{"url":"http://public2.vulnerablecode.io/api/packages/375232?format=json","purl":"pkg:npm/parse-server@8.6.54","type":"npm","namespace":"","name":"parse-server","version":"8.6.54","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"8.6.76","latest_non_vulnerable_version":"9.9.1-alpha.2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/72869?format=json","vulnerability_id":"VCID-14fp-bjdd-uffh","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session's protected fields with a single request. The equivalent GET /sessions and GET /sessions/:objectId endpoints correctly strip protected fields. This vulnerability is fixed in 9.8.0-alpha.7 and 
8.6.75.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-39381","reference_id":"","reference_type":"","scores":[{"value":"0.00028","scoring_system":"epss","scoring_elements":"0.08572","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00028","scoring_system":"epss","scoring_elements":"0.08613","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00028","scoring_system":"epss","scoring_elements":"0.08617","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10074","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-39381"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-39381","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-39381"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10406","reference_id":"10406","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"va
lue":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T20:23:25Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10406"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10407","reference_id":"10407","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T20:23:25Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10407"},{"reference_url":"https://github.com/advisories/GHSA-g4v2-qx3q-4p64","reference_id":"GHSA-g4v2-qx3q-4p64","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g4v2-qx3q-4p64"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-g4v2-qx3q-4p64","reference_id":"GHSA-g4v2-qx3q-4p64","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T20:23:25Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-g4v2-qx3q-4p64"}],"fixed_packages":[{"url":"http://public2.vulnerabl
ecode.io/api/packages/374063?format=json","purl":"pkg:npm/parse-server@8.6.75","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dhkw-d15h-rkb5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.75"},{"url":"http://public2.vulnerablecode.io/api/packages/374062?format=json","purl":"pkg:npm/parse-server@9.8.0-alpha.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dhkw-d15h-rkb5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.8.0-alpha.7"}],"aliases":["CVE-2026-39381","GHSA-g4v2-qx3q-4p64"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-14fp-bjdd-uffh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78310?format=json","vulnerability_id":"VCID-2rxm-qxur-9ygu","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.60 and 9.6.0-alpha.54, an attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending concurrent login requests. This defeats the single-use design of recovery codes. The attack requires the user's password, a valid recovery code, and the ability to send concurrent requests within milliseconds. 
This issue has been patched in versions 8.6.60 and 9.6.0-alpha.54.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33624","reference_id":"","reference_type":"","scores":[{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09911","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09951","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.0996","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09965","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33624"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33624","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33624"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10275","reference_id":"10275","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:58:24Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10275"},{"reference_url":"https:
//github.com/parse-community/parse-server/pull/10276","reference_id":"10276","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:58:24Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10276"},{"reference_url":"https://github.com/parse-community/parse-server/commit/5e70094250a36bfcc14ecd49592be2b94fba66ff","reference_id":"5e70094250a36bfcc14ecd49592be2b94fba66ff","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:58:24Z/"}],"url":"https://github.com/parse-community/parse-server/commit/5e70094250a36bfcc14ecd49592be2b94fba66ff"},{"reference_url":"https://github.com/parse-community/parse-server/commit/fc3da35a81d5083b453e8967cabcc880f1a3bd0c","reference_id":"fc3da35a81d5083b453e8967cabcc880f1a3bd0c","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:58:24Z/"}],"url":"https://github.com/parse-community/parse-server/commit/fc3da35a81d5083b453e8967cabcc880f1a3bd0c"},{"reference_url":"https://github.com/advisories/GHSA-2299-ghjr-6vjp","reference_id":"GHSA-2299-ghjr-6vjp","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHS
A-2299-ghjr-6vjp"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-2299-ghjr-6vjp","reference_id":"GHSA-2299-ghjr-6vjp","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:58:24Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-2299-ghjr-6vjp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375145?format=json","purl":"pkg:npm/parse-server@8.6.60","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.60"},{"url":"http://public2.vulnerablecode.io/api/packages/375144?format=json","purl":"pkg:npm/parse-server@9.6.0-alpha.54","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"
},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.54"}],"aliases":["CVE-2026-33624","GHSA-2299-ghjr-6vjp"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2rxm-qxur-9ygu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/75115?format=json","vulnerability_id":"VCID-49m3-j488-yqes","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0-alpha.10, the GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This bypasses origin restrictions that operators configure to control which websites can interact with the Parse Server API. The REST API correctly enforces the configured allowOrigin restriction. 
This issue has been patched in versions 8.6.66 and 9.7.0-alpha.10.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34373","reference_id":"","reference_type":"","scores":[{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06235","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06228","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06257","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06245","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34373"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34373","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34373"},{"reference_url":"https://github.com/parse-community/parse-server/commit/0347641507891d0013ec57f7c10f012064f41263","reference_id":"0347641507891d0013ec57f7c10f012064f41263","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:23:36Z/"}],"url
":"https://github.com/parse-community/parse-server/commit/0347641507891d0013ec57f7c10f012064f41263"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10334","reference_id":"10334","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:23:36Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10334"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10335","reference_id":"10335","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:23:36Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10335"},{"reference_url":"https://github.com/parse-community/parse-server/commit/4dd0d3d8be1c39664c74ad10bb0abaa76bc41203","reference_id":"4dd0d3d8be1c39664c74ad10bb0abaa76bc41203","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:23:36Z/"}],"url":"https://github.com/parse-community/parse-server/commit/4dd0d3d8be1c39664c74ad10bb0abaa76bc41203"},{"reference_url":"https://github.com/advisories/GHSA-q3p6-g7c4-829c","reference_id":"GHSA-q3p6-g7c4-829c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url
":"https://github.com/advisories/GHSA-q3p6-g7c4-829c"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-q3p6-g7c4-829c","reference_id":"GHSA-q3p6-g7c4-829c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:23:36Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-q3p6-g7c4-829c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374641?format=json","purl":"pkg:npm/parse-server@8.6.66","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.66"},{"url":"http://public2.vulnerablecode.io/api/packages/374640?format=json","purl":"pkg:npm/parse-server@9.7.0-alpha.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.10"}],"aliases":["CV
E-2026-34373","GHSA-q3p6-g7c4-829c"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-49m3-j488-yqes"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/75119?format=json","vulnerability_id":"VCID-7jbf-hw56-9bcx","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint. This defeats the single-use guarantee of MFA recovery codes and SMS one-time passwords, allowing session persistence even after the legitimate user revokes detected sessions. This issue has been patched in versions 8.6.64 and 9.7.0-alpha.8.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34224","reference_id":"","reference_type":"","scores":[{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04657","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04677","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04679","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04665","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34224"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://nvd.nist.gov/
vuln/detail/CVE-2026-34224","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34224"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10326","reference_id":"10326","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:15:54Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10326"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10327","reference_id":"10327","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:15:54Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10327"},{"reference_url":"https://github.com/parse-community/parse-server/commit/661f160edac8daac0486bc94413cf9652876ab92","reference_id":"661f160edac8daac0486bc94413cf9652876ab92","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:
N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:15:54Z/"}],"url":"https://github.com/parse-community/parse-server/commit/661f160edac8daac0486bc94413cf9652876ab92"},{"reference_url":"https://github.com/parse-community/parse-server/commit/e7efbebba398ce6abe5b6b6fb9829c6ebe310fbf","reference_id":"e7efbebba398ce6abe5b6b6fb9829c6ebe310fbf","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:15:54Z/"}],"url":"https://github.com/parse-community/parse-server/commit/e7efbebba398ce6abe5b6b6fb9829c6ebe310fbf"},{"reference_url":"https://github.com/advisories/GHSA-w73w-g5xw-rwhf","reference_id":"GHSA-w73w-g5xw-rwhf","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w73w-g5xw-rwhf"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-w73w-g5xw-rwhf","reference_id":"GHSA-w73w-g5xw-rwhf","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:
15:54Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-w73w-g5xw-rwhf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374818?format=json","purl":"pkg:npm/parse-server@8.6.64","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.64"},{"url":"http://public2.vulnerablecode.io/api/packages/374817?format=json","purl":"pkg:npm/parse-server@9.7.0-alpha.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.8"}],"aliases":["CVE-2026-34224","GHSA-w73w-g5xw-rwhf"],"risk_score":2.0,"exploitability":"0.5","weighted_severity":"4.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7jbf-hw56-9bcx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/74997?format=json","vulnerability_id":"VCID-cbrh-vg1p-3ua7","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. 
Prior to versions 8.6.70 and 9.7.0-alpha.18, an authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery subscriptions. By sending a subscription with a $or, $and, or $nor operator value as a plain object with numeric keys and a length property (an \"array-like\" object) instead of an array, the protected-field guard is bypassed. The subscription event firing acts as a binary oracle, allowing the attacker to infer whether a protected field matches a given test value. This issue has been patched in versions 8.6.70 and 9.7.0-alpha.18.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34595","reference_id":"","reference_type":"","scores":[{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.1263","published_at":"2026-06-11T12:55:00Z"},{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12707","published_at":"2026-06-14T12:55:00Z"},{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12722","published_at":"2026-06-12T12:55:00Z"},{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12729","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34595"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34595","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-3459
5"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10350","reference_id":"10350","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:22:23Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10350"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10351","reference_id":"10351","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:22:23Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10351"},{"reference_url":"https://github.com/parse-community/parse-server/commit/f63fd1a3fe0a7c1c5fe809f01b0e04759e8c9b98","reference_id":"f63fd1a3fe0a7c1c5fe809f01b0e04759e8c9b98","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:22:23Z/"}],"url":"https://github.com/parse-community/parse-server/commit/f63fd1a3fe0a7c1c5fe809f01b0e04759e8c9b98"},{"reference_url":"https://github.com/parse-community/parse-server/commit/ffad0ec6b971ee0dd9545e1bf1fb34ddebf275c2","reference_id":"ffad0ec6b971ee0dd9545e1bf1fb34ddebf275c2","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N
/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:22:23Z/"}],"url":"https://github.com/parse-community/parse-server/commit/ffad0ec6b971ee0dd9545e1bf1fb34ddebf275c2"},{"reference_url":"https://github.com/advisories/GHSA-mmg8-87c5-jrc2","reference_id":"GHSA-mmg8-87c5-jrc2","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mmg8-87c5-jrc2"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-mmg8-87c5-jrc2","reference_id":"GHSA-mmg8-87c5-jrc2","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:22:23Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-mmg8-87c5-jrc2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373556?format=json","purl":"pkg:npm/parse-server@8.6.70","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-vmwk-3myb-u7ds"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.70"},{"url":"http://public2.vulnerablecode.io/api/packages/373555?format=json","purl":"pkg:npm/parse-server@9.7.0-alpha.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability
":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-vmwk-3myb-u7ds"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.16"}],"aliases":["CVE-2026-34595","GHSA-mmg8-87c5-jrc2"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cbrh-vg1p-3ua7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65541?format=json","vulnerability_id":"VCID-dhkw-d15h-rkb5","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.76 and 9.9.0-alpha.2, a race condition in the MFA SMS one-time password (OTP) login path allows two concurrent /login requests carrying the same OTP to both succeed and both receive valid session tokens, breaking the single-use property of the OTP. The vulnerability requires the attacker to already possess the victim's password and intercept the active SMS OTP (e.g. via SIM swap, network mirror, or phishing relay) and to race the legitimate login request, so the practical attack surface is narrow. 
This vulnerability is fixed in 8.6.76 and 9.9.0-alpha.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43930","reference_id":"","reference_type":"","scores":[{"value":"0.0001","scoring_system":"epss","scoring_elements":"0.01108","published_at":"2026-06-11T12:55:00Z"},{"value":"0.0001","scoring_system":"epss","scoring_elements":"0.01301","published_at":"2026-06-14T12:55:00Z"},{"value":"0.0001","scoring_system":"epss","scoring_elements":"0.01106","published_at":"2026-06-12T12:55:00Z"},{"value":"0.0001","scoring_system":"epss","scoring_elements":"0.01296","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43930"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43930","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43930"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10448","reference_id":"10448","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:27:09Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10448"},{"reference_url":"https://github.com/
parse-community/parse-server/pull/10449","reference_id":"10449","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:27:09Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10449"},{"reference_url":"https://github.com/advisories/GHSA-jpq4-7fmq-q5fj","reference_id":"GHSA-jpq4-7fmq-q5fj","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jpq4-7fmq-q5fj"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-jpq4-7fmq-q5fj","reference_id":"GHSA-jpq4-7fmq-q5fj","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:27:09Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-jpq4-7fmq-q5fj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375442?format=json","purl":"pkg:npm/parse-server@8.6.76","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.76"},{"url":"http://public2.vulnerablecode.io/api/packages/375441?format=json","purl":"pkg:npm/parse-server@9.9.0-alpha.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.9.0-alpha.2"}],"aliases":["CVE-2026-43930","GHSA-jpq4-7fmq-q5fj"
],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dhkw-d15h-rkb5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/73029?format=json","vulnerability_id":"VCID-dyd6-6yy1-hyhn","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.6 and 8.6.74, the login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the server responds immediately. When a user exists but the password is wrong, a bcrypt comparison runs first, adding significant latency. This timing difference allows an unauthenticated attacker to enumerate valid usernames. This vulnerability is fixed in 9.8.0-alpha.6 and 8.6.74.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-39321","reference_id":"","reference_type":"","scores":[{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.09019","published_at":"2026-06-11T12:55:00Z"},{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.0907","published_at":"2026-06-13T12:55:00Z"},{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.09067","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00031","scoring_system":"epss","scoring_elements":"0.09485","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-39321"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"refere
nce_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-39321","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-39321"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10398","reference_id":"10398","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T18:44:58Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10398"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10399","reference_id":"10399","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T18:44:58Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10399"},{"reference_url":"https://github.com/advisories/GHSA-mmpq-5hcv-hf2v","reference_id":"GHSA-mmpq-5hcv-hf2v","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GH
SA-mmpq-5hcv-hf2v"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-mmpq-5hcv-hf2v","reference_id":"GHSA-mmpq-5hcv-hf2v","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T18:44:58Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-mmpq-5hcv-hf2v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373414?format=json","purl":"pkg:npm/parse-server@8.6.74","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-dhkw-d15h-rkb5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.74"},{"url":"http://public2.vulnerablecode.io/api/packages/373413?format=json","purl":"pkg:npm/parse-server@9.8.0-alpha.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-dhkw-d15h-rkb5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.8.0-alpha.6"}],"aliases":["CVE-2026-39321","GHSA-mmpq-5hcv-hf2v"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dyd6-6yy1-hyhn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/75142?format=json","vulnerability_id":"VCID-gngn-8vy6-bkg7","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. 
Prior to versions 8.6.63 and 9.7.0-alpha.7, the verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacker who knows a user's password can extract the MFA secret to generate valid MFA codes, defeating multi-factor authentication protection. This issue has been patched in versions 8.6.63 and 9.7.0-alpha.7.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34215","reference_id":"","reference_type":"","scores":[{"value":"0.00085","scoring_system":"epss","scoring_elements":"0.24728","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00085","scoring_system":"epss","scoring_elements":"0.24923","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00085","scoring_system":"epss","scoring_elements":"0.2494","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00085","scoring_system":"epss","scoring_elements":"0.24927","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34215"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34215","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34215"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10323","reference_id":"10323","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/P
R:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T16:23:36Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10323"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10324","reference_id":"10324","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T16:23:36Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10324"},{"reference_url":"https://github.com/parse-community/parse-server/commit/770be8647424d92f5425c41fa81065ffbbb171ed","reference_id":"770be8647424d92f5425c41fa81065ffbbb171ed","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T16:23:36Z/"}],"url":"https://github.com/parse-community/parse-server/commit/770be8647424d92f5425c41fa81065ffbbb171ed"},{"reference_url":"https://github.com/parse-community/parse-server/commit/a1d4e7b12a12f16d3870dbee582a36765858e94c","reference_id":"a1d4e7b12a12f16d3870dbee582a36765858e94c","reference_type":"","scores":[{"value":
"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T16:23:36Z/"}],"url":"https://github.com/parse-community/parse-server/commit/a1d4e7b12a12f16d3870dbee582a36765858e94c"},{"reference_url":"https://github.com/advisories/GHSA-wp76-gg32-8258","reference_id":"GHSA-wp76-gg32-8258","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wp76-gg32-8258"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-wp76-gg32-8258","reference_id":"GHSA-wp76-gg32-8258","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T16:23:36Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-wp76-gg32-8258"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374847?format=json","purl":"pkg:npm/parse-server@8.6.63","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerabi
lity":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.63"},{"url":"http://public2.vulnerablecode.io/api/packages/374846?format=json","purl":"pkg:npm/parse-server@9.7.0-alpha.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.7"}],"aliases":["CVE-2026-34215","GHSA-wp76-gg32-8258"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gngn-8vy6-bkg7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/75150?format=json","vulnerability_id":"VCID-hs5q-jk5r-7ya8","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.65 and 9.7.0-alpha.9, when multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects. The sensitive data filter modifies these shared objects in-place, so when one subscriber's filter removes a protected field, subsequent subscribers may receive the already-filtered object. 
This can cause protected fields and authentication data to leak to clients that should not see them, or cause clients that should see the data to receive an incomplete object. Additionally, when an afterEvent Cloud Code trigger is registered, one subscriber's trigger modifications can leak to other subscribers through the same shared mutable state. Any Parse Server deployment using LiveQuery with protected fields or afterEvent triggers is affected when multiple clients subscribe to the same class. This issue has been patched in versions 8.6.65 and 9.7.0-alpha.9.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34363","reference_id":"","reference_type":"","scores":[{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.0685","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06848","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06862","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06874","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34363"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34363","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34363"},{"reference_url":"https://github.com/par
se-community/parse-server/pull/10330","reference_id":"10330","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:22Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10330"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10331","reference_id":"10331","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:22Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10331"},{"reference_url":"https://github.com/parse-community/parse-server/commit/5834e29234593addaa0251a85f572ad4f376320b","reference_id":"5834e29234593addaa0251a85f572ad4f376320b","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:22Z/"}],"url":"https://github.com/parse-community/parse-server/commit/5834e29234593addaa0251a85f572ad4f376320b"},{"reference_url":"https://github.com/parse-community/parse-server/commit/776c71c3078e77d38c94937f463741793609d055","reference_id":"776c71c3078e77d38c94937f463741793609d055","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"gene
ric_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:22Z/"}],"url":"https://github.com/parse-community/parse-server/commit/776c71c3078e77d38c94937f463741793609d055"},{"reference_url":"https://github.com/advisories/GHSA-m983-v2ff-wq65","reference_id":"GHSA-m983-v2ff-wq65","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m983-v2ff-wq65"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-m983-v2ff-wq65","reference_id":"GHSA-m983-v2ff-wq65","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:22Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-m983-v2ff-wq65"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374705?format=json","purl":"pkg:npm/parse-server@8.6.65","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.65"},{"url":"http://public2.vulnerablecode.io/api/packages/374704?format=json","purl":"pkg:npm/parse-server@9.7.0-alpha.9","is_vulnerable":true
,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.9"}],"aliases":["CVE-2026-34363","GHSA-m983-v2ff-wq65"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hs5q-jk5r-7ya8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78078?format=json","vulnerability_id":"VCID-mdgb-p4u1-uud5","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.57 and 9.6.0-alpha.48, an authenticated user can overwrite server-generated session fields such as expiresAt and createdWith when updating their own session via the REST API. This allows bypassing the server's configured session lifetime policy, making a session effectively permanent. 
This issue has been patched in versions 8.6.57 and 9.6.0-alpha.48.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33527","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02576","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02569","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02579","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33527"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33527","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33527"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10263","reference_id":"10263","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","
scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:36:32Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10263"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10264","reference_id":"10264","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:36:32Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10264"},{"reference_url":"https://github.com/parse-community/parse-server/commit/26b628c8fb3cc79ea955374769eebcff6f8a8a73","reference_id":"26b628c8fb3cc79ea955374769eebcff6f8a8a73","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:36:32Z/"}],"url":"https://github.com/parse-community/parse-server/commit/26b628c8fb3cc79ea955374769eebcff6f8a8a73"},{"reference_url":"https://github.com/parse-community/parse-server/commit/ea68fc0b22a6056c9675149469ff57817f7cf984","reference_id":"ea68fc0b22a6056c9675149469ff57817f7cf984","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC
:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:36:32Z/"}],"url":"https://github.com/parse-community/parse-server/commit/ea68fc0b22a6056c9675149469ff57817f7cf984"},{"reference_url":"https://github.com/advisories/GHSA-jc39-686j-wp6q","reference_id":"GHSA-jc39-686j-wp6q","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jc39-686j-wp6q"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-jc39-686j-wp6q","reference_id":"GHSA-jc39-686j-wp6q","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:36:32Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-jc39-686j-wp6q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374688?format=json","purl":"pkg:npm/parse-server@8.6.57","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-
73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.57"},{"url":"http://public2.vulnerablecode.io/api/packages/374687?format=json","purl":"pkg:npm/parse-server@9.6.0-alpha.48","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.48"}],"aliases":["CVE-2026-33527","GHSA-jc39-686j-wp6q"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mdgb-p4u1-uud5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/74879?format=json","vulnerability_id":"VCID-mm7p-maf1-eyhq","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.69 and 9.7.0-alpha.14, an authenticated user can bypass the immutability guard on session fields (expiresAt, createdWith) by sending a null value in a PUT request to the session update endpoint. 
This allows nullifying the session expiry, making the session valid indefinitely and bypassing configured session length policies. This issue has been patched in versions 8.6.69 and 9.7.0-alpha.14.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34574","reference_id":"","reference_type":"","scores":[{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.1263","published_at":"2026-06-11T12:55:00Z"},{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12707","published_at":"2026-06-14T12:55:00Z"},{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12722","published_at":"2026-06-12T12:55:00Z"},{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12729","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34574"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34574","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34574"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10347","reference_id":"10347","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N
/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-01T17:57:17Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10347"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10348","reference_id":"10348","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-01T17:57:17Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10348"},{"reference_url":"https://github.com/parse-community/parse-server/commit/90802969fc713b7bc9733d7255c7519a6ed75d21","reference_id":"90802969fc713b7bc9733d7255c7519a6ed75d21","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-01T17:57:17Z/"}],"url":"https://github.com/parse-community/parse-server/commit/90802969fc713b7bc9733d7255c7519a6ed75d21"},{"reference_url":"https://github.com/parse-community/parse-server/commit/ebccd7fe2708007e62f705ee1c820a6766178777","reference_id":"ebccd7fe2708007e62f705ee1c820a6766178777","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-01T17:57:17Z/"}],"url":"https://github.com/parse-community/parse-server/commit/ebccd7fe2708007e62f705ee1c820a6766178777"},{"reference_url":"https://github.com/advisories/GHSA-f6j3-w9v3-cq22","reference_id":"GHSA
-f6j3-w9v3-cq22","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f6j3-w9v3-cq22"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-f6j3-w9v3-cq22","reference_id":"GHSA-f6j3-w9v3-cq22","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-01T17:57:17Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-f6j3-w9v3-cq22"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373426?format=json","purl":"pkg:npm/parse-server@8.6.69","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-vmwk-3myb-u7ds"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.69"},{"url":"http://public2.vulnerablecode.io/api/packages/373425?format=json","purl":"pkg:npm/parse-server@9.7.0-alpha.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-vmwk-3myb-u7ds"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.14"}],"aliases":["CVE-2026-34574","GHSA-f6j3-w9v3-cq22"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_u
rl":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mm7p-maf1-eyhq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77818?format=json","vulnerability_id":"VCID-mxgt-92ep-73fj","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.58 and 9.6.0-alpha.52, an unauthenticated attacker can cause denial of service by sending authentication requests with arbitrary, unconfigured provider names. The server executes a database query for each unconfigured provider before rejecting the request, and since no database index exists for unconfigured providers, each request triggers a full collection scan on the user database. This can be parallelized to saturate database resources. This issue has been patched in versions 8.6.58 and 9.6.0-alpha.52.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33538","reference_id":"","reference_type":"","scores":[{"value":"0.00142","scoring_system":"epss","scoring_elements":"0.34156","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00142","scoring_system":"epss","scoring_elements":"0.34337","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00142","scoring_system":"epss","scoring_elements":"0.34358","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00142","scoring_system":"epss","scoring_elements":"0.34333","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33538"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33538","reference_id":"","reference_type":"","scores":[{"value":"8.7","scorin
g_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33538"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10270","reference_id":"10270","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:37:14Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10270"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10271","reference_id":"10271","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:37:14Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10271"},{"reference_url":"https://github.com/parse-community/parse-server/commit/40eb442e02672986730007d0a1edb22c1c4bd357","reference_id":"40eb442e02672986730007d0a1edb22c1c4bd357","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:37:14Z/"}],"url":"https://github.com/parse-community/parse-server/commit/40eb442e02672986730007d0a1edb22c1c4bd357"},{"reference_url":"https://github.com/parse-community/parse-server/commit/fbac847499e57f2433
15c5fc7135be1d58bb8e54","reference_id":"fbac847499e57f243315c5fc7135be1d58bb8e54","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:37:14Z/"}],"url":"https://github.com/parse-community/parse-server/commit/fbac847499e57f243315c5fc7135be1d58bb8e54"},{"reference_url":"https://github.com/advisories/GHSA-g4cf-xj29-wqqr","reference_id":"GHSA-g4cf-xj29-wqqr","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g4cf-xj29-wqqr"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-g4cf-xj29-wqqr","reference_id":"GHSA-g4cf-xj29-wqqr","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:37:14Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-g4cf-xj29-wqqr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374907?format=json","purl":"pkg:npm/parse-server@8.6.58","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hs5q-jk
5r-7ya8"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.58"},{"url":"http://public2.vulnerablecode.io/api/packages/374906?format=json","purl":"pkg:npm/parse-server@9.6.0-alpha.52","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.52"}],"aliases":["CVE-2026-33538","GHSA-g4cf-xj29-wqqr"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mxgt-92ep-73fj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/74749?format=json","vulnerability_id":"VCID-n4s7-6vvk-skfz","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads. 
A single unauthenticated request can block the Node.js event loop for seconds, denying service to all concurrent users. This only affects deployments that have enabled the requestComplexity.graphQLDepth or requestComplexity.graphQLFields configuration options. This issue has been patched in versions 8.6.68 and 9.7.0-alpha.12.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34573","reference_id":"","reference_type":"","scores":[{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05341","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05343","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05353","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05359","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34573"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34573","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34573"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10344","reference_id":"10344","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scori
ng_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:19Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10344"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10345","reference_id":"10345","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:19Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10345"},{"reference_url":"https://github.com/parse-community/parse-server/commit/ea15412795f34594cc8a674fe858d445675e0295","reference_id":"ea15412795f34594cc8a674fe858d445675e0295","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:19Z/"}],"url":"https://github.com/parse-community/parse-server/commit/ea15412795f34594cc8a674fe858d445675e0295"},{"reference_url":"https://github.com/parse-community/parse-server/commit/f759bda075298ec44e2b4fb57659a0c56620483b","reference_id":"f759bda075298ec44e2b4fb57659a0c56620483b","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:19Z/"}],"url":"https://github.com/parse-community/parse-server/commit/f759bda075298ec44e2b4
fb57659a0c56620483b"},{"reference_url":"https://github.com/advisories/GHSA-mfj6-6p54-m98c","reference_id":"GHSA-mfj6-6p54-m98c","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mfj6-6p54-m98c"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-mfj6-6p54-m98c","reference_id":"GHSA-mfj6-6p54-m98c","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:19Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-mfj6-6p54-m98c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374810?format=json","purl":"pkg:npm/parse-server@8.6.68","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-vmwk-3myb-u7ds"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.68"},{"url":"http://public2.vulnerablecode.io/api/packages/374809?format=json","purl":"pkg:npm/parse-server@9.7.0-alpha.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-vmwk-3myb-u7ds"}],"resource_url":"http://public2.vulnerablecode.
io/packages/pkg:npm/parse-server@9.7.0-alpha.12"}],"aliases":["CVE-2026-34573","GHSA-mfj6-6p54-m98c"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-n4s7-6vvk-skfz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78070?format=json","vulnerability_id":"VCID-nqev-h9w8-pudy","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.61 and 9.6.0-alpha.55, an authenticated user calling GET /users/me receives unsanitized auth data, including sensitive credentials such as MFA TOTP secrets and recovery codes. The endpoint internally uses master-level authentication for the session query, and the master context leaks through to the user data, bypassing auth adapter sanitization. An attacker who obtains a user's session token can extract MFA secrets to generate valid TOTP codes indefinitely. This issue has been patched in versions 8.6.61 and 
9.6.0-alpha.55.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33627","reference_id":"","reference_type":"","scores":[{"value":"0.00039","scoring_system":"epss","scoring_elements":"0.12016","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00039","scoring_system":"epss","scoring_elements":"0.12088","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00039","scoring_system":"epss","scoring_elements":"0.12109","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00039","scoring_system":"epss","scoring_elements":"0.12108","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33627"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33627","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33627"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10278","reference_id":"10278","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:38:24Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10278"},{"reference_url":"https://github.com/parse-community/parse-server/pull/
10279","reference_id":"10279","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:38:24Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10279"},{"reference_url":"https://github.com/parse-community/parse-server/commit/5b8998e6866bcf75be7b5bb625e27d23bfaf912c","reference_id":"5b8998e6866bcf75be7b5bb625e27d23bfaf912c","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:38:24Z/"}],"url":"https://github.com/parse-community/parse-server/commit/5b8998e6866bcf75be7b5bb625e27d23bfaf912c"},{"reference_url":"https://github.com/parse-community/parse-server/commit/875cf10ac979bd60f70e7a0c534e2bc194d6982f","reference_id":"875cf10ac979bd60f70e7a0c534e2bc194d6982f","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:38:24Z/"}],"url":"https://github.com/parse-community/parse-server/commit/875cf10ac979bd60f70e7a0c534e2bc194d6982f"},{"reference_url":"https://github.com/advisories/GHSA-37mj-c2wf-cx96","reference_id":"GHSA-37mj-c2wf-cx96","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-37mj-c2wf-cx96"},{"reference_url":"https:
//github.com/parse-community/parse-server/security/advisories/GHSA-37mj-c2wf-cx96","reference_id":"GHSA-37mj-c2wf-cx96","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:38:24Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-37mj-c2wf-cx96"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374932?format=json","purl":"pkg:npm/parse-server@8.6.61","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.61"},{"url":"http://public2.vulnerablecode.io/api/packages/374931?format=json","purl":"pkg:npm/parse-server@9.6.0-alpha.55","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-n4s7-6vvk-skfz"}
,{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.55"}],"aliases":["CVE-2026-33627","GHSA-37mj-c2wf-cx96"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nqev-h9w8-pudy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/71781?format=json","vulnerability_id":"VCID-nt51-v9gk-w3e8","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.73 and 9.7.1-alpha.4, a file can be uploaded with a filename extension that passes the file extension allowlist (e.g., .txt) but with a Content-Type header that differs from the extension (e.g., text/html). The Content-Type is passed to the storage adapter without consistency validation. Storage adapters that store and serve the provided Content-Type (such as S3 or GCS) serve the file with the mismatched Content-Type. The default GridFS adapter is not affected because it derives Content-Type from the filename at serving time. 
This vulnerability is fixed in 8.6.73 and 9.7.1-alpha.4.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35200","reference_id":"","reference_type":"","scores":[{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09965","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.10014","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11654","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11677","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35200"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35200","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35200"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10383","reference_id":"10383","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T14:02:43Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10383"},{"reference_url":"https://github.
com/parse-community/parse-server/pull/10384","reference_id":"10384","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T14:02:43Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10384"},{"reference_url":"https://github.com/advisories/GHSA-vr5f-2r24-w5hc","reference_id":"GHSA-vr5f-2r24-w5hc","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vr5f-2r24-w5hc"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-vr5f-2r24-w5hc","reference_id":"GHSA-vr5f-2r24-w5hc","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T14:02:43Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-vr5f-2r24-w5hc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374117?format=json","purl":"pkg:npm/parse-server@8.6.73","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.73"},{"url":"http://public2.vulnerablecode.io/api/packages/374116?format=json","purl":"pkg:npm/parse-server@9.7.1-alpha.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14f
p-bjdd-uffh"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.1-alpha.4"}],"aliases":["CVE-2026-35200","GHSA-vr5f-2r24-w5hc"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nt51-v9gk-w3e8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/75005?format=json","vulnerability_id":"VCID-vmwk-3myb-u7ds","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFind(Parse.File) trigger and its validators on storage adapters that support streaming (e.g. the default GridFS adapter). This allows access to files that should be protected by afterFind trigger authorization logic or built-in validators such as requireUser. This issue has been patched in versions 8.6.71 and 
9.7.1-alpha.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34784","reference_id":"","reference_type":"","scores":[{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03955","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.0396","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03971","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34784"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34784","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34784"},{"reference_url":"https://github.com/parse-community/parse-server/commit/053109b3ee71815bc39ed84116c108ff9edbf337","reference_id":"053109b3ee71815bc39ed84116c108ff9edbf337","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:31Z/"}],"url":"https://github.com/parse-community/parse-server/commit/053109b3ee71815bc39ed84116c108ff9edbf337"},{"reference_url":"https://github.com/parse-community/parse-server/pull/1036
1","reference_id":"10361","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:31Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10361"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10362","reference_id":"10362","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:31Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10362"},{"reference_url":"https://github.com/parse-community/parse-server/commit/a0b0c69fc44f87f80d793d257344e7dcbf676e22","reference_id":"a0b0c69fc44f87f80d793d257344e7dcbf676e22","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:31Z/"}],"url":"https://github.com/parse-community/parse-server/commit/a0b0c69fc44f87f80d793d257344e7dcbf676e22"},{"reference_url":"https://github.com/advisories/GHSA-hpm8-9qx6-jvwv","reference_id":"GHSA-hpm8-9qx6-jvwv","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hpm8-9qx6-jvwv"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-hpm8-9qx6-jvwv","reference_id":"GHSA-hpm8-9qx6
-jvwv","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:31Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-hpm8-9qx6-jvwv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374144?format=json","purl":"pkg:npm/parse-server@8.6.71","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-nt51-v9gk-w3e8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.71"},{"url":"http://public2.vulnerablecode.io/api/packages/374143?format=json","purl":"pkg:npm/parse-server@9.7.1-alpha.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-nt51-v9gk-w3e8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.1-alpha.1"}],"aliases":["CVE-2026-34784","GHSA-hpm8-9qx6-jvwv"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vmwk-3myb-u7ds"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78118?format=json","vulnerability_id":"VCID-wqxc-qnu8-q7d7","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. 
Prior to versions 8.6.59 and 9.6.0-alpha.53, an attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name parameters of the aggregate $group pipeline stage or the distinct operation. This allows privilege escalation from Parse Server application-level administrator to PostgreSQL database-level access. Only Parse Server deployments using PostgreSQL are affected. MongoDB deployments are not affected. This issue has been patched in versions 8.6.59 and 9.6.0-alpha.53.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33539","reference_id":"","reference_type":"","scores":[{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.07139","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.07161","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.07172","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.07166","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33539"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33539","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33539"},{"reference_url":"https://github.com/parse-community/
parse-server/commit/03249f9bf5b8783c8b848f84dab791ff0b761b8c","reference_id":"03249f9bf5b8783c8b848f84dab791ff0b761b8c","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:33:11Z/"}],"url":"https://github.com/parse-community/parse-server/commit/03249f9bf5b8783c8b848f84dab791ff0b761b8c"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10272","reference_id":"10272","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:33:11Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10272"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10273","reference_id":"10273","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:33:11Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10273"},{"reference_url":"https://github.com/parse-community/parse-server/commit/bdddab5f8b61a40cb8fc62dd895887bdd2f3838e","reference_id":"bdddab5f8b61a40cb8fc62dd895887bdd2f3838e","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual",
"scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:33:11Z/"}],"url":"https://github.com/parse-community/parse-server/commit/bdddab5f8b61a40cb8fc62dd895887bdd2f3838e"},{"reference_url":"https://github.com/advisories/GHSA-p2w6-rmh7-w8q3","reference_id":"GHSA-p2w6-rmh7-w8q3","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p2w6-rmh7-w8q3"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-p2w6-rmh7-w8q3","reference_id":"GHSA-p2w6-rmh7-w8q3","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:33:11Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-p2w6-rmh7-w8q3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374808?format=json","purl":"pkg:npm/parse-server@8.6.59","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerab
lecode.io/packages/pkg:npm/parse-server@8.6.59"},{"url":"http://public2.vulnerablecode.io/api/packages/374807?format=json","purl":"pkg:npm/parse-server@9.6.0-alpha.53","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.53"}],"aliases":["CVE-2026-33539","GHSA-p2w6-rmh7-w8q3"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wqxc-qnu8-q7d7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/75237?format=json","vulnerability_id":"VCID-zx4t-zth8-7fe5","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.67 and 9.7.0-alpha.11, an attacker can bypass Cloud Function validator access controls by appending \"prototype.constructor\" to the function name in the URL. When a Cloud Function handler is declared using the function keyword and its validator is a plain object or arrow function, the trigger store traversal resolves the handler through its own prototype chain while the validator store fails to mirror this traversal, causing all access control enforcement to be skipped. 
This allows unauthenticated callers to invoke Cloud Functions that are meant to be protected by validators such as requireUser, requireMaster, or custom validation logic. This issue has been patched in versions 8.6.67 and 9.7.0-alpha.11.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34532","reference_id":"","reference_type":"","scores":[{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13654","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13742","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13772","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13771","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34532"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34532","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34532"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10342","reference_id":"10342","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_
system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-31T17:21:00Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10342"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10343","reference_id":"10343","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-31T17:21:00Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10343"},{"reference_url":"https://github.com/parse-community/parse-server/commit/4fc48cf28f22eea200d74d883505f485234a48d7","reference_id":"4fc48cf28f22eea200d74d883505f485234a48d7","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-31T17:21:00Z/"}],"url":"https://github.com/parse-community/parse-server/commit/4fc48cf28f22eea200d74d883505f485234a48d7"},{"reference_url":"https://github.com/parse-community/parse-server/commit/dc59e272665644083c5b7f6862d88ce1ef0b2674","reference_id":"dc59e272665644083c5b7f6862d88ce1ef0b2674","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-31T17:21:00Z/"}],"url":"https://github.com/parse-community/parse-server/commit/dc59e272665644083c5b7f6862d88ce1ef0b2674"},{"reference_url":"https://github.com/advisor
ies/GHSA-vpj2-qq7w-5qq6","reference_id":"GHSA-vpj2-qq7w-5qq6","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vpj2-qq7w-5qq6"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-vpj2-qq7w-5qq6","reference_id":"GHSA-vpj2-qq7w-5qq6","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-31T17:21:00Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-vpj2-qq7w-5qq6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374868?format=json","purl":"pkg:npm/parse-server@8.6.67","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-vmwk-3myb-u7ds"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.67"},{"url":"http://public2.vulnerablecode.io/api/packages/374867?format=json","purl":"pkg:npm/parse-server@9.7.0-alpha.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-vmwk-3myb-u7ds"}],"resource_url":"http
://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.11"}],"aliases":["CVE-2026-34532","GHSA-vpj2-qq7w-5qq6"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zx4t-zth8-7fe5"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78114?format=json","vulnerability_id":"VCID-e84c-36en-wqaa","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.54 and 9.6.0-alpha.43, an attacker can subscribe to LiveQuery with a watch parameter targeting a protected field. Although the protected field value is properly stripped from event payloads, the presence or absence of update events reveals whether the protected field changed, creating a binary oracle. For boolean protected fields, the timing of change events is equivalent to knowing the field value. This issue has been patched in versions 8.6.54 and 
9.6.0-alpha.43.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33429","reference_id":"","reference_type":"","scores":[{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03023","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03032","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03021","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03036","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33429"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33429","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33429"},{"reference_url":"https://github.com/parse-community/parse-server/commit/0c0a0a5a37ca821d2553119f2cb3be35322eda4b","reference_id":"0c0a0a5a37ca821d2553119f2cb3be35322eda4b","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_e
lements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:33:05Z/"}],"url":"https://github.com/parse-community/parse-server/commit/0c0a0a5a37ca821d2553119f2cb3be35322eda4b"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10253","reference_id":"10253","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:33:05Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10253"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10254","reference_id":"10254","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:33:05Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10254"},{"reference_url":"https://github.com/parse-community/parse-server/commit/c62eacaf38de86913f09240583448360b1cc8e67","reference_id":"c62eacaf38de86913f09240583448360b1cc8e67","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvss
v4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:33:05Z/"}],"url":"https://github.com/parse-community/parse-server/commit/c62eacaf38de86913f09240583448360b1cc8e67"},{"reference_url":"https://github.com/advisories/GHSA-qpc3-fg4j-8hgm","reference_id":"GHSA-qpc3-fg4j-8hgm","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qpc3-fg4j-8hgm"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-qpc3-fg4j-8hgm","reference_id":"GHSA-qpc3-fg4j-8hgm","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:33:05Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-qpc3-fg4j-8hgm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375232?format=json","purl":"pkg:npm/parse-server@8.6.54","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerabili
ty":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.54"},{"url":"http://public2.vulnerablecode.io/api/packages/40396?format=json","purl":"pkg:npm/parse-server@9.0.0-alpha.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-262h-v1yd-tfc9"},{"vulnerability":"VCID-2syy-yyte-nug4"},{"vulnerability":"VCID-383v-s4c7-6bfu"},{"vulnerability":"VCID-8cct-wkqq-nqdm"},{"vulnerability":"VCID-bzw6-4m1j-6fe2"},{"vulnerability":"VCID-caj3-ujpk-hba5"},{"vulnerability":"VCID-fdqv-3n6r-2fgb"},{"vulnerability":"VCID-gjus-pwzw-qufs"},{"vulnerability":"VCID-jh6w-1y2k-27de"},{"vulnerability":"VCID-pkkz-wwqa-1ufw"},{"vulnerability":"VCID-qybe-rg1s-6kau"},{"vulnerability":"VCID-rbax-edn6-d3aw"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-ryzc-v8ju-zbcd"},{"vulnerability":"VCID-u6cq-nd7b-vucm"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wtbe-kc8y-77dk"},{"vulnerability":"VCID-xrz4-1vpd-2qeg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.0.0-alpha.1"},{"url":"http://public2.vulnerablecode.io/api/packages/375231?format=json","purl":"pkg:npm/parse-server@9.6.0-alpha.43","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulner
ability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.43"}],"aliases":["CVE-2026-33429","GHSA-qpc3-fg4j-8hgm"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-e84c-36en-wqaa"}],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.54"}