{"url":"http://public2.vulnerablecode.io/api/packages/40396?format=json","purl":"pkg:npm/parse-server@9.0.0-alpha.1","type":"npm","namespace":"","name":"parse-server","version":"9.0.0-alpha.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"9.9.0-alpha.2","latest_non_vulnerable_version":"9.9.1-alpha.2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/71253?format=json","vulnerability_id":"VCID-262h-v1yd-tfc9","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation (e.g., stats.counter). The amount value is interpolated directly into the SQL query without parameterization or type validation. An attacker who can send write requests to the Parse Server REST API can inject arbitrary SQL subqueries to read any data from the database, bypassing CLPs and ACLs. MongoDB deployments are not affected. 
This vulnerability is fixed in 9.6.0-alpha.3 and 8.6.29.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31856","reference_id":"","reference_type":"","scores":[{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13419","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13311","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31856"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/8.6.29","reference_id":"8.6.29","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:11:18Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/8.6.29"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.3","reference_id":"9.6.0-alpha.3","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:11:18Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.3"},{"reference_url":"https://nvd.nist
.gov/vuln/detail/CVE-2026-31856","reference_id":"CVE-2026-31856","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31856"},{"reference_url":"https://github.com/advisories/GHSA-q3vj-96h2-gwvg","reference_id":"GHSA-q3vj-96h2-gwvg","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q3vj-96h2-gwvg"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-q3vj-96h2-gwvg","reference_id":"GHSA-q3vj-96h2-gwvg","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:11:18Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-q3vj-96h2-gwvg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40678?format=json","purl":"pkg:npm/parse-server@9.6.0-alpha.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13fb-z2vs-83hu"},{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-1y9a-gb1j-ufdu"},{"vulnerability":"VCID-2fzy-ajnc-fbf9"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-53r7-9knw-u7bd"},{"vulnerability":"VCID-5bbt-8378-17d1"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-bpp2-r2wr-vkf6"},{"vulnerability":"VCID-ca2c-skt8-mqau"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-
rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e7pg-sdu5-mkhh"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-ee1t-31wz-ufbw"},{"vulnerability":"VCID-evdb-d9ew-pbfq"},{"vulnerability":"VCID-fdqv-3n6r-2fgb"},{"vulnerability":"VCID-g9b7-r5ry-mybm"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hbms-u2mt-jyhn"},{"vulnerability":"VCID-hh7p-ae88-z3fs"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-j3ba-adds-muay"},{"vulnerability":"VCID-j6sw-ak9p-nyhc"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-qybe-rg1s-6kau"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-s2mj-yppn-ckaa"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-xrz4-1vpd-2qeg"},{"vulnerability":"VCID-zrvb-y7f6-ykby"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.3"}],"aliases":["CVE-2026-31856","GHSA-q3vj-96h2-gwvg"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-262h-v1yd-tfc9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66602?format=json","vulnerability_id":"VCID-2syy-yyte-nug4","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. 
Prior to 9.5.2-alpha.8 and 8.6.21, a vulnerability in Parse Server's query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other users by exploiting the redirectClassNameForKey query parameter. Exfiltrated session tokens can be used to take over user accounts. The vulnerability requires the attacker to be able to create or update an object with a new relation field, which depends on the Class-Level Permissions of at least one class. This vulnerability is fixed in 9.5.2-alpha.8 and 8.6.21.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30965","reference_id":"","reference_type":"","scores":[{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.25394","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.25196","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30965"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/8.6.21","reference_id":"8.6.21","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-11T14:27:33Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/8.6.21"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.8","reference_id":"9.5.2-a
lpha.8","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-11T14:27:33Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30965","reference_id":"CVE-2026-30965","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30965"},{"reference_url":"https://github.com/advisories/GHSA-6r2j-cxgf-495f","reference_id":"GHSA-6r2j-cxgf-495f","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6r2j-cxgf-495f"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-6r2j-cxgf-495f","reference_id":"GHSA-6r2j-cxgf-495f","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-11T14:27:33Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-6r2j-cxgf-495f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40651?format=json","purl":"pkg:npm/parse-server@9.5.2-alpha.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13fb-z2v
s-83hu"},{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-1y9a-gb1j-ufdu"},{"vulnerability":"VCID-262h-v1yd-tfc9"},{"vulnerability":"VCID-2fzy-ajnc-fbf9"},{"vulnerability":"VCID-2qbc-paq8-2fgn"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-53r7-9knw-u7bd"},{"vulnerability":"VCID-5bbt-8378-17d1"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-bpp2-r2wr-vkf6"},{"vulnerability":"VCID-ca2c-skt8-mqau"},{"vulnerability":"VCID-caj3-ujpk-hba5"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e7pg-sdu5-mkhh"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-ee1t-31wz-ufbw"},{"vulnerability":"VCID-evdb-d9ew-pbfq"},{"vulnerability":"VCID-fdqv-3n6r-2fgb"},{"vulnerability":"VCID-g9b7-r5ry-mybm"},{"vulnerability":"VCID-gjus-pwzw-qufs"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hbms-u2mt-jyhn"},{"vulnerability":"VCID-hh7p-ae88-z3fs"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-j3ba-adds-muay"},{"vulnerability":"VCID-j6sw-ak9p-nyhc"},{"vulnerability":"VCID-jh6w-1y2k-27de"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-qybe-rg1s-6kau"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-s2mj-yppn-ckaa"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-wtbe-kc8y-77dk"},{"vulnerability":"VCID-xrz4-1vpd-2qeg"},{"vulnerability":"VCID-zrvb-y7f6-ykby"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2
.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.8"}],"aliases":["CVE-2026-30965","GHSA-6r2j-cxgf-495f"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2syy-yyte-nug4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66328?format=json","vulnerability_id":"VCID-383v-s4c7-6bfu","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.13 and 9.5.1-alpha.2, an unauthenticated attacker can crash the Parse Server process by calling a Cloud Function endpoint with a prototype property name as the function name. The server recurses infinitely, causing a call stack size error that terminates the process. Other prototype property names bypass Cloud Function dispatch validation and return HTTP 200 responses, even though no such Cloud Functions are defined. The same applies to dot-notation traversal. All Parse Server deployments that expose the Cloud Function endpoint are affected. 
This vulnerability is fixed in 8.6.13 and 9.5.1-alpha.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30939","reference_id":"","reference_type":"","scores":[{"value":"0.00181","scoring_system":"epss","scoring_elements":"0.39833","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00181","scoring_system":"epss","scoring_elements":"0.39663","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30939"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/8.6.13","reference_id":"8.6.13","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:56:39Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/8.6.13"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/9.5.1-alpha.2","reference_id":"9.5.1-alpha.2","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:56:39Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/9.5.1-alpha.2"},{"reference_url":"https://nvd.nist.gov/vuln/de
tail/CVE-2026-30939","reference_id":"CVE-2026-30939","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30939"},{"reference_url":"https://github.com/advisories/GHSA-5j86-7r7m-p8h6","reference_id":"GHSA-5j86-7r7m-p8h6","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5j86-7r7m-p8h6"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-5j86-7r7m-p8h6","reference_id":"GHSA-5j86-7r7m-p8h6","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:56:39Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-5j86-7r7m-p8h6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40426?format=json","purl":"pkg:npm/parse-server@9.5.1-alpha.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13fb-z2vs-83hu"},{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-1y9a-gb1j-ufdu"},{"vulnerability":"VCID-22pk-5s6t-ufaw"},{"vulnerability":"VCID-262h-v1yd-tfc9"},{"vulnerability":"VCID-2fzy-ajnc-fbf9"},{"vulnerability":"VCID-2qbc-paq8-2fgn"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-2syy-yyte-nug4"},{"vulnerability":"VCID-2t98-yfws-zfgn"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-53r7-9knw-u7bd"},{"vulnerability":"VCID-5bbt-8378-17d1"},{"vulnerability":"VCI
D-7jbf-hw56-9bcx"},{"vulnerability":"VCID-bpp2-r2wr-vkf6"},{"vulnerability":"VCID-brgs-d2uu-a7bt"},{"vulnerability":"VCID-ca2c-skt8-mqau"},{"vulnerability":"VCID-caj3-ujpk-hba5"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dmkx-64cw-67ae"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e7pg-sdu5-mkhh"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-ee1t-31wz-ufbw"},{"vulnerability":"VCID-evdb-d9ew-pbfq"},{"vulnerability":"VCID-fdqv-3n6r-2fgb"},{"vulnerability":"VCID-g9b7-r5ry-mybm"},{"vulnerability":"VCID-gjus-pwzw-qufs"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hbms-u2mt-jyhn"},{"vulnerability":"VCID-hh7p-ae88-z3fs"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-j3ba-adds-muay"},{"vulnerability":"VCID-j6sw-ak9p-nyhc"},{"vulnerability":"VCID-jh6w-1y2k-27de"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-pkkz-wwqa-1ufw"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-qybe-rg1s-6kau"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-s2mj-yppn-ckaa"},{"vulnerability":"VCID-smga-c628-mucb"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-wtbe-kc8y-77dk"},{"vulnerability":"VCID-xrz4-1vpd-2qeg"},{"vulnerability":"VCID-yup6-6p9f-n7bu"},{"vulnerability":"VCID-zrvb-y7f6-ykby"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.1-alpha.2"}],"aliases":["CVE-2026-30939","GHSA-5j86-7r7m-p8h6"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resour
ce_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-383v-s4c7-6bfu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66471?format=json","vulnerability_id":"VCID-8cct-wkqq-nqdm","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.12 and 9.5.1-alpha.1, the requestKeywordDenylist security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is caused by a logic bug that stops scanning sibling keys after encountering the first nested value. Any custom requestKeywordDenylist entries configured by the developer are equally bypassable using the same technique. All Parse Server deployments are affected. The requestKeywordDenylist is enabled by default. This vulnerability is fixed in 8.6.12 and 9.5.1-alpha.1. As a workaround, use a Cloud Code beforeSave trigger to validate incoming data for prohibited keywords across all classes.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30938","reference_id":"","reference_type":"","scores":[{"value":"0.00067","scoring_system":"epss","scoring_elements":"0.21126","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00067","scoring_system":"epss","scoring_elements":"0.2095","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30938"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/8.6.12","reference_id":"8.6.12","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC
:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:56:19Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/8.6.12"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/9.5.1-alpha.1","reference_id":"9.5.1-alpha.1","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:56:19Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/9.5.1-alpha.1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30938","reference_id":"CVE-2026-30938","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30938"},{"reference_url":"https://github.com/advisories/GHSA-q342-9w2p-57fp","reference_id":"GHSA-q342-9w2p-57fp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q342-9w2p-57fp"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-q342-9w2p-57fp","reference_id":"GHSA-q342-9w2p-57fp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements
":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:56:19Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-q342-9w2p-57fp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40422?format=json","purl":"pkg:npm/parse-server@9.5.1-alpha.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13fb-z2vs-83hu"},{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-1y9a-gb1j-ufdu"},{"vulnerability":"VCID-22pk-5s6t-ufaw"},{"vulnerability":"VCID-262h-v1yd-tfc9"},{"vulnerability":"VCID-2fzy-ajnc-fbf9"},{"vulnerability":"VCID-2qbc-paq8-2fgn"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-2syy-yyte-nug4"},{"vulnerability":"VCID-2t98-yfws-zfgn"},{"vulnerability":"VCID-383v-s4c7-6bfu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-53r7-9knw-u7bd"},{"vulnerability":"VCID-5bbt-8378-17d1"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-bpp2-r2wr-vkf6"},{"vulnerability":"VCID-brgs-d2uu-a7bt"},{"vulnerability":"VCID-ca2c-skt8-mqau"},{"vulnerability":"VCID-caj3-ujpk-hba5"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dmkx-64cw-67ae"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e7pg-sdu5-mkhh"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-ee1t-31wz-ufbw"},{"vulnerability":"VCID-evdb-d9ew-pbfq"},{"vulnerability":"VCID-fdqv-3n6r-2fgb"},{"vulnerability":"VCID-g9b7-r5ry-mybm"},{"vulnerability":"VCID-gjus-pwzw-qufs"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hbms-u2mt-jyhn"},{"vulnerability":"VCID-hh7p-ae88-z3fs"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-j3ba-adds-muay"},{"vulnerability":"VCID-j6sw-ak9p-nyhc"},{"vulnerability":"VCID-jh6w-1y2k-27de"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-
92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-pkkz-wwqa-1ufw"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-qybe-rg1s-6kau"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-s2mj-yppn-ckaa"},{"vulnerability":"VCID-smga-c628-mucb"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-wtbe-kc8y-77dk"},{"vulnerability":"VCID-xrz4-1vpd-2qeg"},{"vulnerability":"VCID-yup6-6p9f-n7bu"},{"vulnerability":"VCID-zrvb-y7f6-ykby"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.1-alpha.1"}],"aliases":["CVE-2026-30938","GHSA-q342-9w2p-57fp"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8cct-wkqq-nqdm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66590?format=json","vulnerability_id":"VCID-bzw6-4m1j-6fe2","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.0-alpha.14 and 8.6.11, a malicious client can subscribe to a LiveQuery with a crafted $regex pattern that causes catastrophic backtracking, blocking the Node.js event loop. This makes the entire Parse Server unresponsive, affecting all clients. Any Parse Server deployment with LiveQuery enabled is affected. The attacker only needs the application ID and JavaScript key, both of which are public in client-side apps. This only affects LiveQuery subscription matching, which evaluates regex in JavaScript on the Node.js event loop. Normal REST and GraphQL queries are not affected because their regex is evaluated by the database engine. 
This vulnerability is fixed in 9.5.0-alpha.14 and 8.6.11.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30925","reference_id":"","reference_type":"","scores":[{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06084","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06061","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30925"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/8.6.11","reference_id":"8.6.11","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T14:08:58Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/8.6.11"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.14","reference_id":"9.5.0-alpha.14","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T14:08:58Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.14"},{"reference_url":"https://nvd.nist.gov/vul
n/detail/CVE-2026-30925","reference_id":"CVE-2026-30925","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30925"},{"reference_url":"https://github.com/advisories/GHSA-mf3j-86qx-cq5j","reference_id":"GHSA-mf3j-86qx-cq5j","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mf3j-86qx-cq5j"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-mf3j-86qx-cq5j","reference_id":"GHSA-mf3j-86qx-cq5j","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T14:08:58Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-mf3j-86qx-cq5j"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40420?format=json","purl":"pkg:npm/parse-server@9.5.0-alpha.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13fb-z2vs-83hu"},{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-1y9a-gb1j-ufdu"},{"vulnerability":"VCID-22pk-5s6t-ufaw"},{"vulnerability":"VCID-262h-v1yd-tfc9"},{"vulnerability":"VCID-2fzy-ajnc-fbf9"},{"vulnerability":"VCID-2qbc-paq8-2fgn"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-2syy-yyte-nug4"},{"vulnerability":"VCID-2t98-yfws-zfgn"},{"vulnerability":"VCID-383v-s4c7-6bfu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-53r7-9knw-u7bd"},{"vulnerability"
:"VCID-5bbt-8378-17d1"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-8cct-wkqq-nqdm"},{"vulnerability":"VCID-bpp2-r2wr-vkf6"},{"vulnerability":"VCID-brgs-d2uu-a7bt"},{"vulnerability":"VCID-ca2c-skt8-mqau"},{"vulnerability":"VCID-caj3-ujpk-hba5"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dmkx-64cw-67ae"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e7pg-sdu5-mkhh"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-ee1t-31wz-ufbw"},{"vulnerability":"VCID-evdb-d9ew-pbfq"},{"vulnerability":"VCID-fdqv-3n6r-2fgb"},{"vulnerability":"VCID-g9b7-r5ry-mybm"},{"vulnerability":"VCID-gjus-pwzw-qufs"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hbms-u2mt-jyhn"},{"vulnerability":"VCID-hh7p-ae88-z3fs"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-j3ba-adds-muay"},{"vulnerability":"VCID-j6sw-ak9p-nyhc"},{"vulnerability":"VCID-jh6w-1y2k-27de"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-pkkz-wwqa-1ufw"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-qybe-rg1s-6kau"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-s2mj-yppn-ckaa"},{"vulnerability":"VCID-smga-c628-mucb"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-wtbe-kc8y-77dk"},{"vulnerability":"VCID-xrz4-1vpd-2qeg"},{"vulnerability":"VCID-yup6-6p9f-n7bu"},{"vulnerability":"VCID-zrvb-y7f6-ykby"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.0-alpha.14"}],"aliases":["CVE-2026-30925","GHSA-mf3j
-86qx-cq5j"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bzw6-4m1j-6fe2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66514?format=json","vulnerability_id":"VCID-caj3-ujpk-hba5","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.10 and 8.6.23, Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint (/batch) processes sub-requests internally by routing them directly through the Promise router, bypassing Express middleware including rate limiting. An attacker can bundle multiple requests targeting a rate-limited endpoint into a single batch request to circumvent the configured rate limit. Any Parse Server deployment that relies on the built-in rate limiting feature is affected. This vulnerability is fixed in 9.5.2-alpha.10 and 8.6.23.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30972","reference_id":"","reference_type":"","scores":[{"value":"0.00062","scoring_system":"epss","scoring_elements":"0.19664","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00062","scoring_system":"epss","scoring_elements":"0.1949","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30972"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/8.6.23","reference_id":"8.6.23","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS
:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:53:44Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/8.6.23"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.10","reference_id":"9.5.2-alpha.10","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:53:44Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.10"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30972","reference_id":"CVE-2026-30972","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30972"},{"reference_url":"https://github.com/advisories/GHSA-775h-3xrc-c228","reference_id":"GHSA-775h-3xrc-c228","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-775h-3xrc-c228"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-775h-3xrc-c228","reference_id":"GHSA-775h-3xrc-c228","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","s
coring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:53:44Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-775h-3xrc-c228"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40658?format=json","purl":"pkg:npm/parse-server@9.5.2-alpha.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13fb-z2vs-83hu"},{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-1y9a-gb1j-ufdu"},{"vulnerability":"VCID-262h-v1yd-tfc9"},{"vulnerability":"VCID-2fzy-ajnc-fbf9"},{"vulnerability":"VCID-2qbc-paq8-2fgn"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-53r7-9knw-u7bd"},{"vulnerability":"VCID-5bbt-8378-17d1"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-bpp2-r2wr-vkf6"},{"vulnerability":"VCID-ca2c-skt8-mqau"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e7pg-sdu5-mkhh"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-ee1t-31wz-ufbw"},{"vulnerability":"VCID-evdb-d9ew-pbfq"},{"vulnerability":"VCID-fdqv-3n6r-2fgb"},{"vulnerability":"VCID-g9b7-r5ry-mybm"},{"vulnerability":"VCID-gjus-pwzw-qufs"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hbms-u2mt-jyhn"},{"vulnerability":"VCID-hh7p-ae88-z3fs"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-j3ba-adds-muay"},{"vulnerability":"VCID-j6sw-ak9p-nyhc"},{"vulnerability":"VCID-jh6w-1y2k-27de"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-qybe-rg1s-6kau"},{"vulnerabil
ity":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-s2mj-yppn-ckaa"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-xrz4-1vpd-2qeg"},{"vulnerability":"VCID-zrvb-y7f6-ykby"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.10"}],"aliases":["CVE-2026-30972","GHSA-775h-3xrc-c228"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-caj3-ujpk-hba5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/71310?format=json","vulnerability_id":"VCID-fdqv-3n6r-2fgb","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.4 and 8.6.30, an attacker can upload a file with a file extension or content type that is not blocked by the default configuration of the Parse Server fileUpload.fileExtensions option. The file can contain malicious code, for example JavaScript in an SVG or XHTML file. When the file is accessed via its URL, the browser renders the file and executes the malicious code in the context of the Parse Server domain. This is a stored Cross-Site Scripting (XSS) vulnerability that can be exploited to steal session tokens, redirect users, or perform actions on behalf of other users. Affected file extensions and content types include .svgz, .xht, .xml, .xsl, .xslt, and content types application/xhtml+xml and application/xslt+xml for extensionless uploads. Uploading of .html, .htm, .shtml, .xhtml, and .svg files was already blocked. 
This vulnerability is fixed in 9.6.0-alpha.4 and 8.6.30.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31868","reference_id":"","reference_type":"","scores":[{"value":"0.00064","scoring_system":"epss","scoring_elements":"0.20191","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00064","scoring_system":"epss","scoring_elements":"0.20019","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31868"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/8.6.30","reference_id":"8.6.30","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:10:45Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/8.6.30"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.4","reference_id":"9.6.0-alpha.4","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:10:45Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.4"},{"reference_url":"https://nvd.nist
.gov/vuln/detail/CVE-2026-31868","reference_id":"CVE-2026-31868","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31868"},{"reference_url":"https://github.com/advisories/GHSA-v5hf-f4c3-m5rv","reference_id":"GHSA-v5hf-f4c3-m5rv","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v5hf-f4c3-m5rv"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-v5hf-f4c3-m5rv","reference_id":"GHSA-v5hf-f4c3-m5rv","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:10:45Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-v5hf-f4c3-m5rv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40686?format=json","purl":"pkg:npm/parse-server@9.6.0-alpha.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13fb-z2vs-83hu"},{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-1y9a-gb1j-ufdu"},{"vulnerability":"VCID-2fzy-ajnc-fbf9"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-53r7-9knw-u7bd"},{"vulnerability":"VCID-5bbt-8378-17d1"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-bpp2-r2wr-vkf6"},{"vulnerability":"VCID-ca2c-skt8-mqau"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-
rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e7pg-sdu5-mkhh"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-ee1t-31wz-ufbw"},{"vulnerability":"VCID-evdb-d9ew-pbfq"},{"vulnerability":"VCID-g9b7-r5ry-mybm"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hbms-u2mt-jyhn"},{"vulnerability":"VCID-hh7p-ae88-z3fs"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-j3ba-adds-muay"},{"vulnerability":"VCID-j6sw-ak9p-nyhc"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-qybe-rg1s-6kau"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-s2mj-yppn-ckaa"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-xrz4-1vpd-2qeg"},{"vulnerability":"VCID-zrvb-y7f6-ykby"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.4"}],"aliases":["CVE-2026-31868","GHSA-v5hf-f4c3-m5rv"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fdqv-3n6r-2fgb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/71319?format=json","vulnerability_id":"VCID-gjus-pwzw-qufs","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.13 and 8.6.26, the LDAP authentication adapter is vulnerable to LDAP injection. 
User-supplied input (authData.id) is interpolated directly into LDAP Distinguished Names (DN) and group search filters without escaping special characters. This allows an attacker with valid LDAP credentials to manipulate the bind DN structure and to bypass group membership checks. This enables privilege escalation from any authenticated LDAP user to a member of any restricted group. The vulnerability affects Parse Server deployments that use the LDAP authentication adapter with group-based access control. This vulnerability is fixed in 9.5.2-alpha.13 and 8.6.26.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31828","reference_id":"","reference_type":"","scores":[{"value":"0.00164","scoring_system":"epss","scoring_elements":"0.37423","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00164","scoring_system":"epss","scoring_elements":"0.37245","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31828"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/8.6.26","reference_id":"8.6.26","reference_type":"","scores":[{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:51:50Z/"}],"url":"https://github.com/parse-commun
ity/parse-server/releases/tag/8.6.26"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.13","reference_id":"9.5.2-alpha.13","reference_type":"","scores":[{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:51:50Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.13"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31828","reference_id":"CVE-2026-31828","reference_type":"","scores":[{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31828"},{"reference_url":"https://github.com/advisories/GHSA-7m6r-fhh7-r47c","reference_id":"GHSA-7m6r-fhh7-r47c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7m6r-fhh7-r47c"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-7m6r-fhh7-r47c","reference_id":"GHSA-7m6r-fhh7-r47c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_sy
stem":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:51:50Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-7m6r-fhh7-r47c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40664?format=json","purl":"pkg:npm/parse-server@9.5.2-alpha.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13fb-z2vs-83hu"},{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-1y9a-gb1j-ufdu"},{"vulnerability":"VCID-262h-v1yd-tfc9"},{"vulnerability":"VCID-2fzy-ajnc-fbf9"},{"vulnerability":"VCID-2qbc-paq8-2fgn"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-53r7-9knw-u7bd"},{"vulnerability":"VCID-5bbt-8378-17d1"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-bpp2-r2wr-vkf6"},{"vulnerability":"VCID-ca2c-skt8-mqau"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e7pg-sdu5-mkhh"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-ee1t-31wz-ufbw"},{"vulnerability":"VCID-evdb-d9ew-pbfq"},{"vulnerability":"VCID-fdqv-3n6r-2fgb"},{"vulnerability":"VCID-g9b7-r5ry-mybm"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hbms-u2mt-jyhn"},{"vulnerability":"VCID-hh7p-ae88-z3fs"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-j3ba-adds-muay"},{"vulnerability":"VCID-j6sw-ak9p-nyhc"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-qybe-rg1s-6kau"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-s2mj-yppn-ckaa"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCI
D-vmwk-3myb-u7ds"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-xrz4-1vpd-2qeg"},{"vulnerability":"VCID-zrvb-y7f6-ykby"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.13"}],"aliases":["CVE-2026-31828","GHSA-7m6r-fhh7-r47c"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gjus-pwzw-qufs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/71291?format=json","vulnerability_id":"VCID-jh6w-1y2k-27de","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.12 and 8.6.25, the _GraphQLConfig and _Audience internal classes can be read, modified, and deleted via the generic /classes/_GraphQLConfig and /classes/_Audience REST API routes without master key authentication. This bypasses the master key enforcement that exists on the dedicated /graphql-config and /push_audiences endpoints. An attacker can read, modify and delete GraphQL configuration and push audience data. 
This vulnerability is fixed in 9.5.2-alpha.12 and 8.6.25.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31800","reference_id":"","reference_type":"","scores":[{"value":"0.00106","scoring_system":"epss","scoring_elements":"0.28346","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00106","scoring_system":"epss","scoring_elements":"0.2815","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31800"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/8.6.25","reference_id":"8.6.25","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:53:42Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/8.6.25"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.12","reference_id":"9.5.2-alpha.12","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:53:42Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.12"},{"reference_url":"https://nvd.nist.gov/vuln
/detail/CVE-2026-31800","reference_id":"CVE-2026-31800","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31800"},{"reference_url":"https://github.com/advisories/GHSA-7xg7-rqf6-pw6c","reference_id":"GHSA-7xg7-rqf6-pw6c","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7xg7-rqf6-pw6c"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-7xg7-rqf6-pw6c","reference_id":"GHSA-7xg7-rqf6-pw6c","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:53:42Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-7xg7-rqf6-pw6c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40661?format=json","purl":"pkg:npm/parse-server@9.5.2-alpha.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13fb-z2vs-83hu"},{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-1y9a-gb1j-ufdu"},{"vulnerability":"VCID-262h-v1yd-tfc9"},{"vulnerability":"VCID-2fzy-ajnc-fbf9"},{"vulnerability":"VCID-2qbc-paq8-2fgn"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-53r7-9knw-u7bd"},{"vulnerability":"VCID-5bbt-8378-17d1"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-bpp2-r2wr-vkf6"},{"vulnerability":"VCID-ca2c-skt8-mqau"},{"vulnerability":
"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e7pg-sdu5-mkhh"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-ee1t-31wz-ufbw"},{"vulnerability":"VCID-evdb-d9ew-pbfq"},{"vulnerability":"VCID-fdqv-3n6r-2fgb"},{"vulnerability":"VCID-g9b7-r5ry-mybm"},{"vulnerability":"VCID-gjus-pwzw-qufs"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hbms-u2mt-jyhn"},{"vulnerability":"VCID-hh7p-ae88-z3fs"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-j3ba-adds-muay"},{"vulnerability":"VCID-j6sw-ak9p-nyhc"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-qybe-rg1s-6kau"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-s2mj-yppn-ckaa"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-xrz4-1vpd-2qeg"},{"vulnerability":"VCID-zrvb-y7f6-ykby"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.12"}],"aliases":["CVE-2026-31800","GHSA-7xg7-rqf6-pw6c"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jh6w-1y2k-27de"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66452?format=json","vulnerability_id":"VCID-pkkz-wwqa-1ufw","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. 
Prior to 9.5.2-alpha.7 and 8.6.20, Parse Server's internal tables, which store Relation field mappings such as role memberships, can be directly accessed via the REST API or GraphQL API by any client using only the application key. No master key is required. An attacker can create, read, update, or delete records in any internal relationship table. Exploiting this allows the attacker to inject themselves into any Parse Role, gaining all permissions associated with that role, including full read, write, and delete access to classes protected by role-based Class-Level Permissions (CLP). Similarly, writing to any such table that backs a Relation field used in a pointerFields CLP bypasses that access control. This vulnerability is fixed in 9.5.2-alpha.7 and 8.6.20.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30966","reference_id":"","reference_type":"","scores":[{"value":"0.00064","scoring_system":"epss","scoring_elements":"0.20308","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00064","scoring_system":"epss","scoring_elements":"0.20132","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30966"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/8.6.20","reference_id":"8.6.20","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"val
ue":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-11T14:31:08Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/8.6.20"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.7","reference_id":"9.5.2-alpha.7","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-11T14:31:08Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30966","reference_id":"CVE-2026-30966","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30966"},{"reference_url":"https://github.com/advisories/GHSA-5f92-jrq3-28rc","reference_id":"GHSA-5f92-jrq3-28rc","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5f92-jrq3-28rc"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-5f92-jrq3-28rc","reference_id":"GHSA-5f92-jrq3-28rc","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system
":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-11T14:31:08Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-5f92-jrq3-28rc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40654?format=json","purl":"pkg:npm/parse-server@9.5.2-alpha.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13fb-z2vs-83hu"},{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-1y9a-gb1j-ufdu"},{"vulnerability":"VCID-262h-v1yd-tfc9"},{"vulnerability":"VCID-2fzy-ajnc-fbf9"},{"vulnerability":"VCID-2qbc-paq8-2fgn"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-2syy-yyte-nug4"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-53r7-9knw-u7bd"},{"vulnerability":"VCID-5bbt-8378-17d1"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-bpp2-r2wr-vkf6"},{"vulnerability":"VCID-ca2c-skt8-mqau"},{"vulnerability":"VCID-caj3-ujpk-hba5"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e7pg-sdu5-mkhh"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-ee1t-31wz-ufbw"},{"vulnerability":"VCID-evdb-d9ew-pbfq"},{"vulnerability":"VCID-fdqv-3n6r-2fgb"},{"vulnerability":"VCID-g9b7-r5ry-mybm"},{"vulnerability":"VCID-gjus-pwzw-qufs"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hbms-u2mt-jyhn"},{"vulnerability":"VCID-hh7p-ae88-z3fs"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-j3ba-adds-muay"},{"vulnerability":"VCID-j6sw-ak9p-nyhc"},{"vulnerability":"VCID-jh6w-1y2k-27de"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9g
k-w3e8"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-qybe-rg1s-6kau"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-s2mj-yppn-ckaa"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-wtbe-kc8y-77dk"},{"vulnerability":"VCID-xrz4-1vpd-2qeg"},{"vulnerability":"VCID-zrvb-y7f6-ykby"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.7"}],"aliases":["CVE-2026-30966","GHSA-5f92-jrq3-28rc"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pkkz-wwqa-1ufw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/71476?format=json","vulnerability_id":"VCID-qybe-rg1s-6kau","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.5 and 8.6.31, a SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation (e.g., stats.counter). The sub-key name is interpolated directly into SQL string literals without escaping. An attacker who can send write requests to the Parse Server REST API can inject arbitrary SQL via a crafted sub-key name containing single quotes, potentially executing commands or reading data from the database, bypassing CLPs and ACLs. Only Postgres deployments are affected. 
This vulnerability is fixed in 9.6.0-alpha.5 and 8.6.31.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31871","reference_id":"","reference_type":"","scores":[{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13419","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13311","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31871"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/8.6.31","reference_id":"8.6.31","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:09:48Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/8.6.31"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.5","reference_id":"9.6.0-alpha.5","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:09:48Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.5"},{"reference_url":"https://nvd.nist
.gov/vuln/detail/CVE-2026-31871","reference_id":"CVE-2026-31871","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31871"},{"reference_url":"https://github.com/advisories/GHSA-gqpp-xgvh-9h7h","reference_id":"GHSA-gqpp-xgvh-9h7h","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gqpp-xgvh-9h7h"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-gqpp-xgvh-9h7h","reference_id":"GHSA-gqpp-xgvh-9h7h","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:09:48Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-gqpp-xgvh-9h7h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40689?format=json","purl":"pkg:npm/parse-server@9.6.0-alpha.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13fb-z2vs-83hu"},{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-1y9a-gb1j-ufdu"},{"vulnerability":"VCID-2fzy-ajnc-fbf9"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-53r7-9knw-u7bd"},{"vulnerability":"VCID-5bbt-8378-17d1"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-bpp2-r2wr-vkf6"},{"vulnerability":"VCID-ca2c-skt8-mqau"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-
rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e7pg-sdu5-mkhh"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-ee1t-31wz-ufbw"},{"vulnerability":"VCID-evdb-d9ew-pbfq"},{"vulnerability":"VCID-g9b7-r5ry-mybm"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hbms-u2mt-jyhn"},{"vulnerability":"VCID-hh7p-ae88-z3fs"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-j3ba-adds-muay"},{"vulnerability":"VCID-j6sw-ak9p-nyhc"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-s2mj-yppn-ckaa"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-xrz4-1vpd-2qeg"},{"vulnerability":"VCID-zrvb-y7f6-ykby"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.5"}],"aliases":["CVE-2026-31871","GHSA-gqpp-xgvh-9h7h"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qybe-rg1s-6kau"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66426?format=json","vulnerability_id":"VCID-rbax-edn6-d3aw","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint (GET /files/:appId/metadata/:filename) does not enforce beforeFind / afterFind file triggers. 
When these triggers are used as access-control gates, the metadata endpoint bypasses them entirely, allowing unauthorized access to file metadata. This issue has been patched in versions 8.6.9 and 9.5.0-alpha.9.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30850","reference_id":"","reference_type":"","scores":[{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06172","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06191","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30850"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30850","reference_id":"CVE-2026-30850","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30850"},{"reference_url":"https://github.com/advisories/GHSA-hwx8-q9cg-mqmc","reference_id":"GHSA-hwx8-q9cg-mqmc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hwx8-q9cg-mqmc"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-hwx8-q9cg-mqmc","reference_id":"GHSA-hwx8-q9cg-mqmc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:
L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T17:38:46Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-hwx8-q9cg-mqmc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40402?format=json","purl":"pkg:npm/parse-server@9.5.0-alpha.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13fb-z2vs-83hu"},{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-14sg-981y-pbdx"},{"vulnerability":"VCID-1y9a-gb1j-ufdu"},{"vulnerability":"VCID-22pk-5s6t-ufaw"},{"vulnerability":"VCID-262h-v1yd-tfc9"},{"vulnerability":"VCID-2fzy-ajnc-fbf9"},{"vulnerability":"VCID-2qbc-paq8-2fgn"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-2syy-yyte-nug4"},{"vulnerability":"VCID-2t98-yfws-zfgn"},{"vulnerability":"VCID-383v-s4c7-6bfu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-53r7-9knw-u7bd"},{"vulnerability":"VCID-5bbt-8378-17d1"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-8cct-wkqq-nqdm"},{"vulnerability":"VCID-bpp2-r2wr-vkf6"},{"vulnerability":"VCID-brgs-d2uu-a7bt"},{"vulnerability":"VCID-bzw6-4m1j-6fe2"},{"vulnerability":"VCID-ca2c-skt8-mqau"},{"vulnerability":"VCID-caj3-ujpk-hba5"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dmkx-64cw-67ae"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e7pg-sdu5-mkhh"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-ee1t-31wz-ufbw"},{"vulnerability":"VCID-evdb-d9ew-pbfq"},{"vulnerability":"VCID-fdqv-3n6r-2fgb"},{"vulnerability":"VCID-g9b7-r5ry-mybm"},{"vulnerability":"VCID-gjus-pwzw-qufs"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hbms-u2mt-jyhn"},{"vulnerability":"VCID-hh7p-ae88-z3fs"},{"vulnerability":"VCID-hs5q
-jk5r-7ya8"},{"vulnerability":"VCID-j3ba-adds-muay"},{"vulnerability":"VCID-j6sw-ak9p-nyhc"},{"vulnerability":"VCID-jh6w-1y2k-27de"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-pkkz-wwqa-1ufw"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-qybe-rg1s-6kau"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-ryzc-v8ju-zbcd"},{"vulnerability":"VCID-s2mj-yppn-ckaa"},{"vulnerability":"VCID-smga-c628-mucb"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-wtbe-kc8y-77dk"},{"vulnerability":"VCID-xrz4-1vpd-2qeg"},{"vulnerability":"VCID-yup6-6p9f-n7bu"},{"vulnerability":"VCID-zrvb-y7f6-ykby"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.0-alpha.9"}],"aliases":["CVE-2026-30850","GHSA-hwx8-q9cg-mqmc"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rbax-edn6-d3aw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/71429?format=json","vulnerability_id":"VCID-rr98-m4bd-dqhf","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.34 and 9.6.0-alpha.8, the email verification endpoint (/verificationEmailRequest) returns distinct error responses depending on whether an email address belongs to an existing user, is already verified, or does not exist. An attacker can send requests with different email addresses and observe the error codes to determine which email addresses are registered in the application. 
This is a user enumeration vulnerability that affects any Parse Server deployment with email verification enabled (verifyUserEmails: true). This vulnerability is fixed in 8.6.34 and 9.6.0-alpha.8.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31901","reference_id":"","reference_type":"","scores":[{"value":"0.00044","scoring_system":"epss","scoring_elements":"0.14195","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00044","scoring_system":"epss","scoring_elements":"0.14077","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31901"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/8.6.34","reference_id":"8.6.34","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:01:34Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/8.6.34"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.8","reference_id":"9.6.0-alpha.8","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/202
6-03-12T20:01:34Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31901","reference_id":"CVE-2026-31901","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31901"},{"reference_url":"https://github.com/advisories/GHSA-w54v-hf9p-8856","reference_id":"GHSA-w54v-hf9p-8856","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w54v-hf9p-8856"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-w54v-hf9p-8856","reference_id":"GHSA-w54v-hf9p-8856","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:01:34Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-w54v-hf9p-8856"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40694?format=json","purl":"pkg:npm/parse-server@9.6.0-alpha.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13fb-z2vs-83hu"},{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-1y9a-gb1j-ufdu"},{"vulnerability":"VCID-2fzy-ajnc-fbf9"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-53r7-9knw-u7bd"},{"vulnerability":"VCID-5bbt-8378-17d1"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerabili
ty":"VCID-bpp2-r2wr-vkf6"},{"vulnerability":"VCID-ca2c-skt8-mqau"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e7pg-sdu5-mkhh"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-ee1t-31wz-ufbw"},{"vulnerability":"VCID-evdb-d9ew-pbfq"},{"vulnerability":"VCID-g9b7-r5ry-mybm"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hbms-u2mt-jyhn"},{"vulnerability":"VCID-hh7p-ae88-z3fs"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-j3ba-adds-muay"},{"vulnerability":"VCID-j6sw-ak9p-nyhc"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-s2mj-yppn-ckaa"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-zrvb-y7f6-ykby"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.8"}],"aliases":["CVE-2026-31901","GHSA-w54v-hf9p-8856"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rr98-m4bd-dqhf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66316?format=json","vulnerability_id":"VCID-ryzc-v8ju-zbcd","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.10 and 9.5.0-alpha.11, the Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. 
When the adapter's audience configuration option is not set (clientId for Google/Apple, appIds for Facebook), JWT verification silently skips audience claim validation. This allows an attacker to use a validly signed JWT issued for a different application to authenticate as any user on the target Parse Server. This issue has been patched in versions 8.6.10 and 9.5.0-alpha.11.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30863","reference_id":"","reference_type":"","scores":[{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10493","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10547","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30863"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30863","reference_id":"CVE-2026-30863","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30863"},{"reference_url":"https://github.com/advisories/GHSA-x6fw-778m-wr9v","reference_id":"GHSA-x6fw-778m-wr9v","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x6fw-778m-wr9v"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-x6fw-778m-wr9v","reference_id":"GHSA-x6fw-778m-wr9v","reference_type
":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-09T16:43:47Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-x6fw-778m-wr9v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40406?format=json","purl":"pkg:npm/parse-server@9.5.0-alpha.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13fb-z2vs-83hu"},{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-1y9a-gb1j-ufdu"},{"vulnerability":"VCID-22pk-5s6t-ufaw"},{"vulnerability":"VCID-262h-v1yd-tfc9"},{"vulnerability":"VCID-2fzy-ajnc-fbf9"},{"vulnerability":"VCID-2qbc-paq8-2fgn"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-2syy-yyte-nug4"},{"vulnerability":"VCID-2t98-yfws-zfgn"},{"vulnerability":"VCID-383v-s4c7-6bfu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-53r7-9knw-u7bd"},{"vulnerability":"VCID-5bbt-8378-17d1"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-8cct-wkqq-nqdm"},{"vulnerability":"VCID-bpp2-r2wr-vkf6"},{"vulnerability":"VCID-brgs-d2uu-a7bt"},{"vulnerability":"VCID-bzw6-4m1j-6fe2"},{"vulnerability":"VCID-ca2c-skt8-mqau"},{"vulnerability":"VCID-caj3-ujpk-hba5"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dmkx-64cw-67ae"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e7pg-sdu5-mkhh"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-ee1t-31wz-ufbw"},{"vulnerability":"VCID-evdb-d9ew-pbfq"},{"vulnerability":"VCID-fdqv-3n6r-2fgb"},{"vulnerability":"VCID-g9b7-r5ry-mybm"},{"vulnerability":"VCID-gjus-pwzw-qufs"},{"vulnerability":"V
CID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hbms-u2mt-jyhn"},{"vulnerability":"VCID-hh7p-ae88-z3fs"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-j3ba-adds-muay"},{"vulnerability":"VCID-j6sw-ak9p-nyhc"},{"vulnerability":"VCID-jh6w-1y2k-27de"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-pkkz-wwqa-1ufw"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-qybe-rg1s-6kau"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-s2mj-yppn-ckaa"},{"vulnerability":"VCID-smga-c628-mucb"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-wtbe-kc8y-77dk"},{"vulnerability":"VCID-xrz4-1vpd-2qeg"},{"vulnerability":"VCID-yup6-6p9f-n7bu"},{"vulnerability":"VCID-zrvb-y7f6-ykby"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.0-alpha.11"}],"aliases":["CVE-2026-30863","GHSA-x6fw-778m-wr9v"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ryzc-v8ju-zbcd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66600?format=json","vulnerability_id":"VCID-u6cq-nd7b-vucm","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0-alpha.8, the PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured pagesPath directory. The boundary check uses a string prefix comparison without enforcing a directory separator boundary. 
An attacker can use path traversal sequences to access files in sibling directories whose names share the same prefix as the pages directory (e.g. pages-secret starts with pages). This issue has been patched in versions 8.6.8 and 9.5.0-alpha.8.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30848","reference_id":"","reference_type":"","scores":[{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06466","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06485","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30848"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30848","reference_id":"CVE-2026-30848","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30848"},{"reference_url":"https://github.com/advisories/GHSA-hm3f-q6rw-m6wh","reference_id":"GHSA-hm3f-q6rw-m6wh","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hm3f-q6rw-m6wh"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-hm3f-q6rw-m6wh","reference_id":"GHSA-hm3f-q6rw-m6wh","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","sco
ring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T17:38:49Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-hm3f-q6rw-m6wh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40397?format=json","purl":"pkg:npm/parse-server@9.5.0-alpha.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13fb-z2vs-83hu"},{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-14sg-981y-pbdx"},{"vulnerability":"VCID-1y9a-gb1j-ufdu"},{"vulnerability":"VCID-22pk-5s6t-ufaw"},{"vulnerability":"VCID-262h-v1yd-tfc9"},{"vulnerability":"VCID-2fzy-ajnc-fbf9"},{"vulnerability":"VCID-2qbc-paq8-2fgn"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-2syy-yyte-nug4"},{"vulnerability":"VCID-2t98-yfws-zfgn"},{"vulnerability":"VCID-383v-s4c7-6bfu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-53r7-9knw-u7bd"},{"vulnerability":"VCID-5bbt-8378-17d1"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-8cct-wkqq-nqdm"},{"vulnerability":"VCID-bpp2-r2wr-vkf6"},{"vulnerability":"VCID-brgs-d2uu-a7bt"},{"vulnerability":"VCID-bzw6-4m1j-6fe2"},{"vulnerability":"VCID-ca2c-skt8-mqau"},{"vulnerability":"VCID-caj3-ujpk-hba5"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dmkx-64cw-67ae"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e7pg-sdu5-mkhh"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-ee1t-31wz-ufbw"},{"vulnerability":"VCID-evdb-d9ew-pbfq"},{"vulnerability":"VCID-fdqv-3n6r-2fgb"},{"vulnerability":"VCID-g9b7-r5ry-mybm"},{"vulnerability":"VCID-gjus-pwzw-qufs"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hbms-u2mt-jyhn"},{"vulnerability":"VCID-hh7p-ae88-z
3fs"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-j3ba-adds-muay"},{"vulnerability":"VCID-j6sw-ak9p-nyhc"},{"vulnerability":"VCID-jh6w-1y2k-27de"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-pkkz-wwqa-1ufw"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-qybe-rg1s-6kau"},{"vulnerability":"VCID-rbax-edn6-d3aw"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-ryzc-v8ju-zbcd"},{"vulnerability":"VCID-s2mj-yppn-ckaa"},{"vulnerability":"VCID-smga-c628-mucb"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-wtbe-kc8y-77dk"},{"vulnerability":"VCID-xrz4-1vpd-2qeg"},{"vulnerability":"VCID-yup6-6p9f-n7bu"},{"vulnerability":"VCID-zrvb-y7f6-ykby"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.0-alpha.8"}],"aliases":["CVE-2026-30848","GHSA-hm3f-q6rw-m6wh"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u6cq-nd7b-vucm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/71323?format=json","vulnerability_id":"VCID-w175-44z9-c3h5","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.7 and 8.6.33, when multi-factor authentication (MFA) via TOTP is enabled for a user account, Parse Server generates two single-use recovery codes. These codes are intended as a fallback when the user cannot provide a TOTP token. 
However, recovery codes are not consumed after use, allowing the same recovery code to be used an unlimited number of times. This defeats the single-use design of recovery codes and weakens the security of MFA-protected accounts. An attacker who obtains a single recovery code can repeatedly authenticate as the affected user without the code ever being invalidated. This vulnerability is fixed in 9.6.0-alpha.7 and 8.6.33.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31875","reference_id":"","reference_type":"","scores":[{"value":"0.00139","scoring_system":"epss","scoring_elements":"0.33867","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00139","scoring_system":"epss","scoring_elements":"0.33687","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31875"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/8.6.33","reference_id":"8.6.33","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:06:08Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/8.6.33"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.7","reference_id":"9.6.0-alpha.7","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/
PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:06:08Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31875","reference_id":"CVE-2026-31875","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31875"},{"reference_url":"https://github.com/advisories/GHSA-4hf6-3x24-c9m8","reference_id":"GHSA-4hf6-3x24-c9m8","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4hf6-3x24-c9m8"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-4hf6-3x24-c9m8","reference_id":"GHSA-4hf6-3x24-c9m8","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:06:08Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-4hf6-3x24-c9m8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40692?format=json","purl":"pkg:npm/parse-server@9.6.0-alpha.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13fb-z2vs-83hu"},{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-1y9a-gb1j-ufdu"},{"vulnerability":"VCID-2fzy-ajnc-fbf9"},{"vulnerabilit
y":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-53r7-9knw-u7bd"},{"vulnerability":"VCID-5bbt-8378-17d1"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-bpp2-r2wr-vkf6"},{"vulnerability":"VCID-ca2c-skt8-mqau"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e7pg-sdu5-mkhh"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-ee1t-31wz-ufbw"},{"vulnerability":"VCID-evdb-d9ew-pbfq"},{"vulnerability":"VCID-g9b7-r5ry-mybm"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hbms-u2mt-jyhn"},{"vulnerability":"VCID-hh7p-ae88-z3fs"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-j3ba-adds-muay"},{"vulnerability":"VCID-j6sw-ak9p-nyhc"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-s2mj-yppn-ckaa"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-zrvb-y7f6-ykby"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.7"}],"aliases":["CVE-2026-31875","GHSA-4hf6-3x24-c9m8"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w175-44z9-c3h5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66569?format=json","vulnerability_id":"VCID-wtbe-kc8y-77dk","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.9. 
and 8.6.22, the OAuth2 authentication adapter, when configured without the useridField option, only verifies that a token is active via the provider's token introspection endpoint, but does not verify that the token belongs to the user identified by authData.id. An attacker with any valid OAuth2 token from the same provider can authenticate as any other user. This affects any Parse Server deployment that uses the generic OAuth2 authentication adapter (configured with oauth2: true) without setting the useridField option. This vulnerability is fixed in 9.5.2-alpha.9 and 8.6.22.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30967","reference_id":"","reference_type":"","scores":[{"value":"0.00127","scoring_system":"epss","scoring_elements":"0.31848","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00127","scoring_system":"epss","scoring_elements":"0.3166","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30967"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/8.6.22","reference_id":"8.6.22","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:24:03Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/8.6.22"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/9.
5.2-alpha.9","reference_id":"9.5.2-alpha.9","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:24:03Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.9"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30967","reference_id":"CVE-2026-30967","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30967"},{"reference_url":"https://github.com/advisories/GHSA-fr88-w35c-r596","reference_id":"GHSA-fr88-w35c-r596","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fr88-w35c-r596"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-fr88-w35c-r596","reference_id":"GHSA-fr88-w35c-r596","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:24:03Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-fr88-w35c-r596"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40655?format=json","purl":"pkg:npm/parse-server@9.5.2-alpha.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability
":"VCID-13fb-z2vs-83hu"},{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-1y9a-gb1j-ufdu"},{"vulnerability":"VCID-262h-v1yd-tfc9"},{"vulnerability":"VCID-2fzy-ajnc-fbf9"},{"vulnerability":"VCID-2qbc-paq8-2fgn"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-53r7-9knw-u7bd"},{"vulnerability":"VCID-5bbt-8378-17d1"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-bpp2-r2wr-vkf6"},{"vulnerability":"VCID-ca2c-skt8-mqau"},{"vulnerability":"VCID-caj3-ujpk-hba5"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e7pg-sdu5-mkhh"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-ee1t-31wz-ufbw"},{"vulnerability":"VCID-evdb-d9ew-pbfq"},{"vulnerability":"VCID-fdqv-3n6r-2fgb"},{"vulnerability":"VCID-g9b7-r5ry-mybm"},{"vulnerability":"VCID-gjus-pwzw-qufs"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hbms-u2mt-jyhn"},{"vulnerability":"VCID-hh7p-ae88-z3fs"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-j3ba-adds-muay"},{"vulnerability":"VCID-j6sw-ak9p-nyhc"},{"vulnerability":"VCID-jh6w-1y2k-27de"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-qybe-rg1s-6kau"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-s2mj-yppn-ckaa"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-xrz4-1vpd-2qeg"},{"vulnerability":"VCID-zrvb-y7f6-ykby"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packa
ges/pkg:npm/parse-server@9.5.2-alpha.9"}],"aliases":["CVE-2026-30967","GHSA-fr88-w35c-r596"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wtbe-kc8y-77dk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/71277?format=json","vulnerability_id":"VCID-xrz4-1vpd-2qeg","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.6 and 8.6.32, the protectedFields class-level permission (CLP) can be bypassed using dot-notation in query WHERE clauses and sort parameters. An attacker can use dot-notation to query or sort by sub-fields of a protected field, enabling a binary oracle attack to enumerate protected field values. This affects both MongoDB and PostgreSQL deployments. This vulnerability is fixed in 9.6.0-alpha.6 and 8.6.32.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31872","reference_id":"","reference_type":"","scores":[{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15709","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.1557","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31872"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/8.6.32","reference_id":"8.6.32","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_s
ystem":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:09:09Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/8.6.32"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.6","reference_id":"9.6.0-alpha.6","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:09:09Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31872","reference_id":"CVE-2026-31872","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31872"},{"reference_url":"https://github.com/advisories/GHSA-r2m8-pxm9-9c4g","reference_id":"GHSA-r2m8-pxm9-9c4g","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r2m8-pxm9-9c4g"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-r2m8-pxm9-9c4g","reference_id":"GHSA-r2m8-pxm9-9c4g","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:
T/2026-03-12T20:09:09Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-r2m8-pxm9-9c4g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40691?format=json","purl":"pkg:npm/parse-server@9.6.0-alpha.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13fb-z2vs-83hu"},{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-1y9a-gb1j-ufdu"},{"vulnerability":"VCID-2fzy-ajnc-fbf9"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-53r7-9knw-u7bd"},{"vulnerability":"VCID-5bbt-8378-17d1"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-bpp2-r2wr-vkf6"},{"vulnerability":"VCID-ca2c-skt8-mqau"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e7pg-sdu5-mkhh"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-ee1t-31wz-ufbw"},{"vulnerability":"VCID-evdb-d9ew-pbfq"},{"vulnerability":"VCID-g9b7-r5ry-mybm"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hbms-u2mt-jyhn"},{"vulnerability":"VCID-hh7p-ae88-z3fs"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-j3ba-adds-muay"},{"vulnerability":"VCID-j6sw-ak9p-nyhc"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-s2mj-yppn-ckaa"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-zrvb-y7f6-ykby"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.i
o/packages/pkg:npm/parse-server@9.6.0-alpha.6"}],"aliases":["CVE-2026-31872","GHSA-r2m8-pxm9-9c4g"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xrz4-1vpd-2qeg"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77845?format=json","vulnerability_id":"VCID-5bbt-8378-17d1","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.51 and 9.6.0-alpha.40, the Pages route and legacy PublicAPI route for resending email verification links return distinguishable responses depending on whether the provided username exists and has an unverified email. This allows an unauthenticated attacker to enumerate valid usernames by observing different redirect targets. The existing emailVerifySuccessOnInvalidEmail configuration option, which is enabled by default and protects the API route against this, did not apply to these routes. 
This issue has been patched in versions 8.6.51 and 9.6.0-alpha.40.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33323","reference_id":"","reference_type":"","scores":[{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16135","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16278","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33323"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33323","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33323"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10238","reference_id":"10238","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M
:M/D:T/2026-03-25T13:56:28Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10238"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10243","reference_id":"10243","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:56:28Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10243"},{"reference_url":"https://github.com/parse-community/parse-server/commit/967aa57732202009b2389ce9ecb3130d53d657e5","reference_id":"967aa57732202009b2389ce9ecb3130d53d657e5","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:56:28Z/"}],"url":"https://github.com/parse-community/parse-server/commit/967aa57732202009b2389ce9ecb3130d53d657e5"},{"reference_url":"https://github.com/parse-community/parse-server/commit/fbda4cb0c5cbc8fad08a216823b6b64d4ae289c3","reference_id":"fbda4cb0c5cbc8fad08a216823b6b64d4ae289c3","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"v
alue":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:56:28Z/"}],"url":"https://github.com/parse-community/parse-server/commit/fbda4cb0c5cbc8fad08a216823b6b64d4ae289c3"},{"reference_url":"https://github.com/advisories/GHSA-h29g-q5c2-9h4f","reference_id":"GHSA-h29g-q5c2-9h4f","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-h29g-q5c2-9h4f"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-h29g-q5c2-9h4f","reference_id":"GHSA-h29g-q5c2-9h4f","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:56:28Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-h29g-q5c2-9h4f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375177?format=json","purl":"pkg:npm/parse-server@8.6.51","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n
4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.51"},{"url":"http://public2.vulnerablecode.io/api/packages/40396?format=json","purl":"pkg:npm/parse-server@9.0.0-alpha.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-262h-v1yd-tfc9"},{"vulnerability":"VCID-2syy-yyte-nug4"},{"vulnerability":"VCID-383v-s4c7-6bfu"},{"vulnerability":"VCID-8cct-wkqq-nqdm"},{"vulnerability":"VCID-bzw6-4m1j-6fe2"},{"vulnerability":"VCID-caj3-ujpk-hba5"},{"vulnerability":"VCID-fdqv-3n6r-2fgb"},{"vulnerability":"VCID-gjus-pwzw-qufs"},{"vulnerability":"VCID-jh6w-1y2k-27de"},{"vulnerability":"VCID-pkkz-wwqa-1ufw"},{"vulnerability":"VCID-qybe-rg1s-6kau"},{"vulnerability":"VCID-rbax-edn6-d3aw"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-ryzc-v8ju-zbcd"},{"vulnerability":"VCID-u6cq-nd7b-vucm"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wtbe-kc8y-77dk"},{"vulnerability":"VCID-xrz4-1vpd-2qeg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.0.0-alpha.1"},{"url":"http://public2.vulnerablecode.io/api/packages/375176?format=json","purl":"pkg:npm/parse-server@9.6.0-alpha.40","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"V
CID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.40"}],"aliases":["CVE-2026-33323","GHSA-h29g-q5c2-9h4f"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5bbt-8378-17d1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78114?format=json","vulnerability_id":"VCID-e84c-36en-wqaa","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.54 and 9.6.0-alpha.43, an attacker can subscribe to LiveQuery with a watch parameter targeting a protected field. Although the protected field value is properly stripped from event payloads, the presence or absence of update events reveals whether the protected field changed, creating a binary oracle. For boolean protected fields, the timing of change events is equivalent to knowing the field value. 
This issue has been patched in versions 8.6.54 and 9.6.0-alpha.43.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33429","reference_id":"","reference_type":"","scores":[{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03023","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03036","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33429"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33429","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33429"},{"reference_url":"https://github.com/parse-community/parse-server/commit/0c0a0a5a37ca821d2553119f2cb3be35322eda4b","reference_id":"0c0a0a5a37ca821d2553119f2cb3be35322eda4b","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track",
"scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:33:05Z/"}],"url":"https://github.com/parse-community/parse-server/commit/0c0a0a5a37ca821d2553119f2cb3be35322eda4b"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10253","reference_id":"10253","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:33:05Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10253"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10254","reference_id":"10254","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:33:05Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10254"},{"reference_url":"https://github.com/parse-community/parse-server/commit/c62eacaf38de86913f09240583448360b1cc8e67","reference_id":"c62eacaf38de86913f09240583448360b1cc8e67","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"v
alue":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:33:05Z/"}],"url":"https://github.com/parse-community/parse-server/commit/c62eacaf38de86913f09240583448360b1cc8e67"},{"reference_url":"https://github.com/advisories/GHSA-qpc3-fg4j-8hgm","reference_id":"GHSA-qpc3-fg4j-8hgm","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qpc3-fg4j-8hgm"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-qpc3-fg4j-8hgm","reference_id":"GHSA-qpc3-fg4j-8hgm","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:33:05Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-qpc3-fg4j-8hgm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375232?format=json","purl":"pkg:npm/parse-server@8.6.54","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n
qev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.54"},{"url":"http://public2.vulnerablecode.io/api/packages/40396?format=json","purl":"pkg:npm/parse-server@9.0.0-alpha.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-262h-v1yd-tfc9"},{"vulnerability":"VCID-2syy-yyte-nug4"},{"vulnerability":"VCID-383v-s4c7-6bfu"},{"vulnerability":"VCID-8cct-wkqq-nqdm"},{"vulnerability":"VCID-bzw6-4m1j-6fe2"},{"vulnerability":"VCID-caj3-ujpk-hba5"},{"vulnerability":"VCID-fdqv-3n6r-2fgb"},{"vulnerability":"VCID-gjus-pwzw-qufs"},{"vulnerability":"VCID-jh6w-1y2k-27de"},{"vulnerability":"VCID-pkkz-wwqa-1ufw"},{"vulnerability":"VCID-qybe-rg1s-6kau"},{"vulnerability":"VCID-rbax-edn6-d3aw"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-ryzc-v8ju-zbcd"},{"vulnerability":"VCID-u6cq-nd7b-vucm"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wtbe-kc8y-77dk"},{"vulnerability":"VCID-xrz4-1vpd-2qeg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.0.0-alpha.1"},{"url":"http://public2.vulnerablecode.io/api/packages/375231?format=json","purl":"pkg:npm/parse-server@9.6.0-alpha.43","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"V
CID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.43"}],"aliases":["CVE-2026-33429","GHSA-qpc3-fg4j-8hgm"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-e84c-36en-wqaa"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78063?format=json","vulnerability_id":"VCID-g9b7-r5ry-mybm","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.52 and 9.6.0-alpha.41, an authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowing the user's credentials. The attacker only needs to know the user's provider ID to gain full access to their account, including a valid session token. This affects Parse Server deployments where the server option allowExpiredAuthDataToken is set to true. The default value is false. 
This issue has been patched in versions 8.6.52 and 9.6.0-alpha.41.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33409","reference_id":"","reference_type":"","scores":[{"value":"0.00028","scoring_system":"epss","scoring_elements":"0.08549","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00028","scoring_system":"epss","scoring_elements":"0.08511","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33409"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33409","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33409"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10246","reference_id":"10246","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual"
,"scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T13:39:16Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10246"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10247","reference_id":"10247","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T13:39:16Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10247"},{"reference_url":"https://github.com/parse-community/parse-server/commit/8d7df5639c4a35768fe8b78b4580b30e8a74721c","reference_id":"8d7df5639c4a35768fe8b78b4580b30e8a74721c","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T13:39:16Z/"}],"url":"https://github.com/parse-community/parse-server/commit/8d7df5639c4a35768fe8b78b4580b30e8a74721c"},{"reference_url":"https://github.com/parse-community/parse-server/commit/98f4ba5bcf2c199bfe6225f672e8edcd08ba732d","reference_id":"98f4ba5bcf2c199bfe6225f672e8edcd08b
a732d","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T13:39:16Z/"}],"url":"https://github.com/parse-community/parse-server/commit/98f4ba5bcf2c199bfe6225f672e8edcd08ba732d"},{"reference_url":"https://github.com/advisories/GHSA-pfj7-wv7c-22pr","reference_id":"GHSA-pfj7-wv7c-22pr","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pfj7-wv7c-22pr"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-pfj7-wv7c-22pr","reference_id":"GHSA-pfj7-wv7c-22pr","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T13:39:16Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-pfj7-wv7c-22pr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374884?format=json","purl":"pkg:npm/parse-server@8.6.52","is_vul
nerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.52"},{"url":"http://public2.vulnerablecode.io/api/packages/40396?format=json","purl":"pkg:npm/parse-server@9.0.0-alpha.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-262h-v1yd-tfc9"},{"vulnerability":"VCID-2syy-yyte-nug4"},{"vulnerability":"VCID-383v-s4c7-6bfu"},{"vulnerability":"VCID-8cct-wkqq-nqdm"},{"vulnerability":"VCID-bzw6-4m1j-6fe2"},{"vulnerability":"VCID-caj3-ujpk-hba5"},{"vulnerability":"VCID-fdqv-3n6r-2fgb"},{"vulnerability":"VCID-gjus-pwzw-qufs"},{"vulnerability":"VCID-jh6w-1y2k-27de"},{"vulnerability":"VCID-pkkz-wwqa-1ufw"},{"vulnerability":"VCID-qybe-rg1s-6kau"},{"vulnerability":"VCID-rbax-edn6-d3aw"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-ryzc-v8ju-zbcd"},{"vulnerability":"VCID-u6cq-nd7b-vucm"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wtbe-kc8y-77dk"},{"vulnerability":"VCID-xrz4-1vpd-2qeg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.0.0-alpha.1"},{
"url":"http://public2.vulnerablecode.io/api/packages/374883?format=json","purl":"pkg:npm/parse-server@9.6.0-alpha.41","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.41"}],"aliases":["CVE-2026-33409","GHSA-pfj7-wv7c-22pr"],"risk_score":4.1,"exploitability":"0.5","weighted_severity":"8.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g9b7-r5ry-mybm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/93362?format=json","vulnerability_id":"VCID-kgbm-tgkt-nyew","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.2 and 9.1.1-alpha.1, the Instagram authentication adapter allows clients to specify a custom API URL via the `apiURL` parameter in `authData`. This enables SSRF attacks and possibly authentication bypass if malicious endpoints return fake responses to validate unauthorized users. 
This is fixed in versions 8.6.2 and 9.1.1-alpha.1 by hardcoding the Instagram Graph API URL `https://graph.instagram.com` and ignoring client-provided `apiURL` values. No known workarounds are available.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68150","reference_id":"","reference_type":"","scores":[{"value":"0.00085","scoring_system":"epss","scoring_elements":"0.24794","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00085","scoring_system":"epss","scoring_elements":"0.24597","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68150"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://github.com/parse-community/parse-server/pull/9988","reference_id":"9988","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-17T14:50:51Z/"}],"url":"https://github.com/parse-community/parse-server/pull/9988"},{"reference_url":"https://github.com/parse-community/parse-server/pull/9989","reference_id":"9989","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-17T14:50:51Z/"}],"url":"https://github.com/parse
-community/parse-server/pull/9989"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68150","reference_id":"CVE-2025-68150","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68150"},{"reference_url":"https://github.com/advisories/GHSA-3f5f-xgrj-97pf","reference_id":"GHSA-3f5f-xgrj-97pf","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3f5f-xgrj-97pf"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-3f5f-xgrj-97pf","reference_id":"GHSA-3f5f-xgrj-97pf","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-17T14:50:51Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-3f5f-xgrj-97pf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36256?format=json","purl":"pkg:npm/parse-server@8.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13fb-z2vs-83hu"},{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-1y9a-gb1j-ufdu"},{"vulnerability":"VCID-22pk-5s6t-ufaw"},{"vulnerability":"VCID-262h-v1yd-tfc9"},{"vulnerability":"VCID-2fzy-ajnc-fbf9"},{"vulnerability":"VCID-2qbc-paq8-2fgn"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-2syy-yyte-nug4"},{"vulnerability":"VCID-2t98-yfws-zfgn"},{"vulnerability":"VCID-383v-s4c7-6bfu"},{"vulnerability":"VCID-49m3
-j488-yqes"},{"vulnerability":"VCID-53r7-9knw-u7bd"},{"vulnerability":"VCID-5bbt-8378-17d1"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-8cct-wkqq-nqdm"},{"vulnerability":"VCID-9vdy-2u7g-w3cz"},{"vulnerability":"VCID-bpp2-r2wr-vkf6"},{"vulnerability":"VCID-brgs-d2uu-a7bt"},{"vulnerability":"VCID-bzw6-4m1j-6fe2"},{"vulnerability":"VCID-ca2c-skt8-mqau"},{"vulnerability":"VCID-caj3-ujpk-hba5"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dmkx-64cw-67ae"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e7pg-sdu5-mkhh"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-ee1t-31wz-ufbw"},{"vulnerability":"VCID-evdb-d9ew-pbfq"},{"vulnerability":"VCID-fdqv-3n6r-2fgb"},{"vulnerability":"VCID-g9b7-r5ry-mybm"},{"vulnerability":"VCID-gdee-x759-bbg9"},{"vulnerability":"VCID-gjus-pwzw-qufs"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hbms-u2mt-jyhn"},{"vulnerability":"VCID-hh7p-ae88-z3fs"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-j3ba-adds-muay"},{"vulnerability":"VCID-j6sw-ak9p-nyhc"},{"vulnerability":"VCID-j8xd-t1fd-hyba"},{"vulnerability":"VCID-jh6w-1y2k-27de"},{"vulnerability":"VCID-ma3z-wh1c-v7c8"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-pkkz-wwqa-1ufw"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-qybe-rg1s-6kau"},{"vulnerability":"VCID-rbax-edn6-d3aw"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-ryzc-v8ju-zbcd"},{"vulnerability":"VCID-s2mj-yppn-ckaa"},{"vulnerability":"VCID-sj7h-z87x-gfh3"},{"vulnerability":"VCID-smga-c628-mucb"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-u6cq-nd7b-vucm"},{"vulnerability":"VCID-vmwk
-3myb-u7ds"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-wtbe-kc8y-77dk"},{"vulnerability":"VCID-xrz4-1vpd-2qeg"},{"vulnerability":"VCID-yup6-6p9f-n7bu"},{"vulnerability":"VCID-zrvb-y7f6-ykby"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.2"},{"url":"http://public2.vulnerablecode.io/api/packages/40396?format=json","purl":"pkg:npm/parse-server@9.0.0-alpha.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-262h-v1yd-tfc9"},{"vulnerability":"VCID-2syy-yyte-nug4"},{"vulnerability":"VCID-383v-s4c7-6bfu"},{"vulnerability":"VCID-8cct-wkqq-nqdm"},{"vulnerability":"VCID-bzw6-4m1j-6fe2"},{"vulnerability":"VCID-caj3-ujpk-hba5"},{"vulnerability":"VCID-fdqv-3n6r-2fgb"},{"vulnerability":"VCID-gjus-pwzw-qufs"},{"vulnerability":"VCID-jh6w-1y2k-27de"},{"vulnerability":"VCID-pkkz-wwqa-1ufw"},{"vulnerability":"VCID-qybe-rg1s-6kau"},{"vulnerability":"VCID-rbax-edn6-d3aw"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-ryzc-v8ju-zbcd"},{"vulnerability":"VCID-u6cq-nd7b-vucm"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wtbe-kc8y-77dk"},{"vulnerability":"VCID-xrz4-1vpd-2qeg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.0.0-alpha.1"},{"url":"http://public2.vulnerablecode.io/api/packages/36254?format=json","purl":"pkg:npm/parse-server@9.1.1-alpha.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13fb-z2vs-83hu"},{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-1y9a-gb1j-ufdu"},{"vulnerability":"VCID-22pk-5s6t-ufaw"},{"vulnerability":"VCID-262h-v1yd-tfc9"},{"vulnerability":"VCID-2fzy-ajnc-fbf9"},{"vulnerability":"VCID-2qbc-paq8-2fgn"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-2syy-yyte-nug4"},{"vulnerability":"VCID-2t98-yfws-zfgn"},{"vulnerability":"VCID-383v-s4c7-6bfu"},{"vulnerability":"VCID-49
m3-j488-yqes"},{"vulnerability":"VCID-53r7-9knw-u7bd"},{"vulnerability":"VCID-5bbt-8378-17d1"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-8cct-wkqq-nqdm"},{"vulnerability":"VCID-9vdy-2u7g-w3cz"},{"vulnerability":"VCID-bpp2-r2wr-vkf6"},{"vulnerability":"VCID-brgs-d2uu-a7bt"},{"vulnerability":"VCID-bzw6-4m1j-6fe2"},{"vulnerability":"VCID-ca2c-skt8-mqau"},{"vulnerability":"VCID-caj3-ujpk-hba5"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dmkx-64cw-67ae"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e7pg-sdu5-mkhh"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-ee1t-31wz-ufbw"},{"vulnerability":"VCID-evdb-d9ew-pbfq"},{"vulnerability":"VCID-fdqv-3n6r-2fgb"},{"vulnerability":"VCID-g9b7-r5ry-mybm"},{"vulnerability":"VCID-gdee-x759-bbg9"},{"vulnerability":"VCID-gjus-pwzw-qufs"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hbms-u2mt-jyhn"},{"vulnerability":"VCID-hh7p-ae88-z3fs"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-j3ba-adds-muay"},{"vulnerability":"VCID-j6sw-ak9p-nyhc"},{"vulnerability":"VCID-j8xd-t1fd-hyba"},{"vulnerability":"VCID-jh6w-1y2k-27de"},{"vulnerability":"VCID-ma3z-wh1c-v7c8"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-pkkz-wwqa-1ufw"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-qybe-rg1s-6kau"},{"vulnerability":"VCID-rbax-edn6-d3aw"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-ryzc-v8ju-zbcd"},{"vulnerability":"VCID-s2mj-yppn-ckaa"},{"vulnerability":"VCID-sj7h-z87x-gfh3"},{"vulnerability":"VCID-smga-c628-mucb"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-u6cq-nd7b-vucm"},{"vulnerability":"VCID-vm
wk-3myb-u7ds"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-wtbe-kc8y-77dk"},{"vulnerability":"VCID-xrz4-1vpd-2qeg"},{"vulnerability":"VCID-yup6-6p9f-n7bu"},{"vulnerability":"VCID-zrvb-y7f6-ykby"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.1.1-alpha.1"}],"aliases":["CVE-2025-68150","GHSA-3f5f-xgrj-97pf"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kgbm-tgkt-nyew"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78056?format=json","vulnerability_id":"VCID-n5mt-eebx-zbcf","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.53 and 9.6.0-alpha.42, Parse Server's LiveQuery WebSocket interface does not enforce Class-Level Permission (CLP) pointer permissions (readUserFields and pointerFields). Any authenticated user can subscribe to LiveQuery events and receive real-time updates for all objects in classes protected by pointer permissions, regardless of whether the pointer fields on those objects point to the subscribing user. This bypasses the intended read access control, allowing unauthorized access to potentially sensitive data that is correctly restricted via the REST API. 
This issue has been patched in versions 8.6.53 and 9.6.0-alpha.42.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33421","reference_id":"","reference_type":"","scores":[{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01781","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01786","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33421"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33421","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33421"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10250","reference_id":"10250","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-
03-24T20:18:10Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10250"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10252","reference_id":"10252","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:18:10Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10252"},{"reference_url":"https://github.com/parse-community/parse-server/commit/6c3317aca6eb618ac48f999021ae3ef7766ad1ea","reference_id":"6c3317aca6eb618ac48f999021ae3ef7766ad1ea","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:18:10Z/"}],"url":"https://github.com/parse-community/parse-server/commit/6c3317aca6eb618ac48f999021ae3ef7766ad1ea"},{"reference_url":"https://github.com/parse-community/parse-server/commit/976dad109f3fe3fbd0a3a35ef62e7a5d35eb0bee","reference_id":"976dad109f3fe3fbd0a3a35ef62e7a5d35eb0bee","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_s
ystem":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:18:10Z/"}],"url":"https://github.com/parse-community/parse-server/commit/976dad109f3fe3fbd0a3a35ef62e7a5d35eb0bee"},{"reference_url":"https://github.com/advisories/GHSA-fph2-r4qg-9576","reference_id":"GHSA-fph2-r4qg-9576","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fph2-r4qg-9576"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-fph2-r4qg-9576","reference_id":"GHSA-fph2-r4qg-9576","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:18:10Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-fph2-r4qg-9576"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375280?format=json","purl":"pkg:npm/parse-server@8.6.53","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VC
ID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.53"},{"url":"http://public2.vulnerablecode.io/api/packages/40396?format=json","purl":"pkg:npm/parse-server@9.0.0-alpha.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-262h-v1yd-tfc9"},{"vulnerability":"VCID-2syy-yyte-nug4"},{"vulnerability":"VCID-383v-s4c7-6bfu"},{"vulnerability":"VCID-8cct-wkqq-nqdm"},{"vulnerability":"VCID-bzw6-4m1j-6fe2"},{"vulnerability":"VCID-caj3-ujpk-hba5"},{"vulnerability":"VCID-fdqv-3n6r-2fgb"},{"vulnerability":"VCID-gjus-pwzw-qufs"},{"vulnerability":"VCID-jh6w-1y2k-27de"},{"vulnerability":"VCID-pkkz-wwqa-1ufw"},{"vulnerability":"VCID-qybe-rg1s-6kau"},{"vulnerability":"VCID-rbax-edn6-d3aw"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-ryzc-v8ju-zbcd"},{"vulnerability":"VCID-u6cq-nd7b-vucm"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wtbe-kc8y-77dk"},{"vulnerability":"VCID-xrz4-1vpd-2qeg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.0.0-alpha.1"},{"url":"http://public2.vulnerablecode.io/api/packages/375279?format=json","purl":"pkg:npm/parse-server@9.6.0-alpha.42","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability
":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.42"}],"aliases":["CVE-2026-33421","GHSA-fph2-r4qg-9576"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-n5mt-eebx-zbcf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78186?format=json","vulnerability_id":"VCID-q59u-ywkn-wbfw","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.55 and 9.6.0-alpha.44, an attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server process. The server becomes completely unresponsive and must be manually restarted. This is a bypass of the fix for CVE-2026-32944. This issue has been patched in versions 8.6.55 and 
9.6.0-alpha.44.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33498","reference_id":"","reference_type":"","scores":[{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06091","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06111","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33498"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33498","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33498"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10257","reference_id":"10257","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:32:52Z/"}],"url":"https://github.com/parse
-community/parse-server/pull/10257"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10258","reference_id":"10258","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:32:52Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10258"},{"reference_url":"https://github.com/parse-community/parse-server/commit/2581b5426047ce9cbcd3d9c0e8379e9c30e23ab5","reference_id":"2581b5426047ce9cbcd3d9c0e8379e9c30e23ab5","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:32:52Z/"}],"url":"https://github.com/parse-community/parse-server/commit/2581b5426047ce9cbcd3d9c0e8379e9c30e23ab5"},{"reference_url":"https://github.com/parse-community/parse-server/commit/85994eff9e7b34cac7e1a2f5791985022a1461d1","reference_id":"85994eff9e7b34cac7e1a2f5791985022a1461d1","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:
P/P:M/B:A/M:M/D:T/2026-03-26T19:32:52Z/"}],"url":"https://github.com/parse-community/parse-server/commit/85994eff9e7b34cac7e1a2f5791985022a1461d1"},{"reference_url":"https://github.com/advisories/GHSA-9fjp-q3c4-6w3j","reference_id":"GHSA-9fjp-q3c4-6w3j","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9fjp-q3c4-6w3j"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-9fjp-q3c4-6w3j","reference_id":"GHSA-9fjp-q3c4-6w3j","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:32:52Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-9fjp-q3c4-6w3j"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375045?format=json","purl":"pkg:npm/parse-server@8.6.55","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-vmwk-3my
b-u7ds"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.55"},{"url":"http://public2.vulnerablecode.io/api/packages/40396?format=json","purl":"pkg:npm/parse-server@9.0.0-alpha.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-262h-v1yd-tfc9"},{"vulnerability":"VCID-2syy-yyte-nug4"},{"vulnerability":"VCID-383v-s4c7-6bfu"},{"vulnerability":"VCID-8cct-wkqq-nqdm"},{"vulnerability":"VCID-bzw6-4m1j-6fe2"},{"vulnerability":"VCID-caj3-ujpk-hba5"},{"vulnerability":"VCID-fdqv-3n6r-2fgb"},{"vulnerability":"VCID-gjus-pwzw-qufs"},{"vulnerability":"VCID-jh6w-1y2k-27de"},{"vulnerability":"VCID-pkkz-wwqa-1ufw"},{"vulnerability":"VCID-qybe-rg1s-6kau"},{"vulnerability":"VCID-rbax-edn6-d3aw"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-ryzc-v8ju-zbcd"},{"vulnerability":"VCID-u6cq-nd7b-vucm"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wtbe-kc8y-77dk"},{"vulnerability":"VCID-xrz4-1vpd-2qeg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.0.0-alpha.1"},{"url":"http://public2.vulnerablecode.io/api/packages/375044?format=json","purl":"pkg:npm/parse-server@9.6.0-alpha.44","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-wqx
c-qnu8-q7d7"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.44"}],"aliases":["CVE-2026-33498","GHSA-9fjp-q3c4-6w3j"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-q59u-ywkn-wbfw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77940?format=json","vulnerability_id":"VCID-tuts-aegs-r7e7","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.56 and 9.6.0-alpha.45, Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription requests. An attacker can send a subscription with deeply nested logical operators, causing excessive recursion and CPU consumption that degrades or disrupts service availability. This issue has been patched in versions 8.6.56 and 
9.6.0-alpha.45.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33508","reference_id":"","reference_type":"","scores":[{"value":"0.00065","scoring_system":"epss","scoring_elements":"0.20468","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00065","scoring_system":"epss","scoring_elements":"0.20645","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33508"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33508","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33508"},{"reference_url":"https://github.com/parse-community/parse-server/commit/060d27053fb0fadf613c25aabab7fe0c82b7a899","reference_id":"060d27053fb0fadf613c25aabab7fe0c82b7a899","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/
P:M/B:A/M:M/D:T/2026-03-25T13:57:12Z/"}],"url":"https://github.com/parse-community/parse-server/commit/060d27053fb0fadf613c25aabab7fe0c82b7a899"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10259","reference_id":"10259","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:57:12Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10259"},{"reference_url":"https://github.com/parse-community/parse-server/pull/10260","reference_id":"10260","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:57:12Z/"}],"url":"https://github.com/parse-community/parse-server/pull/10260"},{"reference_url":"https://github.com/parse-community/parse-server/commit/2126fe4e12f9b399dc6b4b6a3fa70cb1825f159b","reference_id":"2126fe4e12f9b399dc6b4b6a3fa70cb1825f159b","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:
P/P:M/B:A/M:M/D:T/2026-03-25T13:57:12Z/"}],"url":"https://github.com/parse-community/parse-server/commit/2126fe4e12f9b399dc6b4b6a3fa70cb1825f159b"},{"reference_url":"https://github.com/advisories/GHSA-6qh5-m6g3-xhq6","reference_id":"GHSA-6qh5-m6g3-xhq6","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6qh5-m6g3-xhq6"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-6qh5-m6g3-xhq6","reference_id":"GHSA-6qh5-m6g3-xhq6","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:57:12Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-6qh5-m6g3-xhq6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374763?format=json","purl":"pkg:npm/parse-server@8.6.56","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-vmwk-3my
b-u7ds"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.56"},{"url":"http://public2.vulnerablecode.io/api/packages/40396?format=json","purl":"pkg:npm/parse-server@9.0.0-alpha.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-262h-v1yd-tfc9"},{"vulnerability":"VCID-2syy-yyte-nug4"},{"vulnerability":"VCID-383v-s4c7-6bfu"},{"vulnerability":"VCID-8cct-wkqq-nqdm"},{"vulnerability":"VCID-bzw6-4m1j-6fe2"},{"vulnerability":"VCID-caj3-ujpk-hba5"},{"vulnerability":"VCID-fdqv-3n6r-2fgb"},{"vulnerability":"VCID-gjus-pwzw-qufs"},{"vulnerability":"VCID-jh6w-1y2k-27de"},{"vulnerability":"VCID-pkkz-wwqa-1ufw"},{"vulnerability":"VCID-qybe-rg1s-6kau"},{"vulnerability":"VCID-rbax-edn6-d3aw"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-ryzc-v8ju-zbcd"},{"vulnerability":"VCID-u6cq-nd7b-vucm"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wtbe-kc8y-77dk"},{"vulnerability":"VCID-xrz4-1vpd-2qeg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.0.0-alpha.1"},{"url":"http://public2.vulnerablecode.io/api/packages/374762?format=json","purl":"pkg:npm/parse-server@9.6.0-alpha.45","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-wqx
c-qnu8-q7d7"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.45"}],"aliases":["CVE-2026-33508","GHSA-6qh5-m6g3-xhq6"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tuts-aegs-r7e7"}],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.0.0-alpha.1"}