Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/618914?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/618914?format=api", "purl": "pkg:npm/parse-server@5.3.0-alpha.16", "type": "npm", "namespace": "", "name": "parse-server", "version": "5.3.0-alpha.16", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "8.6.76", "latest_non_vulnerable_version": "9.9.1-alpha.2", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50835?format=api", "vulnerability_id": "VCID-1j65-rdzh-6bc3", "summary": "Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL\nA SQL injection vulnerability exists in the PostgreSQL storage adapter when processing `Increment` operations on nested object fields using dot notation (e.g., `stats.counter`). The sub-key name is interpolated directly into SQL string literals without escaping. An attacker who can send write requests to the Parse Server REST API can inject arbitrary SQL via a crafted sub-key name containing single quotes, potentially executing commands or reading data from the database, bypassing CLPs and ACLs.\n\nOnly Postgres deployments are affected.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31871", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13198", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13276", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13317", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13313", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31871" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", 
"scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:09:48Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.31" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:09:48Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.5" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31871", "reference_id": "CVE-2026-31871", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31871" }, { "reference_url": "https://github.com/advisories/GHSA-gqpp-xgvh-9h7h", "reference_id": "GHSA-gqpp-xgvh-9h7h", 
"reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gqpp-xgvh-9h7h" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-gqpp-xgvh-9h7h", "reference_id": "GHSA-gqpp-xgvh-9h7h", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:09:48Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-gqpp-xgvh-9h7h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74709?format=api", "purl": "pkg:npm/parse-server@8.6.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": 
"VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.31" }, { "url": "http://public2.vulnerablecode.io/api/packages/74708?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": 
"VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.5" } ], "aliases": [ "CVE-2026-31871", "GHSA-gqpp-xgvh-9h7h" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1j65-rdzh-6bc3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45942?format=api", "vulnerability_id": "VCID-2h23-n9we-rbdj", "summary": "Always-Incorrect Control Flow Implementation\nParse Server is an open source backend server. In affected versions the Parse Cloud trigger `beforeFind` is not invoked in certain conditions of `Parse.Query`. This can pose a vulnerability for deployments where the `beforeFind` trigger is used as a security layer to modify the incoming query. 
The vulnerability has been fixed by refactoring the internal query pipeline for a more concise code structure and implementing a patch to ensure the `beforeFind` trigger is invoked. This fix was introduced in commit `be4c7e23c6` and has been included in releases 6.2.2 and 5.5.5. Users are advised to upgrade. Users unable to upgrade should use Parse Server's security layers (Class-Level Permissions and Object-Level Access Control) to manage access levels, instead of custom security layers in Cloud Code triggers.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-41058", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00268", "scoring_system": "epss", "scoring_elements": "0.50474", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00268", "scoring_system": "epss", "scoring_elements": "0.50462", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00268", "scoring_system": "epss", "scoring_elements": "0.50444", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00268", "scoring_system": "epss", "scoring_elements": "0.50494", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00268", "scoring_system": "epss", "scoring_elements": "0.50487", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-41058" }, { "reference_url": "https://docs.parseplatform.org/parse-server/guide/#security", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-30T17:43:38Z/" } ], "url": "https://docs.parseplatform.org/parse-server/guide/#security" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", 
"reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/be4c7e23c63a2fb690685665cebed0de26be05c5", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-30T17:43:38Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/be4c7e23c63a2fb690685665cebed0de26be05c5" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/5.5.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-30T17:43:38Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/5.5.5" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/6.2.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-30T17:43:38Z/" } ], "url": 
"https://github.com/parse-community/parse-server/releases/tag/6.2.2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41058", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41058" }, { "reference_url": "https://github.com/advisories/GHSA-fcv6-fg5r-jm9q", "reference_id": "GHSA-fcv6-fg5r-jm9q", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fcv6-fg5r-jm9q" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-fcv6-fg5r-jm9q", "reference_id": "GHSA-fcv6-fg5r-jm9q", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-30T17:43:38Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-fcv6-fg5r-jm9q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/66762?format=api", "purl": "pkg:npm/parse-server@5.5.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5cyt-1hbn-pkgb" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": 
"VCID-5web-hc9c-kbhe" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-6f3m-zdr1-sqf7" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8d4r-sv2m-hqhe" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-avfq-2nfn-fkdw" }, { "vulnerability": "VCID-b3ks-95ke-m7dz" }, { "vulnerability": "VCID-bgdt-2pkg-rbaj" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gkng-gbtu-hkc1" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jnuv-zhzb-nygr" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": 
"VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pr98-q3e2-tydx" }, { "vulnerability": "VCID-pt5h-ubds-5bah" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-q8xg-vs4w-d7g7" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-w51h-8rx9-5yaw" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-wu9b-cdwh-mka2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-z7cb-6ruj-4bf2" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@5.5.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/660261?format=api", "purl": "pkg:npm/parse-server@6.0.0-alpha.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5cyt-1hbn-pkgb" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-5web-hc9c-kbhe" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-6f3m-zdr1-sqf7" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": 
"VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8d4r-sv2m-hqhe" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-avfq-2nfn-fkdw" }, { "vulnerability": "VCID-b3ks-95ke-m7dz" }, { "vulnerability": "VCID-bgdt-2pkg-rbaj" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jnuv-zhzb-nygr" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pr98-q3e2-tydx" }, { "vulnerability": "VCID-pt5h-ubds-5bah" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": 
"VCID-q8xg-vs4w-d7g7" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-w51h-8rx9-5yaw" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-wu9b-cdwh-mka2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-z7cb-6ruj-4bf2" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@6.0.0-alpha.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/66763?format=api", "purl": "pkg:npm/parse-server@6.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5cyt-1hbn-pkgb" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-5web-hc9c-kbhe" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-6f3m-zdr1-sqf7" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8d4r-sv2m-hqhe" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": 
"VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-avfq-2nfn-fkdw" }, { "vulnerability": "VCID-b3ks-95ke-m7dz" }, { "vulnerability": "VCID-bgdt-2pkg-rbaj" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gkng-gbtu-hkc1" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jnuv-zhzb-nygr" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pr98-q3e2-tydx" }, { "vulnerability": "VCID-pt5h-ubds-5bah" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-q8xg-vs4w-d7g7" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": 
"VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-w51h-8rx9-5yaw" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-wu9b-cdwh-mka2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-z7cb-6ruj-4bf2" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@6.2.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/660266?format=api", "purl": "pkg:npm/parse-server@6.3.0-alpha.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5cyt-1hbn-pkgb" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-5web-hc9c-kbhe" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-6f3m-zdr1-sqf7" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8d4r-sv2m-hqhe" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-avfq-2nfn-fkdw" }, { "vulnerability": "VCID-b3ks-95ke-m7dz" }, { "vulnerability": "VCID-bgdt-2pkg-rbaj" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": 
"VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gkng-gbtu-hkc1" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jnuv-zhzb-nygr" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pr98-q3e2-tydx" }, { "vulnerability": "VCID-pt5h-ubds-5bah" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-q8xg-vs4w-d7g7" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-w51h-8rx9-5yaw" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": 
"VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-wu9b-cdwh-mka2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-z7cb-6ruj-4bf2" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@6.3.0-alpha.1" } ], "aliases": [ "CVE-2023-41058", "GHSA-fcv6-fg5r-jm9q" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2h23-n9we-rbdj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50871?format=api", "vulnerability_id": "VCID-3pbu-nwcc-hydn", "summary": "Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types\nAn attacker can upload a file with a file extension or content type that is not blocked by the default configuration of the Parse Server `fileUpload.fileExtensions` option. The file can contain malicious code, for example JavaScript in an SVG or XHTML file. When the file is accessed via its URL, the browser renders the file and executes the malicious code in the context of the Parse Server domain. This is a stored Cross-Site Scripting (XSS) vulnerability that can be exploited to steal session tokens, redirect users, or perform actions on behalf of other users.\n\nAffected file extensions and content types include `.svgz`, `.xht`, `.xml`, `.xsl`, `.xslt`, and content types `application/xhtml+xml` and `application/xslt+xml` for extensionless uploads. 
Uploading of `.html`, `.htm`, `.shtml`, `.xhtml`, and `.svg` files was already blocked.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31868", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.19928", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.19994", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.20032", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.20038", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31868" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.30", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:10:45Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.30" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.4", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:10:45Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31868", "reference_id": "CVE-2026-31868", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31868" }, { "reference_url": "https://github.com/advisories/GHSA-v5hf-f4c3-m5rv", "reference_id": "GHSA-v5hf-f4c3-m5rv", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v5hf-f4c3-m5rv" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-v5hf-f4c3-m5rv", "reference_id": "GHSA-v5hf-f4c3-m5rv", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:10:45Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-v5hf-f4c3-m5rv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74828?format=api", "purl": "pkg:npm/parse-server@8.6.30", "is_vulnerable": true, "affected_by_vulnerabilities": [ { 
"vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.30" }, { "url": 
"http://public2.vulnerablecode.io/api/packages/74827?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": 
"VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.4" } ], "aliases": [ "CVE-2026-31868", "GHSA-v5hf-f4c3-m5rv" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3pbu-nwcc-hydn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50824?format=api", "vulnerability_id": "VCID-4geq-pnnp-3fd8", "summary": "Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery\nA malicious client can subscribe to a LiveQuery with a crafted `$regex` pattern that causes catastrophic backtracking, blocking the Node.js event loop. This makes the entire Parse Server unresponsive, affecting all clients. Any Parse Server deployment with LiveQuery enabled is affected. The attacker only needs the application ID and JavaScript key, both of which are public in client-side apps.\n\nThis only affects LiveQuery subscription matching, which evaluates regex in JavaScript on the Node.js event loop. 
Normal REST and GraphQL queries are not affected because their regex is evaluated by the database engine.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30925", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05992", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.0604", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06044", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06056", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30925" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.11", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T14:08:58Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.11" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.14", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T14:08:58Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.14" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30925", "reference_id": "CVE-2026-30925", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30925" }, { "reference_url": "https://github.com/advisories/GHSA-mf3j-86qx-cq5j", "reference_id": "GHSA-mf3j-86qx-cq5j", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mf3j-86qx-cq5j" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mf3j-86qx-cq5j", "reference_id": "GHSA-mf3j-86qx-cq5j", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T14:08:58Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mf3j-86qx-cq5j" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74672?format=api", "purl": "pkg:npm/parse-server@8.6.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": 
"VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": 
"VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.11" }, { "url": "http://public2.vulnerablecode.io/api/packages/74671?format=api", "purl": "pkg:npm/parse-server@9.5.0-alpha.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": 
"VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.0-alpha.14" } ], "aliases": [ "CVE-2026-30925", "GHSA-mf3j-86qx-cq5j" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4geq-pnnp-3fd8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50878?format=api", "vulnerability_id": 
"VCID-51jb-xry5-5qc2", "summary": "Parse Server has a protected fields bypass via dot-notation in query and sort\nThe `protectedFields` class-level permission (CLP) can be bypassed using dot-notation in query WHERE clauses and sort parameters. An attacker can use dot-notation to query or sort by sub-fields of a protected field, enabling a binary oracle attack to enumerate protected field values.\n\nThis affects both MongoDB and PostgreSQL deployments.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31872", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00049", "scoring_system": "epss", "scoring_elements": "0.15452", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00049", "scoring_system": "epss", "scoring_elements": "0.15535", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00049", "scoring_system": "epss", "scoring_elements": "0.15575", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00049", "scoring_system": "epss", "scoring_elements": "0.15585", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31872" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.32", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:09:09Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.32" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.6", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:09:09Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31872", "reference_id": "CVE-2026-31872", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31872" }, { "reference_url": "https://github.com/advisories/GHSA-r2m8-pxm9-9c4g", "reference_id": "GHSA-r2m8-pxm9-9c4g", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r2m8-pxm9-9c4g" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-r2m8-pxm9-9c4g", "reference_id": "GHSA-r2m8-pxm9-9c4g", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:09:09Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-r2m8-pxm9-9c4g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74840?format=api", "purl": "pkg:npm/parse-server@8.6.32", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { 
"vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.32" }, { "url": "http://public2.vulnerablecode.io/api/packages/74839?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { 
"vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.6" } ], "aliases": [ "CVE-2026-31872", "GHSA-r2m8-pxm9-9c4g" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-51jb-xry5-5qc2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/48332?format=api", "vulnerability_id": "VCID-5cyt-1hbn-pkgb", "summary": "Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format\nA Server-Side Request Forgery (SSRF) vulnerability in the file upload functionality allows a request to an arbitrary URI to be executed when uploading a `Parse.File` with the `uri` parameter. The vulnerability stems from a file upload feature in which Parse Server retrieves the file data from a URI that is provided in the request. 
A request to the provided URI is executed, but the response is not stored in Parse Server's file storage as the server crashes upon receiving the response.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-64430", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00073", "scoring_system": "epss", "scoring_elements": "0.2219", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00073", "scoring_system": "epss", "scoring_elements": "0.22244", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00073", "scoring_system": "epss", "scoring_elements": "0.22291", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00073", "scoring_system": "epss", "scoring_elements": "0.22304", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-64430" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/8bbe3efbcf4a3b66f4a8db9bfb18cd98c050db51", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-07T18:22:45Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/8bbe3efbcf4a3b66f4a8db9bfb18cd98c050db51" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/97763863b72689a29ad7a311dfb590c3e3c50585", "reference_id": "", 
"reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-07T18:22:45Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/97763863b72689a29ad7a311dfb590c3e3c50585" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/9903", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-07T18:22:45Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/9903" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/9904", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-07T18:22:45Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/9904" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64430", "reference_id": "CVE-2025-64430", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64430" }, { "reference_url": 
"https://github.com/advisories/GHSA-x4qj-2f4q-r4rx", "reference_id": "GHSA-x4qj-2f4q-r4rx", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-x4qj-2f4q-r4rx" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-x4qj-2f4q-r4rx", "reference_id": "GHSA-x4qj-2f4q-r4rx", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-07T18:22:45Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-x4qj-2f4q-r4rx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/71334?format=api", "purl": "pkg:npm/parse-server@7.5.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-5web-hc9c-kbhe" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8d4r-sv2m-hqhe" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { 
"vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-b3ks-95ke-m7dz" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jnuv-zhzb-nygr" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-q8xg-vs4w-d7g7" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": 
"VCID-w51h-8rx9-5yaw" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-wu9b-cdwh-mka2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@7.5.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/811427?format=api", "purl": "pkg:npm/parse-server@8.0.0-alpha.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-5web-hc9c-kbhe" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8d4r-sv2m-hqhe" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-b3ks-95ke-m7dz" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": 
"VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jnuv-zhzb-nygr" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-q8xg-vs4w-d7g7" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-w51h-8rx9-5yaw" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-wu9b-cdwh-mka2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.0.0-alpha.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/71335?format=api", "purl": "pkg:npm/parse-server@8.4.0-alpha.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": 
"VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-5web-hc9c-kbhe" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8d4r-sv2m-hqhe" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-b3ks-95ke-m7dz" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jnuv-zhzb-nygr" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": 
"VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-q8xg-vs4w-d7g7" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-w51h-8rx9-5yaw" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-wu9b-cdwh-mka2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.4.0-alpha.2" } ], "aliases": [ "CVE-2025-64430", "GHSA-x4qj-2f4q-r4rx" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5cyt-1hbn-pkgb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90901?format=api", "vulnerability_id": "VCID-5j87-2q5c-cqdf", "summary": "GraphQL API endpoint ignores CORS origin restriction\n### Impact\n\nThe GraphQL API endpoint does not respect the `allowOrigin` server option and unconditionally allows cross-origin requests from any website. This bypasses origin restrictions that operators configure to control which websites can interact with the Parse Server API. 
The REST API correctly enforces the configured `allowOrigin` restriction.\n\n### Patches\n\nThe GraphQL API endpoint now uses the same CORS middleware as the REST API, ensuring the `allowOrigin` and `allowHeaders` server options are consistently enforced across all endpoints.\n\n### Workarounds\n\nThere is no known workaround other than upgrading.\n\n### Resources\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-q3p6-g7c4-829c\n- Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10334\n- Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10335", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34373", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05178", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05191", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06185", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06231", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34373" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/0347641507891d0013ec57f7c10f012064f41263", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:23:36Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/0347641507891d0013ec57f7c10f012064f41263" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/4dd0d3d8be1c39664c74ad10bb0abaa76bc41203", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:23:36Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/4dd0d3d8be1c39664c74ad10bb0abaa76bc41203" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10334", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:23:36Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10334" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10335", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", 
"scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:23:36Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10335" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-q3p6-g7c4-829c", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:23:36Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-q3p6-g7c4-829c" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34373", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34373" }, { "reference_url": "https://github.com/advisories/GHSA-q3p6-g7c4-829c", "reference_id": "GHSA-q3p6-g7c4-829c", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-q3p6-g7c4-829c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/112827?format=api", "purl": "pkg:npm/parse-server@8.6.66", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": 
"VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.66" }, { "url": "http://public2.vulnerablecode.io/api/packages/112824?format=api", "purl": "pkg:npm/parse-server@9.7.0-alpha.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.10" } ], "aliases": [ "CVE-2026-34373", "GHSA-q3p6-g7c4-829c" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5j87-2q5c-cqdf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91315?format=api", "vulnerability_id": "VCID-5tkj-suz2-hyf2", "summary": "Parse Server affected by empty authData bypassing credential requirement on signup\n### Impact\n\nA user can sign up without providing credentials by sending an empty `authData` object, bypassing the username and password requirement. This allows the creation of authenticated sessions without proper credentials, even when anonymous users are disabled.\n\n### Patches\n\nThe fix ensures that empty or non-actionable `authData` is treated the same as absent `authData` for the purpose of credential validation on new user creation. 
Username and password are now required when no valid auth provider data is present.\n\n### Workarounds\n\nUse a Cloud Code `beforeSave` trigger on the `_User` class to reject signups where `authData` is empty and no username/password is provided.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33042", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02007", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.01991", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02004", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02015", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33042" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10219", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:10:06Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10219" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10220", 
"reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:10:06Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10220" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-wjqw-r9x4-j59v", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:10:06Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-wjqw-r9x4-j59v" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33042", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33042" }, { "reference_url": "https://github.com/advisories/GHSA-wjqw-r9x4-j59v", "reference_id": "GHSA-wjqw-r9x4-j59v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wjqw-r9x4-j59v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113424?format=api", "purl": 
"pkg:npm/parse-server@8.6.49", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.49" }, { "url": "http://public2.vulnerablecode.io/api/packages/113422?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.29", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { 
"vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.29" } ], "aliases": [ "CVE-2026-33042", "GHSA-wjqw-r9x4-j59v" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5tkj-suz2-hyf2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50903?format=api", "vulnerability_id": "VCID-5tn5-f5x6-afbh", "summary": "Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause\nAn attacker can exploit LiveQuery subscriptions to infer the values of protected fields without directly receiving them. By subscribing with a WHERE clause that references a protected field (including via dot-notation or `$regex`), the attacker can observe whether LiveQuery events are delivered for matching objects. This creates a boolean oracle that leaks protected field values. 
The attack affects any class that has both `protectedFields` configured in Class-Level Permissions and LiveQuery enabled.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32098", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00052", "scoring_system": "epss", "scoring_elements": "0.16526", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00052", "scoring_system": "epss", "scoring_elements": "0.164", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00052", "scoring_system": "epss", "scoring_elements": "0.16481", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00052", "scoring_system": "epss", "scoring_elements": "0.16523", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32098" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.35", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T19:52:46Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.35" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.9", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", 
"scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T19:52:46Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.9" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32098", "reference_id": "CVE-2026-32098", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32098" }, { "reference_url": "https://github.com/advisories/GHSA-j7mm-f4rv-6q6q", "reference_id": "GHSA-j7mm-f4rv-6q6q", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-j7mm-f4rv-6q6q" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-j7mm-f4rv-6q6q", "reference_id": "GHSA-j7mm-f4rv-6q6q", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T19:52:46Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-j7mm-f4rv-6q6q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74861?format=api", "purl": "pkg:npm/parse-server@8.6.35", "is_vulnerable": true, 
"affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.35" }, { "url": "http://public2.vulnerablecode.io/api/packages/74860?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": 
"VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.9" } ], "aliases": [ "CVE-2026-32098", "GHSA-j7mm-f4rv-6q6q" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5tn5-f5x6-afbh" }, { "url": 
"http://public2.vulnerablecode.io/api/vulnerabilities/49449?format=api", "vulnerability_id": "VCID-5web-hc9c-kbhe", "summary": "Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables\nA Reflected Cross-Site Scripting (XSS) vulnerability exists in Parse Server's password reset and email verification HTML pages.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68115", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07285", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07329", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07349", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07343", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68115" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/9985", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-16T21:15:05Z/" } ], "url": 
"https://github.com/parse-community/parse-server/pull/9985" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/9986", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-16T21:15:05Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/9986" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68115", "reference_id": "CVE-2025-68115", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68115" }, { "reference_url": "https://github.com/advisories/GHSA-jhgf-2h8h-ggxv", "reference_id": "GHSA-jhgf-2h8h-ggxv", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jhgf-2h8h-ggxv" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-jhgf-2h8h-ggxv", "reference_id": "GHSA-jhgf-2h8h-ggxv", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-16T21:15:05Z/" } ], "url": 
"https://github.com/parse-community/parse-server/security/advisories/GHSA-jhgf-2h8h-ggxv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/72999?format=api", "purl": "pkg:npm/parse-server@8.6.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8d4r-sv2m-hqhe" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-b3ks-95ke-m7dz" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jnuv-zhzb-nygr" }, 
{ "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-q8xg-vs4w-d7g7" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-w51h-8rx9-5yaw" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/73000?format=api", "purl": "pkg:npm/parse-server@9.1.0-alpha.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { 
"vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8d4r-sv2m-hqhe" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-b3ks-95ke-m7dz" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jnuv-zhzb-nygr" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": 
"VCID-q8xg-vs4w-d7g7" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-w51h-8rx9-5yaw" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.1.0-alpha.3" } ], "aliases": [ "CVE-2025-68115", "GHSA-jhgf-2h8h-ggxv" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5web-hc9c-kbhe" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50770?format=api", "vulnerability_id": "VCID-67gc-6w6e-rkcg", "summary": "Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory\nThe `PagesRouter` static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured `pagesPath` directory. The boundary check uses a string prefix comparison without enforcing a directory separator boundary. An attacker can use path traversal sequences to access files in sibling directories whose names share the same prefix as the pages directory (e.g. `pages-secret` starts with `pages`).\n\nThis affects any Parse Server deployment with the `pages` feature enabled (`pages.enableRouter: true`). 
Exploitation requires a sibling directory of `pagesPath` whose name begins with the same string as the pages directory name.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30848", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06427", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06473", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06483", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06489", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30848" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30848", "reference_id": "CVE-2026-30848", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30848" }, { "reference_url": "https://github.com/advisories/GHSA-hm3f-q6rw-m6wh", "reference_id": "GHSA-hm3f-q6rw-m6wh", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hm3f-q6rw-m6wh" }, { "reference_url": 
"https://github.com/parse-community/parse-server/security/advisories/GHSA-hm3f-q6rw-m6wh", "reference_id": "GHSA-hm3f-q6rw-m6wh", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T17:38:49Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-hm3f-q6rw-m6wh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74564?format=api", "purl": "pkg:npm/parse-server@8.6.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { 
"vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/74565?format=api", "purl": "pkg:npm/parse-server@9.5.0-alpha.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { 
"vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fdvb-gy4j-6qcn" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": 
"VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.0-alpha.8" } ], "aliases": [ "CVE-2026-30848", "GHSA-hm3f-q6rw-m6wh" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-67gc-6w6e-rkcg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90996?format=api", "vulnerability_id": "VCID-6bmy-ymay-zfdm", "summary": "Parse Server vulnerable to schema poisoning via prototype pollution in deep copy\n### Impact\n\nAn attacker can bypass the default request keyword denylist protection and the class-level permission for adding fields by sending a crafted request that exploits prototype pollution in the deep copy mechanism. 
This allows injecting fields into class schemas that have field addition locked down, and can cause permanent schema type conflicts that cannot be resolved even with the master key.\n\n### Patches\n\nThe vulnerable third-party deep copy library has been replaced with a built-in deep clone mechanism that handles prototype properties safely, allowing the existing denylist check to correctly detect and reject the prohibited keyword.\n\n### Workarounds\n\nNone.\n\n### Vulnerability Independence\n\nThis vulnerability is not caused by or dependent on a vulnerability in a third-party dependency.\n\nThe third-party `deepcopy` library that was replaced in the fix has no known CVE or security advisory regarding this. The library functions as designed. It is not vulnerable.\n\nThe vulnerability is in parse-server's own request processing logic. Parse-server's security-critical keyword denylist check runs after the deep copy step in the request pipeline. The deep copy step strips `__proto__` properties as a normal part of its cloning behavior, which means the denylist check never sees the prohibited key. This allows an attacker to bypass both the denylist protection and class-level permissions for adding fields, resulting in schema poisoning.\n\nThe root cause is parse-server's reliance on a cloning mechanism that alters the shape of the data before the security check can inspect it. This is a logic flaw in parse-server's security pipeline, not a vulnerability in a dependency. 
Replacing the cloning mechanism was the fix for parse-server's own bug.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32878", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.0361", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03592", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03616", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03624", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32878" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10200", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T16:13:21Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10200" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10201", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T16:13:21Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10201" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-9ccr-fpp6-78qf", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T16:13:21Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-9ccr-fpp6-78qf" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32878", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32878" }, { "reference_url": "https://github.com/advisories/GHSA-9ccr-fpp6-78qf", "reference_id": "GHSA-9ccr-fpp6-78qf", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9ccr-fpp6-78qf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/112995?format=api", "purl": "pkg:npm/parse-server@8.6.44", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { 
"vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.44" }, { "url": "http://public2.vulnerablecode.io/api/packages/112994?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.20", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { 
"vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.20" } ], "aliases": [ "CVE-2026-32878", "GHSA-9ccr-fpp6-78qf" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6bmy-ymay-zfdm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44343?format=api", "vulnerability_id": "VCID-7ne4-7a82-9yfx", "summary": "Duplicate\nThis advisory duplicates another.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-22474", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00256", "scoring_system": "epss", "scoring_elements": "0.49243", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00256", "scoring_system": "epss", "scoring_elements": "0.49218", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00256", "scoring_system": "epss", "scoring_elements": "0.49206", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00256", "scoring_system": "epss", "scoring_elements": "0.49236", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00256", "scoring_system": "epss", "scoring_elements": 
"0.49182", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00256", "scoring_system": "epss", "scoring_elements": "0.49253", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-22474" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/e016d813e083ce6828f9abce245d15b681a224d8", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-01T17:36:20Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/e016d813e083ce6828f9abce245d15b681a224d8" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22474", "reference_id": "CVE-2023-22474", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22474" }, { "reference_url": "https://github.com/advisories/GHSA-vm5r-c87r-pf6x", "reference_id": "GHSA-vm5r-c87r-pf6x", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vm5r-c87r-pf6x" }, { "reference_url": 
"https://github.com/parse-community/parse-server/security/advisories/GHSA-vm5r-c87r-pf6x", "reference_id": "GHSA-vm5r-c87r-pf6x", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-01T17:36:20Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vm5r-c87r-pf6x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/63830?format=api", "purl": "pkg:npm/parse-server@5.4.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-2h23-n9we-rbdj" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5cyt-1hbn-pkgb" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-5web-hc9c-kbhe" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-6f3m-zdr1-sqf7" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8d4r-sv2m-hqhe" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-avfq-2nfn-fkdw" }, { "vulnerability": 
"VCID-b3ks-95ke-m7dz" }, { "vulnerability": "VCID-bgdt-2pkg-rbaj" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-d13k-gc2w-7yc1" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gkng-gbtu-hkc1" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jnuv-zhzb-nygr" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-msej-ykyc-qyhp" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pr98-q3e2-tydx" }, { "vulnerability": "VCID-pt5h-ubds-5bah" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-q8xg-vs4w-d7g7" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": 
"VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-w51h-8rx9-5yaw" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-wu9b-cdwh-mka2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-z7cb-6ruj-4bf2" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@5.4.1" } ], "aliases": [ "CVE-2023-22474", "GHSA-vm5r-c87r-pf6x", "GMS-2023-196" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7ne4-7a82-9yfx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50852?format=api", "vulnerability_id": "VCID-7spb-rcbx-w7gn", "summary": "Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL\nA SQL injection vulnerability exists in the PostgreSQL storage adapter when processing `Increment` operations on nested object fields using dot notation (e.g., `stats.counter`). The `amount` value is interpolated directly into the SQL query without parameterization or type validation. 
An attacker who can send write requests to the Parse Server REST API can inject arbitrary SQL subqueries to read any data from the database, bypassing CLPs and ACLs.\n\nMongoDB deployments are not affected.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31856", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13198", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13276", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13317", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13313", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31856" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.29", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:11:18Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.29" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.3", 
"reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:11:18Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31856", "reference_id": "CVE-2026-31856", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31856" }, { "reference_url": "https://github.com/advisories/GHSA-q3vj-96h2-gwvg", "reference_id": "GHSA-q3vj-96h2-gwvg", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-q3vj-96h2-gwvg" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-q3vj-96h2-gwvg", "reference_id": "GHSA-q3vj-96h2-gwvg", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:11:18Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-q3vj-96h2-gwvg" } ], "fixed_packages": [ { "url": 
"http://public2.vulnerablecode.io/api/packages/74771?format=api", "purl": "pkg:npm/parse-server@8.6.29", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": 
"VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.29" }, { "url": "http://public2.vulnerablecode.io/api/packages/74770?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": 
"VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.3" } ], "aliases": [ "CVE-2026-31856", "GHSA-q3vj-96h2-gwvg" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7spb-rcbx-w7gn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50828?format=api", "vulnerability_id": "VCID-7xk3-yn6w-nfd1", "summary": "Parse Server has a rate limit bypass via batch request endpoint\nParse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint (`/batch`) processes sub-requests internally by routing them directly through the Promise router, bypassing Express middleware including rate limiting. 
An attacker can bundle multiple requests targeting a rate-limited endpoint into a single batch request to circumvent the configured rate limit.\n\nAny Parse Server deployment that relies on the built-in rate limiting feature is affected.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30972", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00062", "scoring_system": "epss", "scoring_elements": "0.19383", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00062", "scoring_system": "epss", "scoring_elements": "0.19453", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00062", "scoring_system": "epss", "scoring_elements": "0.19496", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00062", "scoring_system": "epss", "scoring_elements": "0.19502", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30972" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.23", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:53:44Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.23" }, { "reference_url": 
"https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.10", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:53:44Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.10" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30972", "reference_id": "CVE-2026-30972", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30972" }, { "reference_url": "https://github.com/advisories/GHSA-775h-3xrc-c228", "reference_id": "GHSA-775h-3xrc-c228", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-775h-3xrc-c228" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-775h-3xrc-c228", "reference_id": "GHSA-775h-3xrc-c228", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:53:44Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-775h-3xrc-c228" } 
], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74681?format=api", "purl": "pkg:npm/parse-server@8.6.23", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { 
"vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.23" }, { "url": "http://public2.vulnerablecode.io/api/packages/74680?format=api", "purl": "pkg:npm/parse-server@9.5.2-alpha.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { 
"vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.10" } ], "aliases": [ "CVE-2026-30972", "GHSA-775h-3xrc-c228" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7xk3-yn6w-nfd1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90956?format=api", "vulnerability_id": "VCID-82fj-6jd2-hqc1", "summary": "LiveQuery protected field leak via shared mutable state across concurrent subscribers\n### Impact\n\nWhen multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects. The sensitive data filter modifies these shared objects in-place, so when one subscriber's filter removes a protected field, subsequent subscribers may receive the already-filtered object. 
This can cause protected fields and authentication data to leak to clients that should not see them, or cause clients that should see the data to receive an incomplete object.\n\nAdditionally, when an afterEvent Cloud Code trigger is registered, one subscriber's trigger modifications can leak to other subscribers through the same shared mutable state.\n\nAny Parse Server deployment using LiveQuery with protected fields or afterEvent triggers is affected when multiple clients subscribe to the same class.\n\n### Patches\n\nThe fix deep-clones the shared objects at the start of each subscriber's processing callback, ensuring each subscriber works on an independent copy. Additionally, a bug was fixed where master key LiveQuery clients could not receive events on classes with protected fields due to an incorrect type passed to the sensitive data filter.\n\n### Workarounds\n\nThere is no known workaround.\n\n### Resources\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-m983-v2ff-wq65\n- Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10330\n- Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10331", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34363", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06809", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.0681", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06847", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06813", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34363" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": 
"", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/5834e29234593addaa0251a85f572ad4f376320b", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:22Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/5834e29234593addaa0251a85f572ad4f376320b" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/776c71c3078e77d38c94937f463741793609d055", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:22Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/776c71c3078e77d38c94937f463741793609d055" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10330", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:22Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10330" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10331", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:22Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10331" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-m983-v2ff-wq65", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:22Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-m983-v2ff-wq65" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34363", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34363" }, { "reference_url": "https://github.com/advisories/GHSA-m983-v2ff-wq65", "reference_id": "GHSA-m983-v2ff-wq65", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" 
} ], "url": "https://github.com/advisories/GHSA-m983-v2ff-wq65" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/112926?format=api", "purl": "pkg:npm/parse-server@8.6.65", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.65" }, { "url": "http://public2.vulnerablecode.io/api/packages/112925?format=api", "purl": "pkg:npm/parse-server@9.7.0-alpha.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.9" } ], "aliases": [ "CVE-2026-34363", "GHSA-m983-v2ff-wq65" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-82fj-6jd2-hqc1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50731?format=api", "vulnerability_id": "VCID-8d4r-sv2m-hqhe", "summary": "Parse Server's Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction\nParse Server's `readOnlyMasterKey` option 
allows access with master-level read privileges but is documented to deny all write operations. However, some endpoints incorrectly accept the `readOnlyMasterKey` for mutating operations. This allows a caller who only holds the `readOnlyMasterKey` to create, modify, and delete Cloud Hooks and to start Cloud Jobs, which can be used for data exfiltration.\n\nAny Parse Server deployment that uses the `readOnlyMasterKey` option is affected. Note that an attacker needs to know the `readOnlyMasterKey` to exploit this vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29182", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06834", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06871", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06887", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06883", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29182" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.4", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { 
"value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-09T20:29:41Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.4" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.4.1-alpha.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-09T20:29:41Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.4.1-alpha.3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29182", "reference_id": "CVE-2026-29182", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29182" }, { "reference_url": "https://github.com/advisories/GHSA-vc89-5g3r-cmhh", "reference_id": "GHSA-vc89-5g3r-cmhh", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vc89-5g3r-cmhh" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vc89-5g3r-cmhh", "reference_id": "GHSA-vc89-5g3r-cmhh", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", 
"scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-09T20:29:41Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vc89-5g3r-cmhh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74516?format=api", "purl": "pkg:npm/parse-server@8.6.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { 
"vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-q8xg-vs4w-d7g7" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-w51h-8rx9-5yaw" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/74515?format=api", "purl": "pkg:npm/parse-server@9.4.1-alpha.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { 
"vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fdvb-gy4j-6qcn" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-q8xg-vs4w-d7g7" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": 
"VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-w51h-8rx9-5yaw" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.4.1-alpha.3" } ], "aliases": [ "CVE-2026-29182", "GHSA-vc89-5g3r-cmhh" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8d4r-sv2m-hqhe" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50853?format=api", "vulnerability_id": "VCID-8gsh-j1b9-3bew", "summary": "Parse Server has a bypass of class-level permissions in LiveQuery\nClass-level permissions (CLP) are not enforced for LiveQuery subscriptions. An unauthenticated or unauthorized client can subscribe to any LiveQuery-enabled class and receive real-time events for all objects, regardless of CLP restrictions.\n\nAll Parse Server deployments that use LiveQuery with class-level permissions are affected. 
Data intended to be restricted by CLP is leaked to unauthorized subscribers in real time.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30947", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05247", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05287", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05293", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05309", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30947" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.16", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T14:42:12Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.16" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T14:42:12Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30947", "reference_id": "CVE-2026-30947", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30947" }, { "reference_url": "https://github.com/advisories/GHSA-7ch5-98q2-7289", "reference_id": "GHSA-7ch5-98q2-7289", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7ch5-98q2-7289" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7ch5-98q2-7289", "reference_id": "GHSA-7ch5-98q2-7289", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T14:42:12Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7ch5-98q2-7289" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74773?format=api", "purl": "pkg:npm/parse-server@8.6.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": 
"VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": 
"VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/74772?format=api", "purl": "pkg:npm/parse-server@9.5.2-alpha.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": 
"VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.3" } ], "aliases": [ "CVE-2026-30947", "GHSA-7ch5-98q2-7289" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8gsh-j1b9-3bew" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50841?format=api", "vulnerability_id": "VCID-8xmh-99mq-ybbf", "summary": "Parse Server OAuth2 authentication adapter account takeover via identity spoofing\nThe OAuth2 authentication adapter, when configured without the `useridField` option, only verifies that a token is active via the provider's token introspection endpoint, but does not verify that the token belongs to the user identified by `authData.id`. 
An attacker with any valid OAuth2 token from the same provider can authenticate as any other user.\n\nThis affects any Parse Server deployment that uses the generic OAuth2 authentication adapter (configured with `oauth2: true`) without setting the `useridField` option.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30967", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00127", "scoring_system": "epss", "scoring_elements": "0.31593", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00127", "scoring_system": "epss", "scoring_elements": "0.31626", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00127", "scoring_system": "epss", "scoring_elements": "0.31664", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00127", "scoring_system": "epss", "scoring_elements": "0.31698", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30967" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.22", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:24:03Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.22" }, { "reference_url": 
"https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.9", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:24:03Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.9" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30967", "reference_id": "CVE-2026-30967", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30967" }, { "reference_url": "https://github.com/advisories/GHSA-fr88-w35c-r596", "reference_id": "GHSA-fr88-w35c-r596", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fr88-w35c-r596" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-fr88-w35c-r596", "reference_id": "GHSA-fr88-w35c-r596", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:24:03Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-fr88-w35c-r596" } ], "fixed_packages": [ 
{ "url": "http://public2.vulnerablecode.io/api/packages/74720?format=api", "purl": "pkg:npm/parse-server@8.6.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": 
"VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.22" }, { "url": "http://public2.vulnerablecode.io/api/packages/74719?format=api", "purl": "pkg:npm/parse-server@9.5.2-alpha.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": 
"VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.9" } ], "aliases": [ "CVE-2026-30967", "GHSA-fr88-w35c-r596" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8xmh-99mq-ybbf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50803?format=api", "vulnerability_id": "VCID-8zde-nj53-ebhu", "summary": "Parse Server: SQL injection via dot-notation field name in PostgreSQL\nAn attacker can use a dot-notation field name in combination with the `sort` query parameter to inject SQL into the PostgreSQL database through an improper escaping of sub-field values in dot-notation queries. 
The vulnerability may also affect queries that use dot-notation field names with the `distinct` and `where` query parameters.\n\nThis vulnerability only affects deployments using a PostgreSQL database.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31840", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00072", "scoring_system": "epss", "scoring_elements": "0.22069", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00072", "scoring_system": "epss", "scoring_elements": "0.22124", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00072", "scoring_system": "epss", "scoring_elements": "0.22173", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00072", "scoring_system": "epss", "scoring_elements": "0.22186", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31840" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.28", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-11T17:37:24Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.28" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.2", "reference_id": 
"", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-11T17:37:24Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31840", "reference_id": "CVE-2026-31840", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31840" }, { "reference_url": "https://github.com/advisories/GHSA-qpr4-jrj4-6f27", "reference_id": "GHSA-qpr4-jrj4-6f27", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qpr4-jrj4-6f27" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-qpr4-jrj4-6f27", "reference_id": "GHSA-qpr4-jrj4-6f27", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-11T17:37:24Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-qpr4-jrj4-6f27" } ], "fixed_packages": [ { "url": 
"http://public2.vulnerablecode.io/api/packages/74624?format=api", "purl": "pkg:npm/parse-server@8.6.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": 
"VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.28" }, { "url": "http://public2.vulnerablecode.io/api/packages/74623?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": 
"VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.2" } ], "aliases": [ "CVE-2026-31840", "GHSA-qpr4-jrj4-6f27" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8zde-nj53-ebhu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50820?format=api", "vulnerability_id": "VCID-9fqm-a5xk-j7d5", "summary": "Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement\nThe `requestKeywordDenylist` security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is caused by a logic bug that stops scanning sibling keys after encountering the first nested value. Any custom `requestKeywordDenylist` entries configured by the developer are equally by-passable using the same technique.\n\nAll Parse Server deployments are affected. 
The `requestKeywordDenylist` is enabled by default.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30938", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00067", "scoring_system": "epss", "scoring_elements": "0.20885", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00067", "scoring_system": "epss", "scoring_elements": "0.2095", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00067", "scoring_system": "epss", "scoring_elements": "0.20995", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00067", "scoring_system": "epss", "scoring_elements": "0.21009", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30938" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.12", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:56:19Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.12" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.5.1-alpha.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:56:19Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.1-alpha.1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30938", "reference_id": "CVE-2026-30938", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30938" }, { "reference_url": "https://github.com/advisories/GHSA-q342-9w2p-57fp", "reference_id": "GHSA-q342-9w2p-57fp", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-q342-9w2p-57fp" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-q342-9w2p-57fp", "reference_id": "GHSA-q342-9w2p-57fp", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:56:19Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-q342-9w2p-57fp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74663?format=api", "purl": "pkg:npm/parse-server@8.6.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { 
"vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": 
"VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/74664?format=api", "purl": "pkg:npm/parse-server@9.5.1-alpha.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": 
"VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.1-alpha.1" } ], "aliases": [ "CVE-2026-30938", "GHSA-q342-9w2p-57fp" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9fqm-a5xk-j7d5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50923?format=api", "vulnerability_id": "VCID-9kyv-xmvr-nfgf", "summary": "Parse Server's OAuth2 adapter shares mutable state across 
providers via singleton instance\nParse Server's built-in OAuth2 auth adapter exports a singleton instance that is reused directly across all OAuth2 provider configurations. Under concurrent authentication requests for different OAuth2 providers, one provider's token validation may execute using another provider's configuration, potentially allowing a token that should be rejected by one provider to be accepted because it is validated against a different provider's policy.\n\nDeployments that configure multiple OAuth2 providers via the `oauth2: true` flag are affected.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32242", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00066", "scoring_system": "epss", "scoring_elements": "0.20637", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00066", "scoring_system": "epss", "scoring_elements": "0.20513", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00066", "scoring_system": "epss", "scoring_elements": "0.20582", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00066", "scoring_system": "epss", "scoring_elements": "0.20625", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32242" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.37", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", 
"scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:20:03Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.37" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.11", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:20:03Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.11" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32242", "reference_id": "CVE-2026-32242", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32242" }, { "reference_url": "https://github.com/advisories/GHSA-2cjm-2gwv-m892", "reference_id": "GHSA-2cjm-2gwv-m892", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2cjm-2gwv-m892" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-2cjm-2gwv-m892", "reference_id": "GHSA-2cjm-2gwv-m892", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", 
"scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:20:03Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-2cjm-2gwv-m892" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74885?format=api", "purl": "pkg:npm/parse-server@8.6.37", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": 
"VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.37" }, { "url": "http://public2.vulnerablecode.io/api/packages/74884?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.11" } ], "aliases": [ "CVE-2026-32242", "GHSA-2cjm-2gwv-m892" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9kyv-xmvr-nfgf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/110121?format=api", "vulnerability_id": "VCID-9zya-mcv5-s7g8", "summary": "Remote code execution via MongoDB BSON parser through prototype pollution\n### Impact\n\nAn attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. \n\n### Patches\n\nPrevent prototype pollution in MongoDB database adapter.\n\n### Workarounds\n\nDisable remote code execution through the MongoDB BSON parser.\n\n### Collaborators\n\nMikhail Shcherbakov (KTH), Cristian-Alexandru Staicu (CISPA) and Musard Balliu (KTH) working with Trend Micro Zero Day Initiative\n\n### References\n\n- https://github.com/parse-community/parse-server/security/advisories/GHSA-prm5-8g2m-24gg", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-39396", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.10994", "scoring_system": "epss", "scoring_elements": "0.93564", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.10994", "scoring_system": "epss", "scoring_elements": "0.93579", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.10994", "scoring_system": "epss", "scoring_elements": "0.93572", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.10994", "scoring_system": "epss", "scoring_elements": "0.93574", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-39396" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/8295", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server/pull/8295" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/8296", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server/pull/8296" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/4.10.18", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/4.10.18" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/5.3.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/5.3.1" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-prm5-8g2m-24gg", 
"reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:48:14Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-prm5-8g2m-24gg" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39396", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39396" }, { "reference_url": "https://github.com/advisories/GHSA-prm5-8g2m-24gg", "reference_id": "GHSA-prm5-8g2m-24gg", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-prm5-8g2m-24gg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/148553?format=api", "purl": "pkg:npm/parse-server@5.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-2h23-n9we-rbdj" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5cyt-1hbn-pkgb" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-5web-hc9c-kbhe" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": 
"VCID-6f3m-zdr1-sqf7" }, { "vulnerability": "VCID-7ne4-7a82-9yfx" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8d4r-sv2m-hqhe" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-avfq-2nfn-fkdw" }, { "vulnerability": "VCID-b3ks-95ke-m7dz" }, { "vulnerability": "VCID-bgdt-2pkg-rbaj" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-d13k-gc2w-7yc1" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gkng-gbtu-hkc1" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jnuv-zhzb-nygr" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-k86f-a3gq-hbbv" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-msej-ykyc-qyhp" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": 
"VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pr98-q3e2-tydx" }, { "vulnerability": "VCID-pt5h-ubds-5bah" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-q8xg-vs4w-d7g7" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-v7yq-ntze-e3b1" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-w51h-8rx9-5yaw" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-wu9b-cdwh-mka2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-z7cb-6ruj-4bf2" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@5.3.1" } ], "aliases": [ "CVE-2022-39396", "GHSA-prm5-8g2m-24gg", "GMS-2022-6498" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9zya-mcv5-s7g8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91211?format=api", "vulnerability_id": "VCID-agc3-jfsf-kbhh", "summary": "Parse Server has an auth provider validation bypass on login via partial authData\n### Impact\n\nAn authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowing the user's credentials. 
The attacker only needs to know the user's provider ID to gain full access to their account, including a valid session token.\n\nThis affects Parse Server deployments where the server option `allowExpiredAuthDataToken` is set to `true`. The default value is `false`.\n\n### Patches\n\nAuth providers are now always validated on login, regardless of the `allowExpiredAuthDataToken` setting. The option `allowExpiredAuthDataToken` has been deprecated and will be removed in a future major version.\n\n### Workarounds\n\nSet `allowExpiredAuthDataToken` to `false` (the default) or remove the option from the server configuration.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33409", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.08515", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.0844", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.08494", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.08497", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33409" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/8d7df5639c4a35768fe8b78b4580b30e8a74721c", "reference_id": "", 
"reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T13:39:16Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/8d7df5639c4a35768fe8b78b4580b30e8a74721c" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/98f4ba5bcf2c199bfe6225f672e8edcd08ba732d", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T13:39:16Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/98f4ba5bcf2c199bfe6225f672e8edcd08ba732d" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10246", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "7", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T13:39:16Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10246" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10247", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T13:39:16Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10247" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-pfj7-wv7c-22pr", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" 
}, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T13:39:16Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-pfj7-wv7c-22pr" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33409", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33409" }, { "reference_url": "https://github.com/advisories/GHSA-pfj7-wv7c-22pr", "reference_id": "GHSA-pfj7-wv7c-22pr", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-pfj7-wv7c-22pr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113245?format=api", "purl": "pkg:npm/parse-server@8.6.52", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { 
"vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.52" }, { "url": "http://public2.vulnerablecode.io/api/packages/74558?format=api", "purl": "pkg:npm/parse-server@9.0.0-alpha.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-shyz-tw66-b3gv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.0.0-alpha.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/113244?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.41", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, 
{ "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.41" } ], "aliases": [ "CVE-2026-33409", "GHSA-pfj7-wv7c-22pr" ], "risk_score": 4.1, "exploitability": "0.5", "weighted_severity": "8.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-agc3-jfsf-kbhh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50845?format=api", "vulnerability_id": "VCID-au5b-pexg-tubt", "summary": "Parse Server has role escalation and CLP bypass via direct `_Join` table write\nParse Server's internal tables, which store Relation field mappings such as role memberships, can be directly accessed via the REST API or GraphQL API by any client using only the application key. No master key is required.\n\nAn attacker can create, read, update, or delete records in any internal relationship table. Exploiting this allows the attacker to inject themselves into any Parse Role, gaining all permissions associated with that role, including full read, write, and delete access to classes protected by role-based Class-Level Permissions (CLP). 
Similarly, writing to any such table that backs a Relation field used in a `pointerFields` CLP bypasses that access control.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30966", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.20045", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.20111", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.20151", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.20158", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30966" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.20", "reference_id": "", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-11T14:31:08Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.20" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.7", 
"reference_id": "", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-11T14:31:08Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.7" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30966", "reference_id": "CVE-2026-30966", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30966" }, { "reference_url": "https://github.com/advisories/GHSA-5f92-jrq3-28rc", "reference_id": "GHSA-5f92-jrq3-28rc", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5f92-jrq3-28rc" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-5f92-jrq3-28rc", "reference_id": "GHSA-5f92-jrq3-28rc", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-11T14:31:08Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-5f92-jrq3-28rc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74730?format=api", "purl": "pkg:npm/parse-server@8.6.20", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { 
"vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.20" }, { "url": "http://public2.vulnerablecode.io/api/packages/74729?format=api", "purl": "pkg:npm/parse-server@9.5.2-alpha.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { 
"vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.7" } ], "aliases": [ "CVE-2026-30966", "GHSA-5f92-jrq3-28rc" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-au5b-pexg-tubt" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47175?format=api", "vulnerability_id": "VCID-avfq-2nfn-fkdw", "summary": "ZDI-CAN-19105: Parse Server literalizeRegexPart SQL Injection\n### Impact\n\nThis vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database.\n\n### Patches\n\nThe algorithm to detect SQL injection has been improved.\n\n### Workarounds\n\nNone.\n\n### References\n\n- https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2\n- 
https://github.com/parse-community/parse-server/releases/tag/6.5.0 (fixed in Parse Server 6)\n- https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20 (fixed in Parse Server 7 alpha release)\n\n### Credits\n\n- Mikhail Shcherbakov (https://twitter.com/yu5k3) working with Trend Micro Zero Day Initiative (finder)\n- Ehsan Persania (remediation developer)\n- Manuel Trezza (coordinator)", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27298", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00313", "scoring_system": "epss", "scoring_elements": "0.54819", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00313", "scoring_system": "epss", "scoring_elements": "0.5482", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00313", "scoring_system": "epss", "scoring_elements": "0.54799", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00313", "scoring_system": "epss", "scoring_elements": "0.54825", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00313", "scoring_system": "epss", "scoring_elements": "0.54815", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27298" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504", "reference_id": "", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-05T15:39:53Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833", "reference_id": "", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-05T15:39:53Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/6.5.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-05T15:39:53Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/6.5.0" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20", "reference_id": "", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-05T15:39:53Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27298", "reference_id": "CVE-2024-27298", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27298" }, { "reference_url": "https://github.com/advisories/GHSA-6927-3vr9-fxf2", "reference_id": "GHSA-6927-3vr9-fxf2", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6927-3vr9-fxf2" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2", "reference_id": "GHSA-6927-3vr9-fxf2", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-05T15:39:53Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2" } ], 
"fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/69221?format=api", "purl": "pkg:npm/parse-server@6.5.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5cyt-1hbn-pkgb" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-5web-hc9c-kbhe" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-6f3m-zdr1-sqf7" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8d4r-sv2m-hqhe" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-b3ks-95ke-m7dz" }, { "vulnerability": "VCID-bgdt-2pkg-rbaj" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { 
"vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jnuv-zhzb-nygr" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pr98-q3e2-tydx" }, { "vulnerability": "VCID-pt5h-ubds-5bah" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-q8xg-vs4w-d7g7" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-w51h-8rx9-5yaw" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-wu9b-cdwh-mka2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-z7cb-6ruj-4bf2" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@6.5.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/69222?format=api", "purl": "pkg:npm/parse-server@7.0.0-alpha.20", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { 
"vulnerability": "VCID-5cyt-1hbn-pkgb" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-5web-hc9c-kbhe" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-6f3m-zdr1-sqf7" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8d4r-sv2m-hqhe" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-b3ks-95ke-m7dz" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jnuv-zhzb-nygr" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": 
"VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pt5h-ubds-5bah" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-q8xg-vs4w-d7g7" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-w51h-8rx9-5yaw" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-wu9b-cdwh-mka2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-z7cb-6ruj-4bf2" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@7.0.0-alpha.20" } ], "aliases": [ "CVE-2024-27298", "GHSA-6927-3vr9-fxf2" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-avfq-2nfn-fkdw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49454?format=api", "vulnerability_id": "VCID-b3ks-95ke-m7dz", "summary": "Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter\nThe Instagram authentication adapter allows clients to specify a custom API URL via the `apiURL` parameter in `authData`. 
This enables SSRF attacks and possibly authentication bypass if malicious endpoints return fake responses to validate unauthorized users.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68150", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00085", "scoring_system": "epss", "scoring_elements": "0.24564", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00085", "scoring_system": "epss", "scoring_elements": "0.24621", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00085", "scoring_system": "epss", "scoring_elements": "0.24678", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00085", "scoring_system": "epss", "scoring_elements": "0.24688", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68150" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/9988", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-17T14:50:51Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/9988" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/9989", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-17T14:50:51Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/9989" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68150", "reference_id": "CVE-2025-68150", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68150" }, { "reference_url": "https://github.com/advisories/GHSA-3f5f-xgrj-97pf", "reference_id": "GHSA-3f5f-xgrj-97pf", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3f5f-xgrj-97pf" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-3f5f-xgrj-97pf", "reference_id": "GHSA-3f5f-xgrj-97pf", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-17T14:50:51Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-3f5f-xgrj-97pf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73013?format=api", "purl": "pkg:npm/parse-server@8.6.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { 
"vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8d4r-sv2m-hqhe" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jnuv-zhzb-nygr" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": 
"VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-q8xg-vs4w-d7g7" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-w51h-8rx9-5yaw" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/74558?format=api", "purl": "pkg:npm/parse-server@9.0.0-alpha.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": 
"VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-shyz-tw66-b3gv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.0.0-alpha.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/73012?format=api", "purl": "pkg:npm/parse-server@9.1.1-alpha.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8d4r-sv2m-hqhe" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": 
"VCID-jnuv-zhzb-nygr" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-q8xg-vs4w-d7g7" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-w51h-8rx9-5yaw" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.1.1-alpha.1" } ], "aliases": [ "CVE-2025-68150", "GHSA-3f5f-xgrj-97pf" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-b3ks-95ke-m7dz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55456?format=api", "vulnerability_id": "VCID-bgdt-2pkg-rbaj", "summary": "ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability\nThis vulnerability allows SQL injection when Parse 
Server is configured to use the PostgreSQL database.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39309", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.03791", "scoring_system": "epss", "scoring_elements": "0.8832", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.03791", "scoring_system": "epss", "scoring_elements": "0.88305", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.03791", "scoring_system": "epss", "scoring_elements": "0.88304", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.03791", "scoring_system": "epss", "scoring_elements": "0.88302", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39309" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/2edf1e4c0363af01e97a7fbc97694f851b7d1ff3", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-02T17:29:00Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/2edf1e4c0363af01e97a7fbc97694f851b7d1ff3" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/f332d54577608c5ad927255e06d8c694e2e0ff5b", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-02T17:29:00Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/f332d54577608c5ad927255e06d8c694e2e0ff5b" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/9167", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-02T17:29:00Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/9167" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/9168", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-02T17:29:00Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/9168" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39309", "reference_id": "CVE-2024-39309", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39309" }, { "reference_url": "https://github.com/advisories/GHSA-c2hr-cqg6-8j6r", "reference_id": "GHSA-c2hr-cqg6-8j6r", "reference_type": "", "scores": [ 
{ "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-c2hr-cqg6-8j6r" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-c2hr-cqg6-8j6r", "reference_id": "GHSA-c2hr-cqg6-8j6r", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-02T17:29:00Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-c2hr-cqg6-8j6r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/81997?format=api", "purl": "pkg:npm/parse-server@6.5.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5cyt-1hbn-pkgb" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-5web-hc9c-kbhe" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-6f3m-zdr1-sqf7" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8d4r-sv2m-hqhe" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": 
"VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-b3ks-95ke-m7dz" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jnuv-zhzb-nygr" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pr98-q3e2-tydx" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-q8xg-vs4w-d7g7" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": 
"VCID-w51h-8rx9-5yaw" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-wu9b-cdwh-mka2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-z7cb-6ruj-4bf2" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@6.5.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/81998?format=api", "purl": "pkg:npm/parse-server@7.1.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5cyt-1hbn-pkgb" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-5web-hc9c-kbhe" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-6f3m-zdr1-sqf7" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8d4r-sv2m-hqhe" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-b3ks-95ke-m7dz" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" 
}, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jnuv-zhzb-nygr" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pr98-q3e2-tydx" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-q8xg-vs4w-d7g7" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-w51h-8rx9-5yaw" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-wu9b-cdwh-mka2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-z7cb-6ruj-4bf2" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@7.1.0" } ], "aliases": 
[ "CVE-2024-39309", "GHSA-c2hr-cqg6-8j6r" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bgdt-2pkg-rbaj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91292?format=api", "vulnerability_id": "VCID-c1nt-b6by-m7hu", "summary": "Parse Server exposes auth data via /users/me endpoint\n### Impact\n\nAn authenticated user calling `GET /users/me` receives unsanitized auth data, including sensitive credentials such as MFA TOTP secrets and recovery codes. The endpoint internally uses master-level authentication for the session query, and the master context leaks through to the user data, bypassing auth adapter sanitization. An attacker who obtains a user's session token can extract MFA secrets to generate valid TOTP codes indefinitely.\n\n### Patches\n\nThe `/users/me` endpoint now queries the session and user data separately, using the caller's authentication context for the user query so that all security layers apply correctly.\n\n### Workarounds\n\nThere is no known workaround.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33627", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.11932", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.12006", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.12044", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.12048", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33627" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/5b8998e6866bcf75be7b5bb625e27d23bfaf912c", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:38:24Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/5b8998e6866bcf75be7b5bb625e27d23bfaf912c" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/875cf10ac979bd60f70e7a0c534e2bc194d6982f", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:38:24Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/875cf10ac979bd60f70e7a0c534e2bc194d6982f" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10278", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:38:24Z/" } ], "url": 
"https://github.com/parse-community/parse-server/pull/10278" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10279", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:38:24Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10279" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-37mj-c2wf-cx96", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:38:24Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-37mj-c2wf-cx96" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33627", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33627" }, { "reference_url": "https://github.com/advisories/GHSA-37mj-c2wf-cx96", "reference_id": "GHSA-37mj-c2wf-cx96", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-37mj-c2wf-cx96" } ], 
"fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113378?format=api", "purl": "pkg:npm/parse-server@8.6.61", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.61" }, { "url": "http://public2.vulnerablecode.io/api/packages/113375?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.55", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.55" } ], "aliases": [ "CVE-2026-33627", "GHSA-37mj-c2wf-cx96" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c1nt-b6by-m7hu" }, { "url": 
"http://public2.vulnerablecode.io/api/vulnerabilities/50865?format=api", "vulnerability_id": "VCID-caaw-qhvr-nqaz", "summary": "Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload\nA stored cross-site scripting (XSS) vulnerability allows any authenticated user to upload an SVG file containing JavaScript. The file is served inline with `Content-Type: image/svg+xml` and without protective headers, causing the browser to execute embedded scripts in the Parse Server origin. This can be exploited to steal session tokens from `localStorage` and achieve account takeover.\n\nThe default `fileExtensions` option blocks HTML file extensions but does not block SVG, which is a well-known XSS vector. All Parse Server deployments where file upload is enabled for authenticated users (the default) are affected.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30948", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06017", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06064", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06067", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.0608", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30948" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": 
"https://github.com/parse-community/parse-server/releases/tag/8.6.17", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:41:33Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.17" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.4", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:41:33Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30948", "reference_id": "CVE-2026-30948", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30948" }, { "reference_url": "https://github.com/advisories/GHSA-hcj7-6gxh-24ww", "reference_id": "GHSA-hcj7-6gxh-24ww", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hcj7-6gxh-24ww" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-hcj7-6gxh-24ww", "reference_id": "GHSA-hcj7-6gxh-24ww", 
"reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:41:33Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-hcj7-6gxh-24ww" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74804?format=api", "purl": "pkg:npm/parse-server@8.6.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { 
"vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/74803?format=api", "purl": "pkg:npm/parse-server@9.5.2-alpha.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { 
"vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.4" } ], "aliases": [ "CVE-2026-30948", "GHSA-hcj7-6gxh-24ww" ], "risk_score": 4.0, "exploitability": 
"0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-caaw-qhvr-nqaz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91263?format=api", "vulnerability_id": "VCID-crd1-u2dd-6yh2", "summary": "Parse Server: Denial of Service via unindexed database query for unconfigured auth providers\n### Impact\n\nAn unauthenticated attacker can cause Denial of Service by sending authentication requests with arbitrary, unconfigured provider names. The server executes a database query for each unconfigured provider before rejecting the request, and since no database index exists for unconfigured providers, each request triggers a full collection scan on the user database. This can be parallelized to saturate database resources.\n\n### Patches\n\nThe fix validates that an authentication provider is configured before executing any database query. Requests with unconfigured providers are now rejected immediately without querying the database.\n\n### Workarounds\n\nThere is no known workaround other than upgrading.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33538", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00142", "scoring_system": "epss", "scoring_elements": "0.34147", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00142", "scoring_system": "epss", "scoring_elements": "0.34097", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00142", "scoring_system": "epss", "scoring_elements": "0.34131", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00142", "scoring_system": "epss", "scoring_elements": "0.34163", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33538" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/40eb442e02672986730007d0a1edb22c1c4bd357", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:37:14Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/40eb442e02672986730007d0a1edb22c1c4bd357" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/fbac847499e57f243315c5fc7135be1d58bb8e54", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:37:14Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/fbac847499e57f243315c5fc7135be1d58bb8e54" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10270", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:37:14Z/" } ], "url": 
"https://github.com/parse-community/parse-server/pull/10270" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10271", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:37:14Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10271" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-g4cf-xj29-wqqr", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:37:14Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-g4cf-xj29-wqqr" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33538", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33538" }, { "reference_url": "https://github.com/advisories/GHSA-g4cf-xj29-wqqr", "reference_id": "GHSA-g4cf-xj29-wqqr", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g4cf-xj29-wqqr" } ], 
"fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113343?format=api", "purl": "pkg:npm/parse-server@8.6.58", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.58" }, { "url": "http://public2.vulnerablecode.io/api/packages/113342?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.52", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.52" } ], "aliases": [ 
"CVE-2026-33538", "GHSA-g4cf-xj29-wqqr" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-crd1-u2dd-6yh2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91861?format=api", "vulnerability_id": "VCID-cuaf-2g3g-tuap", "summary": "Parse Server's LiveQuery bypasses CLP pointer permission enforcement\n### Impact\n\nParse Server's LiveQuery WebSocket interface does not enforce Class-Level Permission (CLP) pointer permissions (`readUserFields` and `pointerFields`). Any authenticated user can subscribe to LiveQuery events and receive real-time updates for all objects in classes protected by pointer permissions, regardless of whether the pointer fields on those objects point to the subscribing user. This bypasses the intended read access control, allowing unauthorized access to potentially sensitive data that is correctly restricted via the REST API.\n\n### Patches\n\nThe LiveQuery server now enforces pointer permissions on each event. After the existing check passes (which defers pointer permissions by design), the fix checks whether any configured pointer field on the object points to the subscribing user. Events for objects that don't match are silently skipped, consistent with how ACL mismatches are handled.\n\n### Workarounds\n\nUse ACLs on individual objects to restrict read access instead of relying solely on CLP pointer permissions. 
ACLs are enforced by LiveQuery.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33421", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01794", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01784", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01799", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01793", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33421" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/6c3317aca6eb618ac48f999021ae3ef7766ad1ea", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:18:10Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/6c3317aca6eb618ac48f999021ae3ef7766ad1ea" }, { 
"reference_url": "https://github.com/parse-community/parse-server/commit/976dad109f3fe3fbd0a3a35ef62e7a5d35eb0bee", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:18:10Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/976dad109f3fe3fbd0a3a35ef62e7a5d35eb0bee" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10250", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:18:10Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10250" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10252", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:18:10Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10252" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-fph2-r4qg-9576", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:18:10Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-fph2-r4qg-9576" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33421", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33421" }, { "reference_url": "https://github.com/advisories/GHSA-fph2-r4qg-9576", "reference_id": "GHSA-fph2-r4qg-9576", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fph2-r4qg-9576" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/114354?format=api", "purl": "pkg:npm/parse-server@8.6.53", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { 
"vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.53" }, { "url": "http://public2.vulnerablecode.io/api/packages/74558?format=api", "purl": "pkg:npm/parse-server@9.0.0-alpha.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-shyz-tw66-b3gv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.0.0-alpha.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/114353?format=api", "purl": 
"pkg:npm/parse-server@9.6.0-alpha.42", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.42" } ], "aliases": [ "CVE-2026-33421", "GHSA-fph2-r4qg-9576" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cuaf-2g3g-tuap" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91082?format=api", "vulnerability_id": "VCID-cuct-x9ub-1bd9", "summary": "Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter\n### Impact\n\nAn attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name parameters of the aggregate `$group` pipeline stage or the `distinct` operation. This allows privilege escalation from Parse Server application-level administrator to PostgreSQL database-level access.\n\nOnly Parse Server deployments using PostgreSQL are affected. 
MongoDB deployments are not affected.\n\n### Patches\n\nField names in the aggregate `$group._id` object values and `distinct` dot-notation parameters are now validated to only contain alphanumeric characters and underscores, preventing SQL injection via the `:raw` interpolation used in the PostgreSQL storage adapter.\n\n### Workarounds\n\nNo workaround. Upgrade to a patched version.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33539", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07071", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07116", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07129", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07123", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33539" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/03249f9bf5b8783c8b848f84dab791ff0b761b8c", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:33:11Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/03249f9bf5b8783c8b848f84dab791ff0b761b8c" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/bdddab5f8b61a40cb8fc62dd895887bdd2f3838e", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:33:11Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/bdddab5f8b61a40cb8fc62dd895887bdd2f3838e" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10272", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:33:11Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10272" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10273", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:33:11Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10273" }, { "reference_url": 
"https://github.com/parse-community/parse-server/security/advisories/GHSA-p2w6-rmh7-w8q3", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:33:11Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-p2w6-rmh7-w8q3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33539", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33539" }, { "reference_url": "https://github.com/advisories/GHSA-p2w6-rmh7-w8q3", "reference_id": "GHSA-p2w6-rmh7-w8q3", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p2w6-rmh7-w8q3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113104?format=api", "purl": "pkg:npm/parse-server@8.6.59", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { 
"vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.59" }, { "url": "http://public2.vulnerablecode.io/api/packages/113103?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.53", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.53" } ], "aliases": [ "CVE-2026-33539", "GHSA-p2w6-rmh7-w8q3" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cuct-x9ub-1bd9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45511?format=api", "vulnerability_id": "VCID-d13k-gc2w-7yc1", "summary": "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')\nParse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 5.5.2 and 6.2.1, an attacker can use a prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. 
A patch is available in versions 5.5.2 and 6.2.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-36475", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.09829", "scoring_system": "epss", "scoring_elements": "0.93122", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.09829", "scoring_system": "epss", "scoring_elements": "0.93125", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.09829", "scoring_system": "epss", "scoring_elements": "0.93127", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.09829", "scoring_system": "epss", "scoring_elements": "0.93132", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.09829", "scoring_system": "epss", "scoring_elements": "0.93129", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-36475" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-11-27T14:43:51Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f", 
"reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-11-27T14:43:51Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f" }, { "reference_url": "https://github.com/parse-community/parse-server/issues/8674", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-11-27T14:43:51Z/" } ], "url": "https://github.com/parse-community/parse-server/issues/8674" }, { "reference_url": "https://github.com/parse-community/parse-server/issues/8675", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-11-27T14:43:51Z/" } ], "url": "https://github.com/parse-community/parse-server/issues/8675" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/5.5.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-11-27T14:43:51Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/5.5.2" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/6.2.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-11-27T14:43:51Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/6.2.1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36475", "reference_id": "CVE-2023-36475", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36475" }, { "reference_url": "https://github.com/advisories/GHSA-462x-c3jw-7vr6", "reference_id": "GHSA-462x-c3jw-7vr6", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-462x-c3jw-7vr6" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6", "reference_id": "GHSA-462x-c3jw-7vr6", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-11-27T14:43:51Z/" } ], "url": 
"https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/65795?format=api", "purl": "pkg:npm/parse-server@5.5.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-2h23-n9we-rbdj" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5cyt-1hbn-pkgb" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-5web-hc9c-kbhe" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-6f3m-zdr1-sqf7" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8d4r-sv2m-hqhe" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-avfq-2nfn-fkdw" }, { "vulnerability": "VCID-b3ks-95ke-m7dz" }, { "vulnerability": "VCID-bgdt-2pkg-rbaj" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, 
{ "vulnerability": "VCID-gkng-gbtu-hkc1" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jnuv-zhzb-nygr" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pr98-q3e2-tydx" }, { "vulnerability": "VCID-pt5h-ubds-5bah" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-q8xg-vs4w-d7g7" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-w51h-8rx9-5yaw" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-wu9b-cdwh-mka2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-z7cb-6ruj-4bf2" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@5.5.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/660261?format=api", "purl": "pkg:npm/parse-server@6.0.0-alpha.1", "is_vulnerable": true, 
"affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5cyt-1hbn-pkgb" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-5web-hc9c-kbhe" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-6f3m-zdr1-sqf7" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8d4r-sv2m-hqhe" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-avfq-2nfn-fkdw" }, { "vulnerability": "VCID-b3ks-95ke-m7dz" }, { "vulnerability": "VCID-bgdt-2pkg-rbaj" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jnuv-zhzb-nygr" }, { "vulnerability": 
"VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pr98-q3e2-tydx" }, { "vulnerability": "VCID-pt5h-ubds-5bah" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-q8xg-vs4w-d7g7" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-w51h-8rx9-5yaw" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-wu9b-cdwh-mka2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-z7cb-6ruj-4bf2" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@6.0.0-alpha.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/65796?format=api", "purl": "pkg:npm/parse-server@6.2.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-2h23-n9we-rbdj" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5cyt-1hbn-pkgb" }, { "vulnerability": 
"VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-5web-hc9c-kbhe" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-6f3m-zdr1-sqf7" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8d4r-sv2m-hqhe" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-avfq-2nfn-fkdw" }, { "vulnerability": "VCID-b3ks-95ke-m7dz" }, { "vulnerability": "VCID-bgdt-2pkg-rbaj" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gkng-gbtu-hkc1" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jnuv-zhzb-nygr" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": 
"VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pr98-q3e2-tydx" }, { "vulnerability": "VCID-pt5h-ubds-5bah" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-q8xg-vs4w-d7g7" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-w51h-8rx9-5yaw" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-wu9b-cdwh-mka2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-z7cb-6ruj-4bf2" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@6.2.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/660266?format=api", "purl": "pkg:npm/parse-server@6.3.0-alpha.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5cyt-1hbn-pkgb" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-5web-hc9c-kbhe" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": 
"VCID-6f3m-zdr1-sqf7" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8d4r-sv2m-hqhe" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-avfq-2nfn-fkdw" }, { "vulnerability": "VCID-b3ks-95ke-m7dz" }, { "vulnerability": "VCID-bgdt-2pkg-rbaj" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gkng-gbtu-hkc1" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jnuv-zhzb-nygr" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": 
"VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pr98-q3e2-tydx" }, { "vulnerability": "VCID-pt5h-ubds-5bah" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-q8xg-vs4w-d7g7" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-w51h-8rx9-5yaw" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-wu9b-cdwh-mka2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-z7cb-6ruj-4bf2" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@6.3.0-alpha.1" } ], "aliases": [ "CVE-2023-36475", "GHSA-462x-c3jw-7vr6" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-d13k-gc2w-7yc1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90016?format=api", "vulnerability_id": "VCID-davb-xyy3-2qf1", "summary": "Parse Server: File upload Content-Type override via extension mismatch\n### Impact\n\nA file can be uploaded with a filename extension that passes the file extension allowlist (e.g., `.txt`) but with a `Content-Type` header that differs from the extension (e.g., `text/html`). The `Content-Type` is passed to the storage adapter without consistency validation. Storage adapters that store and serve the provided Content-Type (such as S3 or GCS) serve the file with the mismatched Content-Type. 
A browser that opens such a file will generally interpret it according to the served Content-Type (for example, rendering it as HTML) rather than according to its filename extension, so the extension allowlist alone does not control how the file is handled. The default GridFS adapter is not affected because it derives Content-Type from the filename at serving time.\n\n### Patches\n\nThe file upload now derives the Content-Type from the filename extension, overriding any user-provided Content-Type when the file has an extension.\n\n### Workarounds\n\nConfigure the storage adapter or CDN to derive Content-Type from the filename extension instead of using the stored Content-Type.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35200", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09853", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09937", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09965", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.0995", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35200" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10383", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T14:02:43Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10383" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10384", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T14:02:43Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10384" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vr5f-2r24-w5hc", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T14:02:43Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vr5f-2r24-w5hc" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35200", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35200" }, { "reference_url": "https://github.com/advisories/GHSA-vr5f-2r24-w5hc", "reference_id": "GHSA-vr5f-2r24-w5hc", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], 
"url": "https://github.com/advisories/GHSA-vr5f-2r24-w5hc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/111281?format=api", "purl": "pkg:npm/parse-server@8.6.73", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.73" }, { "url": "http://public2.vulnerablecode.io/api/packages/111280?format=api", "purl": "pkg:npm/parse-server@9.7.1-alpha.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.1-alpha.4" } ], "aliases": [ "CVE-2026-35200", "GHSA-vr5f-2r24-w5hc" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-davb-xyy3-2qf1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50837?format=api", "vulnerability_id": "VCID-dazy-p9qb-7qgk", "summary": "Parse Server missing audience validation in Keycloak authentication adapter\nThe Keycloak authentication adapter does not validate the `azp` (authorized party) claim of Keycloak access tokens against the configured `client-id`. A valid access token issued by the same Keycloak realm for a *different* client application can be used to authenticate as any user on the Parse Server that uses the Keycloak adapter. 
This enables cross-application account takeover in multi-client Keycloak realms.\n\nAll Parse Server deployments that use the Keycloak authentication adapter with a Keycloak realm that has multiple client applications are affected.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30949", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14585", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14668", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.1471", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14704", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30949" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.18", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-10T20:40:36Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.18" }, { "reference_url": 
"https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-10T20:40:36Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.5" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30949", "reference_id": "CVE-2026-30949", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30949" }, { "reference_url": "https://github.com/advisories/GHSA-48mh-j4p5-7j9v", "reference_id": "GHSA-48mh-j4p5-7j9v", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-48mh-j4p5-7j9v" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-48mh-j4p5-7j9v", "reference_id": "GHSA-48mh-j4p5-7j9v", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-10T20:40:36Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-48mh-j4p5-7j9v" } ], "fixed_packages": [ 
{ "url": "http://public2.vulnerablecode.io/api/packages/74713?format=api", "purl": "pkg:npm/parse-server@8.6.18", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": 
"VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.18" }, { "url": "http://public2.vulnerablecode.io/api/packages/74712?format=api", "purl": "pkg:npm/parse-server@9.5.2-alpha.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": 
"VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.5" } ], "aliases": [ "CVE-2026-30949", "GHSA-48mh-j4p5-7j9v" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dazy-p9qb-7qgk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91830?format=api", "vulnerability_id": "VCID-eh2m-7t9f-tqdm", "summary": "Parse Server leaks protected fields via LiveQuery afterEvent trigger\n### Impact\n\nWhen a `Parse.Cloud.afterLiveQueryEvent` trigger is registered for a class, the LiveQuery server leaks protected fields and `authData` to all subscribers of that class. 
Fields configured as protected via Class-Level Permissions (`protectedFields`) are included in LiveQuery event payloads for all event types (create, update, delete, enter, leave).\n\nAny user with sufficient CLP permissions to subscribe to the affected class can receive protected field data of other users, including sensitive personal information and OAuth tokens from third-party authentication providers.\n\n### Patches\n\nThe vulnerability was caused by a reference detachment bug. When an `afterEvent` trigger is registered, the LiveQuery server converts the event object to a `Parse.Object` for the trigger, then creates a new JSON copy via `toJSONwithObjects()`. The sensitive data filter was applied to the `Parse.Object` reference, but the unfiltered JSON copy was sent to clients. The fix ensures that the JSON copy is assigned back to the response object before filtering, so the filter operates on the actual data sent to clients.\n\n### Workarounds\n\nRemove all `Parse.Cloud.afterLiveQueryEvent` trigger registrations. 
Without an `afterEvent` trigger, the reference detachment does not occur and protected fields are correctly filtered.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33163", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11607", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11488", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11569", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11603", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33163" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10232", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-19T14:00:23Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10232" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10233", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-19T14:00:23Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10233" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-5hmj-jcgp-6hff", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-19T14:00:23Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-5hmj-jcgp-6hff" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33163", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33163" }, { "reference_url": "https://github.com/advisories/GHSA-5hmj-jcgp-6hff", "reference_id": "GHSA-5hmj-jcgp-6hff", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5hmj-jcgp-6hff" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/114264?format=api", "purl": "pkg:npm/parse-server@8.6.50", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": 
"VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.50" }, { "url": "http://public2.vulnerablecode.io/api/packages/114262?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.35", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": 
"VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.35" } ], "aliases": [ "CVE-2026-33163", "GHSA-5hmj-jcgp-6hff" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-eh2m-7t9f-tqdm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91182?format=api", "vulnerability_id": "VCID-f6mm-th5w-fug4", "summary": "parse-server has cloud function validator bypass via prototype chain traversal\n### Impact\n\nAn attacker can bypass Cloud Function validator access controls by appending `.prototype.constructor` to the function name in the URL. When a Cloud Function handler is declared using the `function` keyword and its validator is a plain object or arrow function, the trigger store traversal resolves the handler through its own prototype chain while the validator store fails to mirror this traversal, causing all access control enforcement to be skipped.\n\nThis allows unauthenticated callers to invoke Cloud Functions that are meant to be protected by validators such as `requireUser`, `requireMaster`, or custom validation logic.\n\n### Patches\n\nThe trigger store traversal now verifies that each intermediate node is a legitimate store object before continuing traversal. If the traversal encounters a non-store value such as a function handler, it stops and returns an empty store, preventing prototype chain escape.\n\n### Workarounds\n\nUse arrow functions instead of the `function` keyword for Cloud Function handlers. 
Arrow functions do not have a `prototype` property and are not affected by this vulnerability.\n\n### Resources\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-vpj2-qq7w-5qq6\n- Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10342\n- Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10343", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34532", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12939", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12936", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13539", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13626", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34532" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/4fc48cf28f22eea200d74d883505f485234a48d7", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-31T17:21:00Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/4fc48cf28f22eea200d74d883505f485234a48d7" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/dc59e272665644083c5b7f6862d88ce1ef0b2674", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-31T17:21:00Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/dc59e272665644083c5b7f6862d88ce1ef0b2674" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10342", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-31T17:21:00Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10342" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10343", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-31T17:21:00Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10343" }, { "reference_url": 
"https://github.com/parse-community/parse-server/security/advisories/GHSA-vpj2-qq7w-5qq6", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-31T17:21:00Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vpj2-qq7w-5qq6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34532", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34532" }, { "reference_url": "https://github.com/advisories/GHSA-vpj2-qq7w-5qq6", "reference_id": "GHSA-vpj2-qq7w-5qq6", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vpj2-qq7w-5qq6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113211?format=api", "purl": "pkg:npm/parse-server@8.6.67", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.67" }, { "url": "http://public2.vulnerablecode.io/api/packages/113209?format=api", "purl": "pkg:npm/parse-server@9.7.0-alpha.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.11" } ], "aliases": [ "CVE-2026-34532", "GHSA-vpj2-qq7w-5qq6" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f6mm-th5w-fug4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91285?format=api", "vulnerability_id": "VCID-faws-rh1j-tba1", "summary": "Parse Server's Cloud function dispatch crashes server via prototype chain traversal\n### Impact\n\nRemote clients can crash the Parse Server process by calling a cloud function endpoint with a crafted function name that traverses the JavaScript prototype chain of a registered cloud function handler, causing a stack overflow.\n\n### Patches\n\nThe fix restricts property lookups during cloud function name resolution to own properties only, preventing prototype chain traversal from stored function handlers.\n\n### Workarounds\n\nThere is no known workaround.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32886", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00031", "scoring_system": "epss", "scoring_elements": "0.09562", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00031", "scoring_system": "epss", "scoring_elements": "0.09502", "published_at": 
"2026-06-08T12:55:00Z" }, { "value": "0.00031", "scoring_system": "epss", "scoring_elements": "0.09582", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32886" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10210", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T16:18:19Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10210" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10211", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T16:18:19Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10211" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-4263-jgmp-7pf4", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", 
"scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T16:18:19Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-4263-jgmp-7pf4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32886", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32886" }, { "reference_url": "https://github.com/advisories/GHSA-4263-jgmp-7pf4", "reference_id": "GHSA-4263-jgmp-7pf4", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4263-jgmp-7pf4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113374?format=api", "purl": "pkg:npm/parse-server@8.6.47", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": 
"VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.47" }, { "url": "http://public2.vulnerablecode.io/api/packages/113373?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.24", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.24" } ], "aliases": [ "CVE-2026-32886", "GHSA-4263-jgmp-7pf4" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-faws-rh1j-tba1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91025?format=api", "vulnerability_id": "VCID-fnb8-edpu-e3e3", "summary": "Parse Server LiveQuery subscription query depth bypass\n### Impact\n\nParse Server's LiveQuery component does not enforce the `requestComplexity.queryDepth` configuration setting when processing WebSocket subscription requests. An attacker can send a subscription with deeply nested logical operators, causing excessive recursion and CPU consumption that degrades or disrupts service availability.\n\nDeployments are affected when the LiveQuery WebSocket endpoint is reachable by untrusted clients.\n\n### Patches\n\nThe fix adds query condition depth validation to the LiveQuery subscription handler, enforcing the same `requestComplexity.queryDepth` limit that already protects REST API queries.\n\n### Workarounds\n\nThere is no known workaround other than upgrading.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33508", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00065", "scoring_system": "epss", "scoring_elements": "0.20459", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00065", "scoring_system": "epss", "scoring_elements": "0.20391", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00065", "scoring_system": "epss", "scoring_elements": "0.20499", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00065", "scoring_system": "epss", "scoring_elements": "0.20511", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33508" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": 
"", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/060d27053fb0fadf613c25aabab7fe0c82b7a899", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:57:12Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/060d27053fb0fadf613c25aabab7fe0c82b7a899" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/2126fe4e12f9b399dc6b4b6a3fa70cb1825f159b", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:57:12Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/2126fe4e12f9b399dc6b4b6a3fa70cb1825f159b" }, { "reference_url": 
"https://github.com/parse-community/parse-server/pull/10259", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:57:12Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10259" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10260", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:57:12Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10260" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6qh5-m6g3-xhq6", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:57:12Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6qh5-m6g3-xhq6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33508", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33508" }, { "reference_url": "https://github.com/advisories/GHSA-6qh5-m6g3-xhq6", "reference_id": "GHSA-6qh5-m6g3-xhq6", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6qh5-m6g3-xhq6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113031?format=api", "purl": "pkg:npm/parse-server@8.6.56", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.56" }, { "url": "http://public2.vulnerablecode.io/api/packages/74558?format=api", "purl": "pkg:npm/parse-server@9.0.0-alpha.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-shyz-tw66-b3gv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.0.0-alpha.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/113029?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.45", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { 
"vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.45" } ], "aliases": [ "CVE-2026-33508", "GHSA-6qh5-m6g3-xhq6" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fnb8-edpu-e3e3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91404?format=api", "vulnerability_id": "VCID-g9mj-kud1-d7a3", "summary": "Parse Server LiveQuery subscription with invalid regular expression crashes server\n### Impact\n\nA remote attacker can crash the Parse Server by subscribing to a LiveQuery with an invalid regular expression pattern. The server process terminates when the invalid pattern reaches the regex engine during subscription matching, causing denial of service for all connected clients.\n\n### Patches\n\nThe fix validates regular expression patterns at subscription time, rejecting invalid patterns before they are stored. 
Additionally, a defense-in-depth try-catch prevents any subscription matching error from crashing the server process.\n\n### Workarounds\n\nDisable LiveQuery if it is not needed.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32770", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13299", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13185", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13263", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13303", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32770" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10197", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T14:21:43Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10197" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10199", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", 
"scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T14:21:43Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10199" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-827p-g5x5-h86c", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T14:21:43Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-827p-g5x5-h86c" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32770", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32770" }, { "reference_url": "https://github.com/advisories/GHSA-827p-g5x5-h86c", "reference_id": "GHSA-827p-g5x5-h86c", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-827p-g5x5-h86c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113568?format=api", "purl": "pkg:npm/parse-server@8.6.43", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, 
{ "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.43" }, { "url": "http://public2.vulnerablecode.io/api/packages/113567?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.19", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { 
"vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.19" } ], "aliases": [ "CVE-2026-32770", "GHSA-827p-g5x5-h86c" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-g9mj-kud1-d7a3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46270?format=api", "vulnerability_id": "VCID-gkng-gbtu-hkc1", "summary": "Parse Server may crash when uploading file without extension\n### Impact\n\nParse Server crashes when uploading a file without extension.\n\n### Patches\n\nA permanent fix has been implemented to prevent the server from crashing.\n\n### Workarounds\n\nThere are no known workarounds.\n\n### References\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-792q-q67h-w579\n- Patched in Parse Server 6: https://github.com/parse-community/parse-server/releases/tag/6.3.1\n- Patched in Parse Server 5 (LTS): https://github.com/parse-community/parse-server/releases/tag/5.5.6", "references": [ { "reference_url": 
"https://api.first.org/data/v1/epss?cve=CVE-2023-46119", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0057", "scoring_system": "epss", "scoring_elements": "0.68987", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.0057", "scoring_system": "epss", "scoring_elements": "0.69003", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.0057", "scoring_system": "epss", "scoring_elements": "0.69009", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.0057", "scoring_system": "epss", "scoring_elements": "0.69007", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.0057", "scoring_system": "epss", "scoring_elements": "0.69", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-46119" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/686a9f282dc23c31beab3d93e6d21ccd0e1328fe", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-10T15:28:20Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/686a9f282dc23c31beab3d93e6d21ccd0e1328fe" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/fd86278919556d3682e7e2c856dfccd5beffbfc0", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", 
"scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-10T15:28:20Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/fd86278919556d3682e7e2c856dfccd5beffbfc0" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/5.5.6", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-10T15:28:20Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/5.5.6" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/6.3.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-10T15:28:20Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/6.3.1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46119", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46119" }, { "reference_url": "https://github.com/advisories/GHSA-792q-q67h-w579", "reference_id": "GHSA-792q-q67h-w579", 
"reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-792q-q67h-w579" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-792q-q67h-w579", "reference_id": "GHSA-792q-q67h-w579", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-10T15:28:20Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-792q-q67h-w579" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/67481?format=api", "purl": "pkg:npm/parse-server@5.5.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5cyt-1hbn-pkgb" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-5web-hc9c-kbhe" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-6f3m-zdr1-sqf7" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8d4r-sv2m-hqhe" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { 
"vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-avfq-2nfn-fkdw" }, { "vulnerability": "VCID-b3ks-95ke-m7dz" }, { "vulnerability": "VCID-bgdt-2pkg-rbaj" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jnuv-zhzb-nygr" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pr98-q3e2-tydx" }, { "vulnerability": "VCID-pt5h-ubds-5bah" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-q8xg-vs4w-d7g7" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": 
"VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-w51h-8rx9-5yaw" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-wu9b-cdwh-mka2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-z7cb-6ruj-4bf2" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@5.5.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/67482?format=api", "purl": "pkg:npm/parse-server@6.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5cyt-1hbn-pkgb" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-5web-hc9c-kbhe" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-6f3m-zdr1-sqf7" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8d4r-sv2m-hqhe" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-avfq-2nfn-fkdw" }, { "vulnerability": "VCID-b3ks-95ke-m7dz" }, { "vulnerability": "VCID-bgdt-2pkg-rbaj" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" 
}, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jnuv-zhzb-nygr" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pr98-q3e2-tydx" }, { "vulnerability": "VCID-pt5h-ubds-5bah" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-q8xg-vs4w-d7g7" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-w51h-8rx9-5yaw" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-wu9b-cdwh-mka2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { 
"vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-z7cb-6ruj-4bf2" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@6.3.1" } ], "aliases": [ "CVE-2023-46119", "GHSA-792q-q67h-w579" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gkng-gbtu-hkc1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91458?format=api", "vulnerability_id": "VCID-gzbr-zm1b-nkfc", "summary": "Parse Server has a query condition depth bypass via pre-validation transform pipeline\n### Impact\n\nAn attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server process. The server becomes completely unresponsive and must be manually restarted. This is a bypass of the fix for CVE-2026-32944.\n\n### Patches\n\nThe query condition nesting depth is now validated before the query enters the transformation pipeline, preventing deeply nested structures from being recursively processed before the existing depth guard can fire.\n\n### Workarounds\n\nNone.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33498", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06017", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06079", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06064", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06067", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33498" }, { "reference_url": "https://github.com/parse-community/parse-server", 
"reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/2581b5426047ce9cbcd3d9c0e8379e9c30e23ab5", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:32:52Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/2581b5426047ce9cbcd3d9c0e8379e9c30e23ab5" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/85994eff9e7b34cac7e1a2f5791985022a1461d1", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:32:52Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/85994eff9e7b34cac7e1a2f5791985022a1461d1" }, { "reference_url": 
"https://github.com/parse-community/parse-server/pull/10257", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:32:52Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10257" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10258", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:32:52Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10258" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-9fjp-q3c4-6w3j", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:32:52Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-9fjp-q3c4-6w3j" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33498", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33498" }, { "reference_url": "https://github.com/advisories/GHSA-9fjp-q3c4-6w3j", "reference_id": "GHSA-9fjp-q3c4-6w3j", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9fjp-q3c4-6w3j" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113705?format=api", "purl": "pkg:npm/parse-server@8.6.55", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.55" }, { "url": "http://public2.vulnerablecode.io/api/packages/74558?format=api", "purl": "pkg:npm/parse-server@9.0.0-alpha.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-shyz-tw66-b3gv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.0.0-alpha.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/113704?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.44", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { 
"vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.44" } ], "aliases": [ "CVE-2026-33498", "GHSA-9fjp-q3c4-6w3j" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gzbr-zm1b-nkfc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91824?format=api", "vulnerability_id": "VCID-h8hu-n8dv-ybhy", "summary": "Parse Server session creation endpoint allows overwriting server-generated session fields\n### Impact\n\nAn authenticated user can overwrite server-generated session fields (`sessionToken`, `expiresAt`, `createdWith`) when creating a session object via `POST /classes/_Session`. This allows bypassing the server's session expiration policy by setting an arbitrary far-future expiration date. It also allows setting a predictable session token value.\n\n### Patches\n\nThe session creation endpoint now filters out server-generated fields from user-supplied data, preventing them from being overwritten.\n\n### Workarounds\n\nAdd a `beforeSave` trigger on the `_Session` class to validate and reject or strip any user-supplied values for `sessionToken`, `expiresAt`, and `createdWith`.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32742", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05951", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05898", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05942", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05943", "published_at": 
"2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32742" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10195", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:10:52Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10195" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10196", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:10:52Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10196" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-5v7g-9h8f-8pgg", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", 
"scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:10:52Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-5v7g-9h8f-8pgg" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32742", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32742" }, { "reference_url": "https://github.com/advisories/GHSA-5v7g-9h8f-8pgg", "reference_id": "GHSA-5v7g-9h8f-8pgg", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5v7g-9h8f-8pgg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/114234?format=api", "purl": "pkg:npm/parse-server@8.6.42", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": 
"VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.42" }, { "url": "http://public2.vulnerablecode.io/api/packages/114231?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": 
"VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.17" } ], "aliases": [ "CVE-2026-32742", "GHSA-5v7g-9h8f-8pgg" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h8hu-n8dv-ybhy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91095?format=api", "vulnerability_id": "VCID-h8ut-tkq6-r7e2", "summary": "Parse Server has an MFA single-use token bypass via concurrent authData login requests\n### Impact\n\nAn attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint. This defeats the single-use guarantee of MFA recovery codes and SMS one-time passwords, allowing session persistence even after the legitimate user revokes detected sessions.\n\n### Patches\n\nThe fix adds optimistic locking to the authData login path, ensuring that concurrent database updates for the same user fail when the original MFA token array has already been modified by another request.\n\n### Workarounds\n\nThere is no known workaround.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34224", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04623", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.0466", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05506", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05523", 
"published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34224" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/661f160edac8daac0486bc94413cf9652876ab92", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:15:54Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/661f160edac8daac0486bc94413cf9652876ab92" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/e7efbebba398ce6abe5b6b6fb9829c6ebe310fbf", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:15:54Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/e7efbebba398ce6abe5b6b6fb9829c6ebe310fbf" }, 
{ "reference_url": "https://github.com/parse-community/parse-server/pull/10326", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:15:54Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10326" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10327", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:15:54Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10327" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-w73w-g5xw-rwhf", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:15:54Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-w73w-g5xw-rwhf" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34224", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34224" }, { "reference_url": "https://github.com/advisories/GHSA-w73w-g5xw-rwhf", "reference_id": "GHSA-w73w-g5xw-rwhf", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w73w-g5xw-rwhf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113117?format=api", "purl": "pkg:npm/parse-server@8.6.64", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.64" }, { "url": "http://public2.vulnerablecode.io/api/packages/113116?format=api", "purl": "pkg:npm/parse-server@9.7.0-alpha.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": 
"VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.8" } ], "aliases": [ "CVE-2026-34224", "GHSA-w73w-g5xw-rwhf" ], "risk_score": 2.0, "exploitability": "0.5", "weighted_severity": "4.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h8ut-tkq6-r7e2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91687?format=api", "vulnerability_id": "VCID-j6q8-5bxf-7fcf", "summary": "Parse Server email verification resend page leaks user existence\n### Impact\n\nThe Pages route and legacy PublicAPI route for resending email verification links return distinguishable responses depending on whether the provided username exists and has an unverified email. This allows an unauthenticated attacker to enumerate valid usernames by observing different redirect targets. The existing `emailVerifySuccessOnInvalidEmail` configuration option, which is enabled by default and protects the API route against this, did not apply to these routes.\n\n### Patches\n\nThe email verification resend routes now respect the `emailVerifySuccessOnInvalidEmail` option. 
When set to `true` (the default), both routes redirect to the success page regardless of the outcome, preventing user enumeration.\n\n### Workarounds\n\nThere is no known workaround to prevent the information disclosure other than upgrading.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33323", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.16109", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.16023", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.16154", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.16164", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33323" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/967aa57732202009b2389ce9ecb3130d53d657e5", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", 
"scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:56:28Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/967aa57732202009b2389ce9ecb3130d53d657e5" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/fbda4cb0c5cbc8fad08a216823b6b64d4ae289c3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:56:28Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/fbda4cb0c5cbc8fad08a216823b6b64d4ae289c3" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10238", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:56:28Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10238" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10243", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:56:28Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10243" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-h29g-q5c2-9h4f", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:56:28Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-h29g-q5c2-9h4f" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33323", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33323" }, { "reference_url": "https://github.com/advisories/GHSA-h29g-q5c2-9h4f", "reference_id": "GHSA-h29g-q5c2-9h4f", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-h29g-q5c2-9h4f" } ], 
"fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113979?format=api", "purl": "pkg:npm/parse-server@8.6.51", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.51" }, { "url": "http://public2.vulnerablecode.io/api/packages/74558?format=api", "purl": "pkg:npm/parse-server@9.0.0-alpha.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-nnat-huec-buht" 
}, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-shyz-tw66-b3gv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.0.0-alpha.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/113978?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.40", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.40" } ], "aliases": [ "CVE-2026-33323", "GHSA-h29g-q5c2-9h4f" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j6q8-5bxf-7fcf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91633?format=api", "vulnerability_id": "VCID-j9vu-d52s-ekgq", "summary": "Parse Server: MFA recovery code single-use bypass via concurrent 
requests\n### Impact\n\nAn attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending concurrent login requests. This defeats the single-use design of recovery codes. The attack requires the user's password, a valid recovery code, and the ability to send concurrent requests within milliseconds.\n\n### Patches\n\nThe login handler now uses optimistic locking when updating auth data that contains consumed single-use tokens. If a concurrent request has already modified the recovery array, the update fails and the login is rejected.\n\n### Workarounds\n\nThere are no known workarounds.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33624", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09798", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09882", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09909", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09895", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33624" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/5e70094250a36bfcc14ecd49592be2b94fba66ff", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", 
"scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:58:24Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/5e70094250a36bfcc14ecd49592be2b94fba66ff" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/fc3da35a81d5083b453e8967cabcc880f1a3bd0c", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:58:24Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/fc3da35a81d5083b453e8967cabcc880f1a3bd0c" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10275", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:58:24Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10275" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10276", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", 
"scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:58:24Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10276" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-2299-ghjr-6vjp", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:58:24Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-2299-ghjr-6vjp" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33624", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33624" }, { "reference_url": "https://github.com/advisories/GHSA-2299-ghjr-6vjp", "reference_id": "GHSA-2299-ghjr-6vjp", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2299-ghjr-6vjp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113940?format=api", "purl": "pkg:npm/parse-server@8.6.60", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { 
"vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.60" }, { "url": "http://public2.vulnerablecode.io/api/packages/113939?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.54", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.54" } ], "aliases": [ "CVE-2026-33624", "GHSA-2299-ghjr-6vjp" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j9vu-d52s-ekgq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50400?format=api", "vulnerability_id": "VCID-jnuv-zhzb-nygr", "summary": "Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter\nAn unauthenticated attacker can forge a Google authentication token with `alg: \"none\"` to log in as any user linked to a Google account, without knowing their credentials. 
All deployments with Google authentication enabled are affected.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27804", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.1203", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.12105", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.12142", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.12143", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27804" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/9b94083accb7f3e72c6b8126c195c7a03dd2dfd7", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-02-26T17:03:17Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/9b94083accb7f3e72c6b8126c195c7a03dd2dfd7" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/9d5942d50e55c822924c27b05aa98f1393e7a330", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", 
"scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-02-26T17:03:17Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/9d5942d50e55c822924c27b05aa98f1393e7a330" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-02-26T17:03:17Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.3" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.3.1-alpha.4", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-02-26T17:03:17Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.3.1-alpha.4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27804", "reference_id": "CVE-2026-27804", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2026-27804" }, { "reference_url": "https://github.com/advisories/GHSA-4q3h-vp4r-prv2", "reference_id": "GHSA-4q3h-vp4r-prv2", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4q3h-vp4r-prv2" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-4q3h-vp4r-prv2", "reference_id": "GHSA-4q3h-vp4r-prv2", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-02-26T17:03:17Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-4q3h-vp4r-prv2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74291?format=api", "purl": "pkg:npm/parse-server@8.6.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8d4r-sv2m-hqhe" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, 
{ "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-q8xg-vs4w-d7g7" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-w51h-8rx9-5yaw" }, { "vulnerability": 
"VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/74290?format=api", "purl": "pkg:npm/parse-server@9.3.1-alpha.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8d4r-sv2m-hqhe" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fdvb-gy4j-6qcn" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": 
"VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-q8xg-vs4w-d7g7" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-w51h-8rx9-5yaw" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.3.1-alpha.4" } ], "aliases": [ "CVE-2026-27804", "GHSA-4q3h-vp4r-prv2" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jnuv-zhzb-nygr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/92106?format=api", "vulnerability_id": 
"VCID-jsgf-t1ga-x7eq", "summary": "parse-server: MFA SMS one-time password accepted twice under concurrent login\n### Impact\n\nA race condition in the MFA SMS one-time password (OTP) login path allows two concurrent `/login` requests carrying the same OTP to both succeed and both receive valid session tokens, breaking the single-use property of the OTP. The vulnerability requires the attacker to already possess the victim's password and intercept the active SMS OTP (e.g. via SIM swap, network mirror, or phishing relay) and to race the legitimate login request, so the practical attack surface is narrow.\n\nThis advisory is the same class of incomplete fix as [GHSA-2299-ghjr-6vjp](https://github.com/parse-community/parse-server/security/advisories/GHSA-2299-ghjr-6vjp) (TOTP recovery codes) and [GHSA-w73w-g5xw-rwhf](https://github.com/parse-community/parse-server/security/advisories/GHSA-w73w-g5xw-rwhf) (MFA recovery in authData-only login). Those previous fixes added optimistic locking only for array-typed authData fields; SMS MFA stores the OTP as a string, so the guard skipped it.\n\n### Patches\n\nThe optimistic lock has been generalized to cover primitive (string, number, boolean) and array authData fields. The lock is implemented as a shared helper `applyAuthDataOptimisticLock` that adds equality predicates on the original values of changed fields to the update WHERE clause. 
Concurrent writers racing the same single-use token now miss the WHERE condition and surface as `Invalid auth data`.\n\n### Workarounds\n\n- Disable SMS MFA and use TOTP instead (TOTP tokens are time-window validated, not stored single-use).\n- Place a rate limiter on the `/login` endpoint to reduce concurrent-request burst capacity.\n\n### Resources\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-jpq4-7fmq-q5fj\n- Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10448\n- Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10449", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43930", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0001", "scoring_system": "epss", "scoring_elements": "0.01113", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.0001", "scoring_system": "epss", "scoring_elements": "0.01107", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43930" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10448", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:27:09Z/" } ], "url": 
"https://github.com/parse-community/parse-server/pull/10448" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10449", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:27:09Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10449" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-jpq4-7fmq-q5fj", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:27:09Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-jpq4-7fmq-q5fj" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43930", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43930" }, { "reference_url": "https://github.com/advisories/GHSA-jpq4-7fmq-q5fj", "reference_id": "GHSA-jpq4-7fmq-q5fj", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jpq4-7fmq-q5fj" } ], 
"fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/114676?format=api", "purl": "pkg:npm/parse-server@8.6.76", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.76" }, { "url": "http://public2.vulnerablecode.io/api/packages/114675?format=api", "purl": "pkg:npm/parse-server@9.9.0-alpha.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.9.0-alpha.2" } ], "aliases": [ "CVE-2026-43930", "GHSA-jpq4-7fmq-q5fj" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jsgf-t1ga-x7eq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/110200?format=api", "vulnerability_id": "VCID-k86f-a3gq-hbbv", "summary": "Parse Server vulnerable to Prototype Pollution via Cloud Code Webhooks or Cloud Code Triggers\n### Impact\n\nKeywords that are specified in the Parse Server option `requestKeywordDenylist` can be injected via Cloud Code Webhooks or Triggers. 
This will result in the keyword being saved to the database, bypassing the `requestKeywordDenylist` option.\n\n### Patches\n\nImproved keyword detection.\n\n### Workarounds\n\nConfigure your firewall to only allow trusted servers to make requests to the Parse Server Cloud Code Webhooks API, or block the API completely if you are not using the feature.\n\n### Collaborators\n\nMikhail Shcherbakov, Cristian-Alexandru Staicu and Musard Balliu working with Trend Micro Zero Day Initiative\n\n### References\n- https://github.com/parse-community/parse-server/security/advisories/GHSA-xprv-wvh7-qqqx", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-41878", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00542", "scoring_system": "epss", "scoring_elements": "0.68058", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00542", "scoring_system": "epss", "scoring_elements": "0.68098", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00542", "scoring_system": "epss", "scoring_elements": "0.68082", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00542", "scoring_system": "epss", "scoring_elements": "0.68097", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00542", "scoring_system": "epss", "scoring_elements": "0.68105", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00542", "scoring_system": "epss", "scoring_elements": "0.68096", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-41878" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": 
"https://github.com/parse-community/parse-server/commit/0a2d412e265992d53a670011afd9d2578562adc3", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server/commit/0a2d412e265992d53a670011afd9d2578562adc3" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/6728da1e3591db1e27031d335d64d8f25546a06f", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server/commit/6728da1e3591db1e27031d335d64d8f25546a06f" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/8301", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server/pull/8301" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/8302", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server/pull/8302" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-xprv-wvh7-qqqx", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:46:49Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-xprv-wvh7-qqqx" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41878", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41878" }, { "reference_url": "https://github.com/advisories/GHSA-xprv-wvh7-qqqx", "reference_id": "GHSA-xprv-wvh7-qqqx", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xprv-wvh7-qqqx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/148707?format=api", "purl": "pkg:npm/parse-server@5.3.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-2h23-n9we-rbdj" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5cyt-1hbn-pkgb" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-5web-hc9c-kbhe" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-6f3m-zdr1-sqf7" }, { "vulnerability": "VCID-7ne4-7a82-9yfx" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": 
"VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8d4r-sv2m-hqhe" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-avfq-2nfn-fkdw" }, { "vulnerability": "VCID-b3ks-95ke-m7dz" }, { "vulnerability": "VCID-bgdt-2pkg-rbaj" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-d13k-gc2w-7yc1" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gkng-gbtu-hkc1" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jnuv-zhzb-nygr" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-msej-ykyc-qyhp" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": 
"VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pr98-q3e2-tydx" }, { "vulnerability": "VCID-pt5h-ubds-5bah" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-q8xg-vs4w-d7g7" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-v7yq-ntze-e3b1" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-w51h-8rx9-5yaw" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-wu9b-cdwh-mka2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-z7cb-6ruj-4bf2" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@5.3.2" } ], "aliases": [ "CVE-2022-41878", "GHSA-xprv-wvh7-qqqx", "GMS-2022-6626" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-k86f-a3gq-hbbv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91140?format=api", "vulnerability_id": "VCID-kpnd-nb3e-2ufx", "summary": "Parse Server exposes auth data via verify password endpoint\n### Impact\n\nThe verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. 
An attacker who knows a user's password can extract the MFA secret to generate valid MFA codes, defeating multi-factor authentication protection.\n\n### Patches\n\nThe verify password endpoint now sanitizes authentication data through auth adapter hooks before returning the response, consistent with login and user retrieval endpoints.\n\n### Workarounds\n\nThere is no known workaround.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34215", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00073", "scoring_system": "epss", "scoring_elements": "0.22248", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00073", "scoring_system": "epss", "scoring_elements": "0.22261", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00085", "scoring_system": "epss", "scoring_elements": "0.24694", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00085", "scoring_system": "epss", "scoring_elements": "0.24751", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34215" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/5b8998e6866bcf75be7b5bb625e27d23bfaf912c", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server/commit/5b8998e6866bcf75be7b5bb625e27d23bfaf912c" }, { 
"reference_url": "https://github.com/parse-community/parse-server/commit/770be8647424d92f5425c41fa81065ffbbb171ed", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T16:23:36Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/770be8647424d92f5425c41fa81065ffbbb171ed" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/875cf10ac979bd60f70e7a0c534e2bc194d6982f", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server/commit/875cf10ac979bd60f70e7a0c534e2bc194d6982f" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/a1d4e7b12a12f16d3870dbee582a36765858e94c", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T16:23:36Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/a1d4e7b12a12f16d3870dbee582a36765858e94c" }, { 
"reference_url": "https://github.com/parse-community/parse-server/pull/10278", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server/pull/10278" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10279", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server/pull/10279" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10323", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T16:23:36Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10323" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10324", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": 
"Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T16:23:36Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10324" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-wp76-gg32-8258", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T16:23:36Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-wp76-gg32-8258" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34215", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34215" }, { "reference_url": "https://github.com/advisories/GHSA-wp76-gg32-8258", "reference_id": "GHSA-wp76-gg32-8258", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wp76-gg32-8258" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113159?format=api", "purl": "pkg:npm/parse-server@8.6.63", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": 
"VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.63" }, { "url": "http://public2.vulnerablecode.io/api/packages/113158?format=api", "purl": "pkg:npm/parse-server@9.7.0-alpha.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.7" } ], "aliases": [ "CVE-2026-34215", "GHSA-wp76-gg32-8258" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kpnd-nb3e-2ufx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50848?format=api", "vulnerability_id": "VCID-m9r5-g4pw-q7cx", "summary": "Parse Server's MFA recovery codes not consumed after use\nWhen multi-factor authentication (MFA) via TOTP is enabled for a user account, Parse Server generates two single-use recovery codes. These codes are intended as a fallback when the user cannot provide a TOTP token. 
However, recovery codes are not consumed after use, allowing the same recovery code to be used an unlimited number of times. This defeats the single-use design of recovery codes and weakens the security of MFA-protected accounts.\n\nAn attacker who obtains a single recovery code can repeatedly authenticate as the affected user without the code ever being invalidated.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31875", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00139", "scoring_system": "epss", "scoring_elements": "0.33631", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00139", "scoring_system": "epss", "scoring_elements": "0.33666", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00139", "scoring_system": "epss", "scoring_elements": "0.337", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00139", "scoring_system": "epss", "scoring_elements": "0.33686", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31875" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.33", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:06:08Z/" } ], "url": 
"https://github.com/parse-community/parse-server/releases/tag/8.6.33" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.7", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:06:08Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.7" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31875", "reference_id": "CVE-2026-31875", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31875" }, { "reference_url": "https://github.com/advisories/GHSA-4hf6-3x24-c9m8", "reference_id": "GHSA-4hf6-3x24-c9m8", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4hf6-3x24-c9m8" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-4hf6-3x24-c9m8", "reference_id": "GHSA-4hf6-3x24-c9m8", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:06:08Z/" } ], "url": 
"https://github.com/parse-community/parse-server/security/advisories/GHSA-4hf6-3x24-c9m8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74754?format=api", "purl": "pkg:npm/parse-server@8.6.33", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" 
}, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.33" }, { "url": "http://public2.vulnerablecode.io/api/packages/74753?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { 
"vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.7" } ], "aliases": [ "CVE-2026-31875", "GHSA-4hf6-3x24-c9m8" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-m9r5-g4pw-q7cx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91275?format=api", "vulnerability_id": "VCID-mpu4-c9v9-wbdd", "summary": "Parse Server has a SQL injection via query field name when using PostgreSQL\n### Impact\n\nAn attacker with access to the master key can inject malicious SQL via crafted field names used in query constraints when Parse Server is configured with PostgreSQL as the database. The field name in a `$regex` query operator is passed to PostgreSQL using unparameterized string interpolation, allowing the attacker to manipulate the SQL query. While the master key controls what can be done through the Parse Server abstraction layer, this SQL injection bypasses Parse Server entirely and operates at the database level.\n\nThis vulnerability only affects Parse Server deployments using PostgreSQL.\n\n### Patches\n\nThe fix applies proper SQL identifier escaping to field names in the query handler and hardens query field name validation to reject malicious field names for all query types.\n\n### Workarounds\n\nThere is no known workaround.\n\n### References\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-c442-97qw-j6c6\n- Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.10\n- Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.36", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32234", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00043", "scoring_system": 
"epss", "scoring_elements": "0.13699", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13577", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13662", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13703", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32234" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.36", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T19:52:08Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.36" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.10", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T19:52:08Z/" } ], 
"url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.10" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-c442-97qw-j6c6", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T19:52:08Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-c442-97qw-j6c6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32234", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32234" }, { "reference_url": "https://github.com/advisories/GHSA-c442-97qw-j6c6", "reference_id": "GHSA-c442-97qw-j6c6", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-c442-97qw-j6c6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113357?format=api", "purl": "pkg:npm/parse-server@8.6.36", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { 
"vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.36" }, { "url": "http://public2.vulnerablecode.io/api/packages/113356?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { 
"vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.10" } ], "aliases": [ "CVE-2026-32234", "GHSA-c442-97qw-j6c6" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mpu4-c9v9-wbdd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45298?format=api", "vulnerability_id": "VCID-msej-ykyc-qyhp", "summary": "Phishing attack vulnerability by uploading malicious HTML file\nParse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 5.4.4 and 6.1.1 is vulnerable to a phishing attack vulnerability that involves a user uploading malicious files. 
A malicious user could upload an HTML file to Parse Server via its public API. That HTML file would then be accessible at the internet domain at which Parse Server is hosted. The URL of the uploaded HTML could be shared for phishing attacks. The HTML page may seem legitimate because it is served under the internet domain where Parse Server is hosted, which may be the same as a company's official website domain.\n\nAn additional security issue arises when the Parse JavaScript SDK is used. The SDK stores sessions in the internet browser's local storage, which usually restricts data access depending on the internet domain. A malicious HTML file could contain a script that retrieves the user's session token from local storage and then shares it with the attacker.\n\nThe fix included in versions 5.4.4 and 6.1.1 adds a new Parse Server option `fileUpload.fileExtensions` to restrict file upload on Parse Server by file extension. It is recommended to restrict file upload for HTML file extensions; this fix disables such uploads by default. 
If an app requires upload of files with HTML file extensions, the option can be set to `['.*']` or another custom value to override the default.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-32689", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0039", "scoring_system": "epss", "scoring_elements": "0.60422", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.0039", "scoring_system": "epss", "scoring_elements": "0.60421", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.0039", "scoring_system": "epss", "scoring_elements": "0.60405", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.0039", "scoring_system": "epss", "scoring_elements": "0.60434", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.0039", "scoring_system": "epss", "scoring_elements": "0.60431", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-32689" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/8537", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-10T19:07:11Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/8537" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/8538", "reference_id": "", 
"reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-10T19:07:11Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/8538" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32689", "reference_id": "CVE-2023-32689", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32689" }, { "reference_url": "https://github.com/advisories/GHSA-9prm-jqwx-45x9", "reference_id": "GHSA-9prm-jqwx-45x9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9prm-jqwx-45x9" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-9prm-jqwx-45x9", "reference_id": "GHSA-9prm-jqwx-45x9", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-10T19:07:11Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-9prm-jqwx-45x9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/65275?format=api", "purl": "pkg:npm/parse-server@5.4.4", "is_vulnerable": false, 
"affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@5.4.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/654125?format=api", "purl": "pkg:npm/parse-server@5.5.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-2h23-n9we-rbdj" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5cyt-1hbn-pkgb" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-5web-hc9c-kbhe" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-6f3m-zdr1-sqf7" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8d4r-sv2m-hqhe" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-avfq-2nfn-fkdw" }, { "vulnerability": "VCID-b3ks-95ke-m7dz" }, { "vulnerability": "VCID-bgdt-2pkg-rbaj" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-d13k-gc2w-7yc1" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": 
"VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gkng-gbtu-hkc1" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jnuv-zhzb-nygr" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pr98-q3e2-tydx" }, { "vulnerability": "VCID-pt5h-ubds-5bah" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-q8xg-vs4w-d7g7" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-w51h-8rx9-5yaw" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-wu9b-cdwh-mka2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-z7cb-6ruj-4bf2" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@5.5.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/65276?format=api", 
"purl": "pkg:npm/parse-server@6.1.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@6.1.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/654145?format=api", "purl": "pkg:npm/parse-server@6.2.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-2h23-n9we-rbdj" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5cyt-1hbn-pkgb" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-5web-hc9c-kbhe" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-6f3m-zdr1-sqf7" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8d4r-sv2m-hqhe" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-avfq-2nfn-fkdw" }, { "vulnerability": "VCID-b3ks-95ke-m7dz" }, { "vulnerability": "VCID-bgdt-2pkg-rbaj" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-d13k-gc2w-7yc1" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { 
"vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gkng-gbtu-hkc1" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jnuv-zhzb-nygr" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pr98-q3e2-tydx" }, { "vulnerability": "VCID-pt5h-ubds-5bah" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-q8xg-vs4w-d7g7" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-w51h-8rx9-5yaw" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-wu9b-cdwh-mka2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-z7cb-6ruj-4bf2" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@6.2.0" } ], "aliases": [ 
"CVE-2023-32689", "GHSA-9prm-jqwx-45x9" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-msej-ykyc-qyhp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90863?format=api", "vulnerability_id": "VCID-n19y-uwm6-3udp", "summary": "Parse Server's GraphQL WebSocket endpoint bypasses security middleware\n### Impact\n\nAny Parse Server deployment that uses the GraphQL API is affected. The GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection control, and query complexity limits. An attacker can connect to the WebSocket endpoint and execute GraphQL operations without providing a valid application or API key, access the GraphQL schema via introspection even when public introspection is disabled, and send arbitrarily complex queries that bypass configured complexity limits.\n\n### Patches\n\nThe unfinished GraphQL WebSocket subscription feature has been removed, including the `createSubscriptions` method and the `subscriptions-transport-ws` dependency. 
GraphQL subscriptions were never functional in Parse Server as the schema did not define any subscription types.\n\n### Workarounds\n\nBlock WebSocket upgrade requests to the GraphQL subscriptions path (by default `/subscriptions`) at the network level, for example using a reverse proxy or load balancer rule.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32594", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00086", "scoring_system": "epss", "scoring_elements": "0.24725", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00086", "scoring_system": "epss", "scoring_elements": "0.24782", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00086", "scoring_system": "epss", "scoring_elements": "0.2484", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00086", "scoring_system": "epss", "scoring_elements": "0.24851", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32594" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/21330d146c68b57a930a58b8a8cd9fbf09436cf3", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server/commit/21330d146c68b57a930a58b8a8cd9fbf09436cf3" }, { "reference_url": 
"https://github.com/parse-community/parse-server/commit/3ffba757bfc836bd034e1369f4f64304e110e375", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server/commit/3ffba757bfc836bd034e1369f4f64304e110e375" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10189", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-16T13:57:29Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10189" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10190", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-16T13:57:29Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10190" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-p2x3-8689-cwpg", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": 
"MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-16T13:57:29Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-p2x3-8689-cwpg" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32594", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32594" }, { "reference_url": "https://github.com/advisories/GHSA-p2x3-8689-cwpg", "reference_id": "GHSA-p2x3-8689-cwpg", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p2x3-8689-cwpg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/112749?format=api", "purl": "pkg:npm/parse-server@8.6.40", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { 
"vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.40" }, { "url": "http://public2.vulnerablecode.io/api/packages/112747?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { 
"vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.14" } ], "aliases": [ "CVE-2026-32594", "GHSA-p2x3-8689-cwpg" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-n19y-uwm6-3udp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50774?format=api", "vulnerability_id": "VCID-n514-mj64-wkfb", "summary": "Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters\nThe Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter's audience configuration option is not set (`clientId` for Google/Apple, `appIds` for Facebook), JWT verification silently skips audience claim validation. This allows an attacker to use a validly signed JWT issued for a different application to authenticate as any user on the target Parse Server.\n\n- For Google and Apple, the vulnerability is exploitable when the server does not configure `clientId`. The adapters accepted this as valid and simply skipped audience validation.\n- For Facebook Limited Login, the vulnerability exists regardless of configuration. 
The adapter validated `appIds` only for Standard Login (Graph API), but the Limited Login JWT path never passed `appIds` as the audience to JWT verification.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30863", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.1039", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10475", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10514", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10496", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30863" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30863", "reference_id": "CVE-2026-30863", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30863" }, { "reference_url": "https://github.com/advisories/GHSA-x6fw-778m-wr9v", "reference_id": "GHSA-x6fw-778m-wr9v", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-x6fw-778m-wr9v" }, { "reference_url": 
"https://github.com/parse-community/parse-server/security/advisories/GHSA-x6fw-778m-wr9v", "reference_id": "GHSA-x6fw-778m-wr9v", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-09T16:43:47Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-x6fw-778m-wr9v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74571?format=api", "purl": "pkg:npm/parse-server@8.6.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { 
"vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.10" }, { "url": "http://public2.vulnerablecode.io/api/packages/74570?format=api", "purl": "pkg:npm/parse-server@9.5.0-alpha.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { 
"vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": 
"VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.0-alpha.11" } ], "aliases": [ "CVE-2026-30863", "GHSA-x6fw-778m-wr9v" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-n514-mj64-wkfb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89106?format=api", "vulnerability_id": "VCID-n8kv-67nw-xbaw", "summary": "Parse Server has a session field immutability bypass via falsy-value guard\n### Impact\n\nAn authenticated user can bypass the immutability guard on session fields (`expiresAt`, `createdWith`) by sending a null value in a PUT request to the session update endpoint. This allows nullifying the session expiry, making the session valid indefinitely and bypassing configured session length policies.\n\n### Patches\n\nThe truthiness-based guard checks were replaced with key-presence checks that reject any value for protected session fields, including null.\n\n### Workarounds\n\nThere is no known workaround. 
A `beforeSave` trigger on `_Session` could be used to reject null values for `expiresAt` and `createdWith`.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34574", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10737", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10713", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12519", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12601", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34574" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/90802969fc713b7bc9733d7255c7519a6ed75d21", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-01T17:57:17Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/90802969fc713b7bc9733d7255c7519a6ed75d21" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/ebccd7fe2708007e62f705ee1c820a6766178777", "reference_id": "", "reference_type": 
"", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-01T17:57:17Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/ebccd7fe2708007e62f705ee1c820a6766178777" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10347", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-01T17:57:17Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10347" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10348", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-01T17:57:17Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10348" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-f6j3-w9v3-cq22", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", 
"scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-01T17:57:17Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-f6j3-w9v3-cq22" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34574", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34574" }, { "reference_url": "https://github.com/advisories/GHSA-f6j3-w9v3-cq22", "reference_id": "GHSA-f6j3-w9v3-cq22", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f6j3-w9v3-cq22" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/110139?format=api", "purl": "pkg:npm/parse-server@8.6.69", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-w48t-hex5-qkcs" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.69" }, { "url": "http://public2.vulnerablecode.io/api/packages/110137?format=api", "purl": "pkg:npm/parse-server@9.7.0-alpha.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-w48t-hex5-qkcs" } ], 
"resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.14" } ], "aliases": [ "CVE-2026-34574", "GHSA-f6j3-w9v3-cq22" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-n8kv-67nw-xbaw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50846?format=api", "vulnerability_id": "VCID-nnat-huec-buht", "summary": "Parse Server vulnerable to session token exfiltration via `redirectClassNameForKey` query parameter\nA vulnerability in Parse Server's query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other users by exploiting the `redirectClassNameForKey` query parameter. Exfiltrated session tokens can be used to take over user accounts.\n\nThe vulnerability requires the attacker to be able to create or update an object with a new relation field, which depends on the Class-Level Permissions of at least one class.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30965", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25149", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25206", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25256", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25273", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30965" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N" }, { "value": "CRITICAL", 
"scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.21", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-11T14:27:33Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.21" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.8", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-11T14:27:33Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.8" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30965", "reference_id": "CVE-2026-30965", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30965" }, { "reference_url": "https://github.com/advisories/GHSA-6r2j-cxgf-495f", "reference_id": "GHSA-6r2j-cxgf-495f", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6r2j-cxgf-495f" 
}, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6r2j-cxgf-495f", "reference_id": "GHSA-6r2j-cxgf-495f", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-11T14:27:33Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6r2j-cxgf-495f" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74737?format=api", "purl": "pkg:npm/parse-server@8.6.21", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": 
"VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.21" }, { "url": "http://public2.vulnerablecode.io/api/packages/74736?format=api", "purl": "pkg:npm/parse-server@9.5.2-alpha.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": 
"VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.8" } ], "aliases": [ "CVE-2026-30965", "GHSA-6r2j-cxgf-495f" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nnat-huec-buht" }, { "url": 
"http://public2.vulnerablecode.io/api/vulnerabilities/50868?format=api", "vulnerability_id": "VCID-nqnd-8hx6-5bh4", "summary": "Parse Server vulnerable to user enumeration via email verification endpoint\nThe email verification endpoint (`/verificationEmailRequest`) returns distinct error responses depending on whether an email address belongs to an existing user, is already verified, or does not exist. An attacker can send requests with different email addresses and observe the error codes to determine which email addresses are registered in the application.\n\nThis is a user enumeration vulnerability that affects any Parse Server deployment with email verification enabled (`verifyUserEmails: true`).", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31901", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00044", "scoring_system": "epss", "scoring_elements": "0.1396", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00044", "scoring_system": "epss", "scoring_elements": "0.14045", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00044", "scoring_system": "epss", "scoring_elements": "0.14081", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00044", "scoring_system": "epss", "scoring_elements": "0.1408", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31901" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.34", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": 
"cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:01:34Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.34" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.8", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:01:34Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.8" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31901", "reference_id": "CVE-2026-31901", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31901" }, { "reference_url": "https://github.com/advisories/GHSA-w54v-hf9p-8856", "reference_id": "GHSA-w54v-hf9p-8856", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w54v-hf9p-8856" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-w54v-hf9p-8856", "reference_id": "GHSA-w54v-hf9p-8856", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": 
"cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:01:34Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-w54v-hf9p-8856" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74812?format=api", "purl": "pkg:npm/parse-server@8.6.34", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": 
"VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.34" }, { "url": "http://public2.vulnerablecode.io/api/packages/74811?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": 
"VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.8" } ], "aliases": [ "CVE-2026-31901", "GHSA-w54v-hf9p-8856" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nqnd-8hx6-5bh4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91617?format=api", "vulnerability_id": "VCID-p1jm-h97h-vkhv", "summary": "Parse Server has a password reset token single-use bypass via concurrent requests\n### Impact\n\nThe password reset mechanism does not enforce single-use guarantees for reset tokens. When a user requests a password reset, the generated token can be consumed by multiple concurrent requests within a short time window. An attacker who has intercepted a password reset token can race the legitimate user's password reset request, causing both requests to succeed. This may result in the legitimate user believing their password was changed successfully while the attacker's password takes effect instead.\n\nAll Parse Server deployments that use the password reset feature are affected.\n\n### Patches\n\nThe password reset token is now atomically validated and consumed as part of the password update operation. The database query that updates the password includes the reset token as a condition, ensuring that only one concurrent request can successfully consume the token. 
Subsequent requests using the same token will fail because the token has already been cleared.\n\n### Workarounds\n\nThere is no known workaround other than upgrading.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32943", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01648", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01646", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01654", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32943" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10216", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T15:48:42Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10216" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10217", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", 
"scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T15:48:42Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10217" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-r3xq-68wh-gwvh", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T15:48:42Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-r3xq-68wh-gwvh" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32943", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32943" }, { "reference_url": "https://github.com/advisories/GHSA-r3xq-68wh-gwvh", "reference_id": "GHSA-r3xq-68wh-gwvh", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r3xq-68wh-gwvh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113930?format=api", "purl": "pkg:npm/parse-server@8.6.48", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": 
"VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.48" }, { "url": "http://public2.vulnerablecode.io/api/packages/113929?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": 
"VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.28" } ], "aliases": [ "CVE-2026-32943", "GHSA-r3xq-68wh-gwvh" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p1jm-h97h-vkhv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50854?format=api", "vulnerability_id": "VCID-p27e-zbjb-ebbh", "summary": "Parse Server has a NoSQL injection via token type in password reset and email verification endpoints\nA NoSQL injection vulnerability allows an unauthenticated attacker to inject MongoDB query operators via the `token` field in the password reset and email verification resend endpoints. The `token` value is passed to database queries without type validation and can be used to extract password reset and email verification tokens.\n\nAny Parse Server deployment using MongoDB with email verification or password reset enabled is affected. 
When `emailVerifyTokenReuseIfValid` is configured, the email verification token can be fully extracted and used to verify a user's email address without inbox access.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30941", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00059", "scoring_system": "epss", "scoring_elements": "0.18644", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00059", "scoring_system": "epss", "scoring_elements": "0.18724", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00059", "scoring_system": "epss", "scoring_elements": "0.18764", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00059", "scoring_system": "epss", "scoring_elements": "0.18762", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30941" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.14", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:57:04Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.14" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.1", "reference_id": "", "reference_type": "", "scores": [ { 
"value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:57:04Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30941", "reference_id": "CVE-2026-30941", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30941" }, { "reference_url": "https://github.com/advisories/GHSA-vgjh-hmwf-c588", "reference_id": "GHSA-vgjh-hmwf-c588", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vgjh-hmwf-c588" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vgjh-hmwf-c588", "reference_id": "GHSA-vgjh-hmwf-c588", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:57:04Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vgjh-hmwf-c588" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74775?format=api", "purl": "pkg:npm/parse-server@8.6.14", "is_vulnerable": 
true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": 
"VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/74774?format=api", "purl": "pkg:npm/parse-server@9.5.2-alpha.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": 
"VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.1" } ], "aliases": [ "CVE-2026-30941", "GHSA-vgjh-hmwf-c588" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p27e-zbjb-ebbh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50732?format=api", "vulnerability_id": "VCID-p34v-j1s6-a7hn", "summary": "parse-server: Malformed `$regex` query leaks database error details in API response\nA malformed $regex query parameter (e.g. 
`[abc)` causes the database to return a structured error object that is passed unsanitized through the API response. This leaks database internals such as error messages, error codes, code names, cluster timestamps, and topology details. The vulnerability is exploitable by any client that can send query requests, depending on the deployment's permission configuration.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30835", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.0285", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02866", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02918", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02912", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30835" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.7", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-09T20:28:44Z/" } ], "url": 
"https://github.com/parse-community/parse-server/releases/tag/8.6.7" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.6", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-09T20:28:44Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30835", "reference_id": "CVE-2026-30835", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30835" }, { "reference_url": "https://github.com/advisories/GHSA-9cp7-3q5w-j92g", "reference_id": "GHSA-9cp7-3q5w-j92g", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9cp7-3q5w-j92g" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-9cp7-3q5w-j92g", "reference_id": "GHSA-9cp7-3q5w-j92g", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-09T20:28:44Z/" } ], "url": 
"https://github.com/parse-community/parse-server/security/advisories/GHSA-9cp7-3q5w-j92g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74518?format=api", "purl": "pkg:npm/parse-server@8.6.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, 
{ "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/74517?format=api", "purl": "pkg:npm/parse-server@9.5.0-alpha.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { 
"vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fdvb-gy4j-6qcn" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": 
"VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.0-alpha.6" } ], "aliases": [ "CVE-2026-30835", "GHSA-9cp7-3q5w-j92g" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p34v-j1s6-a7hn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55945?format=api", "vulnerability_id": "VCID-pr98-q3e2-tydx", "summary": "Parse Server's custom object ID allows to acquire role privileges\nIf the Parse Server option `allowCustomObjectId: true` is set, an attacker that is allowed to create a new user can set a custom object ID for that new user that exploits the vulnerability and acquires privileges of a specific role.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47183", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00384", "scoring_system": "epss", "scoring_elements": "0.5998", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00384", "scoring_system": "epss", "scoring_elements": "0.59998", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00384", "scoring_system": "epss", "scoring_elements": "0.60009", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00384", "scoring_system": "epss", "scoring_elements": "0.60006", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47183" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "8.6", "scoring_system": "cvssv4", 
"scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/13ee52f0d19ef3a3524b3d79aea100e587eb3cfc", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-04T15:24:37Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/13ee52f0d19ef3a3524b3d79aea100e587eb3cfc" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/1bfbccf9ee7ea77533b2b2aa7c4c69f3bd35e66f", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-04T15:24:37Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/1bfbccf9ee7ea77533b2b2aa7c4c69f3bd35e66f" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/9317", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "8.6", 
"scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-04T15:24:37Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/9317" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/9318", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-04T15:24:37Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/9318" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47183", "reference_id": "CVE-2024-47183", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47183" }, { "reference_url": "https://github.com/advisories/GHSA-8xq9-g7ch-35hg", "reference_id": "GHSA-8xq9-g7ch-35hg", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8xq9-g7ch-35hg" }, { "reference_url": 
"https://github.com/parse-community/parse-server/security/advisories/GHSA-8xq9-g7ch-35hg", "reference_id": "GHSA-8xq9-g7ch-35hg", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-04T15:24:37Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-8xq9-g7ch-35hg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/82849?format=api", "purl": "pkg:npm/parse-server@6.5.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5cyt-1hbn-pkgb" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-5web-hc9c-kbhe" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-6f3m-zdr1-sqf7" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8d4r-sv2m-hqhe" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": 
"VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-b3ks-95ke-m7dz" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jnuv-zhzb-nygr" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-q8xg-vs4w-d7g7" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-w51h-8rx9-5yaw" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": 
"VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-wu9b-cdwh-mka2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-z7cb-6ruj-4bf2" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@6.5.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/82850?format=api", "purl": "pkg:npm/parse-server@7.3.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5cyt-1hbn-pkgb" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-5web-hc9c-kbhe" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-6f3m-zdr1-sqf7" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8d4r-sv2m-hqhe" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-b3ks-95ke-m7dz" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" 
}, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jnuv-zhzb-nygr" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-q8xg-vs4w-d7g7" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-w51h-8rx9-5yaw" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-wu9b-cdwh-mka2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-z7cb-6ruj-4bf2" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@7.3.0" } ], "aliases": [ "CVE-2024-47183", "GHSA-8xq9-g7ch-35hg" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", 
"resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pr98-q3e2-tydx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47277?format=api", "vulnerability_id": "VCID-pt5h-ubds-5bah", "summary": "Server crashes on invalid Cloud Function or Cloud Job name\nCalling an invalid Parse Server Cloud Function name or Cloud Job name crashes server and may allow for code injection.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-29027", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01895", "scoring_system": "epss", "scoring_elements": "0.83577", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.01895", "scoring_system": "epss", "scoring_elements": "0.83564", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.01895", "scoring_system": "epss", "scoring_elements": "0.83572", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.01895", "scoring_system": "epss", "scoring_elements": "0.83574", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.01895", "scoring_system": "epss", "scoring_elements": "0.83576", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-29027" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/5ae6d6a36d75c4511029f0ba5673ae4b2999179b", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-03-20T14:37:25Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/5ae6d6a36d75c4511029f0ba5673ae4b2999179b" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/9f6e3429d3b326cf4e2994733c618d08032fac6e", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-03-20T14:37:25Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/9f6e3429d3b326cf4e2994733c618d08032fac6e" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/6.5.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-03-20T14:37:25Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/6.5.5" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.29", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-03-20T14:37:25Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.29" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29027", "reference_id": "CVE-2024-29027", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29027" }, { "reference_url": "https://github.com/advisories/GHSA-6hh7-46r2-vf29", "reference_id": "GHSA-6hh7-46r2-vf29", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6hh7-46r2-vf29" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6hh7-46r2-vf29", "reference_id": "GHSA-6hh7-46r2-vf29", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-03-20T14:37:25Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6hh7-46r2-vf29" } ], 
"fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/69459?format=api", "purl": "pkg:npm/parse-server@6.5.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5cyt-1hbn-pkgb" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-5web-hc9c-kbhe" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-6f3m-zdr1-sqf7" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8d4r-sv2m-hqhe" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-b3ks-95ke-m7dz" }, { "vulnerability": "VCID-bgdt-2pkg-rbaj" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { 
"vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jnuv-zhzb-nygr" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pr98-q3e2-tydx" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-q8xg-vs4w-d7g7" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-w51h-8rx9-5yaw" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-wu9b-cdwh-mka2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-z7cb-6ruj-4bf2" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@6.5.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/69460?format=api", "purl": "pkg:npm/parse-server@7.0.0-alpha.29", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5cyt-1hbn-pkgb" }, { 
"vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-5web-hc9c-kbhe" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-6f3m-zdr1-sqf7" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8d4r-sv2m-hqhe" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-b3ks-95ke-m7dz" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jnuv-zhzb-nygr" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": 
"VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-q8xg-vs4w-d7g7" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-w51h-8rx9-5yaw" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-wu9b-cdwh-mka2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-z7cb-6ruj-4bf2" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@7.0.0-alpha.29" } ], "aliases": [ "CVE-2024-29027", "GHSA-6hh7-46r2-vf29" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pt5h-ubds-5bah" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50843?format=api", "vulnerability_id": "VCID-pwb4-41pr-6kfs", "summary": "Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes\nThe `_GraphQLConfig` and `_Audience` internal classes can be read, modified, and deleted via the generic `/classes/_GraphQLConfig` and `/classes/_Audience` REST API routes without master key authentication. This bypasses the master key enforcement that exists on the dedicated `/graphql-config` and `/push_audiences` endpoints. 
An attacker can read, modify and delete GraphQL configuration and push audience data.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31800", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00106", "scoring_system": "epss", "scoring_elements": "0.28118", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00106", "scoring_system": "epss", "scoring_elements": "0.28161", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00106", "scoring_system": "epss", "scoring_elements": "0.28203", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00106", "scoring_system": "epss", "scoring_elements": "0.28253", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31800" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.25", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:53:42Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.25" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.12", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:53:42Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.12" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31800", "reference_id": "CVE-2026-31800", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31800" }, { "reference_url": "https://github.com/advisories/GHSA-7xg7-rqf6-pw6c", "reference_id": "GHSA-7xg7-rqf6-pw6c", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7xg7-rqf6-pw6c" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7xg7-rqf6-pw6c", "reference_id": "GHSA-7xg7-rqf6-pw6c", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:53:42Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7xg7-rqf6-pw6c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74726?format=api", "purl": "pkg:npm/parse-server@8.6.25", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": 
"VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": 
"VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.25" }, { "url": "http://public2.vulnerablecode.io/api/packages/74725?format=api", "purl": "pkg:npm/parse-server@9.5.2-alpha.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": 
"VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.12" } ], "aliases": [ "CVE-2026-31800", "GHSA-7xg7-rqf6-pw6c" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pwb4-41pr-6kfs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50741?format=api", "vulnerability_id": "VCID-q8xg-vs4w-d7g7", "summary": "parse-server's file creation and deletion bypasses `readOnlyMasterKey` write restriction\nThe `readOnlyMasterKey` can be used to create and delete files via the Files API (`POST /files/:filename`, `DELETE /files/:filename`). This bypasses the read-only restriction which violates the access scope of the `readOnlyMasterKey`.\n\nAny Parse Server deployment that uses `readOnlyMasterKey` and exposes the Files API is affected. 
An attacker with access to the `readOnlyMasterKey` can upload arbitrary files or delete existing files.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30228", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03379", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.034", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03415", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03402", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30228" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T20:29:21Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.5" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T20:29:21Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30228", "reference_id": "CVE-2026-30228", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30228" }, { "reference_url": "https://github.com/advisories/GHSA-xfh7-phr7-gr2x", "reference_id": "GHSA-xfh7-phr7-gr2x", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xfh7-phr7-gr2x" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-xfh7-phr7-gr2x", "reference_id": "GHSA-xfh7-phr7-gr2x", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T20:29:21Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-xfh7-phr7-gr2x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74527?format=api", "purl": "pkg:npm/parse-server@8.6.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { 
"vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": 
"VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-w51h-8rx9-5yaw" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/74526?format=api", "purl": "pkg:npm/parse-server@9.5.0-alpha.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": 
"VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fdvb-gy4j-6qcn" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-w51h-8rx9-5yaw" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": 
"VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.0-alpha.3" } ], "aliases": [ "CVE-2026-30228", "GHSA-xfh7-phr7-gr2x" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-q8xg-vs4w-d7g7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50844?format=api", "vulnerability_id": "VCID-qbz7-9nkp-xfew", "summary": "Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API\nAn unauthenticated attacker can exhaust Parse Server resources (CPU, memory, database connections) through crafted queries that exploit the lack of complexity limits in the REST and GraphQL APIs.\n\nAll Parse Server deployments using the REST or GraphQL API are affected.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30946", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06519", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06561", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06571", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06572", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30946" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", 
"scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.15", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:29:18Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.15" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:29:18Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30946", "reference_id": "CVE-2026-30946", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30946" }, { "reference_url": "https://github.com/advisories/GHSA-cmj3-wx7h-ffvg", "reference_id": "GHSA-cmj3-wx7h-ffvg", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cmj3-wx7h-ffvg" }, { "reference_url": 
"https://github.com/parse-community/parse-server/security/advisories/GHSA-cmj3-wx7h-ffvg", "reference_id": "GHSA-cmj3-wx7h-ffvg", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:29:18Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-cmj3-wx7h-ffvg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74727?format=api", "purl": "pkg:npm/parse-server@8.6.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": 
"VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.15" }, { "url": "http://public2.vulnerablecode.io/api/packages/74728?format=api", "purl": "pkg:npm/parse-server@9.5.2-alpha.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": 
"VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": 
"VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.2" } ], "aliases": [ "CVE-2026-30946", "GHSA-cmj3-wx7h-ffvg" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qbz7-9nkp-xfew" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50850?format=api", "vulnerability_id": "VCID-qupn-1ytd-tkae", "summary": "Parse Server vulnerable to LDAP injection via unsanitized user input in DN and group filter construction\nThe LDAP authentication adapter is vulnerable to LDAP injection. User-supplied input (`authData.id`) is interpolated directly into LDAP Distinguished Names (DN) and group search filters without escaping special characters. This allows an attacker with valid LDAP credentials to manipulate the bind DN structure and to bypass group membership checks. 
This enables privilege escalation from any authenticated LDAP user to a member of any restricted group.\n\nThe vulnerability affects Parse Server deployments that use the LDAP authentication adapter with group-based access control.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31828", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00164", "scoring_system": "epss", "scoring_elements": "0.37183", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00164", "scoring_system": "epss", "scoring_elements": "0.37222", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00164", "scoring_system": "epss", "scoring_elements": "0.37254", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00164", "scoring_system": "epss", "scoring_elements": "0.37247", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31828" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.26", "reference_id": "", "reference_type": "", "scores": [ { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:51:50Z/" } ], "url": 
"https://github.com/parse-community/parse-server/releases/tag/8.6.26" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.13", "reference_id": "", "reference_type": "", "scores": [ { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:51:50Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.13" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31828", "reference_id": "CVE-2026-31828", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31828" }, { "reference_url": "https://github.com/advisories/GHSA-7m6r-fhh7-r47c", "reference_id": "GHSA-7m6r-fhh7-r47c", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7m6r-fhh7-r47c" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7m6r-fhh7-r47c", "reference_id": "GHSA-7m6r-fhh7-r47c", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:51:50Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7m6r-fhh7-r47c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74763?format=api", "purl": "pkg:npm/parse-server@8.6.26", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { 
"vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.26" }, { "url": "http://public2.vulnerablecode.io/api/packages/74762?format=api", "purl": "pkg:npm/parse-server@9.5.2-alpha.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { 
"vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.13" } ], "aliases": [ "CVE-2026-31828", "GHSA-7m6r-fhh7-r47c" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qupn-1ytd-tkae" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50815?format=api", "vulnerability_id": "VCID-r432-uepe-vuah", "summary": "Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution\nAn unauthenticated attacker can crash the Parse Server process by calling a Cloud Function endpoint with a prototype property name as the function name. The server recurses infinitely, causing a call stack size error that terminates the process.\n\nOther prototype property names bypass Cloud Function dispatch validation and return HTTP 200 responses, even though no such Cloud Functions are defined. 
The same applies to dot-notation traversal.\n\nAll Parse Server deployments that expose the Cloud Function endpoint are affected.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30939", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00181", "scoring_system": "epss", "scoring_elements": "0.396", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00181", "scoring_system": "epss", "scoring_elements": "0.39629", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00181", "scoring_system": "epss", "scoring_elements": "0.39656", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00181", "scoring_system": "epss", "scoring_elements": "0.39652", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30939" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.13", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:56:39Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.13" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.5.1-alpha.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", 
"scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:56:39Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.1-alpha.2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30939", "reference_id": "CVE-2026-30939", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30939" }, { "reference_url": "https://github.com/advisories/GHSA-5j86-7r7m-p8h6", "reference_id": "GHSA-5j86-7r7m-p8h6", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5j86-7r7m-p8h6" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-5j86-7r7m-p8h6", "reference_id": "GHSA-5j86-7r7m-p8h6", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:56:39Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-5j86-7r7m-p8h6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74655?format=api", "purl": "pkg:npm/parse-server@8.6.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { 
"vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": 
"VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.13" }, { "url": "http://public2.vulnerablecode.io/api/packages/74656?format=api", "purl": "pkg:npm/parse-server@9.5.1-alpha.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": 
"VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.1-alpha.2" } ], "aliases": [ "CVE-2026-30939", "GHSA-5j86-7r7m-p8h6" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-r432-uepe-vuah" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89265?format=api", "vulnerability_id": "VCID-r9jq-4te8-xkfb", "summary": "Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value\n### Impact\n\nAn authenticated user with `find` 
class-level permission can bypass the `protectedFields` class-level permission setting on LiveQuery subscriptions. By sending a subscription with a `$or`, `$and`, or `$nor` operator value as a plain object with numeric keys and a `length` property (an \"array-like\" object) instead of an array, the protected-field guard is bypassed. The subscription event firing acts as a binary oracle, allowing the attacker to infer whether a protected field matches a given test value.\n\n### Patches\n\nThe fix validates that `$or`, `$and`, and `$nor` operator values are arrays in the LiveQuery subscription handler, the query depth checker, and the protected-field guard. As defense in depth, the LiveQuery query evaluator also rejects non-array values for these operators.\n\n### Workarounds\n\nThere is no known workaround.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34595", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10737", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10713", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12519", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12601", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34595" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": 
"https://github.com/parse-community/parse-server/commit/f63fd1a3fe0a7c1c5fe809f01b0e04759e8c9b98", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:22:23Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/f63fd1a3fe0a7c1c5fe809f01b0e04759e8c9b98" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/ffad0ec6b971ee0dd9545e1bf1fb34ddebf275c2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:22:23Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/ffad0ec6b971ee0dd9545e1bf1fb34ddebf275c2" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10350", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:22:23Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10350" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10351", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", 
"scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:22:23Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10351" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mmg8-87c5-jrc2", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:22:23Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mmg8-87c5-jrc2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34595", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34595" }, { "reference_url": "https://github.com/advisories/GHSA-mmg8-87c5-jrc2", "reference_id": "GHSA-mmg8-87c5-jrc2", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mmg8-87c5-jrc2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/110307?format=api", "purl": "pkg:npm/parse-server@8.6.70", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": 
"VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-w48t-hex5-qkcs" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.70" }, { "url": "http://public2.vulnerablecode.io/api/packages/110306?format=api", "purl": "pkg:npm/parse-server@9.7.0-alpha.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-w48t-hex5-qkcs" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.16" } ], "aliases": [ "CVE-2026-34595", "GHSA-mmg8-87c5-jrc2" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-r9jq-4te8-xkfb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89092?format=api", "vulnerability_id": "VCID-sd7z-5aa7-f7aw", "summary": "Parse Server has a login timing side-channel reveals user existence\n### Impact\n\nThe login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the server responds immediately. When a user exists but the password is wrong, a bcrypt comparison runs first, adding significant latency. This timing difference allows an unauthenticated attacker to enumerate valid usernames.\n\n### Patches\n\nA dummy bcrypt comparison is now performed when no user is found, normalizing response timing regardless of user existence. Additionally, accounts without a stored password (e.g. OAuth-only) now also run a dummy comparison to prevent the same timing oracle.\n\n### Workarounds\n\nConfigure rate limiting on the login endpoint to slow automated enumeration. 
This reduces throughput but does not eliminate the timing signal for individual requests.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39321", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.08988", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.08939", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.08985", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.09005", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39321" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10398", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T18:44:58Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10398" }, { 
"reference_url": "https://github.com/parse-community/parse-server/pull/10399", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T18:44:58Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10399" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mmpq-5hcv-hf2v", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T18:44:58Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mmpq-5hcv-hf2v" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39321", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2026-39321" }, { "reference_url": "https://github.com/advisories/GHSA-mmpq-5hcv-hf2v", "reference_id": "GHSA-mmpq-5hcv-hf2v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mmpq-5hcv-hf2v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/110119?format=api", "purl": "pkg:npm/parse-server@8.6.74", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.74" }, { "url": "http://public2.vulnerablecode.io/api/packages/110118?format=api", "purl": "pkg:npm/parse-server@9.8.0-alpha.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.8.0-alpha.6" } ], "aliases": [ "CVE-2026-39321", "GHSA-mmpq-5hcv-hf2v" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sd7z-5aa7-f7aw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50768?format=api", "vulnerability_id": "VCID-shyz-tw66-b3gv", "summary": "Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization\nThe file metadata endpoint (GET `/files/:appId/metadata/:filename`) does not enforce `beforeFind` / `afterFind` file triggers. When these triggers are used as access-control gates, the metadata endpoint bypasses them entirely, allowing unauthorized access to file metadata.\n\nThis affects any deployment that relies on `Parse.Cloud.beforeFind(Parse.File, ...)` to restrict file access. 
Only file metadata (user-defined key-value pairs set via addMetadata) is exposed; file content remains protected.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30850", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06108", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06154", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06159", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06171", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30850" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30850", "reference_id": "CVE-2026-30850", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30850" }, { "reference_url": "https://github.com/advisories/GHSA-hwx8-q9cg-mqmc", "reference_id": "GHSA-hwx8-q9cg-mqmc", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hwx8-q9cg-mqmc" }, { "reference_url": 
"https://github.com/parse-community/parse-server/security/advisories/GHSA-hwx8-q9cg-mqmc", "reference_id": "GHSA-hwx8-q9cg-mqmc", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T17:38:46Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-hwx8-q9cg-mqmc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74559?format=api", "purl": "pkg:npm/parse-server@8.6.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { 
"vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/74560?format=api", "purl": "pkg:npm/parse-server@9.5.0-alpha.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { 
"vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fdvb-gy4j-6qcn" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": 
"VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.0-alpha.9" } ], "aliases": [ "CVE-2026-30850", "GHSA-hwx8-q9cg-mqmc" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-shyz-tw66-b3gv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91876?format=api", "vulnerability_id": "VCID-twrs-rk3t-f3gf", "summary": "Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries\n### Impact\n\nAn attacker who is allowed to upload files can bypass the file extension filter by appending a MIME parameter (e.g. `;charset=utf-8`) to the `Content-Type` header. This causes the extension validation to fail matching against the blocklist, allowing active content to be stored and served under the application's domain. 
In addition, certain XML-based file extensions that can render scripts in web browsers are not included in the default blocklist.\n\nThis can lead to stored XSS attacks, compromising session tokens, user credentials, or other sensitive data accessible via the browser's local storage.\n\n### Patches\n\nThe fix strips MIME parameters from the `Content-Type` header before validating the file extension against the blocklist. The default blocklist has also been extended to include additional XML-based extensions (`xsd`, `rng`, `rdf`, `rdf+xml`, `owl`, `mathml`, `mathml+xml`) that can render active content in web browsers.\n\nNote that the `fileUpload.fileExtensions` option is intended to be configured as an allowlist of file extensions that are valid for a specific application, not as a denylist. The default denylist is provided only as a basic default that covers most common problematic extensions. It is not intended to be an exhaustive list of all potentially dangerous extensions. Developers should not rely on the default value, as new extensions that can render active content in browsers might emerge in the future.\n\n### Workarounds\n\nConfigure the `fileUpload.fileExtensions` option to use an allowlist of only the file extensions that your application needs, rather than relying on the default blocklist.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32728", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02825", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02841", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02894", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02886", "published_at": "2026-06-05T12:55:00Z" } ], "url": 
"https://api.first.org/data/v1/epss?cve=CVE-2026-32728" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/4f53ab3cad5502a51a509d53f999e00ff7217b8d", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T15:03:38Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/4f53ab3cad5502a51a509d53f999e00ff7217b8d" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/c7599c577a02b97eb5e76d4e20517b0283ae73c8", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T15:03:38Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/c7599c577a02b97eb5e76d4e20517b0283ae73c8" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10191", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": 
"HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T15:03:38Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10191" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10192", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T15:03:38Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10192" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-42ph-pf9q-cr72", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T15:03:38Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-42ph-pf9q-cr72" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32728", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32728" }, { "reference_url": "https://github.com/advisories/GHSA-42ph-pf9q-cr72", 
"reference_id": "GHSA-42ph-pf9q-cr72", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-42ph-pf9q-cr72" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/114363?format=api", "purl": "pkg:npm/parse-server@8.6.41", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.41" }, { "url": "http://public2.vulnerablecode.io/api/packages/114360?format=api", "purl": 
"pkg:npm/parse-server@9.6.0-alpha.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.15" } ], "aliases": [ "CVE-2026-32728", "GHSA-42ph-pf9q-cr72" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-twrs-rk3t-f3gf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90937?format=api", "vulnerability_id": "VCID-v5t3-r3mz-13gc", "summary": "Parse Server's Session Update endpoint 
allows overwriting server-generated session fields\n### Impact\n\nAn authenticated user can overwrite server-generated session fields such as `expiresAt` and `createdWith` when updating their own session via the REST API. This allows bypassing the server's configured session lifetime policy, making a session effectively permanent.\n\n### Patches\n\nThe fix blocks authenticated users from setting `expiresAt` and `createdWith` fields when updating a session. Master key and maintenance key operations are not affected.\n\n### Workarounds\n\nThere is no known workaround other than upgrading.\n\n### Resources\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-jc39-686j-wp6q\n- Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10263\n- Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10264", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33527", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02655", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02585", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02601", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02652", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33527" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", 
"scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/26b628c8fb3cc79ea955374769eebcff6f8a8a73", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:36:32Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/26b628c8fb3cc79ea955374769eebcff6f8a8a73" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/ea68fc0b22a6056c9675149469ff57817f7cf984", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:36:32Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/ea68fc0b22a6056c9675149469ff57817f7cf984" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10263", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:36:32Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10263" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10264", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:36:32Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10264" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-jc39-686j-wp6q", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:36:32Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-jc39-686j-wp6q" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33527", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", 
"scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33527" }, { "reference_url": "https://github.com/advisories/GHSA-jc39-686j-wp6q", "reference_id": "GHSA-jc39-686j-wp6q", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jc39-686j-wp6q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/112904?format=api", "purl": "pkg:npm/parse-server@8.6.57", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.57" }, { "url": "http://public2.vulnerablecode.io/api/packages/112903?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.48", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": 
"VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.48" } ], "aliases": [ "CVE-2026-33527", "GHSA-jc39-686j-wp6q" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-v5t3-r3mz-13gc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/110314?format=api", "vulnerability_id": "VCID-v7yq-ntze-e3b1", "summary": "Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks\n### Impact\n\nA compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server `requestKeywordDenylist` option.\n\n### Patches\n\nImproved keyword detection.\n\n### Workarounds\n\nNone.\n\n### Collaborators\n\nMikhail Shcherbakov, Cristian-Alexandru Staicu and Musard Balliu working with Trend Micro Zero Day Initiative\n\n### References\n\n- https://github.com/parse-community/parse-server/security/advisories/GHSA-93vw-8fm5-p2jf", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-41879", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00462", "scoring_system": "epss", "scoring_elements": "0.64568", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00462", "scoring_system": "epss", 
"scoring_elements": "0.64619", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00462", "scoring_system": "epss", "scoring_elements": "0.6461", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00462", "scoring_system": "epss", "scoring_elements": "0.64616", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00462", "scoring_system": "epss", "scoring_elements": "0.64597", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00462", "scoring_system": "epss", "scoring_elements": "0.64608", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-41879" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/60c5a73d257e0d536056b38bdafef8b7130524d8", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server/commit/60c5a73d257e0d536056b38bdafef8b7130524d8" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/6c63f04ba37174021082a5b5c4ba1556dcc954f4", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server/commit/6c63f04ba37174021082a5b5c4ba1556dcc954f4" }, { "reference_url": 
"https://github.com/parse-community/parse-server/pull/8305", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server/pull/8305" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/8306", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server/pull/8306" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/4.10.20", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/4.10.20" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/5.3.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/5.3.3" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-93vw-8fm5-p2jf", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": 
"" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:46:47Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-93vw-8fm5-p2jf" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41879", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41879" }, { "reference_url": "https://github.com/advisories/GHSA-93vw-8fm5-p2jf", "reference_id": "GHSA-93vw-8fm5-p2jf", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-93vw-8fm5-p2jf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/148913?format=api", "purl": "pkg:npm/parse-server@5.3.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-2h23-n9we-rbdj" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5cyt-1hbn-pkgb" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-5web-hc9c-kbhe" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-6f3m-zdr1-sqf7" }, { "vulnerability": "VCID-7ne4-7a82-9yfx" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8d4r-sv2m-hqhe" }, { "vulnerability": 
"VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-avfq-2nfn-fkdw" }, { "vulnerability": "VCID-b3ks-95ke-m7dz" }, { "vulnerability": "VCID-bgdt-2pkg-rbaj" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-d13k-gc2w-7yc1" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gkng-gbtu-hkc1" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jnuv-zhzb-nygr" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-msej-ykyc-qyhp" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pr98-q3e2-tydx" }, { "vulnerability": "VCID-pt5h-ubds-5bah" }, { "vulnerability": 
"VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-q8xg-vs4w-d7g7" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-w51h-8rx9-5yaw" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-wu9b-cdwh-mka2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-z7cb-6ruj-4bf2" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@5.3.3" } ], "aliases": [ "CVE-2022-41879", "GHSA-93vw-8fm5-p2jf", "GMS-2022-6745" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-v7yq-ntze-e3b1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90067?format=api", "vulnerability_id": "VCID-w48t-hex5-qkcs", "summary": "Parse Server's streaming file download bypasses afterFind file trigger authorization\n### Impact\n\nFile downloads via HTTP Range requests bypass the `afterFind(Parse.File)` trigger and its validators on storage adapters that support streaming (e.g. the default GridFS adapter). This allows access to files that should be protected by `afterFind` trigger authorization logic or built-in validators such as `requireUser`.\n\n### Patches\n\nThe streaming file download path now executes the `afterFind(Parse.File)` trigger before sending any data. 
Authentication is resolved from the session token header so that trigger validators can distinguish authenticated from unauthenticated requests.\n\n### Workarounds\n\nUse `beforeFind(Parse.File)` instead of `afterFind(Parse.File)` for file access authorization. The `beforeFind` trigger runs on all download paths including streaming.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34784", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03909", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03937", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03624", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03611", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34784" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/053109b3ee71815bc39ed84116c108ff9edbf337", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:31Z/" } ], "url": 
"https://github.com/parse-community/parse-server/commit/053109b3ee71815bc39ed84116c108ff9edbf337" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/a0b0c69fc44f87f80d793d257344e7dcbf676e22", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:31Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/a0b0c69fc44f87f80d793d257344e7dcbf676e22" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10361", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:31Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10361" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10362", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:31Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10362" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-hpm8-9qx6-jvwv", "reference_id": "", "reference_type": "", "scores": [ { 
"value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:31Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-hpm8-9qx6-jvwv" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34784", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34784" }, { "reference_url": "https://github.com/advisories/GHSA-hpm8-9qx6-jvwv", "reference_id": "GHSA-hpm8-9qx6-jvwv", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hpm8-9qx6-jvwv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/111315?format=api", "purl": "pkg:npm/parse-server@8.6.71", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.71" }, { "url": "http://public2.vulnerablecode.io/api/packages/111314?format=api", "purl": "pkg:npm/parse-server@9.7.1-alpha.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { 
"vulnerability": "VCID-sd7z-5aa7-f7aw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.1-alpha.1" } ], "aliases": [ "CVE-2026-34784", "GHSA-hpm8-9qx6-jvwv" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w48t-hex5-qkcs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50739?format=api", "vulnerability_id": "VCID-w51h-8rx9-5yaw", "summary": "parse-server's endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user\nThe `readOnlyMasterKey` can call `POST /loginAs` to obtain a valid session token for any user. This allows a read-only credential to impersonate arbitrary users with full read and write access to their data. Any Parse Server deployment that uses `readOnlyMasterKey` is affected.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30229", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07145", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07188", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07202", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07196", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30229" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { 
"reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.6", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T20:29:01Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.6" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.4", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T20:29:01Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30229", "reference_id": "CVE-2026-30229", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30229" }, { "reference_url": "https://github.com/advisories/GHSA-79wj-8rqv-jvp5", "reference_id": "GHSA-79wj-8rqv-jvp5", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-79wj-8rqv-jvp5" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-79wj-8rqv-jvp5", "reference_id": 
"GHSA-79wj-8rqv-jvp5", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T20:29:01Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-79wj-8rqv-jvp5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74524?format=api", "purl": "pkg:npm/parse-server@8.6.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": 
"VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/74525?format=api", "purl": "pkg:npm/parse-server@9.5.0-alpha.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": 
"VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fdvb-gy4j-6qcn" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": 
"VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.0-alpha.4" } ], "aliases": [ "CVE-2026-30229", "GHSA-79wj-8rqv-jvp5" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w51h-8rx9-5yaw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50869?format=api", "vulnerability_id": "VCID-wazt-mb6n-dudq", "summary": "Parse Server has a protected fields bypass via logical query operators\nThe validation for protected fields only checks top-level query keys. By wrapping a query constraint on a protected field inside a logical operator, the check is bypassed entirely. 
This allows any authenticated user to query on protected fields to extract field values.\n\nAll Parse Server deployments have default protected fields and are vulnerable.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30962", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14471", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14555", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14595", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14592", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30962" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.19", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-11T14:28:30Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.19" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.6", "reference_id": "", "reference_type": "", "scores": [ { 
"value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-11T14:28:30Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30962", "reference_id": "CVE-2026-30962", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30962" }, { "reference_url": "https://github.com/advisories/GHSA-72hp-qff8-4pvv", "reference_id": "GHSA-72hp-qff8-4pvv", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-72hp-qff8-4pvv" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-72hp-qff8-4pvv", "reference_id": "GHSA-72hp-qff8-4pvv", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-11T14:28:30Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-72hp-qff8-4pvv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74819?format=api", "purl": "pkg:npm/parse-server@8.6.19", "is_vulnerable": 
true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": 
"VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.19" }, { "url": "http://public2.vulnerablecode.io/api/packages/74818?format=api", "purl": "pkg:npm/parse-server@9.5.2-alpha.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": 
"VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.6" } ], "aliases": [ "CVE-2026-30962", "GHSA-72hp-qff8-4pvv" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wazt-mb6n-dudq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50909?format=api", "vulnerability_id": "VCID-wh63-a1pu-c3g2", "summary": "Parse Server: Account takeover via operator injection in authentication data identifier\nAn unauthenticated attacker can take over any user account that was created with an authentication provider that does not validate the format of the user identifier (e.g. anonymous authentication). By sending a crafted login request, the attacker can cause the server to perform a pattern-matching query instead of an exact-match lookup, allowing the attacker to match an existing user and obtain a valid session token for that user's account. Both MongoDB and PostgreSQL database backends are affected. 
Any Parse Server deployment that allows anonymous authentication (enabled by default) is vulnerable.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32248", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.001", "scoring_system": "epss", "scoring_elements": "0.27386", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.001", "scoring_system": "epss", "scoring_elements": "0.27246", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.001", "scoring_system": "epss", "scoring_elements": "0.27296", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.001", "scoring_system": "epss", "scoring_elements": "0.27336", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32248" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.38", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-13T16:17:01Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.38" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.12", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-13T16:17:01Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.12" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32248", "reference_id": "CVE-2026-32248", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32248" }, { "reference_url": "https://github.com/advisories/GHSA-5fw2-8jcv-xh87", "reference_id": "GHSA-5fw2-8jcv-xh87", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5fw2-8jcv-xh87" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-5fw2-8jcv-xh87", "reference_id": "GHSA-5fw2-8jcv-xh87", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-13T16:17:01Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-5fw2-8jcv-xh87" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74866?format=api", "purl": "pkg:npm/parse-server@8.6.38", "is_vulnerable": true, "affected_by_vulnerabilities": [ { 
"vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.38" }, { "url": "http://public2.vulnerablecode.io/api/packages/74865?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { 
"vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.12" } ], "aliases": [ "CVE-2026-32248", "GHSA-5fw2-8jcv-xh87" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wh63-a1pu-c3g2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/48370?format=api", "vulnerability_id": "VCID-wu9b-cdwh-mka2", "summary": "Parse Server allows public `explain` queries which may expose sensitive database performance information and schema details\nThe MongoDB `explain()` method provides detailed 
information about query execution plans, including index usage, collection scanning behavior, and performance metrics. Parse Server permits any client to execute explain queries without requiring the master key. This exposes:\n\n- Database schema structure and field names\n- Index configurations and query optimization details\n- Query execution statistics and performance metrics\n- Potential attack vectors for database performance exploitation", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-64502", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00098", "scoring_system": "epss", "scoring_elements": "0.2704", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00118", "scoring_system": "epss", "scoring_elements": "0.30271", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00118", "scoring_system": "epss", "scoring_elements": "0.30303", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00118", "scoring_system": "epss", "scoring_elements": "0.30332", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-64502" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/4456b02280c2d8dd58b7250e9e67f1a8647b3452", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", 
"scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-12T17:36:05Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/4456b02280c2d8dd58b7250e9e67f1a8647b3452" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/9890", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-12T17:36:05Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/9890" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64502", "reference_id": "CVE-2025-64502", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64502" }, { "reference_url": "https://github.com/advisories/GHSA-7cx5-254x-cgrq", "reference_id": "GHSA-7cx5-254x-cgrq", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7cx5-254x-cgrq" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7cx5-254x-cgrq", "reference_id": "GHSA-7cx5-254x-cgrq", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", 
"scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-12T17:36:05Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7cx5-254x-cgrq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/71397?format=api", "purl": "pkg:npm/parse-server@8.5.0-alpha.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-5web-hc9c-kbhe" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8d4r-sv2m-hqhe" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-b3ks-95ke-m7dz" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": 
"VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jnuv-zhzb-nygr" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-q8xg-vs4w-d7g7" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-w51h-8rx9-5yaw" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.5.0-alpha.5" } ], "aliases": [ "CVE-2025-64502", "GHSA-7cx5-254x-cgrq" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wu9b-cdwh-mka2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90890?format=api", "vulnerability_id": "VCID-ww53-ctcz-r7bp", "summary": "Parse Server crash 
via deeply nested query condition operators\n### Impact\n\nAn unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nested query condition operators. This terminates the server and denies service to all connected clients.\n\n### Patches\n\nA depth limit for query condition operator nesting has been added via the `requestComplexity.queryDepth` server option. The option is disabled by default to avoid a breaking change, so upgrading alone does not apply the limit. To mitigate, upgrade and set the option to a value appropriate for your app.\n\n### Workarounds\n\nNone.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32944", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05612", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05558", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05599", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05597", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32944" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10202", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", 
"scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-19T16:56:21Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10202" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10203", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-19T16:56:21Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10203" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-9xp9-j92r-p88v", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-19T16:56:21Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-9xp9-j92r-p88v" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32944", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32944" }, { "reference_url": "https://github.com/advisories/GHSA-9xp9-j92r-p88v", "reference_id": "GHSA-9xp9-j92r-p88v", 
"reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9xp9-j92r-p88v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/112786?format=api", "purl": "pkg:npm/parse-server@8.6.45", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.45" }, { "url": "http://public2.vulnerablecode.io/api/packages/112784?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.21", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": 
"VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.21" } ], "aliases": [ "CVE-2026-32944", "GHSA-9xp9-j92r-p88v" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ww53-ctcz-r7bp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91753?format=api", "vulnerability_id": "VCID-xpuh-u9nt-m7dt", "summary": "Parse Server has a protected field change detection oracle via LiveQuery watch parameter\n### Impact\n\nAn attacker can subscribe to LiveQuery with a `watch` parameter targeting a protected field. Although the protected field value is properly stripped from event payloads, the presence or absence of update events reveals whether the protected field changed, creating a binary oracle. 
For boolean protected fields, the timing of change events is equivalent to knowing the field value.\n\n### Patches\n\nThe `watch` parameter is now validated against protected fields at subscription time, mirroring the existing validation for the `where` clause. Subscriptions that include protected fields in `watch` are rejected with a permission error. Master key connections are exempt.\n\n### Workarounds\n\nNone.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33429", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03033", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03092", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03051", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03102", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33429" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/0c0a0a5a37ca821d2553119f2cb3be35322eda4b", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:33:05Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/0c0a0a5a37ca821d2553119f2cb3be35322eda4b" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/c62eacaf38de86913f09240583448360b1cc8e67", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:33:05Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/c62eacaf38de86913f09240583448360b1cc8e67" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10253", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:33:05Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10253" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10254", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", 
"scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:33:05Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10254" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-qpc3-fg4j-8hgm", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:33:05Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-qpc3-fg4j-8hgm" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33429", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33429" }, { "reference_url": "https://github.com/advisories/GHSA-qpc3-fg4j-8hgm", "reference_id": "GHSA-qpc3-fg4j-8hgm", "reference_type": "", "scores": [ { "value": "MODERATE", 
"scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qpc3-fg4j-8hgm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/114088?format=api", "purl": "pkg:npm/parse-server@8.6.54", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.54" }, { "url": "http://public2.vulnerablecode.io/api/packages/74558?format=api", "purl": "pkg:npm/parse-server@9.0.0-alpha.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { 
"vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-shyz-tw66-b3gv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.0.0-alpha.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/114087?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.43", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.43" } ], "aliases": [ "CVE-2026-33429", "GHSA-qpc3-fg4j-8hgm" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xpuh-u9nt-m7dt" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56959?format=api", "vulnerability_id": "VCID-z7cb-6ruj-4bf2", "summary": "Parse Server has an OAuth login vulnerability\nThe 3rd party authentication handling of Parse Server allows the authentication credentials of some specific authentication providers to be used across multiple Parse Server apps. 
For example, if a user signed up using the same authentication provider in two unrelated Parse Server apps, the credentials stored by one app can be used to authenticate the same user in the other app. Note that this only affects Parse Server apps that specifically use an affected 3rd party authentication provider for user authentication, for example by setting the Parse Server option `auth` to configure a Parse Server authentication adapter. See the [3rd party authentication docs](https://docs.parseplatform.org/parse-server/guide/#oauth-and-3rd-party-authentication) for more information on which authentication providers are affected.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-30168", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00195", "scoring_system": "epss", "scoring_elements": "0.41257", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00195", "scoring_system": "epss", "scoring_elements": "0.41246", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00195", "scoring_system": "epss", "scoring_elements": "0.41277", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00195", "scoring_system": "epss", "scoring_elements": "0.41308", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00195", "scoring_system": "epss", "scoring_elements": "0.41304", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-30168" }, { "reference_url": "https://docs.parseplatform.org/parse-server/guide/#oauth-and-3rd-party-authentication", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-21T15:12:30Z/" } ], "url": 
"https://docs.parseplatform.org/parse-server/guide/#oauth-and-3rd-party-authentication" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/2ff9c71030bce3aada0a00fbceedeb7ae2c8a41e", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-21T15:12:30Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/2ff9c71030bce3aada0a00fbceedeb7ae2c8a41e" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/5ef0440c8e763854e62341acaeb6dc4ade3ba82f", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-21T15:12:30Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/5ef0440c8e763854e62341acaeb6dc4ade3ba82f" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/9667", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "MODERATE", 
"scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-21T15:12:30Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/9667" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/9668", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-21T15:12:30Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/9668" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30168", "reference_id": "CVE-2025-30168", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30168" }, { "reference_url": "https://github.com/advisories/GHSA-837q-jhwx-cmpv", "reference_id": "GHSA-837q-jhwx-cmpv", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-837q-jhwx-cmpv" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-837q-jhwx-cmpv", "reference_id": "GHSA-837q-jhwx-cmpv", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", 
"scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-21T15:12:30Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-837q-jhwx-cmpv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/84560?format=api", "purl": "pkg:npm/parse-server@7.5.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5cyt-1hbn-pkgb" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-5web-hc9c-kbhe" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-6f3m-zdr1-sqf7" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8d4r-sv2m-hqhe" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-b3ks-95ke-m7dz" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { 
"vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jnuv-zhzb-nygr" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-q8xg-vs4w-d7g7" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-w51h-8rx9-5yaw" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-wu9b-cdwh-mka2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@7.5.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/811427?format=api", "purl": "pkg:npm/parse-server@8.0.0-alpha.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { 
"vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-5web-hc9c-kbhe" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8d4r-sv2m-hqhe" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-b3ks-95ke-m7dz" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jnuv-zhzb-nygr" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": 
"VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-q8xg-vs4w-d7g7" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-w51h-8rx9-5yaw" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-wu9b-cdwh-mka2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.0.0-alpha.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/84561?format=api", "purl": "pkg:npm/parse-server@8.0.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-4geq-pnnp-3fd8" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5cyt-1hbn-pkgb" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-5web-hc9c-kbhe" }, { "vulnerability": "VCID-67gc-6w6e-rkcg" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-6f3m-zdr1-sqf7" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-7xk3-yn6w-nfd1" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": 
"VCID-8d4r-sv2m-hqhe" }, { "vulnerability": "VCID-8gsh-j1b9-3bew" }, { "vulnerability": "VCID-8xmh-99mq-ybbf" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9fqm-a5xk-j7d5" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-au5b-pexg-tubt" }, { "vulnerability": "VCID-b3ks-95ke-m7dz" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-caaw-qhvr-nqaz" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-dazy-p9qb-7qgk" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jnuv-zhzb-nygr" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n514-mj64-wkfb" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nnat-huec-buht" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-p27e-zbjb-ebbh" }, { "vulnerability": "VCID-p34v-j1s6-a7hn" }, { "vulnerability": "VCID-pwb4-41pr-6kfs" }, { "vulnerability": "VCID-q8xg-vs4w-d7g7" }, { "vulnerability": "VCID-qbz7-9nkp-xfew" }, { "vulnerability": "VCID-qupn-1ytd-tkae" }, { "vulnerability": "VCID-r432-uepe-vuah" }, { "vulnerability": 
"VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-shyz-tw66-b3gv" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-w51h-8rx9-5yaw" }, { "vulnerability": "VCID-wazt-mb6n-dudq" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-wu9b-cdwh-mka2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.0.2" } ], "aliases": [ "CVE-2025-30168", "GHSA-837q-jhwx-cmpv" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-z7cb-6ruj-4bf2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91083?format=api", "vulnerability_id": "VCID-ze79-p1vg-47fx", "summary": "parse-server has GraphQL complexity validator exponential fragment traversal DoS\n### Impact\n\nThe GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads. A single unauthenticated request can block the Node.js event loop for seconds, denying service to all concurrent users. This only affects deployments that have enabled the `requestComplexity.graphQLDepth` or `requestComplexity.graphQLFields` configuration options.\n\n### Patches\n\nThe fix replaces the per-branch fragment traversal with memoized fragment computation, reducing the traversal from exponential O(2^N) to linear O(N) time. 
Additionally, early termination aborts the traversal as soon as configured limits are exceeded.\n\n### Workarounds\n\nDisable GraphQL complexity limits by setting `requestComplexity.graphQLDepth` and `requestComplexity.graphQLFields` to `-1` (the default). With the limits disabled, these options no longer bound GraphQL query depth or field count, so the workaround removes the complexity limiting they provided until a patched version is installed.\n\n### Resources\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-mfj6-6p54-m98c\n- Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10344\n- Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10345", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34573", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04954", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.0494", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05247", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05287", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34573" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/ea15412795f34594cc8a674fe858d445675e0295", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", 
"scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:19Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/ea15412795f34594cc8a674fe858d445675e0295" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/f759bda075298ec44e2b4fb57659a0c56620483b", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:19Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/f759bda075298ec44e2b4fb57659a0c56620483b" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10344", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:19Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10344" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10345", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:19Z/" } ], "url": 
"https://github.com/parse-community/parse-server/pull/10345" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mfj6-6p54-m98c", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:19Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mfj6-6p54-m98c" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34573", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34573" }, { "reference_url": "https://github.com/advisories/GHSA-mfj6-6p54-m98c", "reference_id": "GHSA-mfj6-6p54-m98c", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mfj6-6p54-m98c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113107?format=api", "purl": "pkg:npm/parse-server@8.6.68", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-w48t-hex5-qkcs" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.68" }, { "url": "http://public2.vulnerablecode.io/api/packages/113106?format=api", "purl": "pkg:npm/parse-server@9.7.0-alpha.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-w48t-hex5-qkcs" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.12" } ], "aliases": [ "CVE-2026-34573", "GHSA-mfj6-6p54-m98c" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ze79-p1vg-47fx" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@5.3.0-alpha.16" }