Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/74762?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/74762?format=api", "purl": "pkg:npm/parse-server@9.5.2-alpha.13", "type": "npm", "namespace": "", "name": "parse-server", "version": "9.5.2-alpha.13", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "9.9.0-alpha.2", "latest_non_vulnerable_version": "9.9.1-alpha.2", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50835?format=api", "vulnerability_id": "VCID-1j65-rdzh-6bc3", "summary": "Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL\nA SQL injection vulnerability exists in the PostgreSQL storage adapter when processing `Increment` operations on nested object fields using dot notation (e.g., `stats.counter`). The sub-key name is interpolated directly into SQL string literals without escaping. An attacker who can send write requests to the Parse Server REST API can inject arbitrary SQL via a crafted sub-key name containing single quotes, potentially executing commands or reading data from the database, bypassing CLPs and ACLs.\n\nOnly Postgres deployments are affected.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31871", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13198", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13276", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13317", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13313", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31871" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:09:48Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.31" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:09:48Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.5" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31871", "reference_id": "CVE-2026-31871", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31871" }, { "reference_url": "https://github.com/advisories/GHSA-gqpp-xgvh-9h7h", "reference_id": "GHSA-gqpp-xgvh-9h7h", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gqpp-xgvh-9h7h" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-gqpp-xgvh-9h7h", "reference_id": "GHSA-gqpp-xgvh-9h7h", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:09:48Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-gqpp-xgvh-9h7h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74708?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.5" } ], "aliases": [ "CVE-2026-31871", "GHSA-gqpp-xgvh-9h7h" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1j65-rdzh-6bc3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50871?format=api", "vulnerability_id": "VCID-3pbu-nwcc-hydn", "summary": "Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types\nAn attacker can upload a file with a file extension or content type that is not blocked by the default configuration of the Parse Server `fileUpload.fileExtensions` option. The file can contain malicious code, for example JavaScript in an SVG or XHTML file. When the file is accessed via its URL, the browser renders the file and executes the malicious code in the context of the Parse Server domain. This is a stored Cross-Site Scripting (XSS) vulnerability that can be exploited to steal session tokens, redirect users, or perform actions on behalf of other users.\n\nAffected file extensions and content types include `.svgz`, `.xht`, `.xml`, `.xsl`, `.xslt`, and content types `application/xhtml+xml` and `application/xslt+xml` for extensionless uploads. Uploading of `.html`, `.htm`, `.shtml`, `.xhtml`, and `.svg` files was already blocked.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31868", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.19928", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.19994", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.20032", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.20038", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31868" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.30", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:10:45Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.30" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.4", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:10:45Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31868", "reference_id": "CVE-2026-31868", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31868" }, { "reference_url": "https://github.com/advisories/GHSA-v5hf-f4c3-m5rv", "reference_id": "GHSA-v5hf-f4c3-m5rv", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v5hf-f4c3-m5rv" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-v5hf-f4c3-m5rv", "reference_id": "GHSA-v5hf-f4c3-m5rv", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:10:45Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-v5hf-f4c3-m5rv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74827?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.4" } ], "aliases": [ "CVE-2026-31868", "GHSA-v5hf-f4c3-m5rv" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3pbu-nwcc-hydn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50878?format=api", "vulnerability_id": "VCID-51jb-xry5-5qc2", "summary": "Parse Server has a protected fields bypass via dot-notation in query and sort\nThe `protectedFields` class-level permission (CLP) can be bypassed using dot-notation in query WHERE clauses and sort parameters. An attacker can use dot-notation to query or sort by sub-fields of a protected field, enabling a binary oracle attack to enumerate protected field values.\n\nThis affects both MongoDB and PostgreSQL deployments.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31872", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00049", "scoring_system": "epss", "scoring_elements": "0.15452", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00049", "scoring_system": "epss", "scoring_elements": "0.15535", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00049", "scoring_system": "epss", "scoring_elements": "0.15575", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00049", "scoring_system": "epss", "scoring_elements": "0.15585", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31872" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.32", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:09:09Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.32" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.6", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:09:09Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31872", "reference_id": "CVE-2026-31872", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31872" }, { "reference_url": "https://github.com/advisories/GHSA-r2m8-pxm9-9c4g", "reference_id": "GHSA-r2m8-pxm9-9c4g", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r2m8-pxm9-9c4g" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-r2m8-pxm9-9c4g", "reference_id": "GHSA-r2m8-pxm9-9c4g", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:09:09Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-r2m8-pxm9-9c4g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74839?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.6" } ], "aliases": [ "CVE-2026-31872", "GHSA-r2m8-pxm9-9c4g" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-51jb-xry5-5qc2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90901?format=api", "vulnerability_id": "VCID-5j87-2q5c-cqdf", "summary": "GraphQL API endpoint ignores CORS origin restriction\n### Impact\n\nThe GraphQL API endpoint does not respect the `allowOrigin` server option and unconditionally allows cross-origin requests from any website. This bypasses origin restrictions that operators configure to control which websites can interact with the Parse Server API. The REST API correctly enforces the configured `allowOrigin` restriction.\n\n### Patches\n\nThe GraphQL API endpoint now uses the same CORS middleware as the REST API, ensuring the `allowOrigin` and `allowHeaders` server options are consistently enforced across all endpoints.\n\n### Workarounds\n\nThere is no known workaround other than upgrading.\n\n### Resources\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-q3p6-g7c4-829c\n- Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10334\n- Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10335", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34373", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05178", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05191", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06185", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06231", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34373" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/0347641507891d0013ec57f7c10f012064f41263", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:23:36Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/0347641507891d0013ec57f7c10f012064f41263" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/4dd0d3d8be1c39664c74ad10bb0abaa76bc41203", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:23:36Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/4dd0d3d8be1c39664c74ad10bb0abaa76bc41203" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10334", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:23:36Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10334" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10335", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:23:36Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10335" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-q3p6-g7c4-829c", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:23:36Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-q3p6-g7c4-829c" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34373", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34373" }, { "reference_url": "https://github.com/advisories/GHSA-q3p6-g7c4-829c", "reference_id": "GHSA-q3p6-g7c4-829c", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-q3p6-g7c4-829c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/112824?format=api", "purl": "pkg:npm/parse-server@9.7.0-alpha.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.10" } ], "aliases": [ "CVE-2026-34373", "GHSA-q3p6-g7c4-829c" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5j87-2q5c-cqdf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91315?format=api", "vulnerability_id": "VCID-5tkj-suz2-hyf2", "summary": "Parse Server affected by empty authData bypassing credential requirement on signup\n### Impact\n\nA user can sign up without providing credentials by sending an empty `authData` object, bypassing the username and password requirement. This allows the creation of authenticated sessions without proper credentials, even when anonymous users are disabled.\n\n### Patches\n\nThe fix ensures that empty or non-actionable `authData` is treated the same as absent `authData` for the purpose of credential validation on new user creation. Username and password are now required when no valid auth provider data is present.\n\n### Workarounds\n\nUse a Cloud Code `beforeSave` trigger on the `_User` class to reject signups where `authData` is empty and no username/password is provided.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33042", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02007", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.01991", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02004", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02015", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33042" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10219", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:10:06Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10219" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10220", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:10:06Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10220" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-wjqw-r9x4-j59v", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:10:06Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-wjqw-r9x4-j59v" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33042", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33042" }, { "reference_url": "https://github.com/advisories/GHSA-wjqw-r9x4-j59v", "reference_id": "GHSA-wjqw-r9x4-j59v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wjqw-r9x4-j59v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113422?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.29", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.29" } ], "aliases": [ "CVE-2026-33042", "GHSA-wjqw-r9x4-j59v" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5tkj-suz2-hyf2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50903?format=api", "vulnerability_id": "VCID-5tn5-f5x6-afbh", "summary": "Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause\nAn attacker can exploit LiveQuery subscriptions to infer the values of protected fields without directly receiving them. By subscribing with a WHERE clause that references a protected field (including via dot-notation or `$regex`), the attacker can observe whether LiveQuery events are delivered for matching objects. This creates a boolean oracle that leaks protected field values. The attack affects any class that has both `protectedFields` configured in Class-Level Permissions and LiveQuery enabled.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32098", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00052", "scoring_system": "epss", "scoring_elements": "0.16526", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00052", "scoring_system": "epss", "scoring_elements": "0.164", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00052", "scoring_system": "epss", "scoring_elements": "0.16481", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00052", "scoring_system": "epss", "scoring_elements": "0.16523", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32098" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.35", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T19:52:46Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.35" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.9", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T19:52:46Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.9" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32098", "reference_id": "CVE-2026-32098", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32098" }, { "reference_url": "https://github.com/advisories/GHSA-j7mm-f4rv-6q6q", "reference_id": "GHSA-j7mm-f4rv-6q6q", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-j7mm-f4rv-6q6q" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-j7mm-f4rv-6q6q", "reference_id": "GHSA-j7mm-f4rv-6q6q", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T19:52:46Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-j7mm-f4rv-6q6q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74860?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.9" } ], "aliases": [ "CVE-2026-32098", "GHSA-j7mm-f4rv-6q6q" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5tn5-f5x6-afbh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90996?format=api", "vulnerability_id": "VCID-6bmy-ymay-zfdm", "summary": "Parse Server vulnerable to schema poisoning via prototype pollution in deep copy\n### Impact\n\nAn attacker can bypass the default request keyword denylist protection and the class-level permission for adding fields by sending a crafted request that exploits prototype pollution in the deep copy mechanism. This allows injecting fields into class schemas that have field addition locked down, and can cause permanent schema type conflicts that cannot be resolved even with the master key.\n\n### Patches\n\nThe vulnerable third-party deep copy library has been replaced with a built-in deep clone mechanism that handles prototype properties safely, allowing the existing denylist check to correctly detect and reject the prohibited keyword.\n\n### Workarounds\n\nNone.\n\n### Vulnerability Independence\n\nThis vulnerability is not caused by or dependent on a vulnerability in a third-party dependency.\n\nThe third-party `deepcopy` library that was replaced in the fix has no known CVE or security advisory regarding this. The library functions as designed. It is not vulnerable.\n\nThe vulnerability is in parse-server's own request processing logic. Parse-server's security-critical keyword denylist check runs after the deep copy step in the request pipeline. The deep copy step strips `__proto__` properties as a normal part of its cloning behavior, which means the denylist check never sees the prohibited key. This allows an attacker to bypass both the denylist protection and class-level permissions for adding fields, resulting in schema poisoning.\n\nThe root cause is parse-server's reliance on a cloning mechanism that alters the shape of the data before the security check can inspect it. This is a logic flaw in parse-server's security pipeline, not a vulnerability in a dependency. Replacing the cloning mechanism was the fix for parse-server's own bug.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32878", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.0361", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03592", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03616", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03624", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32878" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10200", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T16:13:21Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10200" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10201", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T16:13:21Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10201" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-9ccr-fpp6-78qf", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T16:13:21Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-9ccr-fpp6-78qf" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32878", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32878" }, { "reference_url": "https://github.com/advisories/GHSA-9ccr-fpp6-78qf", "reference_id": "GHSA-9ccr-fpp6-78qf", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9ccr-fpp6-78qf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/112994?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.20", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.20" } ], "aliases": [ "CVE-2026-32878", "GHSA-9ccr-fpp6-78qf" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6bmy-ymay-zfdm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50852?format=api", "vulnerability_id": "VCID-7spb-rcbx-w7gn", "summary": "Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL\nA SQL injection vulnerability exists in the PostgreSQL storage adapter when processing `Increment` operations on nested object fields using dot notation (e.g., `stats.counter`). The `amount` value is interpolated directly into the SQL query without parameterization or type validation. An attacker who can send write requests to the Parse Server REST API can inject arbitrary SQL subqueries to read any data from the database, bypassing CLPs and ACLs.\n\nMongoDB deployments are not affected.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31856", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13198", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13276", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13317", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13313", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31856" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.29", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:11:18Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.29" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:11:18Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31856", "reference_id": "CVE-2026-31856", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31856" }, { "reference_url": "https://github.com/advisories/GHSA-q3vj-96h2-gwvg", "reference_id": "GHSA-q3vj-96h2-gwvg", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-q3vj-96h2-gwvg" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-q3vj-96h2-gwvg", "reference_id": "GHSA-q3vj-96h2-gwvg", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:11:18Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-q3vj-96h2-gwvg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74770?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.3" } ], "aliases": [ "CVE-2026-31856", "GHSA-q3vj-96h2-gwvg" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7spb-rcbx-w7gn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90956?format=api", "vulnerability_id": "VCID-82fj-6jd2-hqc1", "summary": "LiveQuery protected field leak via shared mutable state across concurrent subscribers\n### Impact\n\nWhen multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects. The sensitive data filter modifies these shared objects in-place, so when one subscriber's filter removes a protected field, subsequent subscribers may receive the already-filtered object. This can cause protected fields and authentication data to leak to clients that should not see them, or cause clients that should see the data to receive an incomplete object.\n\nAdditionally, when an afterEvent Cloud Code trigger is registered, one subscriber's trigger modifications can leak to other subscribers through the same shared mutable state.\n\nAny Parse Server deployment using LiveQuery with protected fields or afterEvent triggers is affected when multiple clients subscribe to the same class.\n\n### Patches\n\nThe fix deep-clones the shared objects at the start of each subscriber's processing callback, ensuring each subscriber works on an independent copy. Additionally, a bug was fixed where master key LiveQuery clients could not receive events on classes with protected fields due to an incorrect type passed to the sensitive data filter.\n\n### Workarounds\n\nThere is no known workaround.\n\n### Resources\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-m983-v2ff-wq65\n- Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10330\n- Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10331", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34363", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06809", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.0681", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06847", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06813", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34363" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/5834e29234593addaa0251a85f572ad4f376320b", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:22Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/5834e29234593addaa0251a85f572ad4f376320b" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/776c71c3078e77d38c94937f463741793609d055", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:22Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/776c71c3078e77d38c94937f463741793609d055" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10330", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:22Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10330" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10331", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:22Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10331" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-m983-v2ff-wq65", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:22Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-m983-v2ff-wq65" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34363", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34363" }, { "reference_url": "https://github.com/advisories/GHSA-m983-v2ff-wq65", "reference_id": "GHSA-m983-v2ff-wq65", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m983-v2ff-wq65" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/112925?format=api", "purl": "pkg:npm/parse-server@9.7.0-alpha.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.9" } ], "aliases": [ "CVE-2026-34363", "GHSA-m983-v2ff-wq65" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-82fj-6jd2-hqc1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50803?format=api", "vulnerability_id": "VCID-8zde-nj53-ebhu", "summary": "Parse Server: SQL injection via dot-notation field name in PostgreSQL\nAn attacker can use a dot-notation field name in combination with the `sort` query parameter to inject SQL into the PostgreSQL database through an improper escaping of sub-field values in dot-notation queries. The vulnerability may also affect queries that use dot-notation field names with the `distinct` and `where` query parameters.\n\nThis vulnerability only affects deployments using a PostgreSQL database.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31840", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00072", "scoring_system": "epss", "scoring_elements": "0.22069", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00072", "scoring_system": "epss", "scoring_elements": "0.22124", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00072", "scoring_system": "epss", "scoring_elements": "0.22173", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00072", "scoring_system": "epss", "scoring_elements": "0.22186", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31840" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.28", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-11T17:37:24Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.28" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-11T17:37:24Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31840", "reference_id": "CVE-2026-31840", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31840" }, { "reference_url": "https://github.com/advisories/GHSA-qpr4-jrj4-6f27", "reference_id": "GHSA-qpr4-jrj4-6f27", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qpr4-jrj4-6f27" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-qpr4-jrj4-6f27", "reference_id": "GHSA-qpr4-jrj4-6f27", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-11T17:37:24Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-qpr4-jrj4-6f27" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74623?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.2" } ], "aliases": [ "CVE-2026-31840", "GHSA-qpr4-jrj4-6f27" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8zde-nj53-ebhu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50923?format=api", "vulnerability_id": "VCID-9kyv-xmvr-nfgf", "summary": "Parse Server's OAuth2 adapter shares mutable state across providers via singleton instance\nParse Server's built-in OAuth2 auth adapter exports a singleton instance that is reused directly across all OAuth2 provider configurations. Under concurrent authentication requests for different OAuth2 providers, one provider's token validation may execute using another provider's configuration, potentially allowing a token that should be rejected by one provider to be accepted because it is validated against a different provider's policy.\n\nDeployments that configure multiple OAuth2 providers via the `oauth2: true` flag are affected.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32242", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00066", "scoring_system": "epss", "scoring_elements": "0.20637", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00066", "scoring_system": "epss", "scoring_elements": "0.20513", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00066", "scoring_system": "epss", "scoring_elements": "0.20582", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00066", "scoring_system": "epss", "scoring_elements": "0.20625", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32242" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.37", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:20:03Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.37" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.11", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:20:03Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.11" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32242", "reference_id": "CVE-2026-32242", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32242" }, { "reference_url": "https://github.com/advisories/GHSA-2cjm-2gwv-m892", "reference_id": "GHSA-2cjm-2gwv-m892", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2cjm-2gwv-m892" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-2cjm-2gwv-m892", "reference_id": "GHSA-2cjm-2gwv-m892", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:20:03Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-2cjm-2gwv-m892" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74884?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.11" } ], "aliases": [ "CVE-2026-32242", "GHSA-2cjm-2gwv-m892" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9kyv-xmvr-nfgf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91211?format=api", "vulnerability_id": "VCID-agc3-jfsf-kbhh", "summary": "Parse Server has an auth provider validation bypass on login via partial authData\n### Impact\n\nAn authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowing the user's credentials. The attacker only needs to know the user's provider ID to gain full access to their account, including a valid session token.\n\nThis affects Parse Server deployments where the server option `allowExpiredAuthDataToken` is set to `true`. The default value is `false`.\n\n### Patches\n\nAuth providers are now always validated on login, regardless of the `allowExpiredAuthDataToken` setting. The option `allowExpiredAuthDataToken` has been deprecated and will be removed in a future major version.\n\n### Workarounds\n\nSet `allowExpiredAuthDataToken` to `false` (the default) or remove the option from the server configuration.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33409", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.08515", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.0844", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.08494", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.08497", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33409" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/8d7df5639c4a35768fe8b78b4580b30e8a74721c", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T13:39:16Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/8d7df5639c4a35768fe8b78b4580b30e8a74721c" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/98f4ba5bcf2c199bfe6225f672e8edcd08ba732d", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T13:39:16Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/98f4ba5bcf2c199bfe6225f672e8edcd08ba732d" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10246", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T13:39:16Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10246" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10247", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T13:39:16Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10247" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-pfj7-wv7c-22pr", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T13:39:16Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-pfj7-wv7c-22pr" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33409", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33409" }, { "reference_url": "https://github.com/advisories/GHSA-pfj7-wv7c-22pr", "reference_id": "GHSA-pfj7-wv7c-22pr", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-pfj7-wv7c-22pr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113244?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.41", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.41" } ], "aliases": [ "CVE-2026-33409", "GHSA-pfj7-wv7c-22pr" ], "risk_score": 4.1, "exploitability": "0.5", "weighted_severity": "8.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-agc3-jfsf-kbhh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91292?format=api", "vulnerability_id": "VCID-c1nt-b6by-m7hu", "summary": "Parse Server exposes auth data via /users/me endpoint\n### Impact\n\nAn authenticated user calling `GET /users/me` receives unsanitized auth data, including sensitive credentials such as MFA TOTP secrets and recovery codes. The endpoint internally uses master-level authentication for the session query, and the master context leaks through to the user data, bypassing auth adapter sanitization. An attacker who obtains a user's session token can extract MFA secrets to generate valid TOTP codes indefinitely.\n\n### Patches\n\nThe `/users/me` endpoint now queries the session and user data separately, using the caller's authentication context for the user query so that all security layers apply correctly.\n\n### Workarounds\n\nThere is no known workaround.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33627", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.11932", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.12006", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.12044", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.12048", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33627" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/5b8998e6866bcf75be7b5bb625e27d23bfaf912c", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:38:24Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/5b8998e6866bcf75be7b5bb625e27d23bfaf912c" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/875cf10ac979bd60f70e7a0c534e2bc194d6982f", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:38:24Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/875cf10ac979bd60f70e7a0c534e2bc194d6982f" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10278", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:38:24Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10278" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10279", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:38:24Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10279" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-37mj-c2wf-cx96", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:38:24Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-37mj-c2wf-cx96" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33627", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33627" }, { "reference_url": "https://github.com/advisories/GHSA-37mj-c2wf-cx96", "reference_id": "GHSA-37mj-c2wf-cx96", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-37mj-c2wf-cx96" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113375?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.55", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.55" } ], "aliases": [ "CVE-2026-33627", "GHSA-37mj-c2wf-cx96" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c1nt-b6by-m7hu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91263?format=api", "vulnerability_id": "VCID-crd1-u2dd-6yh2", "summary": "Parse Server: Denial of Service via unindexed database query for unconfigured auth providers\n### Impact\n\nAn unauthenticated attacker can cause Denial of Service by sending authentication requests with arbitrary, unconfigured provider names. The server executes a database query for each unconfigured provider before rejecting the request, and since no database index exists for unconfigured providers, each request triggers a full collection scan on the user database. This can be parallelized to saturate database resources.\n\n### Patches\n\nThe fix validates that an authentication provider is configured before executing any database query. Requests with unconfigured providers are now rejected immediately without querying the database.\n\n### Workarounds\n\nThere is no known workaround other than upgrading.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33538", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00142", "scoring_system": "epss", "scoring_elements": "0.34147", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00142", "scoring_system": "epss", "scoring_elements": "0.34097", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00142", "scoring_system": "epss", "scoring_elements": "0.34131", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00142", "scoring_system": "epss", "scoring_elements": "0.34163", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33538" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/40eb442e02672986730007d0a1edb22c1c4bd357", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:37:14Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/40eb442e02672986730007d0a1edb22c1c4bd357" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/fbac847499e57f243315c5fc7135be1d58bb8e54", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:37:14Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/fbac847499e57f243315c5fc7135be1d58bb8e54" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10270", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:37:14Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10270" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10271", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:37:14Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10271" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-g4cf-xj29-wqqr", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:37:14Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-g4cf-xj29-wqqr" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33538", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33538" }, { "reference_url": "https://github.com/advisories/GHSA-g4cf-xj29-wqqr", "reference_id": "GHSA-g4cf-xj29-wqqr", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g4cf-xj29-wqqr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113342?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.52", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.52" } ], "aliases": [ "CVE-2026-33538", "GHSA-g4cf-xj29-wqqr" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-crd1-u2dd-6yh2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91861?format=api", "vulnerability_id": "VCID-cuaf-2g3g-tuap", "summary": "Parse Server's LiveQuery bypasses CLP pointer permission enforcement\n### Impact\n\nParse Server's LiveQuery WebSocket interface does not enforce Class-Level Permission (CLP) pointer permissions (`readUserFields` and `pointerFields`). Any authenticated user can subscribe to LiveQuery events and receive real-time updates for all objects in classes protected by pointer permissions, regardless of whether the pointer fields on those objects point to the subscribing user. This bypasses the intended read access control, allowing unauthorized access to potentially sensitive data that is correctly restricted via the REST API.\n\n### Patches\n\nThe LiveQuery server now enforces pointer permissions on each event. After the existing check passes (which defers pointer permissions by design), the fix checks whether any configured pointer field on the object points to the subscribing user. Events for objects that don't match are silently skipped, consistent with how ACL mismatches are handled.\n\n### Workarounds\n\nUse ACLs on individual objects to restrict read access instead of relying solely on CLP pointer permissions. ACLs are enforced by LiveQuery.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33421", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01794", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01784", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01799", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01793", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33421" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/6c3317aca6eb618ac48f999021ae3ef7766ad1ea", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:18:10Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/6c3317aca6eb618ac48f999021ae3ef7766ad1ea" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/976dad109f3fe3fbd0a3a35ef62e7a5d35eb0bee", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:18:10Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/976dad109f3fe3fbd0a3a35ef62e7a5d35eb0bee" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10250", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:18:10Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10250" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10252", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:18:10Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10252" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-fph2-r4qg-9576", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:18:10Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-fph2-r4qg-9576" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33421", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33421" }, { "reference_url": "https://github.com/advisories/GHSA-fph2-r4qg-9576", "reference_id": "GHSA-fph2-r4qg-9576", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fph2-r4qg-9576" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/114353?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.42", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.42" } ], "aliases": [ "CVE-2026-33421", "GHSA-fph2-r4qg-9576" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cuaf-2g3g-tuap" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91082?format=api", "vulnerability_id": "VCID-cuct-x9ub-1bd9", "summary": "Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter\n### Impact\n\nAn attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name parameters of the aggregate `$group` pipeline stage or the `distinct` operation. This allows privilege escalation from Parse Server application-level administrator to PostgreSQL database-level access.\n\nOnly Parse Server deployments using PostgreSQL are affected. MongoDB deployments are not affected.\n\n### Patches\n\nField names in the aggregate `$group._id` object values and `distinct` dot-notation parameters are now validated to only contain alphanumeric characters and underscores, preventing SQL injection via the `:raw` interpolation used in the PostgreSQL storage adapter.\n\n### Workarounds\n\nNo workaround. Upgrade to a patched version.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33539", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07071", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07116", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07129", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07123", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33539" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/03249f9bf5b8783c8b848f84dab791ff0b761b8c", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:33:11Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/03249f9bf5b8783c8b848f84dab791ff0b761b8c" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/bdddab5f8b61a40cb8fc62dd895887bdd2f3838e", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:33:11Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/bdddab5f8b61a40cb8fc62dd895887bdd2f3838e" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10272", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:33:11Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10272" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10273", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:33:11Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10273" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-p2w6-rmh7-w8q3", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-26T19:33:11Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-p2w6-rmh7-w8q3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33539", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33539" }, { "reference_url": "https://github.com/advisories/GHSA-p2w6-rmh7-w8q3", "reference_id": "GHSA-p2w6-rmh7-w8q3", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p2w6-rmh7-w8q3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113103?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.53", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.53" } ], "aliases": [ "CVE-2026-33539", "GHSA-p2w6-rmh7-w8q3" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cuct-x9ub-1bd9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90016?format=api", "vulnerability_id": "VCID-davb-xyy3-2qf1", "summary": "Parse Server: File upload Content-Type override via extension mismatch\n### Impact\n\nA file can be uploaded with a filename extension that passes the file extension allowlist (e.g., `.txt`) but with a `Content-Type` header that differs from the extension (e.g., `text/html`). The `Content-Type` is passed to the storage adapter without consistency validation. Storage adapters that store and serve the provided Content-Type (such as S3 or GCS) serve the file with the mismatched Content-Type. The default GridFS adapter is not affected because it derives Content-Type from the filename at serving time.\n\n### Patches\n\nThe file upload now derives the Content-Type from the filename extension, overriding any user-provided Content-Type when the file has an extension.\n\n### Workarounds\n\nConfigure the storage adapter or CDN to derive Content-Type from the filename extension instead of using the stored Content-Type.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35200", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09853", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09937", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09965", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.0995", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35200" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10383", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T14:02:43Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10383" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10384", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T14:02:43Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10384" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vr5f-2r24-w5hc", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T14:02:43Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vr5f-2r24-w5hc" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35200", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35200" }, { "reference_url": "https://github.com/advisories/GHSA-vr5f-2r24-w5hc", "reference_id": "GHSA-vr5f-2r24-w5hc", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vr5f-2r24-w5hc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/111280?format=api", "purl": "pkg:npm/parse-server@9.7.1-alpha.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.1-alpha.4" } ], "aliases": [ "CVE-2026-35200", "GHSA-vr5f-2r24-w5hc" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-davb-xyy3-2qf1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91830?format=api", "vulnerability_id": "VCID-eh2m-7t9f-tqdm", "summary": "Parse Server leaks protected fields via LiveQuery afterEvent trigger\n### Impact\n\nWhen a `Parse.Cloud.afterLiveQueryEvent` trigger is registered for a class, the LiveQuery server leaks protected fields and `authData` to all subscribers of that class. Fields configured as protected via Class-Level Permissions (`protectedFields`) are included in LiveQuery event payloads for all event types (create, update, delete, enter, leave).\n\nAny user with sufficient CLP permissions to subscribe to the affected class can receive protected field data of other users, including sensitive personal information and OAuth tokens from third-party authentication providers.\n\n### Patches\n\nThe vulnerability was caused by a reference detachment bug. When an `afterEvent` trigger is registered, the LiveQuery server converts the event object to a `Parse.Object` for the trigger, then creates a new JSON copy via `toJSONwithObjects()`. The sensitive data filter was applied to the `Parse.Object` reference, but the unfiltered JSON copy was sent to clients. The fix ensures that the JSON copy is assigned back to the response object before filtering, so the filter operates on the actual data sent to clients.\n\n### Workarounds\n\nRemove all `Parse.Cloud.afterLiveQueryEvent` trigger registrations. Without an `afterEvent` trigger, the reference detachment does not occur and protected fields are correctly filtered.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33163", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11607", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11488", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11569", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11603", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33163" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10232", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-19T14:00:23Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10232" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10233", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-19T14:00:23Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10233" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-5hmj-jcgp-6hff", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-19T14:00:23Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-5hmj-jcgp-6hff" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33163", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33163" }, { "reference_url": "https://github.com/advisories/GHSA-5hmj-jcgp-6hff", "reference_id": "GHSA-5hmj-jcgp-6hff", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5hmj-jcgp-6hff" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/114262?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.35", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.35" } ], "aliases": [ "CVE-2026-33163", "GHSA-5hmj-jcgp-6hff" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-eh2m-7t9f-tqdm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91182?format=api", "vulnerability_id": "VCID-f6mm-th5w-fug4", "summary": "parse-server has cloud function validator bypass via prototype chain traversal\n### Impact\n\nAn attacker can bypass Cloud Function validator access controls by appending `.prototype.constructor` to the function name in the URL. When a Cloud Function handler is declared using the `function` keyword and its validator is a plain object or arrow function, the trigger store traversal resolves the handler through its own prototype chain while the validator store fails to mirror this traversal, causing all access control enforcement to be skipped.\n\nThis allows unauthenticated callers to invoke Cloud Functions that are meant to be protected by validators such as `requireUser`, `requireMaster`, or custom validation logic.\n\n### Patches\n\nThe trigger store traversal now verifies that each intermediate node is a legitimate store object before continuing traversal. If the traversal encounters a non-store value such as a function handler, it stops and returns an empty store, preventing prototype chain escape.\n\n### Workarounds\n\nUse arrow functions instead of the `function` keyword for Cloud Function handlers. Arrow functions do not have a `prototype` property and are not affected by this vulnerability.\n\n### Resources\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-vpj2-qq7w-5qq6\n- Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10342\n- Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10343", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34532", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12939", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12936", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13539", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13626", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34532" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/4fc48cf28f22eea200d74d883505f485234a48d7", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-31T17:21:00Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/4fc48cf28f22eea200d74d883505f485234a48d7" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/dc59e272665644083c5b7f6862d88ce1ef0b2674", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-31T17:21:00Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/dc59e272665644083c5b7f6862d88ce1ef0b2674" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10342", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-31T17:21:00Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10342" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10343", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-31T17:21:00Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10343" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vpj2-qq7w-5qq6", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-31T17:21:00Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vpj2-qq7w-5qq6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34532", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34532" }, { "reference_url": "https://github.com/advisories/GHSA-vpj2-qq7w-5qq6", "reference_id": "GHSA-vpj2-qq7w-5qq6", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vpj2-qq7w-5qq6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113209?format=api", "purl": "pkg:npm/parse-server@9.7.0-alpha.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.11" } ], "aliases": [ "CVE-2026-34532", "GHSA-vpj2-qq7w-5qq6" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f6mm-th5w-fug4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91285?format=api", "vulnerability_id": "VCID-faws-rh1j-tba1", "summary": "Parse Server's Cloud function dispatch crashes server via prototype chain traversal\n### Impact\n\nRemote clients can crash the Parse Server process by calling a cloud function endpoint with a crafted function name that traverses the JavaScript prototype chain of a registered cloud function handler, causing a stack overflow.\n\n### Patches\n\nThe fix restricts property lookups during cloud function name resolution to own properties only, preventing prototype chain traversal from stored function handlers.\n\n### Workarounds\n\nThere is no known workaround.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32886", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00031", "scoring_system": "epss", "scoring_elements": "0.09562", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00031", "scoring_system": "epss", "scoring_elements": "0.09502", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00031", "scoring_system": "epss", "scoring_elements": "0.09582", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32886" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10210", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T16:18:19Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10210" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10211", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T16:18:19Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10211" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-4263-jgmp-7pf4", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T16:18:19Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-4263-jgmp-7pf4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32886", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32886" }, { "reference_url": "https://github.com/advisories/GHSA-4263-jgmp-7pf4", "reference_id": "GHSA-4263-jgmp-7pf4", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4263-jgmp-7pf4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113373?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.24", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.24" } ], "aliases": [ "CVE-2026-32886", "GHSA-4263-jgmp-7pf4" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-faws-rh1j-tba1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91025?format=api", "vulnerability_id": "VCID-fnb8-edpu-e3e3", "summary": "Parse Server LiveQuery subscription query depth bypass\n### Impact\n\nParse Server's LiveQuery component does not enforce the `requestComplexity.queryDepth` configuration setting when processing WebSocket subscription requests. An attacker can send a subscription with deeply nested logical operators, causing excessive recursion and CPU consumption that degrades or disrupts service availability.\n\nDeployments are affected when the LiveQuery WebSocket endpoint is reachable by untrusted clients.\n\n### Patches\n\nThe fix adds query condition depth validation to the LiveQuery subscription handler, enforcing the same `requestComplexity.queryDepth` limit that already protects REST API queries.\n\n### Workarounds\n\nThere is no known workaround other than upgrading.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33508", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00065", "scoring_system": "epss", "scoring_elements": "0.20459", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00065", "scoring_system": "epss", "scoring_elements": "0.20391", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00065", "scoring_system": "epss", "scoring_elements": "0.20499", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00065", "scoring_system": "epss", "scoring_elements": "0.20511", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33508" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/060d27053fb0fadf613c25aabab7fe0c82b7a899", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:57:12Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/060d27053fb0fadf613c25aabab7fe0c82b7a899" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/2126fe4e12f9b399dc6b4b6a3fa70cb1825f159b", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:57:12Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/2126fe4e12f9b399dc6b4b6a3fa70cb1825f159b" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10259", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:57:12Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10259" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10260", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:57:12Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10260" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6qh5-m6g3-xhq6", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:57:12Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6qh5-m6g3-xhq6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33508", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33508" }, { "reference_url": "https://github.com/advisories/GHSA-6qh5-m6g3-xhq6", "reference_id": "GHSA-6qh5-m6g3-xhq6", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6qh5-m6g3-xhq6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113029?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.45", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.45" } ], "aliases": [ "CVE-2026-33508", "GHSA-6qh5-m6g3-xhq6" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fnb8-edpu-e3e3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91404?format=api", "vulnerability_id": "VCID-g9mj-kud1-d7a3", "summary": "Parse Server LiveQuery subscription with invalid regular expression crashes server\n### Impact\n\nA remote attacker can crash the Parse Server by subscribing to a LiveQuery with an invalid regular expression pattern. The server process terminates when the invalid pattern reaches the regex engine during subscription matching, causing denial of service for all connected clients.\n\n### Patches\n\nThe fix validates regular expression patterns at subscription time, rejecting invalid patterns before they are stored. Additionally, a defense-in-depth try-catch prevents any subscription matching error from crashing the server process.\n\n### Workarounds\n\nDisable LiveQuery if it is not needed.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32770", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13299", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13185", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13263", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13303", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32770" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10197", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T14:21:43Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10197" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10199", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T14:21:43Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10199" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-827p-g5x5-h86c", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T14:21:43Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-827p-g5x5-h86c" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32770", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32770" }, { "reference_url": "https://github.com/advisories/GHSA-827p-g5x5-h86c", "reference_id": "GHSA-827p-g5x5-h86c", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-827p-g5x5-h86c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113567?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.19", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.19" } ], "aliases": [ "CVE-2026-32770", "GHSA-827p-g5x5-h86c" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-g9mj-kud1-d7a3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91458?format=api", "vulnerability_id": "VCID-gzbr-zm1b-nkfc", "summary": "Parse Server has a query condition depth bypass via pre-validation transform pipeline\n### Impact\n\nAn attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server process. The server becomes completely unresponsive and must be manually restarted. This is a bypass of the fix for CVE-2026-32944.\n\n### Patches\n\nThe query condition nesting depth is now validated before the query enters the transformation pipeline, preventing deeply nested structures from being recursively processed before the existing depth guard can fire.\n\n### Workarounds\n\nNone.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33498", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06017", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06079", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06064", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06067", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33498" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/2581b5426047ce9cbcd3d9c0e8379e9c30e23ab5", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:32:52Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/2581b5426047ce9cbcd3d9c0e8379e9c30e23ab5" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/85994eff9e7b34cac7e1a2f5791985022a1461d1", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:32:52Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/85994eff9e7b34cac7e1a2f5791985022a1461d1" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10257", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:32:52Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10257" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10258", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:32:52Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10258" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-9fjp-q3c4-6w3j", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:32:52Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-9fjp-q3c4-6w3j" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33498", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33498" }, { "reference_url": "https://github.com/advisories/GHSA-9fjp-q3c4-6w3j", "reference_id": "GHSA-9fjp-q3c4-6w3j", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9fjp-q3c4-6w3j" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113704?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.44", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.44" } ], "aliases": [ "CVE-2026-33498", "GHSA-9fjp-q3c4-6w3j" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gzbr-zm1b-nkfc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91824?format=api", "vulnerability_id": "VCID-h8hu-n8dv-ybhy", "summary": "Parse Server session creation endpoint allows overwriting server-generated session fields\n### Impact\n\nAn authenticated user can overwrite server-generated session fields (`sessionToken`, `expiresAt`, `createdWith`) when creating a session object via `POST /classes/_Session`. This allows bypassing the server's session expiration policy by setting an arbitrary far-future expiration date. It also allows setting a predictable session token value.\n\n### Patches\n\nThe session creation endpoint now filters out server-generated fields from user-supplied data, preventing them from being overwritten.\n\n### Workarounds\n\nAdd a `beforeSave` trigger on the `_Session` class to validate and reject or strip any user-supplied values for `sessionToken`, `expiresAt`, and `createdWith`.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32742", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05951", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05898", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05942", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05943", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32742" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10195", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:10:52Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10195" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10196", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:10:52Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10196" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-5v7g-9h8f-8pgg", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:10:52Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-5v7g-9h8f-8pgg" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32742", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32742" }, { "reference_url": "https://github.com/advisories/GHSA-5v7g-9h8f-8pgg", "reference_id": "GHSA-5v7g-9h8f-8pgg", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5v7g-9h8f-8pgg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/114231?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.17" } ], "aliases": [ "CVE-2026-32742", "GHSA-5v7g-9h8f-8pgg" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h8hu-n8dv-ybhy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91095?format=api", "vulnerability_id": "VCID-h8ut-tkq6-r7e2", "summary": "Parse Server has an MFA single-use token bypass via concurrent authData login requests\n### Impact\n\nAn attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint. This defeats the single-use guarantee of MFA recovery codes and SMS one-time passwords, allowing session persistence even after the legitimate user revokes detected sessions.\n\n### Patches\n\nThe fix adds optimistic locking to the authData login path, ensuring that concurrent database updates for the same user fail when the original MFA token array has already been modified by another request.\n\n### Workarounds\n\nThere is no known workaround.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34224", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04623", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.0466", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05506", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05523", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34224" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/661f160edac8daac0486bc94413cf9652876ab92", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:15:54Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/661f160edac8daac0486bc94413cf9652876ab92" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/e7efbebba398ce6abe5b6b6fb9829c6ebe310fbf", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:15:54Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/e7efbebba398ce6abe5b6b6fb9829c6ebe310fbf" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10326", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:15:54Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10326" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10327", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:15:54Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10327" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-w73w-g5xw-rwhf", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:15:54Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-w73w-g5xw-rwhf" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34224", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34224" }, { "reference_url": "https://github.com/advisories/GHSA-w73w-g5xw-rwhf", "reference_id": "GHSA-w73w-g5xw-rwhf", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w73w-g5xw-rwhf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113116?format=api", "purl": "pkg:npm/parse-server@9.7.0-alpha.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.8" } ], "aliases": [ "CVE-2026-34224", "GHSA-w73w-g5xw-rwhf" ], "risk_score": 2.0, "exploitability": "0.5", "weighted_severity": "4.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h8ut-tkq6-r7e2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91687?format=api", "vulnerability_id": "VCID-j6q8-5bxf-7fcf", "summary": "Parse Server email verification resend page leaks user existence\n### Impact\n\nThe Pages route and legacy PublicAPI route for resending email verification links return distinguishable responses depending on whether the provided username exists and has an unverified email. This allows an unauthenticated attacker to enumerate valid usernames by observing different redirect targets. The existing `emailVerifySuccessOnInvalidEmail` configuration option, which is enabled by default and protects the API route against this, did not apply to these routes.\n\n### Patches\n\nThe email verification resend routes now respect the `emailVerifySuccessOnInvalidEmail` option. When set to `true` (the default), both routes redirect to the success page regardless of the outcome, preventing user enumeration.\n\n### Workarounds\n\nThere is no known workaround to prevent the information disclosure other than upgrading.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33323", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.16109", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.16023", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.16154", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.16164", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33323" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/967aa57732202009b2389ce9ecb3130d53d657e5", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:56:28Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/967aa57732202009b2389ce9ecb3130d53d657e5" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/fbda4cb0c5cbc8fad08a216823b6b64d4ae289c3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:56:28Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/fbda4cb0c5cbc8fad08a216823b6b64d4ae289c3" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10238", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:56:28Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10238" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10243", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:56:28Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10243" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-h29g-q5c2-9h4f", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:56:28Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-h29g-q5c2-9h4f" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33323", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33323" }, { "reference_url": "https://github.com/advisories/GHSA-h29g-q5c2-9h4f", "reference_id": "GHSA-h29g-q5c2-9h4f", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-h29g-q5c2-9h4f" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113978?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.40", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.40" } ], "aliases": [ "CVE-2026-33323", "GHSA-h29g-q5c2-9h4f" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j6q8-5bxf-7fcf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91633?format=api", "vulnerability_id": "VCID-j9vu-d52s-ekgq", "summary": "Parse Server: MFA recovery code single-use bypass via concurrent requests\n### Impact\n\nAn attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending concurrent login requests. This defeats the single-use design of recovery codes. The attack requires the user's password, a valid recovery code, and the ability to send concurrent requests within milliseconds.\n\n### Patches\n\nThe login handler now uses optimistic locking when updating auth data that contains consumed single-use tokens. If a concurrent request has already modified the recovery array, the update fails and the login is rejected.\n\n### Workarounds\n\nThere are no known workarounds.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33624", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09798", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09882", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09909", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09895", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33624" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/5e70094250a36bfcc14ecd49592be2b94fba66ff", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:58:24Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/5e70094250a36bfcc14ecd49592be2b94fba66ff" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/fc3da35a81d5083b453e8967cabcc880f1a3bd0c", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:58:24Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/fc3da35a81d5083b453e8967cabcc880f1a3bd0c" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10275", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:58:24Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10275" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10276", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:58:24Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10276" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-2299-ghjr-6vjp", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:58:24Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-2299-ghjr-6vjp" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33624", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33624" }, { "reference_url": "https://github.com/advisories/GHSA-2299-ghjr-6vjp", "reference_id": "GHSA-2299-ghjr-6vjp", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2299-ghjr-6vjp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113939?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.54", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.54" } ], "aliases": [ "CVE-2026-33624", "GHSA-2299-ghjr-6vjp" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j9vu-d52s-ekgq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/92106?format=api", "vulnerability_id": "VCID-jsgf-t1ga-x7eq", "summary": "parse-server: MFA SMS one-time password accepted twice under concurrent login\n### Impact\n\nA race condition in the MFA SMS one-time password (OTP) login path allows two concurrent `/login` requests carrying the same OTP to both succeed and both receive valid session tokens, breaking the single-use property of the OTP. The vulnerability requires the attacker to already possess the victim's password and intercept the active SMS OTP (e.g. via SIM swap, network mirror, or phishing relay) and to race the legitimate login request, so the practical attack surface is narrow.\n\nThis advisory is the same class of incomplete fix as [GHSA-2299-ghjr-6vjp](https://github.com/parse-community/parse-server/security/advisories/GHSA-2299-ghjr-6vjp) (TOTP recovery codes) and [GHSA-w73w-g5xw-rwhf](https://github.com/parse-community/parse-server/security/advisories/GHSA-w73w-g5xw-rwhf) (MFA recovery in authData-only login). Those previous fixes added optimistic locking only for array-typed authData fields; SMS MFA stores the OTP as a string, so the guard skipped it.\n\n### Patches\n\nThe optimistic lock has been generalized to cover primitive (string, number, boolean) and array authData fields. The lock is implemented as a shared helper `applyAuthDataOptimisticLock` that adds equality predicates on the original values of changed fields to the update WHERE clause. Concurrent writers racing the same single-use token now miss the WHERE condition and surface as `Invalid auth data`.\n\n### Workarounds\n\n- Disable SMS MFA and use TOTP instead (TOTP tokens are time-window validated, not stored single-use).\n- Place a rate limiter on the `/login` endpoint to reduce concurrent-request burst capacity.\n\n### Resources\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-jpq4-7fmq-q5fj\n- Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10448\n- Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10449", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43930", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0001", "scoring_system": "epss", "scoring_elements": "0.01113", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.0001", "scoring_system": "epss", "scoring_elements": "0.01107", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43930" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10448", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:27:09Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10448" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10449", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:27:09Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10449" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-jpq4-7fmq-q5fj", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:27:09Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-jpq4-7fmq-q5fj" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43930", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43930" }, { "reference_url": "https://github.com/advisories/GHSA-jpq4-7fmq-q5fj", "reference_id": "GHSA-jpq4-7fmq-q5fj", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jpq4-7fmq-q5fj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/114675?format=api", "purl": "pkg:npm/parse-server@9.9.0-alpha.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.9.0-alpha.2" } ], "aliases": [ "CVE-2026-43930", "GHSA-jpq4-7fmq-q5fj" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jsgf-t1ga-x7eq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89912?format=api", "vulnerability_id": "VCID-kar5-6zet-aqad", "summary": "Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`\n### Impact\n\nThe `GET /sessions/me` endpoint returns `_Session` fields that the server operator explicitly configured as protected via the `protectedFields` server option. Any authenticated user can retrieve their own session's protected fields with a single request. The equivalent `GET /sessions` and `GET /sessions/:objectId` endpoints correctly strip protected fields.\n\n### Patches\n\nThe `GET /sessions/me` handler now re-fetches the session with the caller's auth context after validating the session token, ensuring `protectedFields` and CLP apply consistently with other session endpoints.\n\n### Workarounds\n\nNone.\n\n### References\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-g4v2-qx3q-4p64\n- Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10406\n- Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10407", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39381", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.08547", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.08499", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.08568", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.08551", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39381" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10406", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T20:23:25Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10406" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10407", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T20:23:25Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10407" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-g4v2-qx3q-4p64", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T20:23:25Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-g4v2-qx3q-4p64" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39381", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39381" }, { "reference_url": "https://github.com/advisories/GHSA-g4v2-qx3q-4p64", "reference_id": "GHSA-g4v2-qx3q-4p64", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g4v2-qx3q-4p64" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/111177?format=api", "purl": "pkg:npm/parse-server@9.8.0-alpha.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-jsgf-t1ga-x7eq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.8.0-alpha.7" } ], "aliases": [ "CVE-2026-39381", "GHSA-g4v2-qx3q-4p64" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kar5-6zet-aqad" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91140?format=api", "vulnerability_id": "VCID-kpnd-nb3e-2ufx", "summary": "Parse Server exposes auth data via verify password endpoint\n### Impact\n\nThe verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacker who knows a user's password can extract the MFA secret to generate valid MFA codes, defeating multi-factor authentication protection.\n\n### Patches\n\nThe verify password endpoint now sanitizes authentication data through auth adapter hooks before returning the response, consistent with login and user retrieval endpoints.\n\n### Workarounds\n\nThere is no known workaround.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34215", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00073", "scoring_system": "epss", "scoring_elements": "0.22248", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00073", "scoring_system": "epss", "scoring_elements": "0.22261", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00085", "scoring_system": "epss", "scoring_elements": "0.24694", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00085", "scoring_system": "epss", "scoring_elements": "0.24751", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34215" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/5b8998e6866bcf75be7b5bb625e27d23bfaf912c", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server/commit/5b8998e6866bcf75be7b5bb625e27d23bfaf912c" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/770be8647424d92f5425c41fa81065ffbbb171ed", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T16:23:36Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/770be8647424d92f5425c41fa81065ffbbb171ed" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/875cf10ac979bd60f70e7a0c534e2bc194d6982f", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server/commit/875cf10ac979bd60f70e7a0c534e2bc194d6982f" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/a1d4e7b12a12f16d3870dbee582a36765858e94c", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T16:23:36Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/a1d4e7b12a12f16d3870dbee582a36765858e94c" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10278", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server/pull/10278" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10279", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server/pull/10279" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10323", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T16:23:36Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10323" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10324", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T16:23:36Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10324" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-wp76-gg32-8258", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T16:23:36Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-wp76-gg32-8258" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34215", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34215" }, { "reference_url": "https://github.com/advisories/GHSA-wp76-gg32-8258", "reference_id": "GHSA-wp76-gg32-8258", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wp76-gg32-8258" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113158?format=api", "purl": "pkg:npm/parse-server@9.7.0-alpha.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.7" } ], "aliases": [ "CVE-2026-34215", "GHSA-wp76-gg32-8258" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kpnd-nb3e-2ufx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50848?format=api", "vulnerability_id": "VCID-m9r5-g4pw-q7cx", "summary": "Parse Server's MFA recovery codes not consumed after use\nWhen multi-factor authentication (MFA) via TOTP is enabled for a user account, Parse Server generates two single-use recovery codes. These codes are intended as a fallback when the user cannot provide a TOTP token. However, recovery codes are not consumed after use, allowing the same recovery code to be used an unlimited number of times. This defeats the single-use design of recovery codes and weakens the security of MFA-protected accounts.\n\nAn attacker who obtains a single recovery code can repeatedly authenticate as the affected user without the code ever being invalidated.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31875", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00139", "scoring_system": "epss", "scoring_elements": "0.33631", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00139", "scoring_system": "epss", "scoring_elements": "0.33666", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00139", "scoring_system": "epss", "scoring_elements": "0.337", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00139", "scoring_system": "epss", "scoring_elements": "0.33686", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31875" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.33", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:06:08Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.33" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.7", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:06:08Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.7" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31875", "reference_id": "CVE-2026-31875", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31875" }, { "reference_url": "https://github.com/advisories/GHSA-4hf6-3x24-c9m8", "reference_id": "GHSA-4hf6-3x24-c9m8", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4hf6-3x24-c9m8" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-4hf6-3x24-c9m8", "reference_id": "GHSA-4hf6-3x24-c9m8", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:06:08Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-4hf6-3x24-c9m8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74753?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.7" } ], "aliases": [ "CVE-2026-31875", "GHSA-4hf6-3x24-c9m8" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-m9r5-g4pw-q7cx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91275?format=api", "vulnerability_id": "VCID-mpu4-c9v9-wbdd", "summary": "Parse Server has a SQL injection via query field name when using PostgreSQL\n### Impact\n\nAn attacker with access to the master key can inject malicious SQL via crafted field names used in query constraints when Parse Server is configured with PostgreSQL as the database. The field name in a `$regex` query operator is passed to PostgreSQL using unparameterized string interpolation, allowing the attacker to manipulate the SQL query. While the master key controls what can be done through the Parse Server abstraction layer, this SQL injection bypasses Parse Server entirely and operates at the database level.\n\nThis vulnerability only affects Parse Server deployments using PostgreSQL.\n\n### Patches\n\nThe fix applies proper SQL identifier escaping to field names in the query handler and hardens query field name validation to reject malicious field names for all query types.\n\n### Workarounds\n\nThere is no known workaround.\n\n### References\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-c442-97qw-j6c6\n- Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.10\n- Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.36", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32234", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13699", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13577", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13662", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13703", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32234" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.36", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T19:52:08Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.36" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.10", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T19:52:08Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.10" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-c442-97qw-j6c6", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T19:52:08Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-c442-97qw-j6c6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32234", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32234" }, { "reference_url": "https://github.com/advisories/GHSA-c442-97qw-j6c6", "reference_id": "GHSA-c442-97qw-j6c6", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-c442-97qw-j6c6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113356?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.10" } ], "aliases": [ "CVE-2026-32234", "GHSA-c442-97qw-j6c6" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mpu4-c9v9-wbdd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90863?format=api", "vulnerability_id": "VCID-n19y-uwm6-3udp", "summary": "Parse Server's GraphQL WebSocket endpoint bypasses security middleware\n### Impact\n\nAny Parse Server deployment that uses the GraphQL API is affected. The GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection control, and query complexity limits. An attacker can connect to the WebSocket endpoint and execute GraphQL operations without providing a valid application or API key, access the GraphQL schema via introspection even when public introspection is disabled, and send arbitrarily complex queries that bypass configured complexity limits.\n\n### Patches\n\nThe unfinished GraphQL WebSocket subscription feature has been removed, including the `createSubscriptions` method and the `subscriptions-transport-ws` dependency. GraphQL subscriptions were never functional in Parse Server as the schema did not define any subscription types.\n\n### Workarounds\n\nBlock WebSocket upgrade requests to the GraphQL subscriptions path (by default `/subscriptions`) at the network level, for example using a reverse proxy or load balancer rule.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32594", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00086", "scoring_system": "epss", "scoring_elements": "0.24725", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00086", "scoring_system": "epss", "scoring_elements": "0.24782", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00086", "scoring_system": "epss", "scoring_elements": "0.2484", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00086", "scoring_system": "epss", "scoring_elements": "0.24851", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32594" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/21330d146c68b57a930a58b8a8cd9fbf09436cf3", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server/commit/21330d146c68b57a930a58b8a8cd9fbf09436cf3" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/3ffba757bfc836bd034e1369f4f64304e110e375", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server/commit/3ffba757bfc836bd034e1369f4f64304e110e375" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10189", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-16T13:57:29Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10189" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10190", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-16T13:57:29Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10190" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-p2x3-8689-cwpg", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-16T13:57:29Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-p2x3-8689-cwpg" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32594", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32594" }, { "reference_url": "https://github.com/advisories/GHSA-p2x3-8689-cwpg", "reference_id": "GHSA-p2x3-8689-cwpg", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p2x3-8689-cwpg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/112747?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.14" } ], "aliases": [ "CVE-2026-32594", "GHSA-p2x3-8689-cwpg" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-n19y-uwm6-3udp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89106?format=api", "vulnerability_id": "VCID-n8kv-67nw-xbaw", "summary": "Parse Server has a session field immutability bypass via falsy-value guard\n### Impact\n\nAn authenticated user can bypass the immutability guard on session fields (`expiresAt`, `createdWith`) by sending a null value in a PUT request to the session update endpoint. This allows nullifying the session expiry, making the session valid indefinitely and bypassing configured session length policies.\n\n### Patches\n\nThe truthiness-based guard checks were replaced with key-presence checks that reject any value for protected session fields, including null.\n\n### Workarounds\n\nThere is no known workaround. A `beforeSave` trigger on `_Session` could be used to reject null values for `expiresAt` and `createdWith`.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34574", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10737", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10713", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12519", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12601", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34574" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/90802969fc713b7bc9733d7255c7519a6ed75d21", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-01T17:57:17Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/90802969fc713b7bc9733d7255c7519a6ed75d21" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/ebccd7fe2708007e62f705ee1c820a6766178777", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-01T17:57:17Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/ebccd7fe2708007e62f705ee1c820a6766178777" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10347", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-01T17:57:17Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10347" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10348", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-01T17:57:17Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10348" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-f6j3-w9v3-cq22", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-01T17:57:17Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-f6j3-w9v3-cq22" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34574", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34574" }, { "reference_url": "https://github.com/advisories/GHSA-f6j3-w9v3-cq22", "reference_id": "GHSA-f6j3-w9v3-cq22", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f6j3-w9v3-cq22" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/110137?format=api", "purl": "pkg:npm/parse-server@9.7.0-alpha.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-w48t-hex5-qkcs" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.14" } ], "aliases": [ "CVE-2026-34574", "GHSA-f6j3-w9v3-cq22" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-n8kv-67nw-xbaw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50868?format=api", "vulnerability_id": "VCID-nqnd-8hx6-5bh4", "summary": "Parse Server vulnerable to user enumeration via email verification endpoint\nThe email verification endpoint (`/verificationEmailRequest`) returns distinct error responses depending on whether an email address belongs to an existing user, is already verified, or does not exist. An attacker can send requests with different email addresses and observe the error codes to determine which email addresses are registered in the application.\n\nThis is a user enumeration vulnerability that affects any Parse Server deployment with email verification enabled (`verifyUserEmails: true`).", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31901", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00044", "scoring_system": "epss", "scoring_elements": "0.1396", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00044", "scoring_system": "epss", "scoring_elements": "0.14045", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00044", "scoring_system": "epss", "scoring_elements": "0.14081", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00044", "scoring_system": "epss", "scoring_elements": "0.1408", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31901" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.34", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:01:34Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.34" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.8", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:01:34Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.8" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31901", "reference_id": "CVE-2026-31901", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31901" }, { "reference_url": "https://github.com/advisories/GHSA-w54v-hf9p-8856", "reference_id": "GHSA-w54v-hf9p-8856", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w54v-hf9p-8856" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-w54v-hf9p-8856", "reference_id": "GHSA-w54v-hf9p-8856", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:01:34Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-w54v-hf9p-8856" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74811?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.8" } ], "aliases": [ "CVE-2026-31901", "GHSA-w54v-hf9p-8856" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nqnd-8hx6-5bh4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91617?format=api", "vulnerability_id": "VCID-p1jm-h97h-vkhv", "summary": "Parse Server has a password reset token single-use bypass via concurrent requests\n### Impact\n\nThe password reset mechanism does not enforce single-use guarantees for reset tokens. When a user requests a password reset, the generated token can be consumed by multiple concurrent requests within a short time window. An attacker who has intercepted a password reset token can race the legitimate user's password reset request, causing both requests to succeed. This may result in the legitimate user believing their password was changed successfully while the attacker's password takes effect instead.\n\nAll Parse Server deployments that use the password reset feature are affected.\n\n### Patches\n\nThe password reset token is now atomically validated and consumed as part of the password update operation. The database query that updates the password includes the reset token as a condition, ensuring that only one concurrent request can successfully consume the token. Subsequent requests using the same token will fail because the token has already been cleared.\n\n### Workarounds\n\nThere is no known workaround other than upgrading.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32943", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01648", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01646", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01654", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32943" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10216", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T15:48:42Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10216" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10217", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T15:48:42Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10217" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-r3xq-68wh-gwvh", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T15:48:42Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-r3xq-68wh-gwvh" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32943", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32943" }, { "reference_url": "https://github.com/advisories/GHSA-r3xq-68wh-gwvh", "reference_id": "GHSA-r3xq-68wh-gwvh", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r3xq-68wh-gwvh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113929?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.28" } ], "aliases": [ "CVE-2026-32943", "GHSA-r3xq-68wh-gwvh" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p1jm-h97h-vkhv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89265?format=api", "vulnerability_id": "VCID-r9jq-4te8-xkfb", "summary": "Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value\n### Impact\n\nAn authenticated user with `find` class-level permission can bypass the `protectedFields` class-level permission setting on LiveQuery subscriptions. By sending a subscription with a `$or`, `$and`, or `$nor` operator value as a plain object with numeric keys and a `length` property (an \"array-like\" object) instead of an array, the protected-field guard is bypassed. The subscription event firing acts as a binary oracle, allowing the attacker to infer whether a protected field matches a given test value.\n\n### Patches\n\nThe fix validates that `$or`, `$and`, and `$nor` operator values are arrays in the LiveQuery subscription handler, the query depth checker, and the protected-field guard. As defense in depth, the LiveQuery query evaluator also rejects non-array values for these operators.\n\n### Workarounds\n\nThere is no known workaround.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34595", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10737", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10713", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12519", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12601", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34595" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/f63fd1a3fe0a7c1c5fe809f01b0e04759e8c9b98", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:22:23Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/f63fd1a3fe0a7c1c5fe809f01b0e04759e8c9b98" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/ffad0ec6b971ee0dd9545e1bf1fb34ddebf275c2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:22:23Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/ffad0ec6b971ee0dd9545e1bf1fb34ddebf275c2" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10350", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:22:23Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10350" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10351", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:22:23Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10351" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mmg8-87c5-jrc2", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T17:22:23Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mmg8-87c5-jrc2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34595", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34595" }, { "reference_url": "https://github.com/advisories/GHSA-mmg8-87c5-jrc2", "reference_id": "GHSA-mmg8-87c5-jrc2", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mmg8-87c5-jrc2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/110306?format=api", "purl": "pkg:npm/parse-server@9.7.0-alpha.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-w48t-hex5-qkcs" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.16" } ], "aliases": [ "CVE-2026-34595", "GHSA-mmg8-87c5-jrc2" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-r9jq-4te8-xkfb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89092?format=api", "vulnerability_id": "VCID-sd7z-5aa7-f7aw", "summary": "Parse Server has a login timing side-channel reveals user existence\n### Impact\n\nThe login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the server responds immediately. When a user exists but the password is wrong, a bcrypt comparison runs first, adding significant latency. This timing difference allows an unauthenticated attacker to enumerate valid usernames.\n\n### Patches\n\nA dummy bcrypt comparison is now performed when no user is found, normalizing response timing regardless of user existence. Additionally, accounts without a stored password (e.g. OAuth-only) now also run a dummy comparison to prevent the same timing oracle.\n\n### Workarounds\n\nConfigure rate limiting on the login endpoint to slow automated enumeration. This reduces throughput but does not eliminate the timing signal for individual requests.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39321", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.08988", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.08939", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.08985", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.09005", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39321" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10398", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T18:44:58Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10398" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10399", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T18:44:58Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10399" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mmpq-5hcv-hf2v", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T18:44:58Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mmpq-5hcv-hf2v" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39321", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39321" }, { "reference_url": "https://github.com/advisories/GHSA-mmpq-5hcv-hf2v", "reference_id": "GHSA-mmpq-5hcv-hf2v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mmpq-5hcv-hf2v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/110118?format=api", "purl": "pkg:npm/parse-server@9.8.0-alpha.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.8.0-alpha.6" } ], "aliases": [ "CVE-2026-39321", "GHSA-mmpq-5hcv-hf2v" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sd7z-5aa7-f7aw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91876?format=api", "vulnerability_id": "VCID-twrs-rk3t-f3gf", "summary": "Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries\n### Impact\n\nAn attacker who is allowed to upload files can bypass the file extension filter by appending a MIME parameter (e.g. `;charset=utf-8`) to the `Content-Type` header. This causes the extension validation to fail matching against the blocklist, allowing active content to be stored and served under the application's domain. In addition, certain XML-based file extensions that can render scripts in web browsers are not included in the default blocklist.\n\nThis can lead to stored XSS attacks, compromising session tokens, user credentials, or other sensitive data accessible via the browser's local storage.\n\n### Patches\n\nThe fix strips MIME parameters from the `Content-Type` header before validating the file extension against the blocklist. The default blocklist has also been extended to include additional XML-based extensions (`xsd`, `rng`, `rdf`, `rdf+xml`, `owl`, `mathml`, `mathml+xml`) that can render active content in web browsers.\n\nNote that the `fileUpload.fileExtensions` option is intended to be configured as an allowlist of file extensions that are valid for a specific application, not as a denylist. The default denylist is provided only as a basic default that covers most common problematic extensions. It is not intended to be an exhaustive list of all potentially dangerous extensions. Developers should not rely on the default value, as new extensions that can render active content in browsers might emerge in the future.\n\n### Workarounds\n\nConfigure the `fileUpload.fileExtensions` option to use an allowlist of only the file extensions that your application needs, rather than relying on the default blocklist.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32728", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02825", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02841", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02894", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02886", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32728" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/4f53ab3cad5502a51a509d53f999e00ff7217b8d", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T15:03:38Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/4f53ab3cad5502a51a509d53f999e00ff7217b8d" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/c7599c577a02b97eb5e76d4e20517b0283ae73c8", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T15:03:38Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/c7599c577a02b97eb5e76d4e20517b0283ae73c8" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10191", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T15:03:38Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10191" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10192", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T15:03:38Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10192" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-42ph-pf9q-cr72", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T15:03:38Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-42ph-pf9q-cr72" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32728", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32728" }, { "reference_url": "https://github.com/advisories/GHSA-42ph-pf9q-cr72", "reference_id": "GHSA-42ph-pf9q-cr72", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-42ph-pf9q-cr72" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/114360?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.15" } ], "aliases": [ "CVE-2026-32728", "GHSA-42ph-pf9q-cr72" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-twrs-rk3t-f3gf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90937?format=api", "vulnerability_id": "VCID-v5t3-r3mz-13gc", "summary": "Parse Server's Session Update endpoint allows overwriting server-generated session fields\n### Impact\n\nAn authenticated user can overwrite server-generated session fields such as `expiresAt` and `createdWith` when updating their own session via the REST API. This allows bypassing the server's configured session lifetime policy, making a session effectively permanent.\n\n### Patches\n\nThe fix blocks authenticated users from setting `expiresAt` and `createdWith` fields when updating a session. Master key and maintenance key operations are not affected.\n\n### Workarounds\n\nThere is no known workaround other than upgrading.\n\n### Resources\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-jc39-686j-wp6q\n- Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10263\n- Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10264", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33527", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02655", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02585", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02601", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02652", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33527" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/26b628c8fb3cc79ea955374769eebcff6f8a8a73", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:36:32Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/26b628c8fb3cc79ea955374769eebcff6f8a8a73" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/ea68fc0b22a6056c9675149469ff57817f7cf984", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:36:32Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/ea68fc0b22a6056c9675149469ff57817f7cf984" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10263", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:36:32Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10263" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10264", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:36:32Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10264" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-jc39-686j-wp6q", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:36:32Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-jc39-686j-wp6q" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33527", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33527" }, { "reference_url": "https://github.com/advisories/GHSA-jc39-686j-wp6q", "reference_id": "GHSA-jc39-686j-wp6q", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jc39-686j-wp6q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/112903?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.48", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.48" } ], "aliases": [ "CVE-2026-33527", "GHSA-jc39-686j-wp6q" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-v5t3-r3mz-13gc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90067?format=api", "vulnerability_id": "VCID-w48t-hex5-qkcs", "summary": "Parser Server's streaming file download bypasses afterFind file trigger authorization\n### Impact\n\nFile downloads via HTTP Range requests bypass the `afterFind(Parse.File)` trigger and its validators on storage adapters that support streaming (e.g. the default GridFS adapter). This allows access to files that should be protected by `afterFind` trigger authorization logic or built-in validators such as `requireUser`.\n\n### Patches\n\nThe streaming file download path now executes the `afterFind(Parse.File)` trigger before sending any data. Authentication is resolved from the session token header so that trigger validators can distinguish authenticated from unauthenticated requests.\n\n### Workarounds\n\nUse `beforeFind(Parse.File)` instead of `afterFind(Parse.File)` for file access authorization. The `beforeFind` trigger runs on all download paths including streaming.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34784", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03909", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03937", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03624", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03611", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34784" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/053109b3ee71815bc39ed84116c108ff9edbf337", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:31Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/053109b3ee71815bc39ed84116c108ff9edbf337" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/a0b0c69fc44f87f80d793d257344e7dcbf676e22", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:31Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/a0b0c69fc44f87f80d793d257344e7dcbf676e22" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10361", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:31Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10361" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10362", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:31Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10362" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-hpm8-9qx6-jvwv", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:31Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-hpm8-9qx6-jvwv" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34784", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34784" }, { "reference_url": "https://github.com/advisories/GHSA-hpm8-9qx6-jvwv", "reference_id": "GHSA-hpm8-9qx6-jvwv", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hpm8-9qx6-jvwv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/111314?format=api", "purl": "pkg:npm/parse-server@9.7.1-alpha.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.1-alpha.1" } ], "aliases": [ "CVE-2026-34784", "GHSA-hpm8-9qx6-jvwv" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w48t-hex5-qkcs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50909?format=api", "vulnerability_id": "VCID-wh63-a1pu-c3g2", "summary": "Parse Server: Account takeover via operator injection in authentication data identifier\nAn unauthenticated attacker can take over any user account that was created with an authentication provider that does not validate the format of the user identifier (e.g. anonymous authentication). By sending a crafted login request, the attacker can cause the server to perform a pattern-matching query instead of an exact-match lookup, allowing the attacker to match an existing user and obtain a valid session token for that user's account. Both MongoDB and PostgreSQL database backends are affected. Any Parse Server deployment that allows anonymous authentication (enabled by default) is vulnerable.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32248", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.001", "scoring_system": "epss", "scoring_elements": "0.27386", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.001", "scoring_system": "epss", "scoring_elements": "0.27246", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.001", "scoring_system": "epss", "scoring_elements": "0.27296", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.001", "scoring_system": "epss", "scoring_elements": "0.27336", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32248" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.38", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-13T16:17:01Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.38" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.12", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-13T16:17:01Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.12" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32248", "reference_id": "CVE-2026-32248", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32248" }, { "reference_url": "https://github.com/advisories/GHSA-5fw2-8jcv-xh87", "reference_id": "GHSA-5fw2-8jcv-xh87", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5fw2-8jcv-xh87" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-5fw2-8jcv-xh87", "reference_id": "GHSA-5fw2-8jcv-xh87", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-13T16:17:01Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-5fw2-8jcv-xh87" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74865?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.12" } ], "aliases": [ "CVE-2026-32248", "GHSA-5fw2-8jcv-xh87" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wh63-a1pu-c3g2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90890?format=api", "vulnerability_id": "VCID-ww53-ctcz-r7bp", "summary": "Parse Server crash via deeply nested query condition operators\n### Impact\n\nAn unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nested query condition operators. This terminates the server and denies service to all connected clients.\n\n### Patches\n\nA depth limit for query condition operator nesting has been added via the `requestComplexity.queryDepth` server option. The option is disabled by default to avoid a breaking change. To mitigate, upgrade and set the option to a value appropriate for your app.\n\n### Workarounds\n\nNone.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32944", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05612", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05558", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05599", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05597", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32944" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10202", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-19T16:56:21Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10202" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10203", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-19T16:56:21Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10203" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-9xp9-j92r-p88v", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-19T16:56:21Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-9xp9-j92r-p88v" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32944", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32944" }, { "reference_url": "https://github.com/advisories/GHSA-9xp9-j92r-p88v", "reference_id": "GHSA-9xp9-j92r-p88v", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9xp9-j92r-p88v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/112784?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.21", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.21" } ], "aliases": [ "CVE-2026-32944", "GHSA-9xp9-j92r-p88v" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ww53-ctcz-r7bp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91753?format=api", "vulnerability_id": "VCID-xpuh-u9nt-m7dt", "summary": "Parse Server has a protected field change detection oracle via LiveQuery watch parameter\n### Impact\n\nAn attacker can subscribe to LiveQuery with a `watch` parameter targeting a protected field. Although the protected field value is properly stripped from event payloads, the presence or absence of update events reveals whether the protected field changed, creating a binary oracle. For boolean protected fields, the timing of change events is equivalent to knowing the field value.\n\n### Patches\n\nThe `watch` parameter is now validated against protected fields at subscription time, mirroring the existing validation for the `where` clause. Subscriptions that include protected fields in `watch` are rejected with a permission error. Master key connections are exempt.\n\n### Workarounds\n\nNone.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33429", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03033", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03092", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03051", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03102", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33429" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/0c0a0a5a37ca821d2553119f2cb3be35322eda4b", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:33:05Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/0c0a0a5a37ca821d2553119f2cb3be35322eda4b" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/c62eacaf38de86913f09240583448360b1cc8e67", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:33:05Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/c62eacaf38de86913f09240583448360b1cc8e67" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10253", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:33:05Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10253" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10254", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:33:05Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10254" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-qpc3-fg4j-8hgm", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:33:05Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-qpc3-fg4j-8hgm" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33429", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33429" }, { "reference_url": "https://github.com/advisories/GHSA-qpc3-fg4j-8hgm", "reference_id": "GHSA-qpc3-fg4j-8hgm", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qpc3-fg4j-8hgm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/114087?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.43", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.43" } ], "aliases": [ "CVE-2026-33429", "GHSA-qpc3-fg4j-8hgm" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xpuh-u9nt-m7dt" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91682?format=api", "vulnerability_id": "VCID-y8w7-v5cd-a3en", "summary": "Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint\n### Impact\n\nThe OAuth2 authentication adapter does not correctly validate app IDs when `appidField` and `appIds` are configured. During app ID validation, a malformed value is sent to the token introspection endpoint instead of the user's actual access token. Depending on the introspection endpoint's behavior, this could either cause all OAuth2 logins to fail, or allow authentication from disallowed app contexts if the endpoint returns valid-looking data for the malformed request.\n\nDeployments using the OAuth2 adapter with `appidField` and `appIds` configured are affected.\n\n### Patches\n\nThe fix corrects the parameter alignment in the OAuth2 adapter's app ID validation method to match the expected interface, ensuring the correct access token is sent to the introspection endpoint.\n\n### Workarounds\n\nThere is no known workaround.\n\n### References\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-69xg-f649-w5g2\n- Fix in Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.13\n- Fix in Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.39", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32269", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04778", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04718", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04756", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04768", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32269" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.39", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-13T16:11:12Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.39" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.13", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-13T16:11:12Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.13" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-69xg-f649-w5g2", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-13T16:11:12Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-69xg-f649-w5g2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32269", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32269" }, { "reference_url": "https://github.com/advisories/GHSA-69xg-f649-w5g2", "reference_id": "GHSA-69xg-f649-w5g2", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-69xg-f649-w5g2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113967?format=api", "purl": "pkg:npm/parse-server@9.6.0-alpha.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.13" } ], "aliases": [ "CVE-2026-32269", "GHSA-69xg-f649-w5g2" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y8w7-v5cd-a3en" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91083?format=api", "vulnerability_id": "VCID-ze79-p1vg-47fx", "summary": "parse-server has GraphQL complexity validator exponential fragment traversal DoS\n### Impact\n\nThe GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads. A single unauthenticated request can block the Node.js event loop for seconds, denying service to all concurrent users. This only affects deployments that have enabled the `requestComplexity.graphQLDepth` or `requestComplexity.graphQLFields` configuration options.\n\n### Patches\n\nThe fix replaces the per-branch fragment traversal with memoized fragment computation, reducing the traversal from exponential O(2^N) to linear O(N) time. Additionally, early termination aborts the traversal as soon as configured limits are exceeded.\n\n### Workarounds\n\nDisable GraphQL complexity limits by setting `requestComplexity.graphQLDepth` and `requestComplexity.graphQLFields` to `-1` (the default).\n\n### Resources\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-mfj6-6p54-m98c\n- Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10344\n- Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10345", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34573", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04954", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.0494", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05247", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05287", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34573" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/ea15412795f34594cc8a674fe858d445675e0295", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:19Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/ea15412795f34594cc8a674fe858d445675e0295" }, { "reference_url": "https://github.com/parse-community/parse-server/commit/f759bda075298ec44e2b4fb57659a0c56620483b", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:19Z/" } ], "url": "https://github.com/parse-community/parse-server/commit/f759bda075298ec44e2b4fb57659a0c56620483b" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10344", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:19Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10344" }, { "reference_url": "https://github.com/parse-community/parse-server/pull/10345", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:19Z/" } ], "url": "https://github.com/parse-community/parse-server/pull/10345" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mfj6-6p54-m98c", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:19Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mfj6-6p54-m98c" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34573", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34573" }, { "reference_url": "https://github.com/advisories/GHSA-mfj6-6p54-m98c", "reference_id": "GHSA-mfj6-6p54-m98c", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mfj6-6p54-m98c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113106?format=api", "purl": "pkg:npm/parse-server@9.7.0-alpha.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-w48t-hex5-qkcs" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.7.0-alpha.12" } ], "aliases": [ "CVE-2026-34573", "GHSA-mfj6-6p54-m98c" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ze79-p1vg-47fx" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50850?format=api", "vulnerability_id": "VCID-qupn-1ytd-tkae", "summary": "Parse Server vulnerable to LDAP injection via unsanitized user input in DN and group filter construction\nThe LDAP authentication adapter is vulnerable to LDAP injection. User-supplied input (`authData.id`) is interpolated directly into LDAP Distinguished Names (DN) and group search filters without escaping special characters. This allows an attacker with valid LDAP credentials to manipulate the bind DN structure and to bypass group membership checks. This enables privilege escalation from any authenticated LDAP user to a member of any restricted group.\n\nThe vulnerability affects Parse Server deployments that use the LDAP authentication adapter with group-based access control.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31828", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00164", "scoring_system": "epss", "scoring_elements": "0.37183", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00164", "scoring_system": "epss", "scoring_elements": "0.37222", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00164", "scoring_system": "epss", "scoring_elements": "0.37254", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00164", "scoring_system": "epss", "scoring_elements": "0.37247", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31828" }, { "reference_url": "https://github.com/parse-community/parse-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parse-community/parse-server" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/8.6.26", "reference_id": "", "reference_type": "", "scores": [ { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:51:50Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.26" }, { "reference_url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.13", "reference_id": "", "reference_type": "", "scores": [ { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:51:50Z/" } ], "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.13" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31828", "reference_id": "CVE-2026-31828", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31828" }, { "reference_url": "https://github.com/advisories/GHSA-7m6r-fhh7-r47c", "reference_id": "GHSA-7m6r-fhh7-r47c", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7m6r-fhh7-r47c" }, { "reference_url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7m6r-fhh7-r47c", "reference_id": "GHSA-7m6r-fhh7-r47c", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:51:50Z/" } ], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7m6r-fhh7-r47c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74763?format=api", "purl": "pkg:npm/parse-server@8.6.26", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@8.6.26" }, { "url": "http://public2.vulnerablecode.io/api/packages/74762?format=api", "purl": "pkg:npm/parse-server@9.5.2-alpha.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j65-rdzh-6bc3" }, { "vulnerability": "VCID-3pbu-nwcc-hydn" }, { "vulnerability": "VCID-51jb-xry5-5qc2" }, { "vulnerability": "VCID-5j87-2q5c-cqdf" }, { "vulnerability": "VCID-5tkj-suz2-hyf2" }, { "vulnerability": "VCID-5tn5-f5x6-afbh" }, { "vulnerability": "VCID-6bmy-ymay-zfdm" }, { "vulnerability": "VCID-7spb-rcbx-w7gn" }, { "vulnerability": "VCID-82fj-6jd2-hqc1" }, { "vulnerability": "VCID-8zde-nj53-ebhu" }, { "vulnerability": "VCID-9kyv-xmvr-nfgf" }, { "vulnerability": "VCID-agc3-jfsf-kbhh" }, { "vulnerability": "VCID-c1nt-b6by-m7hu" }, { "vulnerability": "VCID-crd1-u2dd-6yh2" }, { "vulnerability": "VCID-cuaf-2g3g-tuap" }, { "vulnerability": "VCID-cuct-x9ub-1bd9" }, { "vulnerability": "VCID-davb-xyy3-2qf1" }, { "vulnerability": "VCID-eh2m-7t9f-tqdm" }, { "vulnerability": "VCID-f6mm-th5w-fug4" }, { "vulnerability": "VCID-faws-rh1j-tba1" }, { "vulnerability": "VCID-fnb8-edpu-e3e3" }, { "vulnerability": "VCID-g9mj-kud1-d7a3" }, { "vulnerability": "VCID-gzbr-zm1b-nkfc" }, { "vulnerability": "VCID-h8hu-n8dv-ybhy" }, { "vulnerability": "VCID-h8ut-tkq6-r7e2" }, { "vulnerability": "VCID-j6q8-5bxf-7fcf" }, { "vulnerability": "VCID-j9vu-d52s-ekgq" }, { "vulnerability": "VCID-jsgf-t1ga-x7eq" }, { "vulnerability": "VCID-kar5-6zet-aqad" }, { "vulnerability": "VCID-kpnd-nb3e-2ufx" }, { "vulnerability": "VCID-m9r5-g4pw-q7cx" }, { "vulnerability": "VCID-mpu4-c9v9-wbdd" }, { "vulnerability": "VCID-n19y-uwm6-3udp" }, { "vulnerability": "VCID-n8kv-67nw-xbaw" }, { "vulnerability": "VCID-nqnd-8hx6-5bh4" }, { "vulnerability": "VCID-p1jm-h97h-vkhv" }, { "vulnerability": "VCID-r9jq-4te8-xkfb" }, { "vulnerability": "VCID-sd7z-5aa7-f7aw" }, { "vulnerability": "VCID-twrs-rk3t-f3gf" }, { "vulnerability": "VCID-v5t3-r3mz-13gc" }, { "vulnerability": "VCID-w48t-hex5-qkcs" }, { "vulnerability": "VCID-wh63-a1pu-c3g2" }, { "vulnerability": "VCID-ww53-ctcz-r7bp" }, { "vulnerability": "VCID-xpuh-u9nt-m7dt" }, { "vulnerability": "VCID-y8w7-v5cd-a3en" }, { "vulnerability": "VCID-ze79-p1vg-47fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.13" } ], "aliases": [ "CVE-2026-31828", "GHSA-7m6r-fhh7-r47c" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qupn-1ytd-tkae" } ], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.13" }