n7bu |
|
| 52 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 53 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.17 |
|
| 1 |
| url |
pkg:npm/parse-server@9.5.2-alpha.4 |
| purl |
pkg:npm/parse-server@9.5.2-alpha.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 4 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 5 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 6 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 7 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 8 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 9 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 10 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 11 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 12 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 13 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 14 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 15 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 16 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 17 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 18 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 19 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 20 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 21 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 22 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 23 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 24 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 25 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 26 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 27 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 28 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 29 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 30 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 31 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 32 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 33 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 34 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 35 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 36 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 37 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 38 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 39 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 40 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 41 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 42 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 43 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 44 |
| vulnerability |
VCID-smga-c628-mucb |
|
| 45 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 46 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 47 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 48 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 49 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 50 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 51 |
| vulnerability |
VCID-yup6-6p9f-n7bu |
|
| 52 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 53 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.4 |
|
|
| aliases |
CVE-2026-30948, GHSA-hcj7-6gxh-24ww
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-brgs-d2uu-a7bt |
|
| 20 |
| url |
VCID-bzw6-4m1j-6fe2 |
| vulnerability_id |
VCID-bzw6-4m1j-6fe2 |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.0-alpha.14 and 8.6.11, a malicious client can subscribe to a LiveQuery with a crafted $regex pattern that causes catastrophic backtracking, blocking the Node.js event loop. This makes the entire Parse Server unresponsive, affecting all clients. Any Parse Server deployment with LiveQuery enabled is affected. The attacker only needs the application ID and JavaScript key, both of which are public in client-side apps. This only affects LiveQuery subscription matching, which evaluates regex in JavaScript on the Node.js event loop. Normal REST and GraphQL queries are not affected because their regex is evaluated by the database engine. This vulnerability is fixed in 9.5.0-alpha.14 and 8.6.11. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.11 |
| purl |
pkg:npm/parse-server@8.6.11 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-22pk-5s6t-ufaw |
|
| 4 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 5 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 6 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 7 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 8 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 9 |
| vulnerability |
VCID-2t98-yfws-zfgn |
|
| 10 |
| vulnerability |
VCID-383v-s4c7-6bfu |
|
| 11 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 12 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 13 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 14 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 15 |
| vulnerability |
VCID-8cct-wkqq-nqdm |
|
| 16 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 17 |
| vulnerability |
VCID-brgs-d2uu-a7bt |
|
| 18 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 19 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 20 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 21 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 22 |
| vulnerability |
VCID-dmkx-64cw-67ae |
|
| 23 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 24 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 25 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 26 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 27 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 28 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 29 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 30 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 31 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 32 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 33 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 34 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 35 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 36 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 37 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 38 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 39 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 40 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 41 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 42 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 43 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 44 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 45 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 46 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 47 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 48 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 49 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 50 |
| vulnerability |
VCID-smga-c628-mucb |
|
| 51 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 52 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 53 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 54 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 55 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 56 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 57 |
| vulnerability |
VCID-yup6-6p9f-n7bu |
|
| 58 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 59 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.11 |
|
| 1 |
| url |
pkg:npm/parse-server@9.5.0-alpha.14 |
| purl |
pkg:npm/parse-server@9.5.0-alpha.14 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-22pk-5s6t-ufaw |
|
| 4 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 5 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 6 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 7 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 8 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 9 |
| vulnerability |
VCID-2t98-yfws-zfgn |
|
| 10 |
| vulnerability |
VCID-383v-s4c7-6bfu |
|
| 11 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 12 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 13 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 14 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 15 |
| vulnerability |
VCID-8cct-wkqq-nqdm |
|
| 16 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 17 |
| vulnerability |
VCID-brgs-d2uu-a7bt |
|
| 18 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 19 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 20 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 21 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 22 |
| vulnerability |
VCID-dmkx-64cw-67ae |
|
| 23 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 24 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 25 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 26 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 27 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 28 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 29 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 30 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 31 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 32 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 33 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 34 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 35 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 36 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 37 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 38 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 39 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 40 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 41 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 42 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 43 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 44 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 45 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 46 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 47 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 48 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 49 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 50 |
| vulnerability |
VCID-smga-c628-mucb |
|
| 51 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 52 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 53 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 54 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 55 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 56 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 57 |
| vulnerability |
VCID-yup6-6p9f-n7bu |
|
| 58 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 59 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.0-alpha.14 |
|
|
| aliases |
CVE-2026-30925, GHSA-mf3j-86qx-cq5j
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bzw6-4m1j-6fe2 |
|
| 21 |
| url |
VCID-ca2c-skt8-mqau |
| vulnerability_id |
VCID-ca2c-skt8-mqau |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.28 and 8.6.48, the password reset mechanism does not enforce single-use guarantees for reset tokens. When a user requests a password reset, the generated token can be consumed by multiple concurrent requests within a short time window. An attacker who has intercepted a password reset token can race the legitimate user's password reset request, causing both requests to succeed. This may result in the legitimate user believing their password was changed successfully while the attacker's password takes effect instead. All Parse Server deployments that use the password reset feature are affected. Starting in versions 9.6.0-alpha.28 and 8.6.48, the password reset token is now atomically validated and consumed as part of the password update operation. The database query that updates the password includes the reset token as a condition, ensuring that only one concurrent request can successfully consume the token. Subsequent requests using the same token will fail because the token has already been cleared. There is no known workaround other than upgrading. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.48 |
| purl |
pkg:npm/parse-server@8.6.48 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 1 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 2 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 3 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 4 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 5 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 6 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 7 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 8 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 9 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 10 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 11 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 12 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 13 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 14 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 15 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 16 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 17 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 18 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 19 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 20 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 21 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 22 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 23 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 24 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 25 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.48 |
|
| 1 |
| url |
pkg:npm/parse-server@9.6.0-alpha.28 |
| purl |
pkg:npm/parse-server@9.6.0-alpha.28 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 1 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 2 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 3 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 4 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 5 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 6 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 7 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 8 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 9 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 10 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 11 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 12 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 13 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 14 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 15 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 16 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 17 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 18 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 19 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 20 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 21 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 22 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 23 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 24 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 25 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.28 |
|
|
| aliases |
CVE-2026-32943, GHSA-r3xq-68wh-gwvh
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ca2c-skt8-mqau |
|
| 22 |
| url |
VCID-caj3-ujpk-hba5 |
| vulnerability_id |
VCID-caj3-ujpk-hba5 |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior o 9.5.2-alpha.10 and 8.6.23, Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint (/batch) processes sub-requests internally by routing them directly through the Promise router, bypassing Express middleware including rate limiting. An attacker can bundle multiple requests targeting a rate-limited endpoint into a single batch request to circumvent the configured rate limit. Any Parse Server deployment that relies on the built-in rate limiting feature is affected. This vulnerability is fixed in 9.5.2-alpha.10 and 8.6.23. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.23 |
| purl |
pkg:npm/parse-server@8.6.23 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 4 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 5 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 6 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 7 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 8 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 9 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 10 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 11 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 12 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 13 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 14 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 15 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 16 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 17 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 18 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 19 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 20 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 21 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 22 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 23 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 24 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 25 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 26 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 27 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 28 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 29 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 30 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 31 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 32 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 33 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 34 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 35 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 36 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 37 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 38 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 39 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 40 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 41 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 42 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 43 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 44 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 45 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 46 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 47 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.23 |
|
| 1 |
| url |
pkg:npm/parse-server@9.5.2-alpha.10 |
| purl |
pkg:npm/parse-server@9.5.2-alpha.10 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 4 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 5 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 6 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 7 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 8 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 9 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 10 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 11 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 12 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 13 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 14 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 15 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 16 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 17 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 18 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 19 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 20 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 21 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 22 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 23 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 24 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 25 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 26 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 27 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 28 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 29 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 30 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 31 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 32 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 33 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 34 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 35 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 36 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 37 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 38 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 39 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 40 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 41 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 42 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 43 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 44 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 45 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 46 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 47 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.10 |
|
|
| aliases |
CVE-2026-30972, GHSA-775h-3xrc-c228
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-caj3-ujpk-hba5 |
|
| 23 |
| url |
VCID-cbrh-vg1p-3ua7 |
| vulnerability_id |
VCID-cbrh-vg1p-3ua7 |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.70 and 9.7.0-alpha.18, an authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery subscriptions. By sending a subscription with a $or, $and, or $nor operator value as a plain object with numeric keys and a length property (an "array-like" object) instead of an array, the protected-field guard is bypassed. The subscription event firing acts as a binary oracle, allowing the attacker to infer whether a protected field matches a given test value. This issue has been patched in versions 8.6.70 and 9.7.0-alpha.18. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-34595, GHSA-mmg8-87c5-jrc2
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cbrh-vg1p-3ua7 |
|
| 24 |
| url |
VCID-dhkw-d15h-rkb5 |
| vulnerability_id |
VCID-dhkw-d15h-rkb5 |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.76 and 9.9.0-alpha.2, a race condition in the MFA SMS one-time password (OTP) login path allows two concurrent /login requests carrying the same OTP to both succeed and both receive valid session tokens, breaking the single-use property of the OTP. The vulnerability requires the attacker to already possess the victim's password and intercept the active SMS OTP (e.g. via SIM swap, network mirror, or phishing relay) and to race the legitimate login request, so the practical attack surface is narrow. This vulnerability is fixed in 8.6.76 and 9.9.0-alpha.2. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-43930, GHSA-jpq4-7fmq-q5fj
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dhkw-d15h-rkb5 |
|
| 25 |
| url |
VCID-dmkx-64cw-67ae |
| vulnerability_id |
VCID-dmkx-64cw-67ae |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.14 and 9.5.2-alpha.1, NoSQL injection vulnerability allows an unauthenticated attacker to inject MongoDB query operators via the token field in the password reset and email verification resend endpoints. The token value is passed to database queries without type validation and can be used to extract password reset and email verification tokens. Any Parse Server deployment using MongoDB with email verification or password reset enabled is affected. When emailVerifyTokenReuseIfValid is configured, the email verification token can be fully extracted and used to verify a user's email address without inbox access. This vulnerability is fixed in 8.6.14 and 9.5.2-alpha.1. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.14 |
| purl |
pkg:npm/parse-server@8.6.14 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-22pk-5s6t-ufaw |
|
| 4 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 5 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 6 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 7 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 8 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 9 |
| vulnerability |
VCID-2t98-yfws-zfgn |
|
| 10 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 11 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 12 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 13 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 14 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 15 |
| vulnerability |
VCID-brgs-d2uu-a7bt |
|
| 16 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 17 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 18 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 19 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 20 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 21 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 22 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 23 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 24 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 25 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 26 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 27 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 28 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 29 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 30 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 31 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 32 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 33 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 34 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 35 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 36 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 37 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 38 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 39 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 40 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 41 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 42 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 43 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 44 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 45 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 46 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 47 |
| vulnerability |
VCID-smga-c628-mucb |
|
| 48 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 49 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 50 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 51 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 52 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 53 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 54 |
| vulnerability |
VCID-yup6-6p9f-n7bu |
|
| 55 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 56 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.14 |
|
| 1 |
| url |
pkg:npm/parse-server@9.5.2-alpha.1 |
| purl |
pkg:npm/parse-server@9.5.2-alpha.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-22pk-5s6t-ufaw |
|
| 4 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 5 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 6 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 7 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 8 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 9 |
| vulnerability |
VCID-2t98-yfws-zfgn |
|
| 10 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 11 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 12 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 13 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 14 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 15 |
| vulnerability |
VCID-brgs-d2uu-a7bt |
|
| 16 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 17 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 18 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 19 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 20 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 21 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 22 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 23 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 24 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 25 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 26 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 27 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 28 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 29 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 30 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 31 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 32 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 33 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 34 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 35 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 36 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 37 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 38 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 39 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 40 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 41 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 42 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 43 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 44 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 45 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 46 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 47 |
| vulnerability |
VCID-smga-c628-mucb |
|
| 48 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 49 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 50 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 51 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 52 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 53 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 54 |
| vulnerability |
VCID-yup6-6p9f-n7bu |
|
| 55 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 56 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.1 |
|
|
| aliases |
CVE-2026-30941, GHSA-vgjh-hmwf-c588
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dmkx-64cw-67ae |
|
| 26 |
| url |
VCID-dyd6-6yy1-hyhn |
| vulnerability_id |
VCID-dyd6-6yy1-hyhn |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.6 and 8.6.74, he login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the server responds immediately. When a user exists but the password is wrong, a bcrypt comparison runs first, adding significant latency. This timing difference allows an unauthenticated attacker to enumerate valid usernames. This vulnerability is fixed in 9.8.0-alpha.6 and 8.6.74. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-39321, GHSA-mmpq-5hcv-hf2v
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dyd6-6yy1-hyhn |
|
| 27 |
| url |
VCID-e7pg-sdu5-mkhh |
| vulnerability_id |
VCID-e7pg-sdu5-mkhh |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.15 and 8.6.41, an attacker who is allowed to upload files can bypass the file extension filter by appending a MIME parameter (e.g. `;charset=utf-8`) to the `Content-Type` header. This causes the extension validation to fail matching against the blocklist, allowing active content to be stored and served under the application's domain. In addition, certain XML-based file extensions that can render scripts in web browsers are not included in the default blocklist. This can lead to stored XSS attacks, compromising session tokens, user credentials, or other sensitive data accessible via the browser's local storage. The fix in versions 9.6.0-alpha.15 and 8.6.41 strips MIME parameters from the `Content-Type` header before validating the file extension against the blocklist. The default blocklist has also been extended to include additional XML-based extensions (`xsd`, `rng`, `rdf`, `rdf+xml`, `owl`, `mathml`, `mathml+xml`) that can render active content in web browsers. Note that the `fileUpload.fileExtensions` option is intended to be configured as an allowlist of file extensions that are valid for a specific application, not as a denylist. The default denylist is provided only as a basic default that covers most common problematic extensions. It is not intended to be an exhaustive list of all potentially dangerous extensions. Developers should not rely on the default value, as new extensions that can render active content in browsers might emerge in the future. As a workaround, configure the `fileUpload.fileExtensions` option to use an allowlist of only the file extensions that your application needs, rather than relying on the default blocklist. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.41 |
| purl |
pkg:npm/parse-server@8.6.41 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 4 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 5 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 6 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 7 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 8 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 9 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 10 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 11 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 12 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 13 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 14 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 15 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 16 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 17 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 18 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 19 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 20 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 21 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 22 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 23 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 24 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 25 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 26 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 27 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 28 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 29 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 30 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 31 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.41 |
|
| 1 |
| url |
pkg:npm/parse-server@9.6.0-alpha.15 |
| purl |
pkg:npm/parse-server@9.6.0-alpha.15 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 4 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 5 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 6 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 7 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 8 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 9 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 10 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 11 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 12 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 13 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 14 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 15 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 16 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 17 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 18 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 19 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 20 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 21 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 22 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 23 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 24 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 25 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 26 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 27 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 28 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 29 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 30 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 31 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.15 |
|
|
| aliases |
CVE-2026-32728, GHSA-42ph-pf9q-cr72
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-e7pg-sdu5-mkhh |
|
| 28 |
| url |
VCID-e84c-36en-wqaa |
| vulnerability_id |
VCID-e84c-36en-wqaa |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.54 and 9.6.0-alpha.43, an attacker can subscribe to LiveQuery with a watch parameter targeting a protected field. Although the protected field value is properly stripped from event payloads, the presence or absence of update events reveals whether the protected field changed, creating a binary oracle. For boolean protected fields, the timing of change events is equivalent to knowing the field value. This issue has been patched in versions 8.6.54 and 9.6.0-alpha.43. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.54 |
| purl |
pkg:npm/parse-server@8.6.54 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 1 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 2 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 3 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 4 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 5 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 6 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 7 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 8 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 9 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 10 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 11 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 12 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 13 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 14 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 15 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 16 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 17 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.54 |
|
| 1 |
| url |
pkg:npm/parse-server@9.0.0-alpha.1 |
| purl |
pkg:npm/parse-server@9.0.0-alpha.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 1 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 2 |
| vulnerability |
VCID-383v-s4c7-6bfu |
|
| 3 |
| vulnerability |
VCID-8cct-wkqq-nqdm |
|
| 4 |
| vulnerability |
VCID-bzw6-4m1j-6fe2 |
|
| 5 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 6 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 7 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 8 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 9 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 10 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 11 |
| vulnerability |
VCID-rbax-edn6-d3aw |
|
| 12 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 13 |
| vulnerability |
VCID-ryzc-v8ju-zbcd |
|
| 14 |
| vulnerability |
VCID-u6cq-nd7b-vucm |
|
| 15 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 16 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 17 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.0.0-alpha.1 |
|
| 2 |
| url |
pkg:npm/parse-server@9.6.0-alpha.43 |
| purl |
pkg:npm/parse-server@9.6.0-alpha.43 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 1 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 2 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 3 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 4 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 5 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 6 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 7 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 8 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 9 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 10 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 11 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 12 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 13 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 14 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 15 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 16 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 17 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.43 |
|
|
| aliases |
CVE-2026-33429, GHSA-qpc3-fg4j-8hgm
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-e84c-36en-wqaa |
|
| 29 |
| url |
VCID-ee1t-31wz-ufbw |
| vulnerability_id |
VCID-ee1t-31wz-ufbw |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.10 and 8.6.36, an attacker with access to the master key can inject malicious SQL via crafted field names used in query constraints when Parse Server is configured with PostgreSQL as the database. The field name in a $regex query operator is passed to PostgreSQL using unparameterized string interpolation, allowing the attacker to manipulate the SQL query. While the master key controls what can be done through the Parse Server abstraction layer, this SQL injection bypasses Parse Server entirely and operates at the database level. This vulnerability only affects Parse Server deployments using PostgreSQL. This vulnerability is fixed in 9.6.0-alpha.10 and 8.6.36. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.36 |
| purl |
pkg:npm/parse-server@8.6.36 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 4 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 5 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 6 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 7 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 8 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 9 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 10 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 11 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 12 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 13 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 14 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 15 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 16 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 17 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 18 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 19 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 20 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 21 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 22 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 23 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 24 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 25 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 26 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 27 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 28 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 29 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 30 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 31 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 32 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 33 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 34 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 35 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 36 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.36 |
|
| 1 |
| url |
pkg:npm/parse-server@9.6.0-alpha.10 |
| purl |
pkg:npm/parse-server@9.6.0-alpha.10 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 4 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 5 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 6 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 7 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 8 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 9 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 10 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 11 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 12 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 13 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 14 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 15 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 16 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 17 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 18 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 19 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 20 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 21 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 22 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 23 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 24 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 25 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 26 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 27 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 28 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 29 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 30 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 31 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 32 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 33 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 34 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 35 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 36 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.10 |
|
|
| aliases |
CVE-2026-32234, GHSA-c442-97qw-j6c6
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ee1t-31wz-ufbw |
|
| 30 |
| url |
VCID-evdb-d9ew-pbfq |
| vulnerability_id |
VCID-evdb-d9ew-pbfq |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.35 and 8.6.50, when a `Parse.Cloud.afterLiveQueryEvent` trigger is registered for a class, the LiveQuery server leaks protected fields and `authData` to all subscribers of that class. Fields configured as protected via Class-Level Permissions (`protectedFields`) are included in LiveQuery event payloads for all event types (create, update, delete, enter, leave). Any user with sufficient CLP permissions to subscribe to the affected class can receive protected field data of other users, including sensitive personal information and OAuth tokens from third-party authentication providers. The vulnerability was caused by a reference detachment bug. When an `afterEvent` trigger is registered, the LiveQuery server converts the event object to a `Parse.Object` for the trigger, then creates a new JSON copy via `toJSONwithObjects()`. The sensitive data filter was applied to the `Parse.Object` reference, but the unfiltered JSON copy was sent to clients. The fix in versions 9.6.0-alpha.35 and 8.6.50 ensures that the JSON copy is assigned back to the response object before filtering, so the filter operates on the actual data sent to clients. As a workaround, remove all `Parse.Cloud.afterLiveQueryEvent` trigger registrations. Without an `afterEvent` trigger, the reference detachment does not occur and protected fields are correctly filtered. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.50 |
| purl |
pkg:npm/parse-server@8.6.50 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 1 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 2 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 3 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 4 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 5 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 6 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 7 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 8 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 9 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 10 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 11 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 12 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 13 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 14 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 15 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 16 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 17 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 18 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 19 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 20 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 21 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 22 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 23 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.50 |
|
| 1 |
| url |
pkg:npm/parse-server@9.6.0-alpha.35 |
| purl |
pkg:npm/parse-server@9.6.0-alpha.35 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 1 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 2 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 3 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 4 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 5 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 6 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 7 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 8 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 9 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 10 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 11 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 12 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 13 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 14 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 15 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 16 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 17 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 18 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 19 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 20 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 21 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 22 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 23 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.35 |
|
|
| aliases |
CVE-2026-33163, GHSA-5hmj-jcgp-6hff
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-evdb-d9ew-pbfq |
|
| 31 |
| url |
VCID-fdqv-3n6r-2fgb |
| vulnerability_id |
VCID-fdqv-3n6r-2fgb |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.4 and 8.6.30, an attacker can upload a file with a file extension or content type that is not blocked by the default configuration of the Parse Server fileUpload.fileExtensions option. The file can contain malicious code, for example JavaScript in an SVG or XHTML file. When the file is accessed via its URL, the browser renders the file and executes the malicious code in the context of the Parse Server domain. This is a stored Cross-Site Scripting (XSS) vulnerability that can be exploited to steal session tokens, redirect users, or perform actions on behalf of other users. Affected file extensions and content types include .svgz, .xht, .xml, .xsl, .xslt, and content types application/xhtml+xml and application/xslt+xml for extensionless uploads. Uploading of .html, .htm, .shtml, .xhtml, and .svg files was already blocked. This vulnerability is fixed in 9.6.0-alpha.4 and 8.6.30. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.30 |
| purl |
pkg:npm/parse-server@8.6.30 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 4 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 5 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 6 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 7 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 8 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 9 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 10 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 11 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 12 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 13 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 14 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 15 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 16 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 17 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 18 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 19 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 20 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 21 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 22 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 23 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 24 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 25 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 26 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 27 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 28 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 29 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 30 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 31 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 32 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 33 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 34 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 35 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 36 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 37 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 38 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 39 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 40 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 41 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 42 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.30 |
|
| 1 |
| url |
pkg:npm/parse-server@9.6.0-alpha.4 |
| purl |
pkg:npm/parse-server@9.6.0-alpha.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 4 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 5 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 6 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 7 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 8 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 9 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 10 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 11 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 12 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 13 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 14 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 15 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 16 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 17 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 18 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 19 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 20 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 21 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 22 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 23 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 24 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 25 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 26 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 27 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 28 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 29 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 30 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 31 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 32 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 33 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 34 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 35 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 36 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 37 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 38 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 39 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 40 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 41 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 42 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.4 |
|
|
| aliases |
CVE-2026-31868, GHSA-v5hf-f4c3-m5rv
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fdqv-3n6r-2fgb |
|
| 32 |
| url |
VCID-g9b7-r5ry-mybm |
| vulnerability_id |
VCID-g9b7-r5ry-mybm |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.52 and 9.6.0-alpha.41, an authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowing the user's credentials. The attacker only needs to know the user's provider ID to gain full access to their account, including a valid session token. This affects Parse Server deployments where the server option allowExpiredAuthDataToken is set to true. The default value is false. This issue has been patched in versions 8.6.52 and 9.6.0-alpha.41. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/parse-community/parse-server/pull/10246 |
| reference_id |
10246 |
| reference_type |
|
| scores |
| 0 |
| value |
9.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
7.0 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T13:39:16Z/ |
|
|
| url |
https://github.com/parse-community/parse-server/pull/10246 |
|
| 4 |
| reference_url |
https://github.com/parse-community/parse-server/pull/10247 |
| reference_id |
10247 |
| reference_type |
|
| scores |
| 0 |
| value |
9.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
7.0 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T13:39:16Z/ |
|
|
| url |
https://github.com/parse-community/parse-server/pull/10247 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.52 |
| purl |
pkg:npm/parse-server@8.6.52 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 1 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 2 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 3 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 4 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 5 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 6 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 7 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 8 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 9 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 10 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 11 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 12 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 13 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 14 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 15 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 16 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 17 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 18 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 19 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 20 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 21 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.52 |
|
| 1 |
| url |
pkg:npm/parse-server@9.0.0-alpha.1 |
| purl |
pkg:npm/parse-server@9.0.0-alpha.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 1 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 2 |
| vulnerability |
VCID-383v-s4c7-6bfu |
|
| 3 |
| vulnerability |
VCID-8cct-wkqq-nqdm |
|
| 4 |
| vulnerability |
VCID-bzw6-4m1j-6fe2 |
|
| 5 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 6 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 7 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 8 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 9 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 10 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 11 |
| vulnerability |
VCID-rbax-edn6-d3aw |
|
| 12 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 13 |
| vulnerability |
VCID-ryzc-v8ju-zbcd |
|
| 14 |
| vulnerability |
VCID-u6cq-nd7b-vucm |
|
| 15 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 16 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 17 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.0.0-alpha.1 |
|
| 2 |
| url |
pkg:npm/parse-server@9.6.0-alpha.41 |
| purl |
pkg:npm/parse-server@9.6.0-alpha.41 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 1 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 2 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 3 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 4 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 5 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 6 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 7 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 8 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 9 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 10 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 11 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 12 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 13 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 14 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 15 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 16 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 17 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 18 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 19 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 20 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 21 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.41 |
|
|
| aliases |
CVE-2026-33409, GHSA-pfj7-wv7c-22pr
|
| risk_score |
4.1 |
| exploitability |
0.5 |
| weighted_severity |
8.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-g9b7-r5ry-mybm |
|
| 33 |
| url |
VCID-gdee-x759-bbg9 |
| vulnerability_id |
VCID-gdee-x759-bbg9 |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.4 and 9.4.1-alpha.3, Parse Server's readOnlyMasterKey option allows access with master-level read privileges but is documented to deny all write operations. However, some endpoints incorrectly accept the readOnlyMasterKey for mutating operations. This allows a caller who only holds the readOnlyMasterKey to create, modify, and delete Cloud Hooks and to start Cloud Jobs, which can be used for data exfiltration. Any Parse Server deployment that uses the readOnlyMasterKey option is affected. Note than an attacker needs to know the readOnlyMasterKey to exploit this vulnerability. This issue has been patched in versions 8.6.4 and 9.4.1-alpha.3. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.4 |
| purl |
pkg:npm/parse-server@8.6.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-22pk-5s6t-ufaw |
|
| 4 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 5 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 6 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 7 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 8 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 9 |
| vulnerability |
VCID-2t98-yfws-zfgn |
|
| 10 |
| vulnerability |
VCID-383v-s4c7-6bfu |
|
| 11 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 12 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 13 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 14 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 15 |
| vulnerability |
VCID-8cct-wkqq-nqdm |
|
| 16 |
| vulnerability |
VCID-9vdy-2u7g-w3cz |
|
| 17 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 18 |
| vulnerability |
VCID-brgs-d2uu-a7bt |
|
| 19 |
| vulnerability |
VCID-bzw6-4m1j-6fe2 |
|
| 20 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 21 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 22 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 23 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 24 |
| vulnerability |
VCID-dmkx-64cw-67ae |
|
| 25 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 26 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 27 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 28 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 29 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 30 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 31 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 32 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 33 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 34 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 35 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 36 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 37 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 38 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 39 |
| vulnerability |
VCID-j8xd-t1fd-hyba |
|
| 40 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 41 |
| vulnerability |
VCID-ma3z-wh1c-v7c8 |
|
| 42 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 43 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 44 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 45 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 46 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 47 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 48 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 49 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 50 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 51 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 52 |
| vulnerability |
VCID-rbax-edn6-d3aw |
|
| 53 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 54 |
| vulnerability |
VCID-ryzc-v8ju-zbcd |
|
| 55 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 56 |
| vulnerability |
VCID-smga-c628-mucb |
|
| 57 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 58 |
| vulnerability |
VCID-u6cq-nd7b-vucm |
|
| 59 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 60 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 61 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 62 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 63 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 64 |
| vulnerability |
VCID-yup6-6p9f-n7bu |
|
| 65 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 66 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.4 |
|
| 1 |
| url |
pkg:npm/parse-server@9.4.1-alpha.3 |
| purl |
pkg:npm/parse-server@9.4.1-alpha.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-14sg-981y-pbdx |
|
| 3 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 4 |
| vulnerability |
VCID-22pk-5s6t-ufaw |
|
| 5 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 6 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 7 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 8 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 9 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 10 |
| vulnerability |
VCID-2t98-yfws-zfgn |
|
| 11 |
| vulnerability |
VCID-383v-s4c7-6bfu |
|
| 12 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 13 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 14 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 15 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 16 |
| vulnerability |
VCID-8cct-wkqq-nqdm |
|
| 17 |
| vulnerability |
VCID-9vdy-2u7g-w3cz |
|
| 18 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 19 |
| vulnerability |
VCID-brgs-d2uu-a7bt |
|
| 20 |
| vulnerability |
VCID-bzw6-4m1j-6fe2 |
|
| 21 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 22 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 23 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 24 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 25 |
| vulnerability |
VCID-dmkx-64cw-67ae |
|
| 26 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 27 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 28 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 29 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 30 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 31 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 32 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 33 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 34 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 35 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 36 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 37 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 38 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 39 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 40 |
| vulnerability |
VCID-j8xd-t1fd-hyba |
|
| 41 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 42 |
| vulnerability |
VCID-ma3z-wh1c-v7c8 |
|
| 43 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 44 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 45 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 46 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 47 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 48 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 49 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 50 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 51 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 52 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 53 |
| vulnerability |
VCID-rbax-edn6-d3aw |
|
| 54 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 55 |
| vulnerability |
VCID-ryzc-v8ju-zbcd |
|
| 56 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 57 |
| vulnerability |
VCID-smga-c628-mucb |
|
| 58 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 59 |
| vulnerability |
VCID-u6cq-nd7b-vucm |
|
| 60 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 61 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 62 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 63 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 64 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 65 |
| vulnerability |
VCID-yup6-6p9f-n7bu |
|
| 66 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 67 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.4.1-alpha.3 |
|
|
| aliases |
CVE-2026-29182, GHSA-vc89-5g3r-cmhh
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gdee-x759-bbg9 |
|
| 34 |
| url |
VCID-gjus-pwzw-qufs |
| vulnerability_id |
VCID-gjus-pwzw-qufs |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.13 and 8.6.26, the LDAP authentication adapter is vulnerable to LDAP injection. User-supplied input (authData.id) is interpolated directly into LDAP Distinguished Names (DN) and group search filters without escaping special characters. This allows an attacker with valid LDAP credentials to manipulate the bind DN structure and to bypass group membership checks. This enables privilege escalation from any authenticated LDAP user to a member of any restricted group. The vulnerability affects Parse Server deployments that use the LDAP authentication adapter with group-based access control. This vulnerability is fixed in 9.5.2-alpha.13 and 8.6.26. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.26 |
| purl |
pkg:npm/parse-server@8.6.26 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 4 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 5 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 6 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 7 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 8 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 9 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 10 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 11 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 12 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 13 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 14 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 15 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 16 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 17 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 18 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 19 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 20 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 21 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 22 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 23 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 24 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 25 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 26 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 27 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 28 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 29 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 30 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 31 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 32 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 33 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 34 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 35 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 36 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 37 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 38 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 39 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 40 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 41 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 42 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 43 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 44 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 45 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.26 |
|
| 1 |
| url |
pkg:npm/parse-server@9.5.2-alpha.13 |
| purl |
pkg:npm/parse-server@9.5.2-alpha.13 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 4 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 5 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 6 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 7 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 8 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 9 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 10 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 11 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 12 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 13 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 14 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 15 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 16 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 17 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 18 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 19 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 20 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 21 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 22 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 23 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 24 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 25 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 26 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 27 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 28 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 29 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 30 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 31 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 32 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 33 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 34 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 35 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 36 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 37 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 38 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 39 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 40 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 41 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 42 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 43 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 44 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 45 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.13 |
|
|
| aliases |
CVE-2026-31828, GHSA-7m6r-fhh7-r47c
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gjus-pwzw-qufs |
|
| 35 |
| url |
VCID-gngn-8vy6-bkg7 |
| vulnerability_id |
VCID-gngn-8vy6-bkg7 |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.63 and 9.7.0-alpha.7, the verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacker who knows a user's password can extract the MFA secret to generate valid MFA codes, defeating multi-factor authentication protection. This issue has been patched in versions 8.6.63 and 9.7.0-alpha.7. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.63 |
| purl |
pkg:npm/parse-server@8.6.63 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 1 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 2 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 3 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 4 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 5 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 6 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 7 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 8 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 9 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 10 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 11 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.63 |
|
| 1 |
|
|
| aliases |
CVE-2026-34215, GHSA-wp76-gg32-8258
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gngn-8vy6-bkg7 |
|
| 36 |
| url |
VCID-hbms-u2mt-jyhn |
| vulnerability_id |
VCID-hbms-u2mt-jyhn |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.17 and 8.6.42, an authenticated user can overwrite server-generated session fields (`sessionToken`, `expiresAt`, `createdWith`) when creating a session object via `POST /classes/_Session`. This allows bypassing the server's session expiration policy by setting an arbitrary far-future expiration date. It also allows setting a predictable session token value. Starting in version 9.6.0-alpha.17 and 8.6.42, the session creation endpoint filters out server-generated fields from user-supplied data, preventing them from being overwritten. As a workaround, add a `beforeSave` trigger on the `_Session` class to validate and reject or strip any user-supplied values for `sessionToken`, `expiresAt`, and `createdWith`. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.42 |
| purl |
pkg:npm/parse-server@8.6.42 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 4 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 5 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 6 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 7 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 8 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 9 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 10 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 11 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 12 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 13 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 14 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 15 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 16 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 17 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 18 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 19 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 20 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 21 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 22 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 23 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 24 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 25 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 26 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 27 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 28 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 29 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 30 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.42 |
|
| 1 |
| url |
pkg:npm/parse-server@9.6.0-alpha.17 |
| purl |
pkg:npm/parse-server@9.6.0-alpha.17 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 4 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 5 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 6 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 7 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 8 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 9 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 10 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 11 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 12 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 13 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 14 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 15 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 16 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 17 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 18 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 19 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 20 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 21 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 22 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 23 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 24 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 25 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 26 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 27 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 28 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 29 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 30 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.17 |
|
|
| aliases |
CVE-2026-32742, GHSA-5v7g-9h8f-8pgg
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hbms-u2mt-jyhn |
|
| 37 |
| url |
VCID-hh7p-ae88-z3fs |
| vulnerability_id |
VCID-hh7p-ae88-z3fs |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.9 and 8.6.35, an attacker can exploit LiveQuery subscriptions to infer the values of protected fields without directly receiving them. By subscribing with a WHERE clause that references a protected field (including via dot-notation or $regex), the attacker can observe whether LiveQuery events are delivered for matching objects. This creates a boolean oracle that leaks protected field values. The attack affects any class that has both protectedFields configured in Class-Level Permissions and LiveQuery enabled. This vulnerability is fixed in 9.6.0-alpha.9 and 8.6.35. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.35 |
| purl |
pkg:npm/parse-server@8.6.35 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 4 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 5 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 6 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 7 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 8 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 9 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 10 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 11 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 12 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 13 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 14 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 15 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 16 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 17 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 18 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 19 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 20 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 21 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 22 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 23 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 24 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 25 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 26 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 27 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 28 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 29 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 30 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 31 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 32 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 33 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 34 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 35 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 36 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 37 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.35 |
|
| 1 |
| url |
pkg:npm/parse-server@9.6.0-alpha.9 |
| purl |
pkg:npm/parse-server@9.6.0-alpha.9 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 4 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 5 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 6 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 7 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 8 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 9 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 10 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 11 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 12 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 13 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 14 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 15 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 16 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 17 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 18 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 19 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 20 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 21 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 22 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 23 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 24 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 25 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 26 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 27 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 28 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 29 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 30 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 31 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 32 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 33 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 34 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 35 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 36 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 37 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.9 |
|
|
| aliases |
CVE-2026-32098, GHSA-j7mm-f4rv-6q6q
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hh7p-ae88-z3fs |
|
| 38 |
| url |
VCID-hs5q-jk5r-7ya8 |
| vulnerability_id |
VCID-hs5q-jk5r-7ya8 |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.65 and 9.7.0-alpha.9, when multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects. The sensitive data filter modifies these shared objects in-place, so when one subscriber's filter removes a protected field, subsequent subscribers may receive the already-filtered object. This can cause protected fields and authentication data to leak to clients that should not see them, or cause clients that should see the data to receive an incomplete object. Additionally, when an afterEvent Cloud Code trigger is registered, one subscriber's trigger modifications can leak to other subscribers through the same shared mutable state. Any Parse Server deployment using LiveQuery with protected fields or afterEvent triggers is affected when multiple clients subscribe to the same class. This issue has been patched in versions 8.6.65 and 9.7.0-alpha.9. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-34363, GHSA-m983-v2ff-wq65
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hs5q-jk5r-7ya8 |
|
| 39 |
| url |
VCID-j3ba-adds-muay |
| vulnerability_id |
VCID-j3ba-adds-muay |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.20 and 8.6.44, an attacker can bypass the default request keyword denylist protection and the class-level permission for adding fields by sending a crafted request that exploits prototype pollution in the deep copy mechanism. This allows injecting fields into class schemas that have field addition locked down, and can cause permanent schema type conflicts that cannot be resolved even with the master key. In 9.6.0-alpha.20 and 8.6.44, the vulnerable third-party deep copy library has been replaced with a built-in deep clone mechanism that handles prototype properties safely, allowing the existing denylist check to correctly detect and reject the prohibited keyword. No known workarounds are available. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.44 |
| purl |
pkg:npm/parse-server@8.6.44 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 1 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 2 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 3 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 4 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 5 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 6 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 7 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 8 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 9 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 10 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 11 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 12 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 13 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 14 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 15 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 16 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 17 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 18 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 19 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 20 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 21 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 22 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 23 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 24 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 25 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 26 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 27 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 28 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.44 |
|
| 1 |
| url |
pkg:npm/parse-server@9.6.0-alpha.20 |
| purl |
pkg:npm/parse-server@9.6.0-alpha.20 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 1 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 2 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 3 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 4 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 5 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 6 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 7 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 8 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 9 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 10 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 11 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 12 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 13 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 14 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 15 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 16 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 17 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 18 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 19 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 20 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 21 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 22 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 23 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 24 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 25 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 26 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 27 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 28 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.20 |
|
|
| aliases |
CVE-2026-32878, GHSA-9ccr-fpp6-78qf
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-j3ba-adds-muay |
|
| 40 |
| url |
VCID-j6sw-ak9p-nyhc |
| vulnerability_id |
VCID-j6sw-ak9p-nyhc |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.13 and 8.6.39, the OAuth2 authentication adapter does not correctly validate app IDs when appidField and appIds are configured. During app ID validation, a malformed value is sent to the token introspection endpoint instead of the user's actual access token. Depending on the introspection endpoint's behavior, this could either cause all OAuth2 logins to fail, or allow authentication from disallowed app contexts if the endpoint returns valid-looking data for the malformed request. Deployments using the OAuth2 adapter with appidField and appIds configured are affected. This vulnerability is fixed in 9.6.0-alpha.13 and 8.6.39. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.39 |
| purl |
pkg:npm/parse-server@8.6.39 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 4 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 5 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 6 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 7 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 8 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 9 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 10 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 11 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 12 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 13 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 14 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 15 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 16 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 17 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 18 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 19 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 20 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 21 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 22 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 23 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 24 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 25 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 26 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 27 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 28 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 29 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 30 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 31 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 32 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 33 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.39 |
|
| 1 |
| url |
pkg:npm/parse-server@9.6.0-alpha.13 |
| purl |
pkg:npm/parse-server@9.6.0-alpha.13 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 4 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 5 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 6 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 7 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 8 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 9 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 10 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 11 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 12 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 13 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 14 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 15 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 16 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 17 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 18 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 19 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 20 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 21 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 22 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 23 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 24 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 25 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 26 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 27 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 28 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 29 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 30 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 31 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 32 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 33 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.13 |
|
|
| aliases |
CVE-2026-32269, GHSA-69xg-f649-w5g2
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-j6sw-ak9p-nyhc |
|
| 41 |
| url |
VCID-j8xd-t1fd-hyba |
| vulnerability_id |
VCID-j8xd-t1fd-hyba |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.7 and 9.5.0-alpha.6, malformed $regex query parameter (e.g. [abc) causes the database to return a structured error object that is passed unsanitized through the API response. This leaks database internals such as error messages, error codes, code names, cluster timestamps, and topology details. The vulnerability is exploitable by any client that can send query requests, depending on the deployment's permission configuration. This issue has been patched in versions 8.6.7 and 9.5.0-alpha.6. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.7 |
| purl |
pkg:npm/parse-server@8.6.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-22pk-5s6t-ufaw |
|
| 4 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 5 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 6 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 7 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 8 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 9 |
| vulnerability |
VCID-2t98-yfws-zfgn |
|
| 10 |
| vulnerability |
VCID-383v-s4c7-6bfu |
|
| 11 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 12 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 13 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 14 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 15 |
| vulnerability |
VCID-8cct-wkqq-nqdm |
|
| 16 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 17 |
| vulnerability |
VCID-brgs-d2uu-a7bt |
|
| 18 |
| vulnerability |
VCID-bzw6-4m1j-6fe2 |
|
| 19 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 20 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 21 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 22 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 23 |
| vulnerability |
VCID-dmkx-64cw-67ae |
|
| 24 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 25 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 26 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 27 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 28 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 29 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 30 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 31 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 32 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 33 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 34 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 35 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 36 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 37 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 38 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 39 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 40 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 41 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 42 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 43 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 44 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 45 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 46 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 47 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 48 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 49 |
| vulnerability |
VCID-rbax-edn6-d3aw |
|
| 50 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 51 |
| vulnerability |
VCID-ryzc-v8ju-zbcd |
|
| 52 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 53 |
| vulnerability |
VCID-smga-c628-mucb |
|
| 54 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 55 |
| vulnerability |
VCID-u6cq-nd7b-vucm |
|
| 56 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 57 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 58 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 59 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 60 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 61 |
| vulnerability |
VCID-yup6-6p9f-n7bu |
|
| 62 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 63 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.7 |
|
| 1 |
| url |
pkg:npm/parse-server@9.5.0-alpha.6 |
| purl |
pkg:npm/parse-server@9.5.0-alpha.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-14sg-981y-pbdx |
|
| 3 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 4 |
| vulnerability |
VCID-22pk-5s6t-ufaw |
|
| 5 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 6 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 7 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 8 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 9 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 10 |
| vulnerability |
VCID-2t98-yfws-zfgn |
|
| 11 |
| vulnerability |
VCID-383v-s4c7-6bfu |
|
| 12 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 13 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 14 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 15 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 16 |
| vulnerability |
VCID-8cct-wkqq-nqdm |
|
| 17 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 18 |
| vulnerability |
VCID-brgs-d2uu-a7bt |
|
| 19 |
| vulnerability |
VCID-bzw6-4m1j-6fe2 |
|
| 20 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 21 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 22 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 23 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 24 |
| vulnerability |
VCID-dmkx-64cw-67ae |
|
| 25 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 26 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 27 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 28 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 29 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 30 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 31 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 32 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 33 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 34 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 35 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 36 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 37 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 38 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 39 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 40 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 41 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 42 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 43 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 44 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 45 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 46 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 47 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 48 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 49 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 50 |
| vulnerability |
VCID-rbax-edn6-d3aw |
|
| 51 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 52 |
| vulnerability |
VCID-ryzc-v8ju-zbcd |
|
| 53 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 54 |
| vulnerability |
VCID-smga-c628-mucb |
|
| 55 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 56 |
| vulnerability |
VCID-u6cq-nd7b-vucm |
|
| 57 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 58 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 59 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 60 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 61 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 62 |
| vulnerability |
VCID-yup6-6p9f-n7bu |
|
| 63 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 64 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.0-alpha.6 |
|
|
| aliases |
CVE-2026-30835, GHSA-9cp7-3q5w-j92g
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-j8xd-t1fd-hyba |
|
| 42 |
| url |
VCID-jh6w-1y2k-27de |
| vulnerability_id |
VCID-jh6w-1y2k-27de |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.12 and 8.6.25, the _GraphQLConfig and _Audience internal classes can be read, modified, and deleted via the generic /classes/_GraphQLConfig and /classes/_Audience REST API routes without master key authentication. This bypasses the master key enforcement that exists on the dedicated /graphql-config and /push_audiences endpoints. An attacker can read, modify and delete GraphQL configuration and push audience data. This vulnerability is fixed in 9.5.2-alpha.12 and 8.6.25. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.25 |
| purl |
pkg:npm/parse-server@8.6.25 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 4 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 5 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 6 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 7 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 8 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 9 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 10 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 11 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 12 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 13 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 14 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 15 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 16 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 17 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 18 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 19 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 20 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 21 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 22 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 23 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 24 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 25 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 26 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 27 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 28 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 29 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 30 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 31 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 32 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 33 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 34 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 35 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 36 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 37 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 38 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 39 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 40 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 41 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 42 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 43 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 44 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 45 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 46 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.25 |
|
| 1 |
| url |
pkg:npm/parse-server@9.5.2-alpha.12 |
| purl |
pkg:npm/parse-server@9.5.2-alpha.12 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 4 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 5 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 6 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 7 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 8 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 9 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 10 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 11 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 12 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 13 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 14 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 15 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 16 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 17 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 18 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 19 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 20 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 21 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 22 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 23 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 24 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 25 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 26 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 27 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 28 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 29 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 30 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 31 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 32 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 33 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 34 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 35 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 36 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 37 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 38 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 39 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 40 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 41 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 42 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 43 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 44 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 45 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 46 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.12 |
|
|
| aliases |
CVE-2026-31800, GHSA-7xg7-rqf6-pw6c
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jh6w-1y2k-27de |
|
| 43 |
| url |
VCID-kgbm-tgkt-nyew |
| vulnerability_id |
VCID-kgbm-tgkt-nyew |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.2 and 9.1.1-alpha.1, the Instagram authentication adapter allows clients to specify a custom API URL via the `apiURL` parameter in `authData`. This enables SSRF attacks and possibly authentication bypass if malicious endpoints return fake responses to validate unauthorized users. This is fixed in versions 8.6.2 and 9.1.1-alpha.1 by hardcoding the Instagram Graph API URL `https://graph.instagram.com` and ignoring client-provided `apiURL` values. No known workarounds are available. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.2 |
| purl |
pkg:npm/parse-server@8.6.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-22pk-5s6t-ufaw |
|
| 4 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 5 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 6 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 7 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 8 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 9 |
| vulnerability |
VCID-2t98-yfws-zfgn |
|
| 10 |
| vulnerability |
VCID-383v-s4c7-6bfu |
|
| 11 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 12 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 13 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 14 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 15 |
| vulnerability |
VCID-8cct-wkqq-nqdm |
|
| 16 |
| vulnerability |
VCID-9vdy-2u7g-w3cz |
|
| 17 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 18 |
| vulnerability |
VCID-brgs-d2uu-a7bt |
|
| 19 |
| vulnerability |
VCID-bzw6-4m1j-6fe2 |
|
| 20 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 21 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 22 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 23 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 24 |
| vulnerability |
VCID-dmkx-64cw-67ae |
|
| 25 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 26 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 27 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 28 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 29 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 30 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 31 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 32 |
| vulnerability |
VCID-gdee-x759-bbg9 |
|
| 33 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 34 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 35 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 36 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 37 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 38 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 39 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 40 |
| vulnerability |
VCID-j8xd-t1fd-hyba |
|
| 41 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 42 |
| vulnerability |
VCID-ma3z-wh1c-v7c8 |
|
| 43 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 44 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 45 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 46 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 47 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 48 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 49 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 50 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 51 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 52 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 53 |
| vulnerability |
VCID-rbax-edn6-d3aw |
|
| 54 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 55 |
| vulnerability |
VCID-ryzc-v8ju-zbcd |
|
| 56 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 57 |
| vulnerability |
VCID-sj7h-z87x-gfh3 |
|
| 58 |
| vulnerability |
VCID-smga-c628-mucb |
|
| 59 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 60 |
| vulnerability |
VCID-u6cq-nd7b-vucm |
|
| 61 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 62 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 63 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 64 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 65 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 66 |
| vulnerability |
VCID-yup6-6p9f-n7bu |
|
| 67 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 68 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.2 |
|
| 1 |
| url |
pkg:npm/parse-server@9.0.0-alpha.1 |
| purl |
pkg:npm/parse-server@9.0.0-alpha.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 1 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 2 |
| vulnerability |
VCID-383v-s4c7-6bfu |
|
| 3 |
| vulnerability |
VCID-8cct-wkqq-nqdm |
|
| 4 |
| vulnerability |
VCID-bzw6-4m1j-6fe2 |
|
| 5 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 6 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 7 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 8 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 9 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 10 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 11 |
| vulnerability |
VCID-rbax-edn6-d3aw |
|
| 12 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 13 |
| vulnerability |
VCID-ryzc-v8ju-zbcd |
|
| 14 |
| vulnerability |
VCID-u6cq-nd7b-vucm |
|
| 15 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 16 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 17 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.0.0-alpha.1 |
|
| 2 |
| url |
pkg:npm/parse-server@9.1.1-alpha.1 |
| purl |
pkg:npm/parse-server@9.1.1-alpha.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-22pk-5s6t-ufaw |
|
| 4 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 5 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 6 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 7 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 8 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 9 |
| vulnerability |
VCID-2t98-yfws-zfgn |
|
| 10 |
| vulnerability |
VCID-383v-s4c7-6bfu |
|
| 11 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 12 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 13 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 14 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 15 |
| vulnerability |
VCID-8cct-wkqq-nqdm |
|
| 16 |
| vulnerability |
VCID-9vdy-2u7g-w3cz |
|
| 17 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 18 |
| vulnerability |
VCID-brgs-d2uu-a7bt |
|
| 19 |
| vulnerability |
VCID-bzw6-4m1j-6fe2 |
|
| 20 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 21 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 22 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 23 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 24 |
| vulnerability |
VCID-dmkx-64cw-67ae |
|
| 25 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 26 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 27 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 28 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 29 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 30 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 31 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 32 |
| vulnerability |
VCID-gdee-x759-bbg9 |
|
| 33 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 34 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 35 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 36 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 37 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 38 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 39 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 40 |
| vulnerability |
VCID-j8xd-t1fd-hyba |
|
| 41 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 42 |
| vulnerability |
VCID-ma3z-wh1c-v7c8 |
|
| 43 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 44 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 45 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 46 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 47 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 48 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 49 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 50 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 51 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 52 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 53 |
| vulnerability |
VCID-rbax-edn6-d3aw |
|
| 54 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 55 |
| vulnerability |
VCID-ryzc-v8ju-zbcd |
|
| 56 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 57 |
| vulnerability |
VCID-sj7h-z87x-gfh3 |
|
| 58 |
| vulnerability |
VCID-smga-c628-mucb |
|
| 59 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 60 |
| vulnerability |
VCID-u6cq-nd7b-vucm |
|
| 61 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 62 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 63 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 64 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 65 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 66 |
| vulnerability |
VCID-yup6-6p9f-n7bu |
|
| 67 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 68 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.1.1-alpha.1 |
|
|
| aliases |
CVE-2025-68150, GHSA-3f5f-xgrj-97pf
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kgbm-tgkt-nyew |
|
| 44 |
| url |
VCID-ma3z-wh1c-v7c8 |
| vulnerability_id |
VCID-ma3z-wh1c-v7c8 |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.6 and 9.5.0-alpha.4, the readOnlyMasterKey can call POST /loginAs to obtain a valid session token for any user. This allows a read-only credential to impersonate arbitrary users with full read and write access to their data. Any Parse Server deployment that uses readOnlyMasterKey is affected. This issue has been patched in versions 8.6.6 and 9.5.0-alpha.4. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.6 |
| purl |
pkg:npm/parse-server@8.6.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-22pk-5s6t-ufaw |
|
| 4 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 5 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 6 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 7 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 8 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 9 |
| vulnerability |
VCID-2t98-yfws-zfgn |
|
| 10 |
| vulnerability |
VCID-383v-s4c7-6bfu |
|
| 11 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 12 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 13 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 14 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 15 |
| vulnerability |
VCID-8cct-wkqq-nqdm |
|
| 16 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 17 |
| vulnerability |
VCID-brgs-d2uu-a7bt |
|
| 18 |
| vulnerability |
VCID-bzw6-4m1j-6fe2 |
|
| 19 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 20 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 21 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 22 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 23 |
| vulnerability |
VCID-dmkx-64cw-67ae |
|
| 24 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 25 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 26 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 27 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 28 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 29 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 30 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 31 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 32 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 33 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 34 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 35 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 36 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 37 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 38 |
| vulnerability |
VCID-j8xd-t1fd-hyba |
|
| 39 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 40 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 41 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 42 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 43 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 44 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 45 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 46 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 47 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 48 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 49 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 50 |
| vulnerability |
VCID-rbax-edn6-d3aw |
|
| 51 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 52 |
| vulnerability |
VCID-ryzc-v8ju-zbcd |
|
| 53 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 54 |
| vulnerability |
VCID-smga-c628-mucb |
|
| 55 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 56 |
| vulnerability |
VCID-u6cq-nd7b-vucm |
|
| 57 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 58 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 59 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 60 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 61 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 62 |
| vulnerability |
VCID-yup6-6p9f-n7bu |
|
| 63 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 64 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.6 |
|
| 1 |
| url |
pkg:npm/parse-server@9.5.0-alpha.4 |
| purl |
pkg:npm/parse-server@9.5.0-alpha.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-14sg-981y-pbdx |
|
| 3 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 4 |
| vulnerability |
VCID-22pk-5s6t-ufaw |
|
| 5 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 6 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 7 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 8 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 9 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 10 |
| vulnerability |
VCID-2t98-yfws-zfgn |
|
| 11 |
| vulnerability |
VCID-383v-s4c7-6bfu |
|
| 12 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 13 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 14 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 15 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 16 |
| vulnerability |
VCID-8cct-wkqq-nqdm |
|
| 17 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 18 |
| vulnerability |
VCID-brgs-d2uu-a7bt |
|
| 19 |
| vulnerability |
VCID-bzw6-4m1j-6fe2 |
|
| 20 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 21 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 22 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 23 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 24 |
| vulnerability |
VCID-dmkx-64cw-67ae |
|
| 25 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 26 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 27 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 28 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 29 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 30 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 31 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 32 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 33 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 34 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 35 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 36 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 37 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 38 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 39 |
| vulnerability |
VCID-j8xd-t1fd-hyba |
|
| 40 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 41 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 42 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 43 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 44 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 45 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 46 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 47 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 48 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 49 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 50 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 51 |
| vulnerability |
VCID-rbax-edn6-d3aw |
|
| 52 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 53 |
| vulnerability |
VCID-ryzc-v8ju-zbcd |
|
| 54 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 55 |
| vulnerability |
VCID-smga-c628-mucb |
|
| 56 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 57 |
| vulnerability |
VCID-u6cq-nd7b-vucm |
|
| 58 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 59 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 60 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 61 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 62 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 63 |
| vulnerability |
VCID-yup6-6p9f-n7bu |
|
| 64 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 65 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.0-alpha.4 |
|
|
| aliases |
CVE-2026-30229, GHSA-79wj-8rqv-jvp5
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ma3z-wh1c-v7c8 |
|
| 45 |
| url |
VCID-mdgb-p4u1-uud5 |
| vulnerability_id |
VCID-mdgb-p4u1-uud5 |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.57 and 9.6.0-alpha.48, an authenticated user can overwrite server-generated session fields such as expiresAt and createdWith when updating their own session via the REST API. This allows bypassing the server's configured session lifetime policy, making a session effectively permanent. This issue has been patched in versions 8.6.57 and 9.6.0-alpha.48. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.57 |
| purl |
pkg:npm/parse-server@8.6.57 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 1 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 2 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 3 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 4 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 5 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 6 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 7 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 8 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 9 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 10 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 11 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 12 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 13 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 14 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 15 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 16 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.57 |
|
| 1 |
| url |
pkg:npm/parse-server@9.6.0-alpha.48 |
| purl |
pkg:npm/parse-server@9.6.0-alpha.48 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 1 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 2 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 3 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 4 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 5 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 6 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 7 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 8 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 9 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 10 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 11 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 12 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 13 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 14 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 15 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 16 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.48 |
|
|
| aliases |
CVE-2026-33527, GHSA-jc39-686j-wp6q
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mdgb-p4u1-uud5 |
|
| 46 |
| url |
VCID-mm7p-maf1-eyhq |
| vulnerability_id |
VCID-mm7p-maf1-eyhq |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.69 and 9.7.0-alpha.14, an authenticated user can bypass the immutability guard on session fields (expiresAt, createdWith) by sending a null value in a PUT request to the session update endpoint. This allows nullifying the session expiry, making the session valid indefinitely and bypassing configured session length policies. This issue has been patched in versions 8.6.69 and 9.7.0-alpha.14. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-34574, GHSA-f6j3-w9v3-cq22
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mm7p-maf1-eyhq |
|
| 47 |
| url |
VCID-mxgt-92ep-73fj |
| vulnerability_id |
VCID-mxgt-92ep-73fj |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.58 and 9.6.0-alpha.52, an unauthenticated attacker can cause denial of service by sending authentication requests with arbitrary, unconfigured provider names. The server executes a database query for each unconfigured provider before rejecting the request, and since no database index exists for unconfigured providers, each request triggers a full collection scan on the user database. This can be parallelized to saturate database resources. This issue has been patched in versions 8.6.58 and 9.6.0-alpha.52. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.58 |
| purl |
pkg:npm/parse-server@8.6.58 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 1 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 2 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 3 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 4 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 5 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 6 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 7 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 8 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 9 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 10 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 11 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 12 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 13 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 14 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 15 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.58 |
|
| 1 |
| url |
pkg:npm/parse-server@9.6.0-alpha.52 |
| purl |
pkg:npm/parse-server@9.6.0-alpha.52 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 1 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 2 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 3 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 4 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 5 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 6 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 7 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 8 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 9 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 10 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 11 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 12 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 13 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 14 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 15 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.52 |
|
|
| aliases |
CVE-2026-33538, GHSA-g4cf-xj29-wqqr
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mxgt-92ep-73fj |
|
| 48 |
| url |
VCID-n4s7-6vvk-skfz |
| vulnerability_id |
VCID-n4s7-6vvk-skfz |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads. A single unauthenticated request can block the Node.js event loop for seconds, denying service to all concurrent users. This only affects deployments that have enabled the requestComplexity.graphQLDepth or requestComplexity.graphQLFields configuration options. This issue has been patched in versions 8.6.68 and 9.7.0-alpha.12. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-34573, GHSA-mfj6-6p54-m98c
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-n4s7-6vvk-skfz |
|
| 49 |
| url |
VCID-n5mt-eebx-zbcf |
| vulnerability_id |
VCID-n5mt-eebx-zbcf |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.53 and 9.6.0-alpha.42, Parse Server's LiveQuery WebSocket interface does not enforce Class-Level Permission (CLP) pointer permissions (readUserFields and pointerFields). Any authenticated user can subscribe to LiveQuery events and receive real-time updates for all objects in classes protected by pointer permissions, regardless of whether the pointer fields on those objects point to the subscribing user. This bypasses the intended read access control, allowing unauthorized access to potentially sensitive data that is correctly restricted via the REST API. This issue has been patched in versions 8.6.53 and 9.6.0-alpha.42. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.53 |
| purl |
pkg:npm/parse-server@8.6.53 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 1 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 2 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 3 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 4 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 5 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 6 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 7 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 8 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 9 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 10 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 11 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 12 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 13 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 14 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 15 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 16 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 17 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.53 |
|
| 1 |
| url |
pkg:npm/parse-server@9.0.0-alpha.1 |
| purl |
pkg:npm/parse-server@9.0.0-alpha.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 1 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 2 |
| vulnerability |
VCID-383v-s4c7-6bfu |
|
| 3 |
| vulnerability |
VCID-8cct-wkqq-nqdm |
|
| 4 |
| vulnerability |
VCID-bzw6-4m1j-6fe2 |
|
| 5 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 6 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 7 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 8 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 9 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 10 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 11 |
| vulnerability |
VCID-rbax-edn6-d3aw |
|
| 12 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 13 |
| vulnerability |
VCID-ryzc-v8ju-zbcd |
|
| 14 |
| vulnerability |
VCID-u6cq-nd7b-vucm |
|
| 15 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 16 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 17 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.0.0-alpha.1 |
|
| 2 |
| url |
pkg:npm/parse-server@9.6.0-alpha.42 |
| purl |
pkg:npm/parse-server@9.6.0-alpha.42 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 1 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 2 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 3 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 4 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 5 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 6 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 7 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 8 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 9 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 10 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 11 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 12 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 13 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 14 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 15 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 16 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 17 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.42 |
|
|
| aliases |
CVE-2026-33421, GHSA-fph2-r4qg-9576
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-n5mt-eebx-zbcf |
|
| 50 |
| url |
VCID-nqev-h9w8-pudy |
| vulnerability_id |
VCID-nqev-h9w8-pudy |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.61 and 9.6.0-alpha.55, an authenticated user calling GET /users/me receives unsanitized auth data, including sensitive credentials such as MFA TOTP secrets and recovery codes. The endpoint internally uses master-level authentication for the session query, and the master context leaks through to the user data, bypassing auth adapter sanitization. An attacker who obtains a user's session token can extract MFA secrets to generate valid TOTP codes indefinitely. This issue has been patched in versions 8.6.61 and 9.6.0-alpha.55. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.61 |
| purl |
pkg:npm/parse-server@8.6.61 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 1 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 2 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 3 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 4 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 5 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 6 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 7 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 8 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 9 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 10 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 11 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 12 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.61 |
|
| 1 |
|
|
| aliases |
CVE-2026-33627, GHSA-37mj-c2wf-cx96
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nqev-h9w8-pudy |
|
| 51 |
| url |
VCID-nt51-v9gk-w3e8 |
| vulnerability_id |
VCID-nt51-v9gk-w3e8 |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.73 and 9.7.1-alpha.4, a file can be uploaded with a filename extension that passes the file extension allowlist (e.g., .txt) but with a Content-Type header that differs from the extension (e.g., text/html). The Content-Type is passed to the storage adapter without consistency validation. Storage adapters that store and serve the provided Content-Type (such as S3 or GCS) serve the file with the mismatched Content-Type. The default GridFS adapter is not affected because it derives Content-Type from the filename at serving time. This vulnerability is fixed in 8.6.73 and 9.7.1-alpha.4. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-35200, GHSA-vr5f-2r24-w5hc
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nt51-v9gk-w3e8 |
|
| 52 |
| url |
VCID-pkkz-wwqa-1ufw |
| vulnerability_id |
VCID-pkkz-wwqa-1ufw |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.7 and 8.6.20, Parse Server's internal tables, which store Relation field mappings such as role memberships, can be directly accessed via the REST API or GraphQL API by any client using only the application key. No master key is required. An attacker can create, read, update, or delete records in any internal relationship table. Exploiting this allows the attacker to inject themselves into any Parse Role, gaining all permissions associated with that role, including full read, write, and delete access to classes protected by role-based Class-Level Permissions (CLP). Similarly, writing to any such table that backs a Relation field used in a pointerFields CLP bypasses that access control. This vulnerability is fixed in 9.5.2-alpha.7 and 8.6.20. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.20 |
| purl |
pkg:npm/parse-server@8.6.20 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 4 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 5 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 6 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 7 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 8 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 9 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 10 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 11 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 12 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 13 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 14 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 15 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 16 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 17 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 18 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 19 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 20 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 21 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 22 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 23 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 24 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 25 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 26 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 27 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 28 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 29 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 30 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 31 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 32 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 33 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 34 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 35 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 36 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 37 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 38 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 39 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 40 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 41 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 42 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 43 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 44 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 45 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 46 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 47 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 48 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 49 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 50 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.20 |
|
| 1 |
| url |
pkg:npm/parse-server@9.5.2-alpha.7 |
| purl |
pkg:npm/parse-server@9.5.2-alpha.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 4 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 5 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 6 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 7 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 8 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 9 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 10 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 11 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 12 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 13 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 14 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 15 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 16 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 17 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 18 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 19 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 20 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 21 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 22 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 23 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 24 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 25 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 26 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 27 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 28 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 29 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 30 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 31 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 32 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 33 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 34 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 35 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 36 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 37 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 38 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 39 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 40 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 41 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 42 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 43 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 44 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 45 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 46 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 47 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 48 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 49 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 50 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.7 |
|
|
| aliases |
CVE-2026-30966, GHSA-5f92-jrq3-28rc
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pkkz-wwqa-1ufw |
|
| 53 |
| url |
VCID-q59u-ywkn-wbfw |
| vulnerability_id |
VCID-q59u-ywkn-wbfw |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.55 and 9.6.0-alpha.44, an attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server process. The server becomes completely unresponsive and must be manually restarted. This is a bypass of the fix for CVE-2026-32944. This issue has been patched in versions 8.6.55 and 9.6.0-alpha.44. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.55 |
| purl |
pkg:npm/parse-server@8.6.55 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 1 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 2 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 3 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 4 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 5 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 6 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 7 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 8 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 9 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 10 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 11 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 12 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 13 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 14 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 15 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 16 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 17 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.55 |
|
| 1 |
| url |
pkg:npm/parse-server@9.0.0-alpha.1 |
| purl |
pkg:npm/parse-server@9.0.0-alpha.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 1 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 2 |
| vulnerability |
VCID-383v-s4c7-6bfu |
|
| 3 |
| vulnerability |
VCID-8cct-wkqq-nqdm |
|
| 4 |
| vulnerability |
VCID-bzw6-4m1j-6fe2 |
|
| 5 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 6 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 7 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 8 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 9 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 10 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 11 |
| vulnerability |
VCID-rbax-edn6-d3aw |
|
| 12 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 13 |
| vulnerability |
VCID-ryzc-v8ju-zbcd |
|
| 14 |
| vulnerability |
VCID-u6cq-nd7b-vucm |
|
| 15 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 16 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 17 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.0.0-alpha.1 |
|
| 2 |
| url |
pkg:npm/parse-server@9.6.0-alpha.44 |
| purl |
pkg:npm/parse-server@9.6.0-alpha.44 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 1 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 2 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 3 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 4 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 5 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 6 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 7 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 8 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 9 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 10 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 11 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 12 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 13 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 14 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 15 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 16 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 17 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.44 |
|
|
| aliases |
CVE-2026-33498, GHSA-9fjp-q3c4-6w3j
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-q59u-ywkn-wbfw |
|
| 54 |
| url |
VCID-qybe-rg1s-6kau |
| vulnerability_id |
VCID-qybe-rg1s-6kau |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.5 and 8.6.31, a SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation (e.g., stats.counter). The sub-key name is interpolated directly into SQL string literals without escaping. An attacker who can send write requests to the Parse Server REST API can inject arbitrary SQL via a crafted sub-key name containing single quotes, potentially executing commands or reading data from the database, bypassing CLPs and ACLs. Only Postgres deployments are affected. This vulnerability is fixed in 9.6.0-alpha.5 and 8.6.31. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.31 |
| purl |
pkg:npm/parse-server@8.6.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 4 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 5 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 6 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 7 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 8 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 9 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 10 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 11 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 12 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 13 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 14 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 15 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 16 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 17 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 18 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 19 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 20 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 21 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 22 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 23 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 24 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 25 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 26 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 27 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 28 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 29 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 30 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 31 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 32 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 33 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 34 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 35 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 36 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 37 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 38 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 39 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 40 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 41 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.31 |
|
| 1 |
| url |
pkg:npm/parse-server@9.6.0-alpha.5 |
| purl |
pkg:npm/parse-server@9.6.0-alpha.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 4 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 5 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 6 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 7 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 8 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 9 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 10 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 11 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 12 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 13 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 14 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 15 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 16 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 17 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 18 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 19 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 20 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 21 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 22 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 23 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 24 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 25 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 26 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 27 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 28 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 29 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 30 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 31 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 32 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 33 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 34 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 35 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 36 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 37 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 38 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 39 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 40 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 41 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.5 |
|
|
| aliases |
CVE-2026-31871, GHSA-gqpp-xgvh-9h7h
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qybe-rg1s-6kau |
|
| 55 |
| url |
VCID-rbax-edn6-d3aw |
| vulnerability_id |
VCID-rbax-edn6-d3aw |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint (GET /files/:appId/metadata/:filename) does not enforce beforeFind / afterFind file triggers. When these triggers are used as access-control gates, the metadata endpoint bypasses them entirely, allowing unauthorized access to file metadata. This issue has been patched in versions 8.6.9 and 9.5.0-alpha.9. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.9 |
| purl |
pkg:npm/parse-server@8.6.9 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-22pk-5s6t-ufaw |
|
| 4 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 5 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 6 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 7 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 8 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 9 |
| vulnerability |
VCID-2t98-yfws-zfgn |
|
| 10 |
| vulnerability |
VCID-383v-s4c7-6bfu |
|
| 11 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 12 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 13 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 14 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 15 |
| vulnerability |
VCID-8cct-wkqq-nqdm |
|
| 16 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 17 |
| vulnerability |
VCID-brgs-d2uu-a7bt |
|
| 18 |
| vulnerability |
VCID-bzw6-4m1j-6fe2 |
|
| 19 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 20 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 21 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 22 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 23 |
| vulnerability |
VCID-dmkx-64cw-67ae |
|
| 24 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 25 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 26 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 27 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 28 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 29 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 30 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 31 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 32 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 33 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 34 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 35 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 36 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 37 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 38 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 39 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 40 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 41 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 42 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 43 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 44 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 45 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 46 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 47 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 48 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 49 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 50 |
| vulnerability |
VCID-ryzc-v8ju-zbcd |
|
| 51 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 52 |
| vulnerability |
VCID-smga-c628-mucb |
|
| 53 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 54 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 55 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 56 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 57 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 58 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 59 |
| vulnerability |
VCID-yup6-6p9f-n7bu |
|
| 60 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 61 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.9 |
|
| 1 |
| url |
pkg:npm/parse-server@9.5.0-alpha.9 |
| purl |
pkg:npm/parse-server@9.5.0-alpha.9 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-14sg-981y-pbdx |
|
| 3 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 4 |
| vulnerability |
VCID-22pk-5s6t-ufaw |
|
| 5 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 6 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 7 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 8 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 9 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 10 |
| vulnerability |
VCID-2t98-yfws-zfgn |
|
| 11 |
| vulnerability |
VCID-383v-s4c7-6bfu |
|
| 12 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 13 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 14 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 15 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 16 |
| vulnerability |
VCID-8cct-wkqq-nqdm |
|
| 17 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 18 |
| vulnerability |
VCID-brgs-d2uu-a7bt |
|
| 19 |
| vulnerability |
VCID-bzw6-4m1j-6fe2 |
|
| 20 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 21 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 22 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 23 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 24 |
| vulnerability |
VCID-dmkx-64cw-67ae |
|
| 25 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 26 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 27 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 28 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 29 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 30 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 31 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 32 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 33 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 34 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 35 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 36 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 37 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 38 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 39 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 40 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 41 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 42 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 43 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 44 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 45 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 46 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 47 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 48 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 49 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 50 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 51 |
| vulnerability |
VCID-ryzc-v8ju-zbcd |
|
| 52 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 53 |
| vulnerability |
VCID-smga-c628-mucb |
|
| 54 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 55 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 56 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 57 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 58 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 59 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 60 |
| vulnerability |
VCID-yup6-6p9f-n7bu |
|
| 61 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 62 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.0-alpha.9 |
|
|
| aliases |
CVE-2026-30850, GHSA-hwx8-q9cg-mqmc
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rbax-edn6-d3aw |
|
| 56 |
| url |
VCID-rr98-m4bd-dqhf |
| vulnerability_id |
VCID-rr98-m4bd-dqhf |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.34 and 9.6.0-alpha.8, the email verification endpoint (/verificationEmailRequest) returns distinct error responses depending on whether an email address belongs to an existing user, is already verified, or does not exist. An attacker can send requests with different email addresses and observe the error codes to determine which email addresses are registered in the application. This is a user enumeration vulnerability that affects any Parse Server deployment with email verification enabled (verifyUserEmails: true). This vulnerability is fixed in 8.6.34 and 9.6.0-alpha.8. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.34 |
| purl |
pkg:npm/parse-server@8.6.34 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 4 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 5 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 6 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 7 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 8 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 9 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 10 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 11 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 12 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 13 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 14 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 15 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 16 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 17 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 18 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 19 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 20 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 21 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 22 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 23 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 24 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 25 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 26 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 27 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 28 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 29 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 30 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 31 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 32 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 33 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 34 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 35 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 36 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 37 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 38 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.34 |
|
| 1 |
| url |
pkg:npm/parse-server@9.6.0-alpha.8 |
| purl |
pkg:npm/parse-server@9.6.0-alpha.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 4 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 5 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 6 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 7 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 8 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 9 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 10 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 11 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 12 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 13 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 14 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 15 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 16 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 17 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 18 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 19 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 20 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 21 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 22 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 23 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 24 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 25 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 26 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 27 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 28 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 29 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 30 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 31 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 32 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 33 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 34 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 35 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 36 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 37 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 38 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.8 |
|
|
| aliases |
CVE-2026-31901, GHSA-w54v-hf9p-8856
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rr98-m4bd-dqhf |
|
| 57 |
| url |
VCID-ryzc-v8ju-zbcd |
| vulnerability_id |
VCID-ryzc-v8ju-zbcd |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.10 and 9.5.0-alpha.11, the Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter's audience configuration option is not set (clientId for Google/Apple, appIds for Facebook), JWT verification silently skips audience claim validation. This allows an attacker to use a validly signed JWT issued for a different application to authenticate as any user on the target Parse Server. This issue has been patched in versions 8.6.10 and 9.5.0-alpha.11. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.10 |
| purl |
pkg:npm/parse-server@8.6.10 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-22pk-5s6t-ufaw |
|
| 4 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 5 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 6 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 7 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 8 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 9 |
| vulnerability |
VCID-2t98-yfws-zfgn |
|
| 10 |
| vulnerability |
VCID-383v-s4c7-6bfu |
|
| 11 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 12 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 13 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 14 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 15 |
| vulnerability |
VCID-8cct-wkqq-nqdm |
|
| 16 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 17 |
| vulnerability |
VCID-brgs-d2uu-a7bt |
|
| 18 |
| vulnerability |
VCID-bzw6-4m1j-6fe2 |
|
| 19 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 20 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 21 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 22 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 23 |
| vulnerability |
VCID-dmkx-64cw-67ae |
|
| 24 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 25 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 26 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 27 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 28 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 29 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 30 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 31 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 32 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 33 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 34 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 35 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 36 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 37 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 38 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 39 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 40 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 41 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 42 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 43 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 44 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 45 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 46 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 47 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 48 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 49 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 50 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 51 |
| vulnerability |
VCID-smga-c628-mucb |
|
| 52 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 53 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 54 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 55 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 56 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 57 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 58 |
| vulnerability |
VCID-yup6-6p9f-n7bu |
|
| 59 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 60 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.10 |
|
| 1 |
| url |
pkg:npm/parse-server@9.5.0-alpha.11 |
| purl |
pkg:npm/parse-server@9.5.0-alpha.11 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-22pk-5s6t-ufaw |
|
| 4 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 5 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 6 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 7 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 8 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 9 |
| vulnerability |
VCID-2t98-yfws-zfgn |
|
| 10 |
| vulnerability |
VCID-383v-s4c7-6bfu |
|
| 11 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 12 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 13 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 14 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 15 |
| vulnerability |
VCID-8cct-wkqq-nqdm |
|
| 16 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 17 |
| vulnerability |
VCID-brgs-d2uu-a7bt |
|
| 18 |
| vulnerability |
VCID-bzw6-4m1j-6fe2 |
|
| 19 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 20 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 21 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 22 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 23 |
| vulnerability |
VCID-dmkx-64cw-67ae |
|
| 24 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 25 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 26 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 27 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 28 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 29 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 30 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 31 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 32 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 33 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 34 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 35 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 36 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 37 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 38 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 39 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 40 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 41 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 42 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 43 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 44 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 45 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 46 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 47 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 48 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 49 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 50 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 51 |
| vulnerability |
VCID-smga-c628-mucb |
|
| 52 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 53 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 54 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 55 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 56 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 57 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 58 |
| vulnerability |
VCID-yup6-6p9f-n7bu |
|
| 59 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 60 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.0-alpha.11 |
|
|
| aliases |
CVE-2026-30863, GHSA-x6fw-778m-wr9v
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ryzc-v8ju-zbcd |
|
| 58 |
| url |
VCID-s2mj-yppn-ckaa |
| vulnerability_id |
VCID-s2mj-yppn-ckaa |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.12 and 8.6.38, an unauthenticated attacker can take over any user account that was created with an authentication provider that does not validate the format of the user identifier (e.g. anonymous authentication). By sending a crafted login request, the attacker can cause the server to perform a pattern-matching query instead of an exact-match lookup, allowing the attacker to match an existing user and obtain a valid session token for that user's account. Both MongoDB and PostgreSQL database backends are affected. Any Parse Server deployment that allows anonymous authentication (enabled by default) is vulnerable. This vulnerability is fixed in 9.6.0-alpha.12 and 8.6.38. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.38 |
| purl |
pkg:npm/parse-server@8.6.38 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 4 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 5 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 6 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 7 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 8 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 9 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 10 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 11 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 12 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 13 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 14 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 15 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 16 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 17 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 18 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 19 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 20 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 21 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 22 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 23 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 24 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 25 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 26 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 27 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 28 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 29 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 30 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 31 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 32 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 33 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 34 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.38 |
|
| 1 |
| url |
pkg:npm/parse-server@9.6.0-alpha.12 |
| purl |
pkg:npm/parse-server@9.6.0-alpha.12 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 4 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 5 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 6 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 7 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 8 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 9 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 10 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 11 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 12 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 13 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 14 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 15 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 16 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 17 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 18 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 19 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 20 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 21 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 22 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 23 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 24 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 25 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 26 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 27 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 28 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 29 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 30 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 31 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 32 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 33 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 34 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.12 |
|
|
| aliases |
CVE-2026-32248, GHSA-5fw2-8jcv-xh87
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-s2mj-yppn-ckaa |
|
| 59 |
| url |
VCID-sj7h-z87x-gfh3 |
| vulnerability_id |
VCID-sj7h-z87x-gfh3 |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.3 and 9.1.1-alpha.4, an unauthenticated attacker can forge a Google authentication token with `alg: "none"` to log in as any user linked to a Google account, without knowing their credentials. All deployments with Google authentication enabled are affected. The fix in versions 8.6.3 and 9.1.1-alpha.4 hardcodes the expected `RS256` algorithm instead of trusting the JWT header, and replaces the Google adapter's custom key fetcher with `jwks-rsa` which rejects unknown key IDs. As a workaround, dsable Google authentication until upgrading is possible. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.3 |
| purl |
pkg:npm/parse-server@8.6.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-22pk-5s6t-ufaw |
|
| 4 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 5 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 6 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 7 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 8 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 9 |
| vulnerability |
VCID-2t98-yfws-zfgn |
|
| 10 |
| vulnerability |
VCID-383v-s4c7-6bfu |
|
| 11 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 12 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 13 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 14 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 15 |
| vulnerability |
VCID-8cct-wkqq-nqdm |
|
| 16 |
| vulnerability |
VCID-9vdy-2u7g-w3cz |
|
| 17 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 18 |
| vulnerability |
VCID-brgs-d2uu-a7bt |
|
| 19 |
| vulnerability |
VCID-bzw6-4m1j-6fe2 |
|
| 20 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 21 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 22 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 23 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 24 |
| vulnerability |
VCID-dmkx-64cw-67ae |
|
| 25 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 26 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 27 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 28 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 29 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 30 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 31 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 32 |
| vulnerability |
VCID-gdee-x759-bbg9 |
|
| 33 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 34 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 35 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 36 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 37 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 38 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 39 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 40 |
| vulnerability |
VCID-j8xd-t1fd-hyba |
|
| 41 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 42 |
| vulnerability |
VCID-ma3z-wh1c-v7c8 |
|
| 43 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 44 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 45 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 46 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 47 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 48 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 49 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 50 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 51 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 52 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 53 |
| vulnerability |
VCID-rbax-edn6-d3aw |
|
| 54 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 55 |
| vulnerability |
VCID-ryzc-v8ju-zbcd |
|
| 56 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 57 |
| vulnerability |
VCID-smga-c628-mucb |
|
| 58 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 59 |
| vulnerability |
VCID-u6cq-nd7b-vucm |
|
| 60 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 61 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 62 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 63 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 64 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 65 |
| vulnerability |
VCID-yup6-6p9f-n7bu |
|
| 66 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 67 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.3 |
|
| 1 |
| url |
pkg:npm/parse-server@9.3.1-alpha.4 |
| purl |
pkg:npm/parse-server@9.3.1-alpha.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-14sg-981y-pbdx |
|
| 3 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 4 |
| vulnerability |
VCID-22pk-5s6t-ufaw |
|
| 5 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 6 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 7 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 8 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 9 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 10 |
| vulnerability |
VCID-2t98-yfws-zfgn |
|
| 11 |
| vulnerability |
VCID-383v-s4c7-6bfu |
|
| 12 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 13 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 14 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 15 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 16 |
| vulnerability |
VCID-8cct-wkqq-nqdm |
|
| 17 |
| vulnerability |
VCID-9vdy-2u7g-w3cz |
|
| 18 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 19 |
| vulnerability |
VCID-brgs-d2uu-a7bt |
|
| 20 |
| vulnerability |
VCID-bzw6-4m1j-6fe2 |
|
| 21 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 22 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 23 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 24 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 25 |
| vulnerability |
VCID-dmkx-64cw-67ae |
|
| 26 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 27 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 28 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 29 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 30 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 31 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 32 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 33 |
| vulnerability |
VCID-gdee-x759-bbg9 |
|
| 34 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 35 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 36 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 37 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 38 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 39 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 40 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 41 |
| vulnerability |
VCID-j8xd-t1fd-hyba |
|
| 42 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 43 |
| vulnerability |
VCID-ma3z-wh1c-v7c8 |
|
| 44 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 45 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 46 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 47 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 48 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 49 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 50 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 51 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 52 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 53 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 54 |
| vulnerability |
VCID-rbax-edn6-d3aw |
|
| 55 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 56 |
| vulnerability |
VCID-ryzc-v8ju-zbcd |
|
| 57 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 58 |
| vulnerability |
VCID-smga-c628-mucb |
|
| 59 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 60 |
| vulnerability |
VCID-u6cq-nd7b-vucm |
|
| 61 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 62 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 63 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 64 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 65 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 66 |
| vulnerability |
VCID-yup6-6p9f-n7bu |
|
| 67 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 68 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.3.1-alpha.4 |
|
|
| aliases |
CVE-2026-27804, GHSA-4q3h-vp4r-prv2
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-sj7h-z87x-gfh3 |
|
| 60 |
| url |
VCID-smga-c628-mucb |
| vulnerability_id |
VCID-smga-c628-mucb |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.5 and 8.6.18, the Keycloak authentication adapter does not validate the azp (authorized party) claim of Keycloak access tokens against the configured client-id. A valid access token issued by the same Keycloak realm for a different client application can be used to authenticate as any user on the Parse Server that uses the Keycloak adapter. This enables cross-application account takeover in multi-client Keycloak realms. All Parse Server deployments that use the Keycloak authentication adapter with a Keycloak realm that has multiple client applications are affected. This vulnerability is fixed in 9.5.2-alpha.5 and 8.6.18. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.18 |
| purl |
pkg:npm/parse-server@8.6.18 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 4 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 5 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 6 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 7 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 8 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 9 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 10 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 11 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 12 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 13 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 14 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 15 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 16 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 17 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 18 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 19 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 20 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 21 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 22 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 23 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 24 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 25 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 26 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 27 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 28 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 29 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 30 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 31 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 32 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 33 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 34 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 35 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 36 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 37 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 38 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 39 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 40 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 41 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 42 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 43 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 44 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 45 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 46 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 47 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 48 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 49 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 50 |
| vulnerability |
VCID-yup6-6p9f-n7bu |
|
| 51 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 52 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.18 |
|
| 1 |
| url |
pkg:npm/parse-server@9.5.2-alpha.5 |
| purl |
pkg:npm/parse-server@9.5.2-alpha.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 4 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 5 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 6 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 7 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 8 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 9 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 10 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 11 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 12 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 13 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 14 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 15 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 16 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 17 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 18 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 19 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 20 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 21 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 22 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 23 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 24 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 25 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 26 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 27 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 28 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 29 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 30 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 31 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 32 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 33 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 34 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 35 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 36 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 37 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 38 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 39 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 40 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 41 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 42 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 43 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 44 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 45 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 46 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 47 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 48 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 49 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 50 |
| vulnerability |
VCID-yup6-6p9f-n7bu |
|
| 51 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 52 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.5 |
|
|
| aliases |
CVE-2026-30949, GHSA-48mh-j4p5-7j9v
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-smga-c628-mucb |
|
| 61 |
| url |
VCID-tuts-aegs-r7e7 |
| vulnerability_id |
VCID-tuts-aegs-r7e7 |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.56 and 9.6.0-alpha.45, Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription requests. An attacker can send a subscription with deeply nested logical operators, causing excessive recursion and CPU consumption that degrades or disrupts service availability. This issue has been patched in versions 8.6.56 and 9.6.0-alpha.45. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.56 |
| purl |
pkg:npm/parse-server@8.6.56 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 1 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 2 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 3 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 4 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 5 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 6 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 7 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 8 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 9 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 10 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 11 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 12 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 13 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 14 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 15 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 16 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 17 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.56 |
|
| 1 |
| url |
pkg:npm/parse-server@9.0.0-alpha.1 |
| purl |
pkg:npm/parse-server@9.0.0-alpha.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 1 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 2 |
| vulnerability |
VCID-383v-s4c7-6bfu |
|
| 3 |
| vulnerability |
VCID-8cct-wkqq-nqdm |
|
| 4 |
| vulnerability |
VCID-bzw6-4m1j-6fe2 |
|
| 5 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 6 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 7 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 8 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 9 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 10 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 11 |
| vulnerability |
VCID-rbax-edn6-d3aw |
|
| 12 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 13 |
| vulnerability |
VCID-ryzc-v8ju-zbcd |
|
| 14 |
| vulnerability |
VCID-u6cq-nd7b-vucm |
|
| 15 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 16 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 17 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.0.0-alpha.1 |
|
| 2 |
| url |
pkg:npm/parse-server@9.6.0-alpha.45 |
| purl |
pkg:npm/parse-server@9.6.0-alpha.45 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 1 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 2 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 3 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 4 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 5 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 6 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 7 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 8 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 9 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 10 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 11 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 12 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 13 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 14 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 15 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 16 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 17 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.45 |
|
|
| aliases |
CVE-2026-33508, GHSA-6qh5-m6g3-xhq6
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-tuts-aegs-r7e7 |
|
| 62 |
| url |
VCID-u6cq-nd7b-vucm |
| vulnerability_id |
VCID-u6cq-nd7b-vucm |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0-alpha.8, the PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured pagesPath directory. The boundary check uses a string prefix comparison without enforcing a directory separator boundary. An attacker can use path traversal sequences to access files in sibling directories whose names share the same prefix as the pages directory (e.g. pages-secret starts with pages). This issue has been patched in versions 8.6.8 and 9.5.0-alpha.8. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.8 |
| purl |
pkg:npm/parse-server@8.6.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-22pk-5s6t-ufaw |
|
| 4 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 5 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 6 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 7 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 8 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 9 |
| vulnerability |
VCID-2t98-yfws-zfgn |
|
| 10 |
| vulnerability |
VCID-383v-s4c7-6bfu |
|
| 11 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 12 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 13 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 14 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 15 |
| vulnerability |
VCID-8cct-wkqq-nqdm |
|
| 16 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 17 |
| vulnerability |
VCID-brgs-d2uu-a7bt |
|
| 18 |
| vulnerability |
VCID-bzw6-4m1j-6fe2 |
|
| 19 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 20 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 21 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 22 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 23 |
| vulnerability |
VCID-dmkx-64cw-67ae |
|
| 24 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 25 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 26 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 27 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 28 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 29 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 30 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 31 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 32 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 33 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 34 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 35 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 36 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 37 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 38 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 39 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 40 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 41 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 42 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 43 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 44 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 45 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 46 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 47 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 48 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 49 |
| vulnerability |
VCID-rbax-edn6-d3aw |
|
| 50 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 51 |
| vulnerability |
VCID-ryzc-v8ju-zbcd |
|
| 52 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 53 |
| vulnerability |
VCID-smga-c628-mucb |
|
| 54 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 55 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 56 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 57 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 58 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 59 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 60 |
| vulnerability |
VCID-yup6-6p9f-n7bu |
|
| 61 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 62 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.8 |
|
| 1 |
| url |
pkg:npm/parse-server@9.5.0-alpha.8 |
| purl |
pkg:npm/parse-server@9.5.0-alpha.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-14sg-981y-pbdx |
|
| 3 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 4 |
| vulnerability |
VCID-22pk-5s6t-ufaw |
|
| 5 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 6 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 7 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 8 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 9 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 10 |
| vulnerability |
VCID-2t98-yfws-zfgn |
|
| 11 |
| vulnerability |
VCID-383v-s4c7-6bfu |
|
| 12 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 13 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 14 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 15 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 16 |
| vulnerability |
VCID-8cct-wkqq-nqdm |
|
| 17 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 18 |
| vulnerability |
VCID-brgs-d2uu-a7bt |
|
| 19 |
| vulnerability |
VCID-bzw6-4m1j-6fe2 |
|
| 20 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 21 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 22 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 23 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 24 |
| vulnerability |
VCID-dmkx-64cw-67ae |
|
| 25 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 26 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 27 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 28 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 29 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 30 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 31 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 32 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 33 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 34 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 35 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 36 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 37 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 38 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 39 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 40 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 41 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 42 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 43 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 44 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 45 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 46 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 47 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 48 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 49 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 50 |
| vulnerability |
VCID-rbax-edn6-d3aw |
|
| 51 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 52 |
| vulnerability |
VCID-ryzc-v8ju-zbcd |
|
| 53 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 54 |
| vulnerability |
VCID-smga-c628-mucb |
|
| 55 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 56 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 57 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 58 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 59 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 60 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 61 |
| vulnerability |
VCID-yup6-6p9f-n7bu |
|
| 62 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 63 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.0-alpha.8 |
|
|
| aliases |
CVE-2026-30848, GHSA-hm3f-q6rw-m6wh
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-u6cq-nd7b-vucm |
|
| 63 |
| url |
VCID-vmwk-3myb-u7ds |
| vulnerability_id |
VCID-vmwk-3myb-u7ds |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFind(Parse.File) trigger and its validators on storage adapters that support streaming (e.g. the default GridFS adapter). This allows access to files that should be protected by afterFind trigger authorization logic or built-in validators such as requireUser. This issue has been patched in versions 8.6.71 and 9.7.1-alpha.1. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-34784, GHSA-hpm8-9qx6-jvwv
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vmwk-3myb-u7ds |
|
| 64 |
| url |
VCID-w175-44z9-c3h5 |
| vulnerability_id |
VCID-w175-44z9-c3h5 |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.7 and 8.6.33, when multi-factor authentication (MFA) via TOTP is enabled for a user account, Parse Server generates two single-use recovery codes. These codes are intended as a fallback when the user cannot provide a TOTP token. However, recovery codes are not consumed after use, allowing the same recovery code to be used an unlimited number of times. This defeats the single-use design of recovery codes and weakens the security of MFA-protected accounts. An attacker who obtains a single recovery code can repeatedly authenticate as the affected user without the code ever being invalidated. This vulnerability is fixed in 9.6.0-alpha.7 and 8.6.33. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.33 |
| purl |
pkg:npm/parse-server@8.6.33 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 4 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 5 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 6 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 7 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 8 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 9 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 10 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 11 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 12 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 13 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 14 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 15 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 16 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 17 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 18 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 19 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 20 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 21 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 22 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 23 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 24 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 25 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 26 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 27 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 28 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 29 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 30 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 31 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 32 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 33 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 34 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 35 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 36 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 37 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 38 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 39 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.33 |
|
| 1 |
| url |
pkg:npm/parse-server@9.6.0-alpha.7 |
| purl |
pkg:npm/parse-server@9.6.0-alpha.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 4 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 5 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 6 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 7 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 8 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 9 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 10 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 11 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 12 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 13 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 14 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 15 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 16 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 17 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 18 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 19 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 20 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 21 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 22 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 23 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 24 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 25 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 26 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 27 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 28 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 29 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 30 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 31 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 32 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 33 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 34 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 35 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 36 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 37 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 38 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 39 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.7 |
|
|
| aliases |
CVE-2026-31875, GHSA-4hf6-3x24-c9m8
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-w175-44z9-c3h5 |
|
| 65 |
| url |
VCID-wqxc-qnu8-q7d7 |
| vulnerability_id |
VCID-wqxc-qnu8-q7d7 |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.59 and 9.6.0-alpha.53, an attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name parameters of the aggregate $group pipeline stage or the distinct operation. This allows privilege escalation from Parse Server application-level administrator to PostgreSQL database-level access. Only Parse Server deployments using PostgreSQL are affected. MongoDB deployments are not affected. This issue has been patched in versions 8.6.59 and 9.6.0-alpha.53. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.59 |
| purl |
pkg:npm/parse-server@8.6.59 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 1 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 2 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 3 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 4 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 5 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 6 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 7 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 8 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 9 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 10 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 11 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 12 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 13 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 14 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.59 |
|
| 1 |
| url |
pkg:npm/parse-server@9.6.0-alpha.53 |
| purl |
pkg:npm/parse-server@9.6.0-alpha.53 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 1 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 2 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 3 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 4 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 5 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 6 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 7 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 8 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 9 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 10 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 11 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 12 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 13 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 14 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.53 |
|
|
| aliases |
CVE-2026-33539, GHSA-p2w6-rmh7-w8q3
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wqxc-qnu8-q7d7 |
|
| 66 |
| url |
VCID-wtbe-kc8y-77dk |
| vulnerability_id |
VCID-wtbe-kc8y-77dk |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.9. and 8.6.22, the OAuth2 authentication adapter, when configured without the useridField option, only verifies that a token is active via the provider's token introspection endpoint, but does not verify that the token belongs to the user identified by authData.id. An attacker with any valid OAuth2 token from the same provider can authenticate as any other user. This affects any Parse Server deployment that uses the generic OAuth2 authentication adapter (configured with oauth2: true) without setting the useridField option. This vulnerability is fixed in 9.5.2-alpha.9. and 8.6.22. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.22 |
| purl |
pkg:npm/parse-server@8.6.22 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 4 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 5 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 6 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 7 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 8 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 9 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 10 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 11 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 12 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 13 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 14 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 15 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 16 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 17 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 18 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 19 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 20 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 21 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 22 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 23 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 24 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 25 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 26 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 27 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 28 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 29 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 30 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 31 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 32 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 33 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 34 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 35 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 36 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 37 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 38 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 39 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 40 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 41 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 42 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 43 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 44 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 45 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 46 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 47 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 48 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.22 |
|
| 1 |
| url |
pkg:npm/parse-server@9.5.2-alpha.9 |
| purl |
pkg:npm/parse-server@9.5.2-alpha.9 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 4 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 5 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 6 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 7 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 8 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 9 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 10 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 11 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 12 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 13 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 14 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 15 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 16 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 17 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 18 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 19 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 20 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 21 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 22 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 23 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 24 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 25 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 26 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 27 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 28 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 29 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 30 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 31 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 32 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 33 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 34 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 35 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 36 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 37 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 38 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 39 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 40 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 41 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 42 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 43 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 44 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 45 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 46 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 47 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 48 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.9 |
|
|
| aliases |
CVE-2026-30967, GHSA-fr88-w35c-r596
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wtbe-kc8y-77dk |
|
| 67 |
| url |
VCID-xrz4-1vpd-2qeg |
| vulnerability_id |
VCID-xrz4-1vpd-2qeg |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.6 and 8.6.32, the protectedFields class-level permission (CLP) can be bypassed using dot-notation in query WHERE clauses and sort parameters. An attacker can use dot-notation to query or sort by sub-fields of a protected field, enabling a binary oracle attack to enumerate protected field values. This affects both MongoDB and PostgreSQL deployments. This vulnerability is fixed in 9.6.0-alpha.6 and 8.6.32. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.32 |
| purl |
pkg:npm/parse-server@8.6.32 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 4 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 5 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 6 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 7 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 8 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 9 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 10 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 11 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 12 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 13 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 14 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 15 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 16 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 17 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 18 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 19 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 20 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 21 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 22 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 23 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 24 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 25 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 26 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 27 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 28 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 29 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 30 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 31 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 32 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 33 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 34 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 35 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 36 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 37 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 38 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 39 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 40 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.32 |
|
| 1 |
| url |
pkg:npm/parse-server@9.6.0-alpha.6 |
| purl |
pkg:npm/parse-server@9.6.0-alpha.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 4 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 5 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 6 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 7 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 8 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 9 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 10 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 11 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 12 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 13 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 14 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 15 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 16 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 17 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 18 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 19 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 20 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 21 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 22 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 23 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 24 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 25 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 26 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 27 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 28 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 29 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 30 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 31 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 32 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 33 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 34 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 35 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 36 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 37 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 38 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 39 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 40 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.6 |
|
|
| aliases |
CVE-2026-31872, GHSA-r2m8-pxm9-9c4g
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xrz4-1vpd-2qeg |
|
| 68 |
| url |
VCID-xtz1-mhr3-mkah |
| vulnerability_id |
VCID-xtz1-mhr3-mkah |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. The MongoDB `explain()` method provides detailed information about query execution plans, including index usage, collection scanning behavior, and performance metrics. Prior to version 8.5.0-alpha.5, Parse Server permits any client to execute explain queries without requiring the master key. This exposes database schema structure and field names, index configurations and query optimization details, query execution statistics and performance metrics, and potential attack vectors for database performance exploitation. In version 8.5.0-alpha.5, a new `databaseOptions.allowPublicExplain` configuration option has been introduced that allows to restrict `explain` queries to the master key. The option defaults to `true` for now to avoid a breaking change in production systems that depends on public `explain` availability. In addition, a security warning is logged when the option is not explicitly set, or set to `true`. In a future major release of Parse Server, the default will change to `false`. As a workaround, implement middleware to block explain queries from non-master-key requests, or monitor and alert on explain query usage in production environments. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.5.0-alpha.5 |
| purl |
pkg:npm/parse-server@8.5.0-alpha.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-22pk-5s6t-ufaw |
|
| 4 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 5 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 6 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 7 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 8 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 9 |
| vulnerability |
VCID-2t98-yfws-zfgn |
|
| 10 |
| vulnerability |
VCID-383v-s4c7-6bfu |
|
| 11 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 12 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 13 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 14 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 15 |
| vulnerability |
VCID-8cct-wkqq-nqdm |
|
| 16 |
| vulnerability |
VCID-9vdy-2u7g-w3cz |
|
| 17 |
| vulnerability |
VCID-anju-zz89-sfad |
|
| 18 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 19 |
| vulnerability |
VCID-brgs-d2uu-a7bt |
|
| 20 |
| vulnerability |
VCID-bzw6-4m1j-6fe2 |
|
| 21 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 22 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 23 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 24 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 25 |
| vulnerability |
VCID-dmkx-64cw-67ae |
|
| 26 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 27 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 28 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 29 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 30 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 31 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 32 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 33 |
| vulnerability |
VCID-gdee-x759-bbg9 |
|
| 34 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 35 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 36 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 37 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 38 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 39 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 40 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 41 |
| vulnerability |
VCID-j8xd-t1fd-hyba |
|
| 42 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 43 |
| vulnerability |
VCID-kgbm-tgkt-nyew |
|
| 44 |
| vulnerability |
VCID-ma3z-wh1c-v7c8 |
|
| 45 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 46 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 47 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 48 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 49 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 50 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 51 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 52 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 53 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 54 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 55 |
| vulnerability |
VCID-rbax-edn6-d3aw |
|
| 56 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 57 |
| vulnerability |
VCID-ryzc-v8ju-zbcd |
|
| 58 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 59 |
| vulnerability |
VCID-sj7h-z87x-gfh3 |
|
| 60 |
| vulnerability |
VCID-smga-c628-mucb |
|
| 61 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 62 |
| vulnerability |
VCID-u6cq-nd7b-vucm |
|
| 63 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 64 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 65 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 66 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 67 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 68 |
| vulnerability |
VCID-yup6-6p9f-n7bu |
|
| 69 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 70 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.5.0-alpha.5 |
|
|
| aliases |
CVE-2025-64502, GHSA-7cx5-254x-cgrq
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xtz1-mhr3-mkah |
|
| 69 |
| url |
VCID-yup6-6p9f-n7bu |
| vulnerability_id |
VCID-yup6-6p9f-n7bu |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.6 and 8.6.19, the validation for protected fields only checks top-level query keys. By wrapping a query constraint on a protected field inside a logical operator, the check is bypassed entirely. This allows any authenticated user to query on protected fields to extract field values. All Parse Server deployments have default protected fields and are vulnerable. This vulnerability is fixed in 9.5.2-alpha.6 and 8.6.19. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.19 |
| purl |
pkg:npm/parse-server@8.6.19 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 4 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 5 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 6 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 7 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 8 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 9 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 10 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 11 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 12 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 13 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 14 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 15 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 16 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 17 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 18 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 19 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 20 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 21 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 22 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 23 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 24 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 25 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 26 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 27 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 28 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 29 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 30 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 31 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 32 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 33 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 34 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 35 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 36 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 37 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 38 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 39 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 40 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 41 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 42 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 43 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 44 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 45 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 46 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 47 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 48 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 49 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 50 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 51 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.19 |
|
| 1 |
| url |
pkg:npm/parse-server@9.5.2-alpha.6 |
| purl |
pkg:npm/parse-server@9.5.2-alpha.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-262h-v1yd-tfc9 |
|
| 4 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 5 |
| vulnerability |
VCID-2qbc-paq8-2fgn |
|
| 6 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 7 |
| vulnerability |
VCID-2syy-yyte-nug4 |
|
| 8 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 9 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 10 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 11 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 12 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 13 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 14 |
| vulnerability |
VCID-caj3-ujpk-hba5 |
|
| 15 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 16 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 17 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 18 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 19 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 20 |
| vulnerability |
VCID-ee1t-31wz-ufbw |
|
| 21 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 22 |
| vulnerability |
VCID-fdqv-3n6r-2fgb |
|
| 23 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 24 |
| vulnerability |
VCID-gjus-pwzw-qufs |
|
| 25 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 26 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 27 |
| vulnerability |
VCID-hh7p-ae88-z3fs |
|
| 28 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 29 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 30 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 31 |
| vulnerability |
VCID-jh6w-1y2k-27de |
|
| 32 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 33 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 34 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 35 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 36 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 37 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 38 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 39 |
| vulnerability |
VCID-pkkz-wwqa-1ufw |
|
| 40 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 41 |
| vulnerability |
VCID-qybe-rg1s-6kau |
|
| 42 |
| vulnerability |
VCID-rr98-m4bd-dqhf |
|
| 43 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 44 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 45 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 46 |
| vulnerability |
VCID-w175-44z9-c3h5 |
|
| 47 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 48 |
| vulnerability |
VCID-wtbe-kc8y-77dk |
|
| 49 |
| vulnerability |
VCID-xrz4-1vpd-2qeg |
|
| 50 |
| vulnerability |
VCID-zrvb-y7f6-ykby |
|
| 51 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.6 |
|
|
| aliases |
CVE-2026-30962, GHSA-72hp-qff8-4pvv
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yup6-6p9f-n7bu |
|
| 70 |
| url |
VCID-zrvb-y7f6-ykby |
| vulnerability_id |
VCID-zrvb-y7f6-ykby |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.11 and 8.6.37, Parse Server's built-in OAuth2 auth adapter exports a singleton instance that is reused directly across all OAuth2 provider configurations. Under concurrent authentication requests for different OAuth2 providers, one provider's token validation may execute using another provider's configuration, potentially allowing a token that should be rejected by one provider to be accepted because it is validated against a different provider's policy. Deployments that configure multiple OAuth2 providers via the oauth2: true flag are affected. This vulnerability is fixed in 9.6.0-alpha.11 and 8.6.37. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/parse-server@8.6.37 |
| purl |
pkg:npm/parse-server@8.6.37 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 4 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 5 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 6 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 7 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 8 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 9 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 10 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 11 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 12 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 13 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 14 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 15 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 16 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 17 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 18 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 19 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 20 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 21 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 22 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 23 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 24 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 25 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 26 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 27 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 28 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 29 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 30 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 31 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 32 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 33 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 34 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 35 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.37 |
|
| 1 |
| url |
pkg:npm/parse-server@9.6.0-alpha.11 |
| purl |
pkg:npm/parse-server@9.6.0-alpha.11 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13fb-z2vs-83hu |
|
| 1 |
| vulnerability |
VCID-14fp-bjdd-uffh |
|
| 2 |
| vulnerability |
VCID-1y9a-gb1j-ufdu |
|
| 3 |
| vulnerability |
VCID-2fzy-ajnc-fbf9 |
|
| 4 |
| vulnerability |
VCID-2rxm-qxur-9ygu |
|
| 5 |
| vulnerability |
VCID-49m3-j488-yqes |
|
| 6 |
| vulnerability |
VCID-53r7-9knw-u7bd |
|
| 7 |
| vulnerability |
VCID-5bbt-8378-17d1 |
|
| 8 |
| vulnerability |
VCID-7jbf-hw56-9bcx |
|
| 9 |
| vulnerability |
VCID-bpp2-r2wr-vkf6 |
|
| 10 |
| vulnerability |
VCID-ca2c-skt8-mqau |
|
| 11 |
| vulnerability |
VCID-cbrh-vg1p-3ua7 |
|
| 12 |
| vulnerability |
VCID-dhkw-d15h-rkb5 |
|
| 13 |
| vulnerability |
VCID-dyd6-6yy1-hyhn |
|
| 14 |
| vulnerability |
VCID-e7pg-sdu5-mkhh |
|
| 15 |
| vulnerability |
VCID-e84c-36en-wqaa |
|
| 16 |
| vulnerability |
VCID-evdb-d9ew-pbfq |
|
| 17 |
| vulnerability |
VCID-g9b7-r5ry-mybm |
|
| 18 |
| vulnerability |
VCID-gngn-8vy6-bkg7 |
|
| 19 |
| vulnerability |
VCID-hbms-u2mt-jyhn |
|
| 20 |
| vulnerability |
VCID-hs5q-jk5r-7ya8 |
|
| 21 |
| vulnerability |
VCID-j3ba-adds-muay |
|
| 22 |
| vulnerability |
VCID-j6sw-ak9p-nyhc |
|
| 23 |
| vulnerability |
VCID-mdgb-p4u1-uud5 |
|
| 24 |
| vulnerability |
VCID-mm7p-maf1-eyhq |
|
| 25 |
| vulnerability |
VCID-mxgt-92ep-73fj |
|
| 26 |
| vulnerability |
VCID-n4s7-6vvk-skfz |
|
| 27 |
| vulnerability |
VCID-n5mt-eebx-zbcf |
|
| 28 |
| vulnerability |
VCID-nqev-h9w8-pudy |
|
| 29 |
| vulnerability |
VCID-nt51-v9gk-w3e8 |
|
| 30 |
| vulnerability |
VCID-q59u-ywkn-wbfw |
|
| 31 |
| vulnerability |
VCID-s2mj-yppn-ckaa |
|
| 32 |
| vulnerability |
VCID-tuts-aegs-r7e7 |
|
| 33 |
| vulnerability |
VCID-vmwk-3myb-u7ds |
|
| 34 |
| vulnerability |
VCID-wqxc-qnu8-q7d7 |
|
| 35 |
| vulnerability |
VCID-zx4t-zth8-7fe5 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.11 |
|
|
| aliases |
CVE-2026-32242, GHSA-2cjm-2gwv-m892
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zrvb-y7f6-ykby |
|
| 71 |
| url |
VCID-zx4t-zth8-7fe5 |
| vulnerability_id |
VCID-zx4t-zth8-7fe5 |
| summary |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.67 and 9.7.0-alpha.11, an attacker can bypass Cloud Function validator access controls by appending "prototype.constructor" to the function name in the URL. When a Cloud Function handler is declared using the function keyword and its validator is a plain object or arrow function, the trigger store traversal resolves the handler through its own prototype chain while the validator store fails to mirror this traversal, causing all access control enforcement to be skipped. This allows unauthenticated callers to invoke Cloud Functions that are meant to be protected by validators such as requireUser, requireMaster, or custom validation logic. This issue has been patched in versions 8.6.67 and 9.7.0-alpha.11. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-34532, GHSA-vpj2-qq7w-5qq6
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zx4t-zth8-7fe5 |
|