Package Instance
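Look up vulnerable packages by Package URL (purl). In the response, each fixed_packages entry is the version that fixes that one vulnerability; such a version can still have is_vulnerable set to true, so check next_non_vulnerable_version and latest_non_vulnerable_version before choosing an upgrade target.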
GET /api/packages/40422?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/40422?format=api", "purl": "pkg:npm/parse-server@9.5.1-alpha.1", "type": "npm", "namespace": "", "name": "parse-server", "version": "9.5.1-alpha.1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "9.9.0-alpha.2", "latest_non_vulnerable_version": "9.9.1-alpha.2", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77421?format=api", "vulnerability_id": "VCID-13fb-z2vs-83hu", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.19 and 8.6.43, a remote attacker can crash the Parse Server by subscribing to a LiveQuery with an invalid regular expression pattern. The server process terminates when the invalid pattern reaches the regex engine during subscription matching, causing denial of service for all connected clients. The fix in 9.6.0-alpha.19 and 8.6.43 validates regular expression patterns at subscription time, rejecting invalid patterns before they are stored. Additionally, a defense-in-depth try-catch prevents any subscription matching error from crashing the server process. 
As a workaround, disable LiveQuery if it is not needed.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32770", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13298", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32770" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32770", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32770" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10197", "reference_id": "10197", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T14:21:43Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10197" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10199", "reference_id": "10199", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", 
"scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T14:21:43Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10199" }, { "reference_url": "https://github.com/advisories/GHSA-827p-g5x5-h86c", "reference_id": "GHSA-827p-g5x5-h86c", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-827p-g5x5-h86c" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-827p-g5x5-h86c", "reference_id": "GHSA-827p-g5x5-h86c", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T14:21:43Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-827p-g5x5-h86c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375006?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.19", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { 
"vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.19" } ], "aliases": [ "CVE-2026-32770", "GHSA-827p-g5x5-h86c" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-13fb-z2vs-83hu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/72869?format=api", "vulnerability_id": "VCID-14fp-bjdd-uffh", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session's protected fields with a single request. The equivalent GET /sessions and GET /sessions/:objectId endpoints correctly strip protected fields. 
This vulnerability is fixed in 9.8.0-alpha.7 and 8.6.75.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39381", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.08572", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39381" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39381", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39381" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10406", "reference_id": "10406", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T20:23:25Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10406" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10407", "reference_id": "10407", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T20:23:25Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10407" }, { "reference_url": "https://github.com/advisories/GHSA-g4v2-qx3q-4p64", "reference_id": "GHSA-g4v2-qx3q-4p64", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g4v2-qx3q-4p64" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-g4v2-qx3q-4p64", "reference_id": "GHSA-g4v2-qx3q-4p64", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T20:23:25Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-g4v2-qx3q-4p64" } ], "fixed_packages": [ { "url": 
"http://public2.vulnerablecode.io/api/packages/374062?format=api", "purl": "pkg:npm/parse-server@9.8.0-alpha.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dhkw-d15h-rkb5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.8.0-alpha.7" } ], "aliases": [ "CVE-2026-39381", "GHSA-g4v2-qx3q-4p64" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-14fp-bjdd-uffh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/76981?format=api", "vulnerability_id": "VCID-1y9a-gb1j-ufdu", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.24 and 8.6.47, remote clients can crash the Parse Server process by calling a cloud function endpoint with a crafted function name that traverses the JavaScript prototype chain of a registered cloud function handler, causing a stack overflow. The fix in versions 9.6.0-alpha.24 and 8.6.47 restricts property lookups during cloud function name resolution to own properties only, preventing prototype chain traversal from stored function handlers. 
There is no known workaround.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32886", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00031", "scoring_system": "epss", "scoring_elements": "0.09618", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32886" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32886", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32886" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10210", "reference_id": "10210", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T16:18:19Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10210" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10211", "reference_id": "10211", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T16:18:19Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10211" }, { "reference_url": "https://github.com/advisories/GHSA-4263-jgmp-7pf4", "reference_id": "GHSA-4263-jgmp-7pf4", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4263-jgmp-7pf4" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-4263-jgmp-7pf4", "reference_id": "GHSA-4263-jgmp-7pf4", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T16:18:19Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-4263-jgmp-7pf4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374929?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.24", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { 
"vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.24" } ], "aliases": [ "CVE-2026-32886", "GHSA-4263-jgmp-7pf4" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1y9a-gb1j-ufdu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66465?format=api", "vulnerability_id": "VCID-22pk-5s6t-ufaw", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior 9.5.2-alpha.2 and 8.6.15, an unauthenticated attacker can exhaust Parse Server resources (CPU, memory, database connections) through crafted queries that exploit the lack of complexity limits in the REST and GraphQL APIs. All Parse Server deployments using the REST or GraphQL API are affected. 
This vulnerability is fixed in 9.5.2-alpha.2 and 8.6.15.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30946", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06558", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30946" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.15", "reference_id": "8.6.15", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:29:18Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.15" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.2", "reference_id": "9.5.2-alpha.2", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:29:18Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.2" }, { "reference_url": 
"https://nvd.nist.gov/vuln/detail/CVE-2026-30946", "reference_id": "CVE-2026-30946", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30946" }, { "reference_url": "https://github.com/advisories/GHSA-cmj3-wx7h-ffvg", "reference_id": "GHSA-cmj3-wx7h-ffvg", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cmj3-wx7h-ffvg" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-cmj3-wx7h-ffvg", "reference_id": "GHSA-cmj3-wx7h-ffvg", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:29:18Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-cmj3-wx7h-ffvg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40637?format=api", "purl": "pkg:npm/parse-server@9.5.2-alpha.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-262h-v1yd-tfc9" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2qbc-paq8-2fgn" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-2syy-yyte-nug4" }, { "vulnerability": "VCID-2t98-yfws-zfgn" }, { 
"vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-brgs-d2uu-a7bt" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-caj3-ujpk-hba5" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-fdqv-3n6r-2fgb" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gjus-pwzw-qufs" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hh7p-ae88-z3fs" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-jh6w-1y2k-27de" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-pkkz-wwqa-1ufw" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-qybe-rg1s-6kau" }, { "vulnerability": "VCID-rr98-m4bd-dqhf" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-smga-c628-mucb" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-w175-44z9-c3h5" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-wtbe-kc8y-77dk" }, { "vulnerability": "VCID-xrz4-1vpd-2qeg" }, { "vulnerability": "VCID-yup6-6p9f-n7bu" }, { "vulnerability": 
"VCID-zrvb-y7f6-ykby" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.2" } ], "aliases": [ "CVE-2026-30946", "GHSA-cmj3-wx7h-ffvg" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-22pk-5s6t-ufaw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71253?format=api", "vulnerability_id": "VCID-262h-v1yd-tfc9", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation (e.g., stats.counter). The amount value is interpolated directly into the SQL query without parameterization or type validation. An attacker who can send write requests to the Parse Server REST API can inject arbitrary SQL subqueries to read any data from the database, bypassing CLPs and ACLs. MongoDB deployments are not affected. 
This vulnerability is fixed in 9.6.0-alpha.3 and 8.6.29.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31856", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13311", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31856" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.29", "reference_id": "8.6.29", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:11:18Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.29" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.3", "reference_id": "9.6.0-alpha.3", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:11:18Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.3" }, { 
"reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31856", "reference_id": "CVE-2026-31856", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31856" }, { "reference_url": "https://github.com/advisories/GHSA-q3vj-96h2-gwvg", "reference_id": "GHSA-q3vj-96h2-gwvg", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-q3vj-96h2-gwvg" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-q3vj-96h2-gwvg", "reference_id": "GHSA-q3vj-96h2-gwvg", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:11:18Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-q3vj-96h2-gwvg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40678?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": 
"VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-fdqv-3n6r-2fgb" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hh7p-ae88-z3fs" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-qybe-rg1s-6kau" }, { "vulnerability": "VCID-rr98-m4bd-dqhf" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-w175-44z9-c3h5" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-xrz4-1vpd-2qeg" }, { "vulnerability": "VCID-zrvb-y7f6-ykby" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.3" } ], "aliases": [ "CVE-2026-31856", "GHSA-q3vj-96h2-gwvg" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-262h-v1yd-tfc9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/76864?format=api", "vulnerability_id": 
"VCID-2fzy-ajnc-fbf9", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.40 and 9.6.0-alpha.14, the GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection control, and query complexity limits. An attacker can connect to the WebSocket endpoint and execute GraphQL operations without providing a valid application or API key, access the GraphQL schema via introspection even when public introspection is disabled, and send arbitrarily complex queries that bypass configured complexity limits. This vulnerability is fixed in 8.6.40 and 9.6.0-alpha.14.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32594", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00086", "scoring_system": "epss", "scoring_elements": "0.24757", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32594" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/21330d146c68b57a930a58b8a8cd9fbf09436cf3", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server/commit/21330d146c68b57a930a58b8a8cd9fbf09436cf3" }, { "reference_url": 
"https://github.com/parse-community/parse-server/commit/3ffba757bfc836bd034e1369f4f64304e110e375", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server/commit/3ffba757bfc836bd034e1369f4f64304e110e375" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32594", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32594" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10189", "reference_id": "10189", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-16T13:57:29Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10189" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10190", "reference_id": "10190", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-16T13:57:29Z/" } ], "url": 
"https://github.com/parse-community/parse-server/pull/10190" }, { "reference_url": "https://github.com/advisories/GHSA-p2x3-8689-cwpg", "reference_id": "GHSA-p2x3-8689-cwpg", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p2x3-8689-cwpg" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-p2x3-8689-cwpg", "reference_id": "GHSA-p2x3-8689-cwpg", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-16T13:57:29Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-p2x3-8689-cwpg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374603?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": 
"VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.14" } ], "aliases": [ "CVE-2026-32594", "GHSA-p2x3-8689-cwpg" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2fzy-ajnc-fbf9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71248?format=api", "vulnerability_id": "VCID-2qbc-paq8-2fgn", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.2 and 8.6.28, an attacker can use a dot-notation field name in combination with the sort query parameter to inject SQL into the PostgreSQL database through an improper escaping of sub-field values in dot-notation queries. The vulnerability may also affect queries that use dot-notation field names with the distinct and where query parameters. This vulnerability only affects deployments using a PostgreSQL database. 
This vulnerability is fixed in 9.6.0-alpha.2 and 8.6.28.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31840", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00072", "scoring_system": "epss", "scoring_elements": "0.22112", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31840" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.28", "reference_id": "8.6.28", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-11T17:37:24Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.28" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.2", "reference_id": "9.6.0-alpha.2", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-11T17:37:24Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.2" }, { 
"reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31840", "reference_id": "CVE-2026-31840", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31840" }, { "reference_url": "https://github.com/advisories/GHSA-qpr4-jrj4-6f27", "reference_id": "GHSA-qpr4-jrj4-6f27", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qpr4-jrj4-6f27" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-qpr4-jrj4-6f27", "reference_id": "GHSA-qpr4-jrj4-6f27", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-11T17:37:24Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-qpr4-jrj4-6f27" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40472?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-262h-v1yd-tfc9" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": 
"VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-fdqv-3n6r-2fgb" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hh7p-ae88-z3fs" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-qybe-rg1s-6kau" }, { "vulnerability": "VCID-rr98-m4bd-dqhf" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-w175-44z9-c3h5" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-xrz4-1vpd-2qeg" }, { "vulnerability": "VCID-zrvb-y7f6-ykby" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.2" } ], "aliases": [ "CVE-2026-31840", "GHSA-qpr4-jrj4-6f27" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2qbc-paq8-2fgn" }, { "url": 
"http://public2.vulnerablecode.io/api/vulnerabilities/78310?format=api", "vulnerability_id": "VCID-2rxm-qxur-9ygu", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.60 and 9.6.0-alpha.54, an attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending concurrent login requests. This defeats the single-use design of recovery codes. The attack requires the user's password, a valid recovery code, and the ability to send concurrent requests within milliseconds. This issue has been patched in versions 8.6.60 and 9.6.0-alpha.54.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33624", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09911", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33624" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33624", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33624" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10275", "reference_id": "10275", "reference_type": "", "scores": [ { "value": "2.1", 
"scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:58:24Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10275" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10276", "reference_id": "10276", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:58:24Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10276" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/5e70094250a36bfcc14ecd49592be2b94fba66ff", "reference_id": "5e70094250a36bfcc14ecd49592be2b94fba66ff", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:58:24Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/5e70094250a36bfcc14ecd49592be2b94fba66ff" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/fc3da35a81d5083b453e8967cabcc880f1a3bd0c", "reference_id": "fc3da35a81d5083b453e8967cabcc880f1a3bd0c", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", 
"scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:58:24Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/fc3da35a81d5083b453e8967cabcc880f1a3bd0c" }, { "reference_url": "https://github.com/advisories/GHSA-2299-ghjr-6vjp", "reference_id": "GHSA-2299-ghjr-6vjp", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2299-ghjr-6vjp" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-2299-ghjr-6vjp", "reference_id": "GHSA-2299-ghjr-6vjp", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:58:24Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-2299-ghjr-6vjp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375144?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.54", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": 
"VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.54" } ], "aliases": [ "CVE-2026-33624", "GHSA-2299-ghjr-6vjp" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2rxm-qxur-9ygu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66602?format=api", "vulnerability_id": "VCID-2syy-yyte-nug4", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.8 and 8.6.21, a vulnerability in Parse Server's query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other users by exploiting the redirectClassNameForKey query parameter. Exfiltrated session tokens can be used to take over user accounts. The vulnerability requires the attacker to be able to create or update an object with a new relation field, which depends on the Class-Level Permissions of at least one class. 
This vulnerability is fixed in 9.5.2-alpha.8 and 8.6.21.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30965", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25196", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30965" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.21", "reference_id": "8.6.21", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-11T14:27:33Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.21" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.8", "reference_id": "9.5.2-alpha.8", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-11T14:27:33Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.8" }, { 
"reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30965", "reference_id": "CVE-2026-30965", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30965" }, { "reference_url": "https://github.com/advisories/GHSA-6r2j-cxgf-495f", "reference_id": "GHSA-6r2j-cxgf-495f", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6r2j-cxgf-495f" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6r2j-cxgf-495f", "reference_id": "GHSA-6r2j-cxgf-495f", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-11T14:27:33Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6r2j-cxgf-495f" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40651?format=api", "purl": "pkg:npm/parse-server@9.5.2-alpha.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-262h-v1yd-tfc9" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2qbc-paq8-2fgn" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": 
"VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-caj3-ujpk-hba5" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-fdqv-3n6r-2fgb" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gjus-pwzw-qufs" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hh7p-ae88-z3fs" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-jh6w-1y2k-27de" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-qybe-rg1s-6kau" }, { "vulnerability": "VCID-rr98-m4bd-dqhf" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-w175-44z9-c3h5" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-wtbe-kc8y-77dk" }, { "vulnerability": "VCID-xrz4-1vpd-2qeg" }, { "vulnerability": "VCID-zrvb-y7f6-ykby" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.8" } ], "aliases": [ "CVE-2026-30965", "GHSA-6r2j-cxgf-495f" ], 
"risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2syy-yyte-nug4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66389?format=api", "vulnerability_id": "VCID-2t98-yfws-zfgn", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.3 and 8.6.16, class-level permissions (CLP) are not enforced for LiveQuery subscriptions. An unauthenticated or unauthorized client can subscribe to any LiveQuery-enabled class and receive real-time events for all objects, regardless of CLP restrictions. All Parse Server deployments that use LiveQuery with class-level permissions are affected. Data intended to be restricted by CLP is leaked to unauthorized subscribers in real time. This vulnerability is fixed in 9.5.2-alpha.3 and 8.6.16.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30947", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.0534", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30947" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.16", "reference_id": "8.6.16", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", 
"scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T14:42:12Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.16" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.3", "reference_id": "9.5.2-alpha.3", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T14:42:12Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30947", "reference_id": "CVE-2026-30947", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30947" }, { "reference_url": "https://github.com/advisories/GHSA-7ch5-98q2-7289", "reference_id": "GHSA-7ch5-98q2-7289", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7ch5-98q2-7289" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7ch5-98q2-7289", "reference_id": "GHSA-7ch5-98q2-7289", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", 
"scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T14:42:12Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7ch5-98q2-7289" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40639?format=api", "purl": "pkg:npm/parse-server@9.5.2-alpha.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-262h-v1yd-tfc9" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2qbc-paq8-2fgn" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-2syy-yyte-nug4" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-brgs-d2uu-a7bt" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-caj3-ujpk-hba5" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-fdqv-3n6r-2fgb" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gjus-pwzw-qufs" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hh7p-ae88-z3fs" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-jh6w-1y2k-27de" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { 
"vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-pkkz-wwqa-1ufw" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-qybe-rg1s-6kau" }, { "vulnerability": "VCID-rr98-m4bd-dqhf" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-smga-c628-mucb" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-w175-44z9-c3h5" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-wtbe-kc8y-77dk" }, { "vulnerability": "VCID-xrz4-1vpd-2qeg" }, { "vulnerability": "VCID-yup6-6p9f-n7bu" }, { "vulnerability": "VCID-zrvb-y7f6-ykby" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.3" } ], "aliases": [ "CVE-2026-30947", "GHSA-7ch5-98q2-7289" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2t98-yfws-zfgn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66328?format=api", "vulnerability_id": "VCID-383v-s4c7-6bfu", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.13 and 9.5.1-alpha.2, an unauthenticated attacker can crash the Parse Server process by calling a Cloud Function endpoint with a prototype property name as the function name. The server recurses infinitely, causing a call stack size error that terminates the process. Other prototype property names bypass Cloud Function dispatch validation and return HTTP 200 responses, even though no such Cloud Functions are defined. The same applies to dot-notation traversal. All Parse Server deployments that expose the Cloud Function endpoint are affected. 
This vulnerability is fixed in 8.6.13 and 9.5.1-alpha.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30939", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00181", "scoring_system": "epss", "scoring_elements": "0.39663", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30939" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.13", "reference_id": "8.6.13", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:56:39Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.13" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.5.1-alpha.2", "reference_id": "9.5.1-alpha.2", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:56:39Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.1-alpha.2" }, { "reference_url": 
"https://nvd.nist.gov/vuln/detail/CVE-2026-30939", "reference_id": "CVE-2026-30939", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30939" }, { "reference_url": "https://github.com/advisories/GHSA-5j86-7r7m-p8h6", "reference_id": "GHSA-5j86-7r7m-p8h6", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5j86-7r7m-p8h6" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-5j86-7r7m-p8h6", "reference_id": "GHSA-5j86-7r7m-p8h6", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:56:39Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-5j86-7r7m-p8h6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40426?format=api", "purl": "pkg:npm/parse-server@9.5.1-alpha.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-22pk-5s6t-ufaw" }, { "vulnerability": "VCID-262h-v1yd-tfc9" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2qbc-paq8-2fgn" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-2syy-yyte-nug4" }, { 
"vulnerability": "VCID-2t98-yfws-zfgn" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-brgs-d2uu-a7bt" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-caj3-ujpk-hba5" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dmkx-64cw-67ae" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-fdqv-3n6r-2fgb" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gjus-pwzw-qufs" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hh7p-ae88-z3fs" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-jh6w-1y2k-27de" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-pkkz-wwqa-1ufw" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-qybe-rg1s-6kau" }, { "vulnerability": "VCID-rr98-m4bd-dqhf" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-smga-c628-mucb" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-w175-44z9-c3h5" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-wtbe-kc8y-77dk" }, { "vulnerability": 
"VCID-xrz4-1vpd-2qeg" }, { "vulnerability": "VCID-yup6-6p9f-n7bu" }, { "vulnerability": "VCID-zrvb-y7f6-ykby" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.1-alpha.2" } ], "aliases": [ "CVE-2026-30939", "GHSA-5j86-7r7m-p8h6" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-383v-s4c7-6bfu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/75115?format=api", "vulnerability_id": "VCID-49m3-j488-yqes", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0-alpha.10, the GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This bypasses origin restrictions that operators configure to control which websites can interact with the Parse Server API. The REST API correctly enforces the configured allowOrigin restriction. 
This issue has been patched in versions 8.6.66 and 9.7.0-alpha.10.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34373", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06235", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34373" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34373", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34373" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/0347641507891d0013ec57f7c10f012064f41263", "reference_id": "0347641507891d0013ec57f7c10f012064f41263", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:23:36Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/0347641507891d0013ec57f7c10f012064f41263" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10334", "reference_id": "10334", 
"reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:23:36Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10334" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10335", "reference_id": "10335", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:23:36Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10335" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/4dd0d3d8be1c39664c74ad10bb0abaa76bc41203", "reference_id": "4dd0d3d8be1c39664c74ad10bb0abaa76bc41203", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:23:36Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/4dd0d3d8be1c39664c74ad10bb0abaa76bc41203" }, { "reference_url": "https://github.com/advisories/GHSA-q3p6-g7c4-829c", "reference_id": "GHSA-q3p6-g7c4-829c", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-q3p6-g7c4-829c" }, { "reference_url": 
"https://github.com/parse-community/parse-server/security/advisories/GHSA-q3p6-g7c4-829c", "reference_id": "GHSA-q3p6-g7c4-829c", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:23:36Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-q3p6-g7c4-829c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374640?format=api", "purl": "pkg:npm/parse-server@9.7.0-alpha.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.10" } ], "aliases": [ "CVE-2026-34373", "GHSA-q3p6-g7c4-829c" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-49m3-j488-yqes" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77770?format=api", "vulnerability_id": "VCID-53r7-9knw-u7bd", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. 
Prior to 9.6.0-alpha.29 and 8.6.49, a user can sign up without providing credentials by sending an empty `authData` object, bypassing the username and password requirement. This allows the creation of authenticated sessions without proper credentials, even when anonymous users are disabled. The fix in 9.6.0-alpha.29 and 8.6.49 ensures that empty or non-actionable `authData` is treated the same as absent `authData` for the purpose of credential validation on new user creation. Username and password are now required when no valid auth provider data is present. As a workaround, use a Cloud Code `beforeSave` trigger on the `_User` class to reject signups where `authData` is empty and no username/password is provided.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33042", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.01989", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33042" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33042", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33042" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10219", "reference_id": "10219", "reference_type": 
"", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:10:06Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10219" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10220", "reference_id": "10220", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:10:06Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10220" }, { "reference_url": "https://github.com/advisories/GHSA-wjqw-r9x4-j59v", "reference_id": "GHSA-wjqw-r9x4-j59v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wjqw-r9x4-j59v" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-wjqw-r9x4-j59v", "reference_id": "GHSA-wjqw-r9x4-j59v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:10:06Z/" } ], "url": 
"https://github.com/parse-community/parse-server/security/advisories/GHSA-wjqw-r9x4-j59v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374945?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.29", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.29" } ], "aliases": [ "CVE-2026-33042", "GHSA-wjqw-r9x4-j59v" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-53r7-9knw-u7bd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77845?format=api", "vulnerability_id": "VCID-5bbt-8378-17d1", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. 
Prior to versions 8.6.51 and 9.6.0-alpha.40, the Pages route and legacy PublicAPI route for resending email verification links return distinguishable responses depending on whether the provided username exists and has an unverified email. This allows an unauthenticated attacker to enumerate valid usernames by observing different redirect targets. The existing emailVerifySuccessOnInvalidEmail configuration option, which is enabled by default and protects the API route against this, did not apply to these routes. This issue has been patched in versions 8.6.51 and 9.6.0-alpha.40.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33323", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.16135", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33323" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33323", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33323" }, { "reference_url": 
"https://github.com/parse-community/parse-server/pull/10238", "reference_id": "10238", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:56:28Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10238" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10243", "reference_id": "10243", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:56:28Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10243" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/967aa57732202009b2389ce9ecb3130d53d657e5", "reference_id": "967aa57732202009b2389ce9ecb3130d53d657e5", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:56:28Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/967aa57732202009b2389ce9ecb3130d53d657e5" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/fbda4cb0c5cbc8fad08a216823b6b64d4ae289c3", "reference_id": "fbda4cb0c5cbc8fad08a216823b6b64d4ae289c3", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:56:28Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/fbda4cb0c5cbc8fad08a216823b6b64d4ae289c3" }, { "reference_url": "https://github.com/advisories/GHSA-h29g-q5c2-9h4f", "reference_id": "GHSA-h29g-q5c2-9h4f", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-h29g-q5c2-9h4f" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-h29g-q5c2-9h4f", "reference_id": "GHSA-h29g-q5c2-9h4f", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:56:28Z/" } ], "url": 
"https://github.com/parse-community/parse-server/security/advisories/GHSA-h29g-q5c2-9h4f" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375176?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.40", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.40" } ], "aliases": [ "CVE-2026-33323", "GHSA-h29g-q5c2-9h4f" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5bbt-8378-17d1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/75119?format=api", "vulnerability_id": "VCID-7jbf-hw56-9bcx", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. 
Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint. This defeats the single-use guarantee of MFA recovery codes and SMS one-time passwords, allowing session persistence even after the legitimate user revokes detected sessions. This issue has been patched in versions 8.6.64 and 9.7.0-alpha.8.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34224", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04677", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34224" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34224", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34224" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10326", "reference_id": "10326", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:15:54Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10326" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10327", "reference_id": "10327", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:15:54Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10327" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/661f160edac8daac0486bc94413cf9652876ab92", "reference_id": "661f160edac8daac0486bc94413cf9652876ab92", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:15:54Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/661f160edac8daac0486bc94413cf9652876ab92" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/e7efbebba398ce6abe5b6b6fb9829c6ebe310fbf", "reference_id": "e7efbebba398ce6abe5b6b6fb9829c6ebe310fbf", 
"reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:15:54Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/e7efbebba398ce6abe5b6b6fb9829c6ebe310fbf" }, { "reference_url": "https://github.com/advisories/GHSA-w73w-g5xw-rwhf", "reference_id": "GHSA-w73w-g5xw-rwhf", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w73w-g5xw-rwhf" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-w73w-g5xw-rwhf", "reference_id": "GHSA-w73w-g5xw-rwhf", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:15:54Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-w73w-g5xw-rwhf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374817?format=api", "purl": "pkg:npm/parse-server@9.7.0-alpha.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": 
"VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.8" } ], "aliases": [ "CVE-2026-34224", "GHSA-w73w-g5xw-rwhf" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7jbf-hw56-9bcx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77036?format=api", "vulnerability_id": "VCID-bpp2-r2wr-vkf6", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.21 and 8.6.45, an unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nested query condition operators. This terminates the server and denies service to all connected clients. Starting in version 9.6.0-alpha.21 and 8.6.45, a depth limit for query condition operator nesting has been added via the `requestComplexity.queryDepth` server option. The option is disabled by default to avoid a breaking change. To mitigate, upgrade and set the option to a value appropriate for your app. 
No known workarounds are available.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32944", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05656", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32944" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32944", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32944" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10202", "reference_id": "10202", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-19T16:56:21Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10202" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10203", "reference_id": "10203", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-19T16:56:21Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10203" }, { "reference_url": "https://github.com/advisories/GHSA-9xp9-j92r-p88v", "reference_id": "GHSA-9xp9-j92r-p88v", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9xp9-j92r-p88v" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-9xp9-j92r-p88v", "reference_id": "GHSA-9xp9-j92r-p88v", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-19T16:56:21Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-9xp9-j92r-p88v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374629?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.21", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { 
"vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.21" } ], "aliases": [ "CVE-2026-32944", "GHSA-9xp9-j92r-p88v" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bpp2-r2wr-vkf6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66529?format=api", "vulnerability_id": "VCID-brgs-d2uu-a7bt", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.4 and 8.6.17, a stored cross-site scripting (XSS) vulnerability allows any authenticated user to upload an SVG file containing JavaScript. The file is served inline with Content-Type: image/svg+xml and without protective headers, causing the browser to execute embedded scripts in the Parse Server origin. This can be exploited to steal session tokens from localStorage and achieve account takeover. The default fileExtensions option blocks HTML file extensions but does not block SVG, which is a well-known XSS vector. 
All Parse Server deployments where file upload is enabled for authenticated users (the default) are affected. This vulnerability is fixed in 9.5.2-alpha.4 and 8.6.17.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30948", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06091", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30948" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.17", "reference_id": "8.6.17", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:41:33Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.17" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.4", "reference_id": "9.5.2-alpha.4", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:41:33Z/" } ], 
"url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30948", "reference_id": "CVE-2026-30948", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30948" }, { "reference_url": "https://github.com/advisories/GHSA-hcj7-6gxh-24ww", "reference_id": "GHSA-hcj7-6gxh-24ww", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hcj7-6gxh-24ww" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-hcj7-6gxh-24ww", "reference_id": "GHSA-hcj7-6gxh-24ww", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:41:33Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-hcj7-6gxh-24ww" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40642?format=api", "purl": "pkg:npm/parse-server@9.5.2-alpha.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-262h-v1yd-tfc9" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2qbc-paq8-2fgn" }, { "vulnerability": 
"VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-2syy-yyte-nug4" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-caj3-ujpk-hba5" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-fdqv-3n6r-2fgb" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gjus-pwzw-qufs" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hh7p-ae88-z3fs" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-jh6w-1y2k-27de" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-pkkz-wwqa-1ufw" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-qybe-rg1s-6kau" }, { "vulnerability": "VCID-rr98-m4bd-dqhf" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-smga-c628-mucb" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-w175-44z9-c3h5" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-wtbe-kc8y-77dk" }, { "vulnerability": "VCID-xrz4-1vpd-2qeg" }, { "vulnerability": 
"VCID-yup6-6p9f-n7bu" }, { "vulnerability": "VCID-zrvb-y7f6-ykby" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.4" } ], "aliases": [ "CVE-2026-30948", "GHSA-hcj7-6gxh-24ww" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-brgs-d2uu-a7bt" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77634?format=api", "vulnerability_id": "VCID-ca2c-skt8-mqau", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.28 and 8.6.48, the password reset mechanism does not enforce single-use guarantees for reset tokens. When a user requests a password reset, the generated token can be consumed by multiple concurrent requests within a short time window. An attacker who has intercepted a password reset token can race the legitimate user's password reset request, causing both requests to succeed. This may result in the legitimate user believing their password was changed successfully while the attacker's password takes effect instead. All Parse Server deployments that use the password reset feature are affected. Starting in versions 9.6.0-alpha.28 and 8.6.48, the password reset token is now atomically validated and consumed as part of the password update operation. The database query that updates the password includes the reset token as a condition, ensuring that only one concurrent request can successfully consume the token. Subsequent requests using the same token will fail because the token has already been cleared. 
There is no known workaround other than upgrading.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32943", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01645", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32943" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32943", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32943" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10216", "reference_id": "10216", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T15:48:42Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10216" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10217", "reference_id": "10217", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T15:48:42Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10217" }, { "reference_url": "https://github.com/advisories/GHSA-r3xq-68wh-gwvh", "reference_id": "GHSA-r3xq-68wh-gwvh", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r3xq-68wh-gwvh" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-r3xq-68wh-gwvh", "reference_id": "GHSA-r3xq-68wh-gwvh", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T15:48:42Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-r3xq-68wh-gwvh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375133?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { 
"vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.28" } ], "aliases": [ "CVE-2026-32943", "GHSA-r3xq-68wh-gwvh" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ca2c-skt8-mqau" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66514?format=api", "vulnerability_id": "VCID-caj3-ujpk-hba5", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.10 and 8.6.23, Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint (/batch) processes sub-requests internally by routing them directly through the Promise router, bypassing Express middleware including rate limiting. An attacker can bundle multiple requests targeting a rate-limited endpoint into a single batch request to circumvent the configured rate limit. Any Parse Server deployment that relies on the built-in rate limiting feature is affected. 
This vulnerability is fixed in 9.5.2-alpha.10 and 8.6.23.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30972", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00062", "scoring_system": "epss", "scoring_elements": "0.1949", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30972" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.23", "reference_id": "8.6.23", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:53:44Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.23" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.10", "reference_id": "9.5.2-alpha.10", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:53:44Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.10" }, { 
"reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30972", "reference_id": "CVE-2026-30972", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30972" }, { "reference_url": "https://github.com/advisories/GHSA-775h-3xrc-c228", "reference_id": "GHSA-775h-3xrc-c228", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-775h-3xrc-c228" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-775h-3xrc-c228", "reference_id": "GHSA-775h-3xrc-c228", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:53:44Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-775h-3xrc-c228" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40658?format=api", "purl": "pkg:npm/parse-server@9.5.2-alpha.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-262h-v1yd-tfc9" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2qbc-paq8-2fgn" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": 
"VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-fdqv-3n6r-2fgb" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gjus-pwzw-qufs" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hh7p-ae88-z3fs" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-jh6w-1y2k-27de" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-qybe-rg1s-6kau" }, { "vulnerability": "VCID-rr98-m4bd-dqhf" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-w175-44z9-c3h5" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-xrz4-1vpd-2qeg" }, { "vulnerability": "VCID-zrvb-y7f6-ykby" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.10" } ], "aliases": [ "CVE-2026-30972", "GHSA-775h-3xrc-c228" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": 
"http://public2.vulnerablecode.io/vulnerabilities/VCID-caj3-ujpk-hba5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/74997?format=api", "vulnerability_id": "VCID-cbrh-vg1p-3ua7", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.70 and 9.7.0-alpha.18, an authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery subscriptions. By sending a subscription with a $or, $and, or $nor operator value as a plain object with numeric keys and a length property (an \"array-like\" object) instead of an array, the protected-field guard is bypassed. The subscription event firing acts as a binary oracle, allowing the attacker to infer whether a protected field matches a given test value. This issue has been patched in versions 8.6.70 and 9.7.0-alpha.18.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34595", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.1263", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34595" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34595", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", 
"scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34595" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10350", "reference_id": "10350", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:22:23Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10350" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10351", "reference_id": "10351", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:22:23Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10351" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/f63fd1a3fe0a7c1c5fe809f01b0e04759e8c9b98", "reference_id": "f63fd1a3fe0a7c1c5fe809f01b0e04759e8c9b98", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:22:23Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/f63fd1a3fe0a7c1c5fe809f01b0e04759e8c9b98" }, { "reference_url": 
"https://github.com/parse-community/parse-server/commit/ffad0ec6b971ee0dd9545e1bf1fb34ddebf275c2", "reference_id": "ffad0ec6b971ee0dd9545e1bf1fb34ddebf275c2", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:22:23Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/ffad0ec6b971ee0dd9545e1bf1fb34ddebf275c2" }, { "reference_url": "https://github.com/advisories/GHSA-mmg8-87c5-jrc2", "reference_id": "GHSA-mmg8-87c5-jrc2", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mmg8-87c5-jrc2" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mmg8-87c5-jrc2", "reference_id": "GHSA-mmg8-87c5-jrc2", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:22:23Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mmg8-87c5-jrc2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373555?format=api", "purl": "pkg:npm/parse-server@9.7.0-alpha.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { 
"vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.16" } ], "aliases": [ "CVE-2026-34595", "GHSA-mmg8-87c5-jrc2" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cbrh-vg1p-3ua7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65541?format=api", "vulnerability_id": "VCID-dhkw-d15h-rkb5", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.76 and 9.9.0-alpha.2, a race condition in the MFA SMS one-time password (OTP) login path allows two concurrent /login requests carrying the same OTP to both succeed and both receive valid session tokens, breaking the single-use property of the OTP. The vulnerability requires the attacker to already possess the victim's password and intercept the active SMS OTP (e.g. via SIM swap, network mirror, or phishing relay) and to race the legitimate login request, so the practical attack surface is narrow. 
This vulnerability is fixed in 8.6.76 and 9.9.0-alpha.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43930", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0001", "scoring_system": "epss", "scoring_elements": "0.01108", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43930" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43930", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43930" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10448", "reference_id": "10448", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:27:09Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10448" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10449", "reference_id": "10449", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:27:09Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10449" }, { "reference_url": "https://github.com/advisories/GHSA-jpq4-7fmq-q5fj", "reference_id": "GHSA-jpq4-7fmq-q5fj", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jpq4-7fmq-q5fj" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-jpq4-7fmq-q5fj", "reference_id": "GHSA-jpq4-7fmq-q5fj", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:27:09Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-jpq4-7fmq-q5fj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375441?format=api", "purl": "pkg:npm/parse-server@9.9.0-alpha.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.9.0-alpha.2" } ], "aliases": [ "CVE-2026-43930", "GHSA-jpq4-7fmq-q5fj" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dhkw-d15h-rkb5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66385?format=api", "vulnerability_id": "VCID-dmkx-64cw-67ae", "summary": 
"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.14 and 9.5.2-alpha.1, a NoSQL injection vulnerability allows an unauthenticated attacker to inject MongoDB query operators via the token field in the password reset and email verification resend endpoints. The token value is passed to database queries without type validation and can be used to extract password reset and email verification tokens. Any Parse Server deployment using MongoDB with email verification or password reset enabled is affected. When emailVerifyTokenReuseIfValid is configured, the email verification token can be fully extracted and used to verify a user's email address without inbox access. This vulnerability is fixed in 8.6.14 and 9.5.2-alpha.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30941", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00059", "scoring_system": "epss", "scoring_elements": "0.18746", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30941" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.14", "reference_id": "8.6.14", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:57:04Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.14" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.1", "reference_id": "9.5.2-alpha.1", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:57:04Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30941", "reference_id": "CVE-2026-30941", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30941" }, { "reference_url": "https://github.com/advisories/GHSA-vgjh-hmwf-c588", "reference_id": "GHSA-vgjh-hmwf-c588", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vgjh-hmwf-c588" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vgjh-hmwf-c588", "reference_id": "GHSA-vgjh-hmwf-c588", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:57:04Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vgjh-hmwf-c588" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40634?format=api", "purl": "pkg:npm/parse-server@9.5.2-alpha.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-22pk-5s6t-ufaw" }, { "vulnerability": "VCID-262h-v1yd-tfc9" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2qbc-paq8-2fgn" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-2syy-yyte-nug4" }, { "vulnerability": "VCID-2t98-yfws-zfgn" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-brgs-d2uu-a7bt" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-caj3-ujpk-hba5" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-fdqv-3n6r-2fgb" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gjus-pwzw-qufs" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hh7p-ae88-z3fs" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-jh6w-1y2k-27de" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { 
"vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-pkkz-wwqa-1ufw" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-qybe-rg1s-6kau" }, { "vulnerability": "VCID-rr98-m4bd-dqhf" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-smga-c628-mucb" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-w175-44z9-c3h5" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-wtbe-kc8y-77dk" }, { "vulnerability": "VCID-xrz4-1vpd-2qeg" }, { "vulnerability": "VCID-yup6-6p9f-n7bu" }, { "vulnerability": "VCID-zrvb-y7f6-ykby" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.1" } ], "aliases": [ "CVE-2026-30941", "GHSA-vgjh-hmwf-c588" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dmkx-64cw-67ae" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/73029?format=api", "vulnerability_id": "VCID-dyd6-6yy1-hyhn", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.6 and 8.6.74, the login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the server responds immediately. When a user exists but the password is wrong, a bcrypt comparison runs first, adding significant latency. This timing difference allows an unauthenticated attacker to enumerate valid usernames. 
This vulnerability is fixed in 9.8.0-alpha.6 and 8.6.74.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39321", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.09019", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39321" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39321", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39321" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10398", "reference_id": "10398", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T18:44:58Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10398" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10399", "reference_id": "10399", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T18:44:58Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10399" }, { "reference_url": "https://github.com/advisories/GHSA-mmpq-5hcv-hf2v", "reference_id": "GHSA-mmpq-5hcv-hf2v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mmpq-5hcv-hf2v" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mmpq-5hcv-hf2v", "reference_id": "GHSA-mmpq-5hcv-hf2v", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T18:44:58Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mmpq-5hcv-hf2v" } ], "fixed_packages": [ { "url": 
"http://public2.vulnerablecode.io/api/packages/373413?format=api", "purl": "pkg:npm/parse-server@9.8.0-alpha.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.8.0-alpha.6" } ], "aliases": [ "CVE-2026-39321", "GHSA-mmpq-5hcv-hf2v" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dyd6-6yy1-hyhn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/76907?format=api", "vulnerability_id": "VCID-e7pg-sdu5-mkhh", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.15 and 8.6.41, an attacker who is allowed to upload files can bypass the file extension filter by appending a MIME parameter (e.g. `;charset=utf-8`) to the `Content-Type` header. This causes the extension validation to fail matching against the blocklist, allowing active content to be stored and served under the application's domain. In addition, certain XML-based file extensions that can render scripts in web browsers are not included in the default blocklist. This can lead to stored XSS attacks, compromising session tokens, user credentials, or other sensitive data accessible via the browser's local storage. The fix in versions 9.6.0-alpha.15 and 8.6.41 strips MIME parameters from the `Content-Type` header before validating the file extension against the blocklist. The default blocklist has also been extended to include additional XML-based extensions (`xsd`, `rng`, `rdf`, `rdf+xml`, `owl`, `mathml`, `mathml+xml`) that can render active content in web browsers. Note that the `fileUpload.fileExtensions` option is intended to be configured as an allowlist of file extensions that are valid for a specific application, not as a denylist. 
The default denylist is provided only as a basic default that covers most common problematic extensions. It is not intended to be an exhaustive list of all potentially dangerous extensions. Developers should not rely on the default value, as new extensions that can render active content in browsers might emerge in the future. As a workaround, configure the `fileUpload.fileExtensions` option to use an allowlist of only the file extensions that your application needs, rather than relying on the default blocklist.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32728", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.0282", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32728" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32728", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32728" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10191", "reference_id": "10191", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", 
"scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T15:03:38Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10191" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10192", "reference_id": "10192", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T15:03:38Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10192" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/4f53ab3cad5502a51a509d53f999e00ff7217b8d", "reference_id": "4f53ab3cad5502a51a509d53f999e00ff7217b8d", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T15:03:38Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/4f53ab3cad5502a51a509d53f999e00ff7217b8d" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/c7599c577a02b97eb5e76d4e20517b0283ae73c8", "reference_id": "c7599c577a02b97eb5e76d4e20517b0283ae73c8", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T15:03:38Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/c7599c577a02b97eb5e76d4e20517b0283ae73c8" }, { "reference_url": "https://github.com/advisories/GHSA-42ph-pf9q-cr72", "reference_id": "GHSA-42ph-pf9q-cr72", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-42ph-pf9q-cr72" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-42ph-pf9q-cr72", "reference_id": "GHSA-42ph-pf9q-cr72", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T15:03:38Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-42ph-pf9q-cr72" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375286?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { 
"vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.15" } ], "aliases": [ "CVE-2026-32728", "GHSA-42ph-pf9q-cr72" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e7pg-sdu5-mkhh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/78114?format=api", "vulnerability_id": "VCID-e84c-36en-wqaa", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.54 and 9.6.0-alpha.43, an attacker can subscribe to LiveQuery with a watch parameter targeting a protected field. Although the protected field value is properly stripped from event payloads, the presence or absence of update events reveals whether the protected field changed, creating a binary oracle. For boolean protected fields, the timing of change events is equivalent to knowing the field value. 
This issue has been patched in versions 8.6.54 and 9.6.0-alpha.43.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33429", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03023", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33429" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33429", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33429" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/0c0a0a5a37ca821d2553119f2cb3be35322eda4b", "reference_id": "0c0a0a5a37ca821d2553119f2cb3be35322eda4b", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": 
"" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:33:05Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/0c0a0a5a37ca821d2553119f2cb3be35322eda4b" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10253", "reference_id": "10253", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:33:05Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10253" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10254", "reference_id": "10254", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:33:05Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10254" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/c62eacaf38de86913f09240583448360b1cc8e67", "reference_id": "c62eacaf38de86913f09240583448360b1cc8e67", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:33:05Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/c62eacaf38de86913f09240583448360b1cc8e67" }, { "reference_url": "https://github.com/advisories/GHSA-qpc3-fg4j-8hgm", "reference_id": "GHSA-qpc3-fg4j-8hgm", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qpc3-fg4j-8hgm" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-qpc3-fg4j-8hgm", "reference_id": "GHSA-qpc3-fg4j-8hgm", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:33:05Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-qpc3-fg4j-8hgm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375231?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.43", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { 
"vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.43" } ], "aliases": [ "CVE-2026-33429", "GHSA-qpc3-fg4j-8hgm" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e84c-36en-wqaa" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77450?format=api", "vulnerability_id": "VCID-ee1t-31wz-ufbw", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.10 and 8.6.36, an attacker with access to the master key can inject malicious SQL via crafted field names used in query constraints when Parse Server is configured with PostgreSQL as the database. The field name in a $regex query operator is passed to PostgreSQL using unparameterized string interpolation, allowing the attacker to manipulate the SQL query. While the master key controls what can be done through the Parse Server abstraction layer, this SQL injection bypasses Parse Server entirely and operates at the database level. This vulnerability only affects Parse Server deployments using PostgreSQL. 
This vulnerability is fixed in 9.6.0-alpha.10 and 8.6.36.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32234", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.1369", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32234" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32234", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32234" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.36", "reference_id": "8.6.36", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T19:52:08Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.36" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.10", "reference_id": "9.6.0-alpha.10", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": 
"cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T19:52:08Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.10" }, { "reference_url": "https://github.com/advisories/GHSA-c442-97qw-j6c6", "reference_id": "GHSA-c442-97qw-j6c6", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-c442-97qw-j6c6" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-c442-97qw-j6c6", "reference_id": "GHSA-c442-97qw-j6c6", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T19:52:08Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-c442-97qw-j6c6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374913?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": 
"VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-zrvb-y7f6-ykby" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.10" } ], "aliases": [ "CVE-2026-32234", "GHSA-c442-97qw-j6c6" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ee1t-31wz-ufbw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/78237?format=api", "vulnerability_id": "VCID-evdb-d9ew-pbfq", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. 
Prior to 9.6.0-alpha.35 and 8.6.50, when a `Parse.Cloud.afterLiveQueryEvent` trigger is registered for a class, the LiveQuery server leaks protected fields and `authData` to all subscribers of that class. Fields configured as protected via Class-Level Permissions (`protectedFields`) are included in LiveQuery event payloads for all event types (create, update, delete, enter, leave). Any user with sufficient CLP permissions to subscribe to the affected class can receive protected field data of other users, including sensitive personal information and OAuth tokens from third-party authentication providers. The vulnerability was caused by a reference detachment bug. When an `afterEvent` trigger is registered, the LiveQuery server converts the event object to a `Parse.Object` for the trigger, then creates a new JSON copy via `toJSONwithObjects()`. The sensitive data filter was applied to the `Parse.Object` reference, but the unfiltered JSON copy was sent to clients. The fix in versions 9.6.0-alpha.35 and 8.6.50 ensures that the JSON copy is assigned back to the response object before filtering, so the filter operates on the actual data sent to clients. As a workaround, remove all `Parse.Cloud.afterLiveQueryEvent` trigger registrations. 
Without an `afterEvent` trigger, the reference detachment does not occur and protected fields are correctly filtered.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33163", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11572", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33163" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33163", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33163" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10232", "reference_id": "10232", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-19T14:00:23Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10232" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10233", "reference_id": "10233", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": 
"cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-19T14:00:23Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10233" }, { "reference_url": "https://github.com/advisories/GHSA-5hmj-jcgp-6hff", "reference_id": "GHSA-5hmj-jcgp-6hff", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5hmj-jcgp-6hff" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-5hmj-jcgp-6hff", "reference_id": "GHSA-5hmj-jcgp-6hff", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-19T14:00:23Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-5hmj-jcgp-6hff" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375264?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.35", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": 
"VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.35" } ], "aliases": [ "CVE-2026-33163", "GHSA-5hmj-jcgp-6hff" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-evdb-d9ew-pbfq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71310?format=api", "vulnerability_id": "VCID-fdqv-3n6r-2fgb", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.4 and 8.6.30, an attacker can upload a file with a file extension or content type that is not blocked by the default configuration of the Parse Server fileUpload.fileExtensions option. The file can contain malicious code, for example JavaScript in an SVG or XHTML file. When the file is accessed via its URL, the browser renders the file and executes the malicious code in the context of the Parse Server domain. This is a stored Cross-Site Scripting (XSS) vulnerability that can be exploited to steal session tokens, redirect users, or perform actions on behalf of other users. Affected file extensions and content types include .svgz, .xht, .xml, .xsl, .xslt, and content types application/xhtml+xml and application/xslt+xml for extensionless uploads. 
Uploading of .html, .htm, .shtml, .xhtml, and .svg files was already blocked. This vulnerability is fixed in 9.6.0-alpha.4 and 8.6.30.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31868", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.20019", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31868" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.30", "reference_id": "8.6.30", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:10:45Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.30" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.4", "reference_id": "9.6.0-alpha.4", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:10:45Z/" } ], "url": 
"https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31868", "reference_id": "CVE-2026-31868", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31868" }, { "reference_url": "https://github.com/advisories/GHSA-v5hf-f4c3-m5rv", "reference_id": "GHSA-v5hf-f4c3-m5rv", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v5hf-f4c3-m5rv" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-v5hf-f4c3-m5rv", "reference_id": "GHSA-v5hf-f4c3-m5rv", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:10:45Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-v5hf-f4c3-m5rv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40686?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": 
"VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hh7p-ae88-z3fs" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-qybe-rg1s-6kau" }, { "vulnerability": "VCID-rr98-m4bd-dqhf" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-w175-44z9-c3h5" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-xrz4-1vpd-2qeg" }, { "vulnerability": "VCID-zrvb-y7f6-ykby" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.4" } ], "aliases": [ "CVE-2026-31868", "GHSA-v5hf-f4c3-m5rv" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fdqv-3n6r-2fgb" }, { "url": 
"http://public2.vulnerablecode.io/api/vulnerabilities/78063?format=api", "vulnerability_id": "VCID-g9b7-r5ry-mybm", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.52 and 9.6.0-alpha.41, an authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowing the user's credentials. The attacker only needs to know the user's provider ID to gain full access to their account, including a valid session token. This affects Parse Server deployments where the server option allowExpiredAuthDataToken is set to true. The default value is false. This issue has been patched in versions 8.6.52 and 9.6.0-alpha.41.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33409", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.08511", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33409" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33409", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33409" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10246", "reference_id": "10246", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T13:39:16Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10246" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10247", "reference_id": "10247", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T13:39:16Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10247" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/8d7df5639c4a35768fe8b78b4580b30e8a74721c", "reference_id": 
"8d7df5639c4a35768fe8b78b4580b30e8a74721c", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T13:39:16Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/8d7df5639c4a35768fe8b78b4580b30e8a74721c" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/98f4ba5bcf2c199bfe6225f672e8edcd08ba732d", "reference_id": "98f4ba5bcf2c199bfe6225f672e8edcd08ba732d", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T13:39:16Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/98f4ba5bcf2c199bfe6225f672e8edcd08ba732d" }, { "reference_url": "https://github.com/advisories/GHSA-pfj7-wv7c-22pr", "reference_id": "GHSA-pfj7-wv7c-22pr", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-pfj7-wv7c-22pr" }, { 
"reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-pfj7-wv7c-22pr", "reference_id": "GHSA-pfj7-wv7c-22pr", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T13:39:16Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-pfj7-wv7c-22pr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374883?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.41", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { 
"vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.41" } ], "aliases": [ "CVE-2026-33409", "GHSA-pfj7-wv7c-22pr" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-g9b7-r5ry-mybm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71319?format=api", "vulnerability_id": "VCID-gjus-pwzw-qufs", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.13 and 8.6.26, the LDAP authentication adapter is vulnerable to LDAP injection. User-supplied input (authData.id) is interpolated directly into LDAP Distinguished Names (DN) and group search filters without escaping special characters. This allows an attacker with valid LDAP credentials to manipulate the bind DN structure and to bypass group membership checks. This enables privilege escalation from any authenticated LDAP user to a member of any restricted group. The vulnerability affects Parse Server deployments that use the LDAP authentication adapter with group-based access control. 
This vulnerability is fixed in 9.5.2-alpha.13 and 8.6.26.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31828", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00164", "scoring_system": "epss", "scoring_elements": "0.37245", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31828" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.26", "reference_id": "8.6.26", "reference_type": "", "scores": [ { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:51:50Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.26" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.13", "reference_id": "9.5.2-alpha.13", "reference_type": "", "scores": [ { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": 
"generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:51:50Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.13" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31828", "reference_id": "CVE-2026-31828", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31828" }, { "reference_url": "https://github.com/advisories/GHSA-7m6r-fhh7-r47c", "reference_id": "GHSA-7m6r-fhh7-r47c", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7m6r-fhh7-r47c" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7m6r-fhh7-r47c", "reference_id": "GHSA-7m6r-fhh7-r47c", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:51:50Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7m6r-fhh7-r47c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40664?format=api", "purl": "pkg:npm/parse-server@9.5.2-alpha.13", "is_vulnerable": true, 
"affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-262h-v1yd-tfc9" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2qbc-paq8-2fgn" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-fdqv-3n6r-2fgb" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hh7p-ae88-z3fs" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-qybe-rg1s-6kau" }, { "vulnerability": "VCID-rr98-m4bd-dqhf" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-w175-44z9-c3h5" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-xrz4-1vpd-2qeg" }, { "vulnerability": 
"VCID-zrvb-y7f6-ykby" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.13" } ], "aliases": [ "CVE-2026-31828", "GHSA-7m6r-fhh7-r47c" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gjus-pwzw-qufs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/75142?format=api", "vulnerability_id": "VCID-gngn-8vy6-bkg7", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.63 and 9.7.0-alpha.7, the verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacker who knows a user's password can extract the MFA secret to generate valid MFA codes, defeating multi-factor authentication protection. This issue has been patched in versions 8.6.63 and 9.7.0-alpha.7.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34215", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00085", "scoring_system": "epss", "scoring_elements": "0.24728", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34215" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34215", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34215" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10323", "reference_id": "10323", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T16:23:36Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10323" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10324", "reference_id": "10324", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T16:23:36Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10324" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/770be8647424d92f5425c41fa81065ffbbb171ed", "reference_id": "770be8647424d92f5425c41fa81065ffbbb171ed", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T16:23:36Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/770be8647424d92f5425c41fa81065ffbbb171ed" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/a1d4e7b12a12f16d3870dbee582a36765858e94c", "reference_id": "a1d4e7b12a12f16d3870dbee582a36765858e94c", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T16:23:36Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/a1d4e7b12a12f16d3870dbee582a36765858e94c" }, { "reference_url": "https://github.com/advisories/GHSA-wp76-gg32-8258", "reference_id": "GHSA-wp76-gg32-8258", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wp76-gg32-8258" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-wp76-gg32-8258", "reference_id": "GHSA-wp76-gg32-8258", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", 
"scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T16:23:36Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-wp76-gg32-8258" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374846?format=api", "purl": "pkg:npm/parse-server@9.7.0-alpha.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.7" } ], "aliases": [ "CVE-2026-34215", "GHSA-wp76-gg32-8258" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gngn-8vy6-bkg7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77567?format=api", "vulnerability_id": "VCID-hbms-u2mt-jyhn", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.17 and 8.6.42, an authenticated user can overwrite server-generated session fields (`sessionToken`, `expiresAt`, `createdWith`) when creating a session object via `POST /classes/_Session`. This allows bypassing the server's session expiration policy by setting an arbitrary far-future expiration date. It also allows setting a predictable session token value. 
Starting in version 9.6.0-alpha.17 and 8.6.42, the session creation endpoint filters out server-generated fields from user-supplied data, preventing them from being overwritten. As a workaround, add a `beforeSave` trigger on the `_Session` class to validate and reject or strip any user-supplied values for `sessionToken`, `expiresAt`, and `createdWith`.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32742", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05969", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32742" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32742", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32742" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10195", "reference_id": "10195", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:10:52Z/" } ], "url": 
"https://github.com/parse-community/parse-server/pull/10195" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10196", "reference_id": "10196", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:10:52Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10196" }, { "reference_url": "https://github.com/advisories/GHSA-5v7g-9h8f-8pgg", "reference_id": "GHSA-5v7g-9h8f-8pgg", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5v7g-9h8f-8pgg" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-5v7g-9h8f-8pgg", "reference_id": "GHSA-5v7g-9h8f-8pgg", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:10:52Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-5v7g-9h8f-8pgg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375261?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": 
"VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.17" } ], "aliases": [ "CVE-2026-32742", "GHSA-5v7g-9h8f-8pgg" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hbms-u2mt-jyhn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77519?format=api", "vulnerability_id": "VCID-hh7p-ae88-z3fs", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.9 and 8.6.35, an attacker can exploit LiveQuery subscriptions to infer the values of protected fields without directly receiving them. 
By subscribing with a WHERE clause that references a protected field (including via dot-notation or $regex), the attacker can observe whether LiveQuery events are delivered for matching objects. This creates a boolean oracle that leaks protected field values. The attack affects any class that has both protectedFields configured in Class-Level Permissions and LiveQuery enabled. This vulnerability is fixed in 9.6.0-alpha.9 and 8.6.35.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32098", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00052", "scoring_system": "epss", "scoring_elements": "0.16495", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32098" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32098", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32098" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.35", "reference_id": "8.6.35", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": 
"ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T19:52:46Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.35" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.9", "reference_id": "9.6.0-alpha.9", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T19:52:46Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.9" }, { "reference_url": "https://github.com/advisories/GHSA-j7mm-f4rv-6q6q", "reference_id": "GHSA-j7mm-f4rv-6q6q", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-j7mm-f4rv-6q6q" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-j7mm-f4rv-6q6q", "reference_id": "GHSA-j7mm-f4rv-6q6q", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T19:52:46Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-j7mm-f4rv-6q6q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374730?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": 
"VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-zrvb-y7f6-ykby" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.9" } ], "aliases": [ "CVE-2026-32098", "GHSA-j7mm-f4rv-6q6q" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hh7p-ae88-z3fs" }, { "url": 
"http://public2.vulnerablecode.io/api/vulnerabilities/75150?format=api", "vulnerability_id": "VCID-hs5q-jk5r-7ya8", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.65 and 9.7.0-alpha.9, when multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects. The sensitive data filter modifies these shared objects in-place, so when one subscriber's filter removes a protected field, subsequent subscribers may receive the already-filtered object. This can cause protected fields and authentication data to leak to clients that should not see them, or cause clients that should see the data to receive an incomplete object. Additionally, when an afterEvent Cloud Code trigger is registered, one subscriber's trigger modifications can leak to other subscribers through the same shared mutable state. Any Parse Server deployment using LiveQuery with protected fields or afterEvent triggers is affected when multiple clients subscribe to the same class. 
This issue has been patched in versions 8.6.65 and 9.7.0-alpha.9.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34363", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.0685", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34363" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34363", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34363" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10330", "reference_id": "10330", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:22Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10330" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10331", "reference_id": "10331", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:22Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10331" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/5834e29234593addaa0251a85f572ad4f376320b", "reference_id": "5834e29234593addaa0251a85f572ad4f376320b", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:22Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/5834e29234593addaa0251a85f572ad4f376320b" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/776c71c3078e77d38c94937f463741793609d055", "reference_id": "776c71c3078e77d38c94937f463741793609d055", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:22Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/776c71c3078e77d38c94937f463741793609d055" }, { "reference_url": "https://github.com/advisories/GHSA-m983-v2ff-wq65", "reference_id": "GHSA-m983-v2ff-wq65", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m983-v2ff-wq65" }, { "reference_url": 
"https://github.com/parse-community/parse-server/security/advisories/GHSA-m983-v2ff-wq65", "reference_id": "GHSA-m983-v2ff-wq65", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:22Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-m983-v2ff-wq65" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374704?format=api", "purl": "pkg:npm/parse-server@9.7.0-alpha.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.9" } ], "aliases": [ "CVE-2026-34363", "GHSA-m983-v2ff-wq65" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hs5q-jk5r-7ya8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/76973?format=api", "vulnerability_id": "VCID-j3ba-adds-muay", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. 
Prior to 9.6.0-alpha.20 and 8.6.44, an attacker can bypass the default request keyword denylist protection and the class-level permission for adding fields by sending a crafted request that exploits prototype pollution in the deep copy mechanism. This allows injecting fields into class schemas that have field addition locked down, and can cause permanent schema type conflicts that cannot be resolved even with the master key. In 9.6.0-alpha.20 and 8.6.44, the vulnerable third-party deep copy library has been replaced with a built-in deep clone mechanism that handles prototype properties safely, allowing the existing denylist check to correctly detect and reject the prohibited keyword. No known workarounds are available.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32878", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03622", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32878" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32878", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32878" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10200", "reference_id": "10200", 
"reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T16:13:21Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10200" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10201", "reference_id": "10201", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T16:13:21Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10201" }, { "reference_url": "https://github.com/advisories/GHSA-9ccr-fpp6-78qf", "reference_id": "GHSA-9ccr-fpp6-78qf", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9ccr-fpp6-78qf" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-9ccr-fpp6-78qf", "reference_id": "GHSA-9ccr-fpp6-78qf", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T16:13:21Z/" } ], "url": 
"https://github.com/parse-community/parse-server/security/advisories/GHSA-9ccr-fpp6-78qf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374739?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.20", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.20" } ], "aliases": [ "CVE-2026-32878", "GHSA-9ccr-fpp6-78qf" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j3ba-adds-muay" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77589?format=api", "vulnerability_id": 
"VCID-j6sw-ak9p-nyhc", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.13 and 8.6.39, the OAuth2 authentication adapter does not correctly validate app IDs when appidField and appIds are configured. During app ID validation, a malformed value is sent to the token introspection endpoint instead of the user's actual access token. Depending on the introspection endpoint's behavior, this could either cause all OAuth2 logins to fail, or allow authentication from disallowed app contexts if the endpoint returns valid-looking data for the malformed request. Deployments using the OAuth2 adapter with appidField and appIds configured are affected. This vulnerability is fixed in 9.6.0-alpha.13 and 8.6.39.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32269", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.0478", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32269" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32269", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32269" }, { "reference_url": 
"https://github.com/parse-community/parse-server/releases/tag/8.6.39", "reference_id": "8.6.39", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-13T16:11:12Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.39" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.13", "reference_id": "9.6.0-alpha.13", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-13T16:11:12Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.13" }, { "reference_url": "https://github.com/advisories/GHSA-69xg-f649-w5g2", "reference_id": "GHSA-69xg-f649-w5g2", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-69xg-f649-w5g2" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-69xg-f649-w5g2", "reference_id": "GHSA-69xg-f649-w5g2", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", 
"scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-13T16:11:12Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-69xg-f649-w5g2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375170?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.13" } ], "aliases": [ 
"CVE-2026-32269", "GHSA-69xg-f649-w5g2" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j6sw-ak9p-nyhc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71291?format=api", "vulnerability_id": "VCID-jh6w-1y2k-27de", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.12 and 8.6.25, the _GraphQLConfig and _Audience internal classes can be read, modified, and deleted via the generic /classes/_GraphQLConfig and /classes/_Audience REST API routes without master key authentication. This bypasses the master key enforcement that exists on the dedicated /graphql-config and /push_audiences endpoints. An attacker can read, modify and delete GraphQL configuration and push audience data. This vulnerability is fixed in 9.5.2-alpha.12 and 8.6.25.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31800", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00106", "scoring_system": "epss", "scoring_elements": "0.2815", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31800" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.25", "reference_id": "8.6.25", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", 
"scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:53:42Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.25" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.12", "reference_id": "9.5.2-alpha.12", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:53:42Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.12" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31800", "reference_id": "CVE-2026-31800", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31800" }, { "reference_url": "https://github.com/advisories/GHSA-7xg7-rqf6-pw6c", "reference_id": "GHSA-7xg7-rqf6-pw6c", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7xg7-rqf6-pw6c" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7xg7-rqf6-pw6c", "reference_id": "GHSA-7xg7-rqf6-pw6c", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", 
"scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:53:42Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7xg7-rqf6-pw6c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40661?format=api", "purl": "pkg:npm/parse-server@9.5.2-alpha.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-262h-v1yd-tfc9" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2qbc-paq8-2fgn" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-fdqv-3n6r-2fgb" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gjus-pwzw-qufs" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hh7p-ae88-z3fs" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { 
"vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-qybe-rg1s-6kau" }, { "vulnerability": "VCID-rr98-m4bd-dqhf" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-w175-44z9-c3h5" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-xrz4-1vpd-2qeg" }, { "vulnerability": "VCID-zrvb-y7f6-ykby" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.12" } ], "aliases": [ "CVE-2026-31800", "GHSA-7xg7-rqf6-pw6c" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jh6w-1y2k-27de" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/78078?format=api", "vulnerability_id": "VCID-mdgb-p4u1-uud5", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.57 and 9.6.0-alpha.48, an authenticated user can overwrite server-generated session fields such as expiresAt and createdWith when updating their own session via the REST API. This allows bypassing the server's configured session lifetime policy, making a session effectively permanent. 
This issue has been patched in versions 8.6.57 and 9.6.0-alpha.48.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33527", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02576", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33527" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33527", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33527" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10263", "reference_id": "10263", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:36:32Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10263" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10264", "reference_id": "10264", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:36:32Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10264" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/26b628c8fb3cc79ea955374769eebcff6f8a8a73", "reference_id": "26b628c8fb3cc79ea955374769eebcff6f8a8a73", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:36:32Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/26b628c8fb3cc79ea955374769eebcff6f8a8a73" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/ea68fc0b22a6056c9675149469ff57817f7cf984", "reference_id": "ea68fc0b22a6056c9675149469ff57817f7cf984", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:36:32Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/ea68fc0b22a6056c9675149469ff57817f7cf984" }, { "reference_url": "https://github.com/advisories/GHSA-jc39-686j-wp6q", "reference_id": "GHSA-jc39-686j-wp6q", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jc39-686j-wp6q" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-jc39-686j-wp6q", "reference_id": "GHSA-jc39-686j-wp6q", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:36:32Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-jc39-686j-wp6q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374687?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.48", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { 
"vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.48" } ], "aliases": [ "CVE-2026-33527", "GHSA-jc39-686j-wp6q" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mdgb-p4u1-uud5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/74879?format=api", "vulnerability_id": "VCID-mm7p-maf1-eyhq", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.69 and 9.7.0-alpha.14, an authenticated user can bypass the immutability guard on session fields (expiresAt, createdWith) by sending a null value in a PUT request to the session update endpoint. This allows nullifying the session expiry, making the session valid indefinitely and bypassing configured session length policies. 
This issue has been patched in versions 8.6.69 and 9.7.0-alpha.14.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34574", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.1263", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34574" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34574", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34574" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10347", "reference_id": "10347", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-01T17:57:17Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10347" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10348", "reference_id": "10348", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-01T17:57:17Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10348" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/90802969fc713b7bc9733d7255c7519a6ed75d21", "reference_id": "90802969fc713b7bc9733d7255c7519a6ed75d21", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-01T17:57:17Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/90802969fc713b7bc9733d7255c7519a6ed75d21" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/ebccd7fe2708007e62f705ee1c820a6766178777", "reference_id": "ebccd7fe2708007e62f705ee1c820a6766178777", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-01T17:57:17Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/ebccd7fe2708007e62f705ee1c820a6766178777" }, { "reference_url": "https://github.com/advisories/GHSA-f6j3-w9v3-cq22", "reference_id": "GHSA-f6j3-w9v3-cq22", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f6j3-w9v3-cq22" }, { 
"reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-f6j3-w9v3-cq22", "reference_id": "GHSA-f6j3-w9v3-cq22", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-01T17:57:17Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-f6j3-w9v3-cq22" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373425?format=api", "purl": "pkg:npm/parse-server@9.7.0-alpha.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.14" } ], "aliases": [ "CVE-2026-34574", "GHSA-f6j3-w9v3-cq22" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mm7p-maf1-eyhq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77818?format=api", "vulnerability_id": "VCID-mxgt-92ep-73fj", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.58 and 9.6.0-alpha.52, an unauthenticated attacker can cause denial of service by sending authentication requests with arbitrary, unconfigured provider names. 
The server executes a database query for each unconfigured provider before rejecting the request, and since no database index exists for unconfigured providers, each request triggers a full collection scan on the user database. This can be parallelized to saturate database resources. This issue has been patched in versions 8.6.58 and 9.6.0-alpha.52.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33538", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00142", "scoring_system": "epss", "scoring_elements": "0.34156", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33538" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33538", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33538" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10270", "reference_id": "10270", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:37:14Z/" } ], "url": 
"https://github.com/parse-community/parse-server/pull/10270" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10271", "reference_id": "10271", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:37:14Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10271" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/40eb442e02672986730007d0a1edb22c1c4bd357", "reference_id": "40eb442e02672986730007d0a1edb22c1c4bd357", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:37:14Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/40eb442e02672986730007d0a1edb22c1c4bd357" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/fbac847499e57f243315c5fc7135be1d58bb8e54", "reference_id": "fbac847499e57f243315c5fc7135be1d58bb8e54", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:37:14Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/fbac847499e57f243315c5fc7135be1d58bb8e54" }, { "reference_url": 
"https://github.com/advisories/GHSA-g4cf-xj29-wqqr", "reference_id": "GHSA-g4cf-xj29-wqqr", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g4cf-xj29-wqqr" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-g4cf-xj29-wqqr", "reference_id": "GHSA-g4cf-xj29-wqqr", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:37:14Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-g4cf-xj29-wqqr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374906?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.52", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.52" } ], "aliases": [ 
"CVE-2026-33538", "GHSA-g4cf-xj29-wqqr" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mxgt-92ep-73fj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/74749?format=api", "vulnerability_id": "VCID-n4s7-6vvk-skfz", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads. A single unauthenticated request can block the Node.js event loop for seconds, denying service to all concurrent users. This only affects deployments that have enabled the requestComplexity.graphQLDepth or requestComplexity.graphQLFields configuration options. This issue has been patched in versions 8.6.68 and 9.7.0-alpha.12.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34573", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05341", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34573" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34573", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", 
"scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34573" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10344", "reference_id": "10344", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:19Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10344" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10345", "reference_id": "10345", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:19Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10345" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/ea15412795f34594cc8a674fe858d445675e0295", "reference_id": "ea15412795f34594cc8a674fe858d445675e0295", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:19Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/ea15412795f34594cc8a674fe858d445675e0295" }, { "reference_url": 
"https://github.com/parse-community/parse-server/commit/f759bda075298ec44e2b4fb57659a0c56620483b", "reference_id": "f759bda075298ec44e2b4fb57659a0c56620483b", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:19Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/f759bda075298ec44e2b4fb57659a0c56620483b" }, { "reference_url": "https://github.com/advisories/GHSA-mfj6-6p54-m98c", "reference_id": "GHSA-mfj6-6p54-m98c", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mfj6-6p54-m98c" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mfj6-6p54-m98c", "reference_id": "GHSA-mfj6-6p54-m98c", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:19Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mfj6-6p54-m98c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374809?format=api", "purl": "pkg:npm/parse-server@9.7.0-alpha.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": 
"VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.12" } ], "aliases": [ "CVE-2026-34573", "GHSA-mfj6-6p54-m98c" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-n4s7-6vvk-skfz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/78056?format=api", "vulnerability_id": "VCID-n5mt-eebx-zbcf", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.53 and 9.6.0-alpha.42, Parse Server's LiveQuery WebSocket interface does not enforce Class-Level Permission (CLP) pointer permissions (readUserFields and pointerFields). Any authenticated user can subscribe to LiveQuery events and receive real-time updates for all objects in classes protected by pointer permissions, regardless of whether the pointer fields on those objects point to the subscribing user. This bypasses the intended read access control, allowing unauthorized access to potentially sensitive data that is correctly restricted via the REST API. 
This issue has been patched in versions 8.6.53 and 9.6.0-alpha.42.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33421", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01781", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33421" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33421", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33421" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10250", "reference_id": "10250", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:18:10Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10250" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10252", "reference_id": "10252", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:18:10Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10252" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/6c3317aca6eb618ac48f999021ae3ef7766ad1ea", "reference_id": "6c3317aca6eb618ac48f999021ae3ef7766ad1ea", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:18:10Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/6c3317aca6eb618ac48f999021ae3ef7766ad1ea" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/976dad109f3fe3fbd0a3a35ef62e7a5d35eb0bee", "reference_id": "976dad109f3fe3fbd0a3a35ef62e7a5d35eb0bee", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:18:10Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/976dad109f3fe3fbd0a3a35ef62e7a5d35eb0bee" }, { "reference_url": "https://github.com/advisories/GHSA-fph2-r4qg-9576", "reference_id": "GHSA-fph2-r4qg-9576", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fph2-r4qg-9576" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-fph2-r4qg-9576", "reference_id": "GHSA-fph2-r4qg-9576", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:18:10Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-fph2-r4qg-9576" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375279?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.42", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": 
"VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.42" } ], "aliases": [ "CVE-2026-33421", "GHSA-fph2-r4qg-9576" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-n5mt-eebx-zbcf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/78070?format=api", "vulnerability_id": "VCID-nqev-h9w8-pudy", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.61 and 9.6.0-alpha.55, an authenticated user calling GET /users/me receives unsanitized auth data, including sensitive credentials such as MFA TOTP secrets and recovery codes. The endpoint internally uses master-level authentication for the session query, and the master context leaks through to the user data, bypassing auth adapter sanitization. An attacker who obtains a user's session token can extract MFA secrets to generate valid TOTP codes indefinitely. 
This issue has been patched in versions 8.6.61 and 9.6.0-alpha.55.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33627", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.12016", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33627" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33627", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33627" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10278", "reference_id": "10278", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:38:24Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10278" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10279", "reference_id": "10279", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:38:24Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10279" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/5b8998e6866bcf75be7b5bb625e27d23bfaf912c", "reference_id": "5b8998e6866bcf75be7b5bb625e27d23bfaf912c", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:38:24Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/5b8998e6866bcf75be7b5bb625e27d23bfaf912c" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/875cf10ac979bd60f70e7a0c534e2bc194d6982f", "reference_id": "875cf10ac979bd60f70e7a0c534e2bc194d6982f", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:38:24Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/875cf10ac979bd60f70e7a0c534e2bc194d6982f" }, { "reference_url": "https://github.com/advisories/GHSA-37mj-c2wf-cx96", "reference_id": "GHSA-37mj-c2wf-cx96", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-37mj-c2wf-cx96" }, { "reference_url": 
"https://github.com/parse-community/parse-server/security/advisories/GHSA-37mj-c2wf-cx96", "reference_id": "GHSA-37mj-c2wf-cx96", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:38:24Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-37mj-c2wf-cx96" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374931?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.55", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.55" } ], "aliases": [ "CVE-2026-33627", "GHSA-37mj-c2wf-cx96" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nqev-h9w8-pudy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71781?format=api", "vulnerability_id": "VCID-nt51-v9gk-w3e8", "summary": "Parse Server is an open source backend that can be deployed to any 
infrastructure that can run Node.js. Prior to 8.6.73 and 9.7.1-alpha.4, a file can be uploaded with a filename extension that passes the file extension allowlist (e.g., .txt) but with a Content-Type header that differs from the extension (e.g., text/html). The Content-Type is passed to the storage adapter without consistency validation. Storage adapters that store and serve the provided Content-Type (such as S3 or GCS) serve the file with the mismatched Content-Type. The default GridFS adapter is not affected because it derives Content-Type from the filename at serving time. This vulnerability is fixed in 8.6.73 and 9.7.1-alpha.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35200", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09965", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35200" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35200", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35200" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10383", "reference_id": "10383", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T14:02:43Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10383" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10384", "reference_id": "10384", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T14:02:43Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10384" }, { "reference_url": "https://github.com/advisories/GHSA-vr5f-2r24-w5hc", "reference_id": "GHSA-vr5f-2r24-w5hc", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vr5f-2r24-w5hc" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vr5f-2r24-w5hc", "reference_id": "GHSA-vr5f-2r24-w5hc", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T14:02:43Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vr5f-2r24-w5hc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374116?format=api", 
"purl": "pkg:npm/parse-server@9.7.1-alpha.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.1-alpha.4" } ], "aliases": [ "CVE-2026-35200", "GHSA-vr5f-2r24-w5hc" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nt51-v9gk-w3e8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66452?format=api", "vulnerability_id": "VCID-pkkz-wwqa-1ufw", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.7 and 8.6.20, Parse Server's internal tables, which store Relation field mappings such as role memberships, can be directly accessed via the REST API or GraphQL API by any client using only the application key. No master key is required. An attacker can create, read, update, or delete records in any internal relationship table. Exploiting this allows the attacker to inject themselves into any Parse Role, gaining all permissions associated with that role, including full read, write, and delete access to classes protected by role-based Class-Level Permissions (CLP). Similarly, writing to any such table that backs a Relation field used in a pointerFields CLP bypasses that access control. 
This vulnerability is fixed in 9.5.2-alpha.7 and 8.6.20.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30966", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.20132", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30966" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.20", "reference_id": "8.6.20", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-11T14:31:08Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.20" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.7", "reference_id": "9.5.2-alpha.7", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", 
"scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-11T14:31:08Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.7" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30966", "reference_id": "CVE-2026-30966", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30966" }, { "reference_url": "https://github.com/advisories/GHSA-5f92-jrq3-28rc", "reference_id": "GHSA-5f92-jrq3-28rc", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5f92-jrq3-28rc" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-5f92-jrq3-28rc", "reference_id": "GHSA-5f92-jrq3-28rc", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-11T14:31:08Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-5f92-jrq3-28rc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40654?format=api", "purl": "pkg:npm/parse-server@9.5.2-alpha.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": 
"VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-262h-v1yd-tfc9" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2qbc-paq8-2fgn" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-2syy-yyte-nug4" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-caj3-ujpk-hba5" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-fdqv-3n6r-2fgb" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gjus-pwzw-qufs" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hh7p-ae88-z3fs" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-jh6w-1y2k-27de" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-qybe-rg1s-6kau" }, { "vulnerability": "VCID-rr98-m4bd-dqhf" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-w175-44z9-c3h5" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": 
"VCID-wtbe-kc8y-77dk" }, { "vulnerability": "VCID-xrz4-1vpd-2qeg" }, { "vulnerability": "VCID-zrvb-y7f6-ykby" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.7" } ], "aliases": [ "CVE-2026-30966", "GHSA-5f92-jrq3-28rc" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pkkz-wwqa-1ufw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/78186?format=api", "vulnerability_id": "VCID-q59u-ywkn-wbfw", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.55 and 9.6.0-alpha.44, an attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server process. The server becomes completely unresponsive and must be manually restarted. This is a bypass of the fix for CVE-2026-32944. 
This issue has been patched in versions 8.6.55 and 9.6.0-alpha.44.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33498", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06091", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33498" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33498", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33498" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10257", "reference_id": "10257", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:32:52Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10257" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10258", "reference_id": "10258", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:32:52Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10258" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/2581b5426047ce9cbcd3d9c0e8379e9c30e23ab5", "reference_id": "2581b5426047ce9cbcd3d9c0e8379e9c30e23ab5", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:32:52Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/2581b5426047ce9cbcd3d9c0e8379e9c30e23ab5" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/85994eff9e7b34cac7e1a2f5791985022a1461d1", "reference_id": "85994eff9e7b34cac7e1a2f5791985022a1461d1", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:32:52Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/85994eff9e7b34cac7e1a2f5791985022a1461d1" }, { "reference_url": "https://github.com/advisories/GHSA-9fjp-q3c4-6w3j", "reference_id": "GHSA-9fjp-q3c4-6w3j", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9fjp-q3c4-6w3j" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-9fjp-q3c4-6w3j", "reference_id": "GHSA-9fjp-q3c4-6w3j", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:32:52Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-9fjp-q3c4-6w3j" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375044?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.44", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": 
"VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.44" } ], "aliases": [ "CVE-2026-33498", "GHSA-9fjp-q3c4-6w3j" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-q59u-ywkn-wbfw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71476?format=api", "vulnerability_id": "VCID-qybe-rg1s-6kau", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.5 and 8.6.31, a SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation (e.g., stats.counter). The sub-key name is interpolated directly into SQL string literals without escaping. An attacker who can send write requests to the Parse Server REST API can inject arbitrary SQL via a crafted sub-key name containing single quotes, potentially executing commands or reading data from the database, bypassing CLPs and ACLs. Only Postgres deployments are affected. 
This vulnerability is fixed in 9.6.0-alpha.5 and 8.6.31.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31871", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13311", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31871" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.31", "reference_id": "8.6.31", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:09:48Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.31" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.5", "reference_id": "9.6.0-alpha.5", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:09:48Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.5" }, { 
"reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31871", "reference_id": "CVE-2026-31871", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31871" }, { "reference_url": "https://github.com/advisories/GHSA-gqpp-xgvh-9h7h", "reference_id": "GHSA-gqpp-xgvh-9h7h", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gqpp-xgvh-9h7h" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-gqpp-xgvh-9h7h", "reference_id": "GHSA-gqpp-xgvh-9h7h", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:09:48Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-gqpp-xgvh-9h7h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40689?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": 
"VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hh7p-ae88-z3fs" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-rr98-m4bd-dqhf" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-w175-44z9-c3h5" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-xrz4-1vpd-2qeg" }, { "vulnerability": "VCID-zrvb-y7f6-ykby" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.5" } ], "aliases": [ "CVE-2026-31871", "GHSA-gqpp-xgvh-9h7h" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qybe-rg1s-6kau" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71429?format=api", "vulnerability_id": "VCID-rr98-m4bd-dqhf", "summary": "Parse Server is an open source backend that can be deployed to 
any infrastructure that can run Node.js. Prior to 8.6.34 and 9.6.0-alpha.8, the email verification endpoint (/verificationEmailRequest) returns distinct error responses depending on whether an email address belongs to an existing user, is already verified, or does not exist. An attacker can send requests with different email addresses and observe the error codes to determine which email addresses are registered in the application. This is a user enumeration vulnerability that affects any Parse Server deployment with email verification enabled (verifyUserEmails: true). This vulnerability is fixed in 8.6.34 and 9.6.0-alpha.8.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31901", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00044", "scoring_system": "epss", "scoring_elements": "0.14077", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31901" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.34", "reference_id": "8.6.34", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:01:34Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.34" }, { "reference_url": 
"https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.8", "reference_id": "9.6.0-alpha.8", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:01:34Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.8" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31901", "reference_id": "CVE-2026-31901", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31901" }, { "reference_url": "https://github.com/advisories/GHSA-w54v-hf9p-8856", "reference_id": "GHSA-w54v-hf9p-8856", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w54v-hf9p-8856" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-w54v-hf9p-8856", "reference_id": "GHSA-w54v-hf9p-8856", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:01:34Z/" } ], "url": 
"https://github.com/parse-community/parse-server/security/advisories/GHSA-w54v-hf9p-8856" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40694?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hh7p-ae88-z3fs" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-zrvb-y7f6-ykby" }, { "vulnerability": 
"VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.8" } ], "aliases": [ "CVE-2026-31901", "GHSA-w54v-hf9p-8856" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rr98-m4bd-dqhf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77239?format=api", "vulnerability_id": "VCID-s2mj-yppn-ckaa", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.12 and 8.6.38, an unauthenticated attacker can take over any user account that was created with an authentication provider that does not validate the format of the user identifier (e.g. anonymous authentication). By sending a crafted login request, the attacker can cause the server to perform a pattern-matching query instead of an exact-match lookup, allowing the attacker to match an existing user and obtain a valid session token for that user's account. Both MongoDB and PostgreSQL database backends are affected. Any Parse Server deployment that allows anonymous authentication (enabled by default) is vulnerable. 
This vulnerability is fixed in 9.6.0-alpha.12 and 8.6.38.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32248", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.001", "scoring_system": "epss", "scoring_elements": "0.27288", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32248" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32248", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32248" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.38", "reference_id": "8.6.38", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-13T16:17:01Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.38" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.12", "reference_id": "9.6.0-alpha.12", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", 
"scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-13T16:17:01Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.12" }, { "reference_url": "https://github.com/advisories/GHSA-5fw2-8jcv-xh87", "reference_id": "GHSA-5fw2-8jcv-xh87", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5fw2-8jcv-xh87" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-5fw2-8jcv-xh87", "reference_id": "GHSA-5fw2-8jcv-xh87", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-13T16:17:01Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-5fw2-8jcv-xh87" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374608?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { 
"vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.12" } ], "aliases": [ "CVE-2026-32248", "GHSA-5fw2-8jcv-xh87" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-s2mj-yppn-ckaa" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66367?format=api", "vulnerability_id": "VCID-smga-c628-mucb", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.5 and 8.6.18, the Keycloak authentication adapter does not validate the azp (authorized party) claim of Keycloak access tokens against the configured client-id. 
A valid access token issued by the same Keycloak realm for a different client application can be used to authenticate as any user on the Parse Server that uses the Keycloak adapter. This enables cross-application account takeover in multi-client Keycloak realms. All Parse Server deployments that use the Keycloak authentication adapter with a Keycloak realm that has multiple client applications are affected. This vulnerability is fixed in 9.5.2-alpha.5 and 8.6.18.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30949", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14706", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30949" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.18", "reference_id": "8.6.18", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-10T20:40:36Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.18" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.5", "reference_id": "9.5.2-alpha.5", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv4", 
"scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-10T20:40:36Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.5" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30949", "reference_id": "CVE-2026-30949", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30949" }, { "reference_url": "https://github.com/advisories/GHSA-48mh-j4p5-7j9v", "reference_id": "GHSA-48mh-j4p5-7j9v", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-48mh-j4p5-7j9v" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-48mh-j4p5-7j9v", "reference_id": "GHSA-48mh-j4p5-7j9v", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-10T20:40:36Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-48mh-j4p5-7j9v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40643?format=api", "purl": "pkg:npm/parse-server@9.5.2-alpha.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ 
{ "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-262h-v1yd-tfc9" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2qbc-paq8-2fgn" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-2syy-yyte-nug4" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-caj3-ujpk-hba5" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-fdqv-3n6r-2fgb" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gjus-pwzw-qufs" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hh7p-ae88-z3fs" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-jh6w-1y2k-27de" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-pkkz-wwqa-1ufw" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-qybe-rg1s-6kau" }, { "vulnerability": "VCID-rr98-m4bd-dqhf" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": 
"VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-w175-44z9-c3h5" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-wtbe-kc8y-77dk" }, { "vulnerability": "VCID-xrz4-1vpd-2qeg" }, { "vulnerability": "VCID-yup6-6p9f-n7bu" }, { "vulnerability": "VCID-zrvb-y7f6-ykby" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.5" } ], "aliases": [ "CVE-2026-30949", "GHSA-48mh-j4p5-7j9v" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-smga-c628-mucb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77940?format=api", "vulnerability_id": "VCID-tuts-aegs-r7e7", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.56 and 9.6.0-alpha.45, Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription requests. An attacker can send a subscription with deeply nested logical operators, causing excessive recursion and CPU consumption that degrades or disrupts service availability. 
This issue has been patched in versions 8.6.56 and 9.6.0-alpha.45.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33508", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00065", "scoring_system": "epss", "scoring_elements": "0.20468", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33508" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33508", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33508" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/060d27053fb0fadf613c25aabab7fe0c82b7a899", "reference_id": "060d27053fb0fadf613c25aabab7fe0c82b7a899", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { 
"value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:57:12Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/060d27053fb0fadf613c25aabab7fe0c82b7a899" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10259", "reference_id": "10259", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:57:12Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10259" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10260", "reference_id": "10260", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:57:12Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10260" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/2126fe4e12f9b399dc6b4b6a3fa70cb1825f159b", "reference_id": "2126fe4e12f9b399dc6b4b6a3fa70cb1825f159b", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:57:12Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/2126fe4e12f9b399dc6b4b6a3fa70cb1825f159b" }, { "reference_url": "https://github.com/advisories/GHSA-6qh5-m6g3-xhq6", "reference_id": "GHSA-6qh5-m6g3-xhq6", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6qh5-m6g3-xhq6" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6qh5-m6g3-xhq6", "reference_id": "GHSA-6qh5-m6g3-xhq6", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:57:12Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6qh5-m6g3-xhq6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374762?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.45", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": 
"VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.45" } ], "aliases": [ "CVE-2026-33508", "GHSA-6qh5-m6g3-xhq6" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tuts-aegs-r7e7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/75005?format=api", "vulnerability_id": "VCID-vmwk-3myb-u7ds", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFind(Parse.File) trigger and its validators on storage adapters that support streaming (e.g. the default GridFS adapter). This allows access to files that should be protected by afterFind trigger authorization logic or built-in validators such as requireUser. 
This issue has been patched in versions 8.6.71 and 9.7.1-alpha.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34784", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03955", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34784" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34784", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34784" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/053109b3ee71815bc39ed84116c108ff9edbf337", "reference_id": "053109b3ee71815bc39ed84116c108ff9edbf337", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:31Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/053109b3ee71815bc39ed84116c108ff9edbf337" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10361", "reference_id": "10361", "reference_type": 
"", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:31Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10361" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10362", "reference_id": "10362", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:31Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10362" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/a0b0c69fc44f87f80d793d257344e7dcbf676e22", "reference_id": "a0b0c69fc44f87f80d793d257344e7dcbf676e22", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:31Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/a0b0c69fc44f87f80d793d257344e7dcbf676e22" }, { "reference_url": "https://github.com/advisories/GHSA-hpm8-9qx6-jvwv", "reference_id": "GHSA-hpm8-9qx6-jvwv", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hpm8-9qx6-jvwv" }, { "reference_url": 
"https://github.com/parse-community/parse-server/security/advisories/GHSA-hpm8-9qx6-jvwv", "reference_id": "GHSA-hpm8-9qx6-jvwv", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:31Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-hpm8-9qx6-jvwv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374143?format=api", "purl": "pkg:npm/parse-server@9.7.1-alpha.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.1-alpha.1" } ], "aliases": [ "CVE-2026-34784", "GHSA-hpm8-9qx6-jvwv" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vmwk-3myb-u7ds" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71323?format=api", "vulnerability_id": "VCID-w175-44z9-c3h5", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.7 and 8.6.33, when multi-factor authentication (MFA) via TOTP is enabled for a user account, Parse Server generates two single-use recovery codes. These codes are intended as a fallback when the user cannot provide a TOTP token. However, recovery codes are not consumed after use, allowing the same recovery code to be used an unlimited number of times. 
This defeats the single-use design of recovery codes and weakens the security of MFA-protected accounts. An attacker who obtains a single recovery code can repeatedly authenticate as the affected user without the code ever being invalidated. This vulnerability is fixed in 9.6.0-alpha.7 and 8.6.33.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31875", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00139", "scoring_system": "epss", "scoring_elements": "0.33687", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31875" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.33", "reference_id": "8.6.33", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:06:08Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.33" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.7", "reference_id": "9.6.0-alpha.7", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { 
"value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:06:08Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.7" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31875", "reference_id": "CVE-2026-31875", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31875" }, { "reference_url": "https://github.com/advisories/GHSA-4hf6-3x24-c9m8", "reference_id": "GHSA-4hf6-3x24-c9m8", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4hf6-3x24-c9m8" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-4hf6-3x24-c9m8", "reference_id": "GHSA-4hf6-3x24-c9m8", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:06:08Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-4hf6-3x24-c9m8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40692?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" 
}, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hh7p-ae88-z3fs" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-rr98-m4bd-dqhf" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-zrvb-y7f6-ykby" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.7" } ], "aliases": [ "CVE-2026-31875", "GHSA-4hf6-3x24-c9m8" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w175-44z9-c3h5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/78118?format=api", 
"vulnerability_id": "VCID-wqxc-qnu8-q7d7", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.59 and 9.6.0-alpha.53, an attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name parameters of the aggregate $group pipeline stage or the distinct operation. This allows privilege escalation from Parse Server application-level administrator to PostgreSQL database-level access. Only Parse Server deployments using PostgreSQL are affected. MongoDB deployments are not affected. This issue has been patched in versions 8.6.59 and 9.6.0-alpha.53.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33539", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07139", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33539" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33539", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33539" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/03249f9bf5b8783c8b848f84dab791ff0b761b8c", "reference_id": 
"03249f9bf5b8783c8b848f84dab791ff0b761b8c", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:33:11Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/03249f9bf5b8783c8b848f84dab791ff0b761b8c" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10272", "reference_id": "10272", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:33:11Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10272" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10273", "reference_id": "10273", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:33:11Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10273" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/bdddab5f8b61a40cb8fc62dd895887bdd2f3838e", "reference_id": "bdddab5f8b61a40cb8fc62dd895887bdd2f3838e", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { 
"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:33:11Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/bdddab5f8b61a40cb8fc62dd895887bdd2f3838e" }, { "reference_url": "https://github.com/advisories/GHSA-p2w6-rmh7-w8q3", "reference_id": "GHSA-p2w6-rmh7-w8q3", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p2w6-rmh7-w8q3" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-p2w6-rmh7-w8q3", "reference_id": "GHSA-p2w6-rmh7-w8q3", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:33:11Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-p2w6-rmh7-w8q3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374807?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.53", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { 
"vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.53" } ], "aliases": [ "CVE-2026-33539", "GHSA-p2w6-rmh7-w8q3" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wqxc-qnu8-q7d7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66569?format=api", "vulnerability_id": "VCID-wtbe-kc8y-77dk", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.9 and 8.6.22, the OAuth2 authentication adapter, when configured without the useridField option, only verifies that a token is active via the provider's token introspection endpoint, but does not verify that the token belongs to the user identified by authData.id. An attacker with any valid OAuth2 token from the same provider can authenticate as any other user. This affects any Parse Server deployment that uses the generic OAuth2 authentication adapter (configured with oauth2: true) without setting the useridField option. This vulnerability is fixed in 9.5.2-alpha.9
and 8.6.22.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30967", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00127", "scoring_system": "epss", "scoring_elements": "0.3166", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30967" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.22", "reference_id": "8.6.22", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:24:03Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.22" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.9", "reference_id": "9.5.2-alpha.9", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:24:03Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.9" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30967", 
"reference_id": "CVE-2026-30967", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30967" }, { "reference_url": "https://github.com/advisories/GHSA-fr88-w35c-r596", "reference_id": "GHSA-fr88-w35c-r596", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fr88-w35c-r596" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-fr88-w35c-r596", "reference_id": "GHSA-fr88-w35c-r596", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:24:03Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-fr88-w35c-r596" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40655?format=api", "purl": "pkg:npm/parse-server@9.5.2-alpha.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-262h-v1yd-tfc9" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2qbc-paq8-2fgn" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": 
"VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-caj3-ujpk-hba5" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-fdqv-3n6r-2fgb" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gjus-pwzw-qufs" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hh7p-ae88-z3fs" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-jh6w-1y2k-27de" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-qybe-rg1s-6kau" }, { "vulnerability": "VCID-rr98-m4bd-dqhf" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-w175-44z9-c3h5" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-xrz4-1vpd-2qeg" }, { "vulnerability": "VCID-zrvb-y7f6-ykby" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.9" } ], "aliases": [ "CVE-2026-30967", "GHSA-fr88-w35c-r596" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": 
"http://public2.vulnerablecode.io/vulnerabilities/VCID-wtbe-kc8y-77dk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71277?format=api", "vulnerability_id": "VCID-xrz4-1vpd-2qeg", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.6 and 8.6.32, the protectedFields class-level permission (CLP) can be bypassed using dot-notation in query WHERE clauses and sort parameters. An attacker can use dot-notation to query or sort by sub-fields of a protected field, enabling a binary oracle attack to enumerate protected field values. This affects both MongoDB and PostgreSQL deployments. This vulnerability is fixed in 9.6.0-alpha.6 and 8.6.32.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31872", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00049", "scoring_system": "epss", "scoring_elements": "0.1557", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31872" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.32", "reference_id": "8.6.32", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:09:09Z/" } ], "url": 
"https://github.com/parse-community/parse-server/releases/tag/8.6.32" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.6", "reference_id": "9.6.0-alpha.6", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:09:09Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31872", "reference_id": "CVE-2026-31872", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31872" }, { "reference_url": "https://github.com/advisories/GHSA-r2m8-pxm9-9c4g", "reference_id": "GHSA-r2m8-pxm9-9c4g", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r2m8-pxm9-9c4g" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-r2m8-pxm9-9c4g", "reference_id": "GHSA-r2m8-pxm9-9c4g", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:09:09Z/" } ], "url": 
"https://github.com/parse-community/parse-server/security/advisories/GHSA-r2m8-pxm9-9c4g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40691?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hh7p-ae88-z3fs" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-rr98-m4bd-dqhf" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-w175-44z9-c3h5" }, { "vulnerability": 
"VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-zrvb-y7f6-ykby" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.6" } ], "aliases": [ "CVE-2026-31872", "GHSA-r2m8-pxm9-9c4g" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xrz4-1vpd-2qeg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66455?format=api", "vulnerability_id": "VCID-yup6-6p9f-n7bu", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.6 and 8.6.19, the validation for protected fields only checks top-level query keys. By wrapping a query constraint on a protected field inside a logical operator, the check is bypassed entirely. This allows any authenticated user to query on protected fields to extract field values. All Parse Server deployments have default protected fields and are vulnerable. 
This vulnerability is fixed in 9.5.2-alpha.6 and 8.6.19.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30962", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14588", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30962" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.19", "reference_id": "8.6.19", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-11T14:28:30Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.19" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.6", "reference_id": "9.5.2-alpha.6", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-11T14:28:30Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.6" }, { "reference_url": 
"https://nvd.nist.gov/vuln/detail/CVE-2026-30962", "reference_id": "CVE-2026-30962", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30962" }, { "reference_url": "https://github.com/advisories/GHSA-72hp-qff8-4pvv", "reference_id": "GHSA-72hp-qff8-4pvv", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-72hp-qff8-4pvv" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-72hp-qff8-4pvv", "reference_id": "GHSA-72hp-qff8-4pvv", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-11T14:28:30Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-72hp-qff8-4pvv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40650?format=api", "purl": "pkg:npm/parse-server@9.5.2-alpha.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-262h-v1yd-tfc9" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2qbc-paq8-2fgn" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-2syy-yyte-nug4" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { 
"vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-caj3-ujpk-hba5" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-fdqv-3n6r-2fgb" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gjus-pwzw-qufs" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hh7p-ae88-z3fs" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-jh6w-1y2k-27de" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-pkkz-wwqa-1ufw" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-qybe-rg1s-6kau" }, { "vulnerability": "VCID-rr98-m4bd-dqhf" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-w175-44z9-c3h5" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-wtbe-kc8y-77dk" }, { "vulnerability": "VCID-xrz4-1vpd-2qeg" }, { "vulnerability": "VCID-zrvb-y7f6-ykby" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.6" } ], 
"aliases": [ "CVE-2026-30962", "GHSA-72hp-qff8-4pvv" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yup6-6p9f-n7bu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/76916?format=api", "vulnerability_id": "VCID-zrvb-y7f6-ykby", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.11 and 8.6.37, Parse Server's built-in OAuth2 auth adapter exports a singleton instance that is reused directly across all OAuth2 provider configurations. Under concurrent authentication requests for different OAuth2 providers, one provider's token validation may execute using another provider's configuration, potentially allowing a token that should be rejected by one provider to be accepted because it is validated against a different provider's policy. Deployments that configure multiple OAuth2 providers via the oauth2: true flag are affected. 
This vulnerability is fixed in 9.6.0-alpha.11 and 8.6.37.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32242", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00066", "scoring_system": "epss", "scoring_elements": "0.20588", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32242" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32242", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32242" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.37", "reference_id": "8.6.37", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:20:03Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.37" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.11", "reference_id": "9.6.0-alpha.11", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": 
"cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:20:03Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.11" }, { "reference_url": "https://github.com/advisories/GHSA-2cjm-2gwv-m892", "reference_id": "GHSA-2cjm-2gwv-m892", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2cjm-2gwv-m892" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-2cjm-2gwv-m892", "reference_id": "GHSA-2cjm-2gwv-m892", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:20:03Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-2cjm-2gwv-m892" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374719?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": 
"VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.11" } ], "aliases": [ "CVE-2026-32242", "GHSA-2cjm-2gwv-m892" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zrvb-y7f6-ykby" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/75237?format=api", "vulnerability_id": "VCID-zx4t-zth8-7fe5", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.67 and 9.7.0-alpha.11, an attacker can bypass Cloud Function validator access controls by appending \"prototype.constructor\" to the function name in the URL. 
When a Cloud Function handler is declared using the function keyword and its validator is a plain object or arrow function, the trigger store traversal resolves the handler through its own prototype chain while the validator store fails to mirror this traversal, causing all access control enforcement to be skipped. This allows unauthenticated callers to invoke Cloud Functions that are meant to be protected by validators such as requireUser, requireMaster, or custom validation logic. This issue has been patched in versions 8.6.67 and 9.7.0-alpha.11.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34532", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13654", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34532" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34532", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34532" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10342", "reference_id": "10342", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": 
"CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-31T17:21:00Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10342" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10343", "reference_id": "10343", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-31T17:21:00Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10343" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/4fc48cf28f22eea200d74d883505f485234a48d7", "reference_id": "4fc48cf28f22eea200d74d883505f485234a48d7", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-31T17:21:00Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/4fc48cf28f22eea200d74d883505f485234a48d7" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/dc59e272665644083c5b7f6862d88ce1ef0b2674", "reference_id": "dc59e272665644083c5b7f6862d88ce1ef0b2674", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", 
"scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-31T17:21:00Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/dc59e272665644083c5b7f6862d88ce1ef0b2674" }, { "reference_url": "https://github.com/advisories/GHSA-vpj2-qq7w-5qq6", "reference_id": "GHSA-vpj2-qq7w-5qq6", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vpj2-qq7w-5qq6" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vpj2-qq7w-5qq6", "reference_id": "GHSA-vpj2-qq7w-5qq6", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-31T17:21:00Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vpj2-qq7w-5qq6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374867?format=api", "purl": "pkg:npm/parse-server@9.7.0-alpha.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.11" } ], "aliases": [ "CVE-2026-34532", "GHSA-vpj2-qq7w-5qq6" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": 
"http://public2.vulnerablecode.io/vulnerabilities/VCID-zx4t-zth8-7fe5" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66471?format=api", "vulnerability_id": "VCID-8cct-wkqq-nqdm", "summary": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.12 and 9.5.1-alpha.1, the requestKeywordDenylist security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is caused by a logic bug that stops scanning sibling keys after encountering the first nested value. Any custom requestKeywordDenylist entries configured by the developer are equally bypassable using the same technique. All Parse Server deployments are affected. The requestKeywordDenylist is enabled by default. This vulnerability is fixed in 8.6.12 and 9.5.1-alpha.1. As a workaround, use a Cloud Code beforeSave trigger to validate incoming data for prohibited keywords across all classes.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30938", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00067", "scoring_system": "epss", "scoring_elements": "0.2095", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30938" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.12", "reference_id": "8.6.12", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:56:19Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.12" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.5.1-alpha.1", "reference_id": "9.5.1-alpha.1", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:56:19Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.1-alpha.1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30938", "reference_id": "CVE-2026-30938", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30938" }, { "reference_url": "https://github.com/advisories/GHSA-q342-9w2p-57fp", "reference_id": "GHSA-q342-9w2p-57fp", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-q342-9w2p-57fp" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-q342-9w2p-57fp", "reference_id": "GHSA-q342-9w2p-57fp", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", 
"scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:56:19Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-q342-9w2p-57fp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40423?format=api", "purl": "pkg:npm/parse-server@8.6.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-22pk-5s6t-ufaw" }, { "vulnerability": "VCID-262h-v1yd-tfc9" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2qbc-paq8-2fgn" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-2syy-yyte-nug4" }, { "vulnerability": "VCID-2t98-yfws-zfgn" }, { "vulnerability": "VCID-383v-s4c7-6bfu" }, { "vulnerability": "VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-brgs-d2uu-a7bt" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-caj3-ujpk-hba5" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dmkx-64cw-67ae" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-fdqv-3n6r-2fgb" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gjus-pwzw-qufs" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": 
"VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hh7p-ae88-z3fs" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-jh6w-1y2k-27de" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-pkkz-wwqa-1ufw" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-qybe-rg1s-6kau" }, { "vulnerability": "VCID-rr98-m4bd-dqhf" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-smga-c628-mucb" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-w175-44z9-c3h5" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-wtbe-kc8y-77dk" }, { "vulnerability": "VCID-xrz4-1vpd-2qeg" }, { "vulnerability": "VCID-yup6-6p9f-n7bu" }, { "vulnerability": "VCID-zrvb-y7f6-ykby" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/40422?format=api", "purl": "pkg:npm/parse-server@9.5.1-alpha.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13fb-z2vs-83hu" }, { "vulnerability": "VCID-14fp-bjdd-uffh" }, { "vulnerability": "VCID-1y9a-gb1j-ufdu" }, { "vulnerability": "VCID-22pk-5s6t-ufaw" }, { "vulnerability": "VCID-262h-v1yd-tfc9" }, { "vulnerability": "VCID-2fzy-ajnc-fbf9" }, { "vulnerability": "VCID-2qbc-paq8-2fgn" }, { "vulnerability": "VCID-2rxm-qxur-9ygu" }, { "vulnerability": "VCID-2syy-yyte-nug4" }, { "vulnerability": "VCID-2t98-yfws-zfgn" }, { "vulnerability": "VCID-383v-s4c7-6bfu" }, { "vulnerability": 
"VCID-49m3-j488-yqes" }, { "vulnerability": "VCID-53r7-9knw-u7bd" }, { "vulnerability": "VCID-5bbt-8378-17d1" }, { "vulnerability": "VCID-7jbf-hw56-9bcx" }, { "vulnerability": "VCID-bpp2-r2wr-vkf6" }, { "vulnerability": "VCID-brgs-d2uu-a7bt" }, { "vulnerability": "VCID-ca2c-skt8-mqau" }, { "vulnerability": "VCID-caj3-ujpk-hba5" }, { "vulnerability": "VCID-cbrh-vg1p-3ua7" }, { "vulnerability": "VCID-dhkw-d15h-rkb5" }, { "vulnerability": "VCID-dmkx-64cw-67ae" }, { "vulnerability": "VCID-dyd6-6yy1-hyhn" }, { "vulnerability": "VCID-e7pg-sdu5-mkhh" }, { "vulnerability": "VCID-e84c-36en-wqaa" }, { "vulnerability": "VCID-ee1t-31wz-ufbw" }, { "vulnerability": "VCID-evdb-d9ew-pbfq" }, { "vulnerability": "VCID-fdqv-3n6r-2fgb" }, { "vulnerability": "VCID-g9b7-r5ry-mybm" }, { "vulnerability": "VCID-gjus-pwzw-qufs" }, { "vulnerability": "VCID-gngn-8vy6-bkg7" }, { "vulnerability": "VCID-hbms-u2mt-jyhn" }, { "vulnerability": "VCID-hh7p-ae88-z3fs" }, { "vulnerability": "VCID-hs5q-jk5r-7ya8" }, { "vulnerability": "VCID-j3ba-adds-muay" }, { "vulnerability": "VCID-j6sw-ak9p-nyhc" }, { "vulnerability": "VCID-jh6w-1y2k-27de" }, { "vulnerability": "VCID-mdgb-p4u1-uud5" }, { "vulnerability": "VCID-mm7p-maf1-eyhq" }, { "vulnerability": "VCID-mxgt-92ep-73fj" }, { "vulnerability": "VCID-n4s7-6vvk-skfz" }, { "vulnerability": "VCID-n5mt-eebx-zbcf" }, { "vulnerability": "VCID-nqev-h9w8-pudy" }, { "vulnerability": "VCID-nt51-v9gk-w3e8" }, { "vulnerability": "VCID-pkkz-wwqa-1ufw" }, { "vulnerability": "VCID-q59u-ywkn-wbfw" }, { "vulnerability": "VCID-qybe-rg1s-6kau" }, { "vulnerability": "VCID-rr98-m4bd-dqhf" }, { "vulnerability": "VCID-s2mj-yppn-ckaa" }, { "vulnerability": "VCID-smga-c628-mucb" }, { "vulnerability": "VCID-tuts-aegs-r7e7" }, { "vulnerability": "VCID-vmwk-3myb-u7ds" }, { "vulnerability": "VCID-w175-44z9-c3h5" }, { "vulnerability": "VCID-wqxc-qnu8-q7d7" }, { "vulnerability": "VCID-wtbe-kc8y-77dk" }, { "vulnerability": "VCID-xrz4-1vpd-2qeg" }, { "vulnerability": 
"VCID-yup6-6p9f-n7bu" }, { "vulnerability": "VCID-zrvb-y7f6-ykby" }, { "vulnerability": "VCID-zx4t-zth8-7fe5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.1-alpha.1" } ], "aliases": [ "CVE-2026-30938", "GHSA-q342-9w2p-57fp" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8cct-wkqq-nqdm" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.1-alpha.1" }