{"url":"http://public2.vulnerablecode.io/api/packages/961347?format=json","purl":"pkg:npm/parse-server@9.0.0-alpha.3","type":"npm","namespace":"","name":"parse-server","version":"9.0.0-alpha.3","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"9.9.0-alpha.2","latest_non_vulnerable_version":"9.9.1-alpha.2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/71253?format=json","vulnerability_id":"VCID-262h-v1yd-tfc9","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation (e.g., stats.counter). The amount value is interpolated directly into the SQL query without parameterization or type validation. An attacker who can send write requests to the Parse Server REST API can inject arbitrary SQL subqueries to read any data from the database, bypassing CLPs and ACLs. MongoDB deployments are not affected. This vulnerability is fixed in 9.6.0-alpha.3 and 8.6.29.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31856","reference_id":"","reference_type":"","scores":[{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13399","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13424","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13419","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13311","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31856"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/8.6.29","reference_id":"8.6.29","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:11:18Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/8.6.29"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.3","reference_id":"9.6.0-alpha.3","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:11:18Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31856","reference_id":"CVE-2026-31856","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31856"},{"reference_url":"https://github.com/advisories/GHSA-q3vj-96h2-gwvg","reference_id":"GHSA-q3vj-96h2-gwvg","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q3vj-96h2-gwvg"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-q3vj-96h2-gwvg","reference_id":"GHSA-q3vj-96h2-gwvg","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:11:18Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-q3vj-96h2-gwvg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40678?format=json","purl":"pkg:npm/parse-server@9.6.0-alpha.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13fb-z2vs-83hu"},{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-1y9a-gb1j-ufdu"},{"vulnerability":"VCID-2fzy-ajnc-fbf9"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-53r7-9knw-u7bd"},{"vulnerability":"VCID-5bbt-8378-17d1"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-bpp2-r2wr-vkf6"},{"vulnerability":"VCID-ca2c-skt8-mqau"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e7pg-sdu5-mkhh"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-ee1t-31wz-ufbw"},{"vulnerability":"VCID-evdb-d9ew-pbfq"},{"vulnerability":"VCID-fdqv-3n6r-2fgb"},{"vulnerability":"VCID-g9b7-r5ry-mybm"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hbms-u2mt-jyhn"},{"vulnerability":"VCID-hh7p-ae88-z3fs"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-j3ba-adds-muay"},{"vulnerability":"VCID-j6sw-ak9p-nyhc"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-qybe-rg1s-6kau"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-s2mj-yppn-ckaa"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-xrz4-1vpd-2qeg"},{"vulnerability":"VCID-zrvb-y7f6-ykby"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.3"}],"aliases":["CVE-2026-31856","GHSA-q3vj-96h2-gwvg"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-262h-v1yd-tfc9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66602?format=json","vulnerability_id":"VCID-2syy-yyte-nug4","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.8 and 8.6.21, a vulnerability in Parse Server's query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other users by exploiting the redirectClassNameForKey query parameter. Exfiltrated session tokens can be used to take over user accounts. The vulnerability requires the attacker to be able to create or update an object with a new relation field, which depends on the Class-Level Permissions of at least one class. This vulnerability is fixed in 9.5.2-alpha.8 and 8.6.21.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30965","reference_id":"","reference_type":"","scores":[{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.25397","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.25411","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.25394","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.25196","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30965"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/8.6.21","reference_id":"8.6.21","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-11T14:27:33Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/8.6.21"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.8","reference_id":"9.5.2-alpha.8","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-11T14:27:33Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30965","reference_id":"CVE-2026-30965","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30965"},{"reference_url":"https://github.com/advisories/GHSA-6r2j-cxgf-495f","reference_id":"GHSA-6r2j-cxgf-495f","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6r2j-cxgf-495f"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-6r2j-cxgf-495f","reference_id":"GHSA-6r2j-cxgf-495f","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-11T14:27:33Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-6r2j-cxgf-495f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40651?format=json","purl":"pkg:npm/parse-server@9.5.2-alpha.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13fb-z2vs-83hu"},{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-1y9a-gb1j-ufdu"},{"vulnerability":"VCID-262h-v1yd-tfc9"},{"vulnerability":"VCID-2fzy-ajnc-fbf9"},{"vulnerability":"VCID-2qbc-paq8-2fgn"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-53r7-9knw-u7bd"},{"vulnerability":"VCID-5bbt-8378-17d1"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-bpp2-r2wr-vkf6"},{"vulnerability":"VCID-ca2c-skt8-mqau"},{"vulnerability":"VCID-caj3-ujpk-hba5"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e7pg-sdu5-mkhh"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-ee1t-31wz-ufbw"},{"vulnerability":"VCID-evdb-d9ew-pbfq"},{"vulnerability":"VCID-fdqv-3n6r-2fgb"},{"vulnerability":"VCID-g9b7-r5ry-mybm"},{"vulnerability":"VCID-gjus-pwzw-qufs"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hbms-u2mt-jyhn"},{"vulnerability":"VCID-hh7p-ae88-z3fs"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-j3ba-adds-muay"},{"vulnerability":"VCID-j6sw-ak9p-nyhc"},{"vulnerability":"VCID-jh6w-1y2k-27de"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-qybe-rg1s-6kau"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-s2mj-yppn-ckaa"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-wtbe-kc8y-77dk"},{"vulnerability":"VCID-xrz4-1vpd-2qeg"},{"vulnerability":"VCID-zrvb-y7f6-ykby"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.8"}],"aliases":["CVE-2026-30965","GHSA-6r2j-cxgf-495f"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2syy-yyte-nug4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66328?format=json","vulnerability_id":"VCID-383v-s4c7-6bfu","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.13 and 9.5.1-alpha.2, an unauthenticated attacker can crash the Parse Server process by calling a Cloud Function endpoint with a prototype property name as the function name. The server recurses infinitely, causing a call stack size error that terminates the process. Other prototype property names bypass Cloud Function dispatch validation and return HTTP 200 responses, even though no such Cloud Functions are defined. The same applies to dot-notation traversal. All Parse Server deployments that expose the Cloud Function endpoint are affected. This vulnerability is fixed in 8.6.13 and 9.5.1-alpha.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30939","reference_id":"","reference_type":"","scores":[{"value":"0.00181","scoring_system":"epss","scoring_elements":"0.39846","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00181","scoring_system":"epss","scoring_elements":"0.39857","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00181","scoring_system":"epss","scoring_elements":"0.39833","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00181","scoring_system":"epss","scoring_elements":"0.39663","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30939"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/8.6.13","reference_id":"8.6.13","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:56:39Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/8.6.13"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/9.5.1-alpha.2","reference_id":"9.5.1-alpha.2","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:56:39Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/9.5.1-alpha.2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30939","reference_id":"CVE-2026-30939","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30939"},{"reference_url":"https://github.com/advisories/GHSA-5j86-7r7m-p8h6","reference_id":"GHSA-5j86-7r7m-p8h6","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5j86-7r7m-p8h6"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-5j86-7r7m-p8h6","reference_id":"GHSA-5j86-7r7m-p8h6","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:56:39Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-5j86-7r7m-p8h6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40426?format=json","purl":"pkg:npm/parse-server@9.5.1-alpha.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13fb-z2vs-83hu"},{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-1y9a-gb1j-ufdu"},{"vulnerability":"VCID-22pk-5s6t-ufaw"},{"vulnerability":"VCID-262h-v1yd-tfc9"},{"vulnerability":"VCID-2fzy-ajnc-fbf9"},{"vulnerability":"VCID-2qbc-paq8-2fgn"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-2syy-yyte-nug4"},{"vulnerability":"VCID-2t98-yfws-zfgn"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-53r7-9knw-u7bd"},{"vulnerability":"VCID-5bbt-8378-17d1"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-bpp2-r2wr-vkf6"},{"vulnerability":"VCID-brgs-d2uu-a7bt"},{"vulnerability":"VCID-ca2c-skt8-mqau"},{"vulnerability":"VCID-caj3-ujpk-hba5"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dmkx-64cw-67ae"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e7pg-sdu5-mkhh"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-ee1t-31wz-ufbw"},{"vulnerability":"VCID-evdb-d9ew-pbfq"},{"vulnerability":"VCID-fdqv-3n6r-2fgb"},{"vulnerability":"VCID-g9b7-r5ry-mybm"},{"vulnerability":"VCID-gjus-pwzw-qufs"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hbms-u2mt-jyhn"},{"vulnerability":"VCID-hh7p-ae88-z3fs"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-j3ba-adds-muay"},{"vulnerability":"VCID-j6sw-ak9p-nyhc"},{"vulnerability":"VCID-jh6w-1y2k-27de"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-pkkz-wwqa-1ufw"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-qybe-rg1s-6kau"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-s2mj-yppn-ckaa"},{"vulnerability":"VCID-smga-c628-mucb"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-wtbe-kc8y-77dk"},{"vulnerability":"VCID-xrz4-1vpd-2qeg"},{"vulnerability":"VCID-yup6-6p9f-n7bu"},{"vulnerability":"VCID-zrvb-y7f6-ykby"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.1-alpha.2"}],"aliases":["CVE-2026-30939","GHSA-5j86-7r7m-p8h6"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-383v-s4c7-6bfu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66471?format=json","vulnerability_id":"VCID-8cct-wkqq-nqdm","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.12 and 9.5.1-alpha.1, the requestKeywordDenylist security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is caused by a logic bug that stops scanning sibling keys after encountering the first nested value. Any custom requestKeywordDenylist entries configured by the developer are equally by-passable using the same technique. All Parse Server deployments are affected. The requestKeywordDenylist is enabled by default. This vulnerability is fixed in 8.6.12 and 9.5.1-alpha.1. Use a Cloud Code beforeSave trigger to validate incoming data for prohibited keywords across all classes.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30938","reference_id":"","reference_type":"","scores":[{"value":"0.00067","scoring_system":"epss","scoring_elements":"0.21145","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00067","scoring_system":"epss","scoring_elements":"0.21126","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00067","scoring_system":"epss","scoring_elements":"0.2095","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30938"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/8.6.12","reference_id":"8.6.12","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:56:19Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/8.6.12"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/9.5.1-alpha.1","reference_id":"9.5.1-alpha.1","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:56:19Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/9.5.1-alpha.1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30938","reference_id":"CVE-2026-30938","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30938"},{"reference_url":"https://github.com/advisories/GHSA-q342-9w2p-57fp","reference_id":"GHSA-q342-9w2p-57fp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q342-9w2p-57fp"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-q342-9w2p-57fp","reference_id":"GHSA-q342-9w2p-57fp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:56:19Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-q342-9w2p-57fp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40422?format=json","purl":"pkg:npm/parse-server@9.5.1-alpha.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13fb-z2vs-83hu"},{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-1y9a-gb1j-ufdu"},{"vulnerability":"VCID-22pk-5s6t-ufaw"},{"vulnerability":"VCID-262h-v1yd-tfc9"},{"vulnerability":"VCID-2fzy-ajnc-fbf9"},{"vulnerability":"VCID-2qbc-paq8-2fgn"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-2syy-yyte-nug4"},{"vulnerability":"VCID-2t98-yfws-zfgn"},{"vulnerability":"VCID-383v-s4c7-6bfu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-53r7-9knw-u7bd"},{"vulnerability":"VCID-5bbt-8378-17d1"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-bpp2-r2wr-vkf6"},{"vulnerability":"VCID-brgs-d2uu-a7bt"},{"vulnerability":"VCID-ca2c-skt8-mqau"},{"vulnerability":"VCID-caj3-ujpk-hba5"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dmkx-64cw-67ae"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e7pg-sdu5-mkhh"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-ee1t-31wz-ufbw"},{"vulnerability":"VCID-evdb-d9ew-pbfq"},{"vulnerability":"VCID-fdqv-3n6r-2fgb"},{"vulnerability":"VCID-g9b7-r5ry-mybm"},{"vulnerability":"VCID-gjus-pwzw-qufs"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hbms-u2mt-jyhn"},{"vulnerability":"VCID-hh7p-ae88-z3fs"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-j3ba-adds-muay"},{"vulnerability":"VCID-j6sw-ak9p-nyhc"},{"vulnerability":"VCID-jh6w-1y2k-27de"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-pkkz-wwqa-1ufw"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-qybe-rg1s-6kau"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-s2mj-yppn-ckaa"},{"vulnerability":"VCID-smga-c628-mucb"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-wtbe-kc8y-77dk"},{"vulnerability":"VCID-xrz4-1vpd-2qeg"},{"vulnerability":"VCID-yup6-6p9f-n7bu"},{"vulnerability":"VCID-zrvb-y7f6-ykby"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.1-alpha.1"}],"aliases":["CVE-2026-30938","GHSA-q342-9w2p-57fp"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8cct-wkqq-nqdm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66590?format=json","vulnerability_id":"VCID-bzw6-4m1j-6fe2","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.0-alpha.14 and 8.6.11, a malicious client can subscribe to a LiveQuery with a crafted $regex pattern that causes catastrophic backtracking, blocking the Node.js event loop. This makes the entire Parse Server unresponsive, affecting all clients. Any Parse Server deployment with LiveQuery enabled is affected. The attacker only needs the application ID and JavaScript key, both of which are public in client-side apps. This only affects LiveQuery subscription matching, which evaluates regex in JavaScript on the Node.js event loop. Normal REST and GraphQL queries are not affected because their regex is evaluated by the database engine. This vulnerability is fixed in 9.5.0-alpha.14 and 8.6.11.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30925","reference_id":"","reference_type":"","scores":[{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06064","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06076","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06084","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06061","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30925"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/8.6.11","reference_id":"8.6.11","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T14:08:58Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/8.6.11"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.14","reference_id":"9.5.0-alpha.14","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T14:08:58Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.14"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30925","reference_id":"CVE-2026-30925","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30925"},{"reference_url":"https://github.com/advisories/GHSA-mf3j-86qx-cq5j","reference_id":"GHSA-mf3j-86qx-cq5j","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mf3j-86qx-cq5j"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-mf3j-86qx-cq5j","reference_id":"GHSA-mf3j-86qx-cq5j","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T14:08:58Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-mf3j-86qx-cq5j"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40420?format=json","purl":"pkg:npm/parse-server@9.5.0-alpha.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13fb-z2vs-83hu"},{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-1y9a-gb1j-ufdu"},{"vulnerability":"VCID-22pk-5s6t-ufaw"},{"vulnerability":"VCID-262h-v1yd-tfc9"},{"vulnerability":"VCID-2fzy-ajnc-fbf9"},{"vulnerability":"VCID-2qbc-paq8-2fgn"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-2syy-yyte-nug4"},{"vulnerability":"VCID-2t98-yfws-zfgn"},{"vulnerability":"VCID-383v-s4c7-6bfu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-53r7-9knw-u7bd"},{"vulnerability":"VCID-5bbt-8378-17d1"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-8cct-wkqq-nqdm"},{"vulnerability":"VCID-bpp2-r2wr-vkf6"},{"vulnerability":"VCID-brgs-d2uu-a7bt"},{"vulnerability":"VCID-ca2c-skt8-mqau"},{"vulnerability":"VCID-caj3-ujpk-hba5"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dmkx-64cw-67ae"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e7pg-sdu5-mkhh"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-ee1t-31wz-ufbw"},{"vulnerability":"VCID-evdb-d9ew-pbfq"},{"vulnerability":"VCID-fdqv-3n6r-2fgb"},{"vulnerability":"VCID-g9b7-r5ry-mybm"},{"vulnerability":"VCID-gjus-pwzw-qufs"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hbms-u2mt-jyhn"},{"vulnerability":"VCID-hh7p-ae88-z3fs"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-j3ba-adds-muay"},{"vulnerability":"VCID-j6sw-ak9p-nyhc"},{"vulnerability":"VCID-jh6w-1y2k-27de"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-pkkz-wwqa-1ufw"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-qybe-rg1s-6kau"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-s2mj-yppn-ckaa"},{"vulnerability":"VCID-smga-c628-mucb"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-wtbe-kc8y-77dk"},{"vulnerability":"VCID-xrz4-1vpd-2qeg"},{"vulnerability":"VCID-yup6-6p9f-n7bu"},{"vulnerability":"VCID-zrvb-y7f6-ykby"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.0-alpha.14"}],"aliases":["CVE-2026-30925","GHSA-mf3j-86qx-cq5j"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bzw6-4m1j-6fe2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66514?format=json","vulnerability_id":"VCID-caj3-ujpk-hba5","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior o 9.5.2-alpha.10 and 8.6.23, Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint (/batch) processes sub-requests internally by routing them directly through the Promise router, bypassing Express middleware including rate limiting. An attacker can bundle multiple requests targeting a rate-limited endpoint into a single batch request to circumvent the configured rate limit. Any Parse Server deployment that relies on the built-in rate limiting feature is affected. This vulnerability is fixed in 9.5.2-alpha.10 and 8.6.23.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30972","reference_id":"","reference_type":"","scores":[{"value":"0.00062","scoring_system":"epss","scoring_elements":"0.1966","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00062","scoring_system":"epss","scoring_elements":"0.19686","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00062","scoring_system":"epss","scoring_elements":"0.19664","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00062","scoring_system":"epss","scoring_elements":"0.1949","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30972"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/8.6.23","reference_id":"8.6.23","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:53:44Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/8.6.23"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.10","reference_id":"9.5.2-alpha.10","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:53:44Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.10"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30972","reference_id":"CVE-2026-30972","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30972"},{"reference_url":"https://github.com/advisories/GHSA-775h-3xrc-c228","reference_id":"GHSA-775h-3xrc-c228","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-775h-3xrc-c228"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-775h-3xrc-c228","reference_id":"GHSA-775h-3xrc-c228","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:53:44Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-775h-3xrc-c228"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40658?format=json","purl":"pkg:npm/parse-server@9.5.2-alpha.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13fb-z2vs-83hu"},{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-1y9a-gb1j-ufdu"},{"vulnerability":"VCID-262h-v1yd-tfc9"},{"vulnerability":"VCID-2fzy-ajnc-fbf9"},{"vulnerability":"VCID-2qbc-paq8-2fgn"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-53r7-9knw-u7bd"},{"vulnerability":"VCID-5bbt-8378-17d1"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-bpp2-r2wr-vkf6"},{"vulnerability":"VCID-ca2c-skt8-mqau"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e7pg-sdu5-mkhh"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-ee1t-31wz-ufbw"},{"vulnerability":"VCID-evdb-d9ew-pbfq"},{"vulnerability":"VCID-fdqv-3n6r-2fgb"},{"vulnerability":"VCID-g9b7-r5ry-mybm"},{"vulnerability":"VCID-gjus-pwzw-qufs"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hbms-u2mt-jyhn"},{"vulnerability":"VCID-hh7p-ae88-z3fs"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-j3ba-adds-muay"},{"vulnerability":"VCID-j6sw-ak9p-nyhc"},{"vulnerability":"VCID-jh6w-1y2k-27de"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-qybe-rg1s-6kau"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-s2mj-yppn-ckaa"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-xrz4-1vpd-2qeg"},{"vulnerability":"VCID-zrvb-y7f6-ykby"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.10"}],"aliases":["CVE-2026-30972","GHSA-775h-3xrc-c228"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-caj3-ujpk-hba5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/71310?format=json","vulnerability_id":"VCID-fdqv-3n6r-2fgb","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.4 and 8.6.30, an attacker can upload a file with a file extension or content type that is not blocked by the default configuration of the Parse Server fileUpload.fileExtensions option. The file can contain malicious code, for example JavaScript in an SVG or XHTML file. When the file is accessed via its URL, the browser renders the file and executes the malicious code in the context of the Parse Server domain. This is a stored Cross-Site Scripting (XSS) vulnerability that can be exploited to steal session tokens, redirect users, or perform actions on behalf of other users. Affected file extensions and content types include .svgz, .xht, .xml, .xsl, .xslt, and content types application/xhtml+xml and application/xslt+xml for extensionless uploads. Uploading of .html, .htm, .shtml, .xhtml, and .svg files was already blocked. This vulnerability is fixed in 9.6.0-alpha.4 and 8.6.30.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31868","reference_id":"","reference_type":"","scores":[{"value":"0.00064","scoring_system":"epss","scoring_elements":"0.20188","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00064","scoring_system":"epss","scoring_elements":"0.20212","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00064","scoring_system":"epss","scoring_elements":"0.20191","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00064","scoring_system":"epss","scoring_elements":"0.20019","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31868"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/8.6.30","reference_id":"8.6.30","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:10:45Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/8.6.30"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.4","reference_id":"9.6.0-alpha.4","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:10:45Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31868","reference_id":"CVE-2026-31868","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31868"},{"reference_url":"https://github.com/advisories/GHSA-v5hf-f4c3-m5rv","reference_id":"GHSA-v5hf-f4c3-m5rv","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v5hf-f4c3-m5rv"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-v5hf-f4c3-m5rv","reference_id":"GHSA-v5hf-f4c3-m5rv","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:10:45Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-v5hf-f4c3-m5rv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40686?format=json","purl":"pkg:npm/parse-server@9.6.0-alpha.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13fb-z2vs-83hu"},{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-1y9a-gb1j-ufdu"},{"vulnerability":"VCID-2fzy-ajnc-fbf9"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-53r7-9knw-u7bd"},{"vulnerability":"VCID-5bbt-8378-17d1"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-bpp2-r2wr-vkf6"},{"vulnerability":"VCID-ca2c-skt8-mqau"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e7pg-sdu5-mkhh"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-ee1t-31wz-ufbw"},{"vulnerability":"VCID-evdb-d9ew-pbfq"},{"vulnerability":"VCID-g9b7-r5ry-mybm"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hbms-u2mt-jyhn"},{"vulnerability":"VCID-hh7p-ae88-z3fs"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-j3ba-adds-muay"},{"vulnerability":"VCID-j6sw-ak9p-nyhc"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-qybe-rg1s-6kau"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-s2mj-yppn-ckaa"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-xrz4-1vpd-2qeg"},{"vulnerability":"VCID-zrvb-y7f6-ykby"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.4"}],"aliases":["CVE-2026-31868","GHSA-v5hf-f4c3-m5rv"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fdqv-3n6r-2fgb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/71319?format=json","vulnerability_id":"VCID-gjus-pwzw-qufs","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.13 and 8.6.26, the LDAP authentication adapter is vulnerable to LDAP injection. User-supplied input (authData.id) is interpolated directly into LDAP Distinguished Names (DN) and group search filters without escaping special characters. This allows an attacker with valid LDAP credentials to manipulate the bind DN structure and to bypass group membership checks. This enables privilege escalation from any authenticated LDAP user to a member of any restricted group. The vulnerability affects Parse Server deployments that use the LDAP authentication adapter with group-based access control. This vulnerability is fixed in 9.5.2-alpha.13 and 8.6.26.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31828","reference_id":"","reference_type":"","scores":[{"value":"0.00164","scoring_system":"epss","scoring_elements":"0.37245","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00164","scoring_system":"epss","scoring_elements":"0.37433","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00164","scoring_system":"epss","scoring_elements":"0.37423","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00164","scoring_system":"epss","scoring_elements":"0.37447","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31828"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/8.6.26","reference_id":"8.6.26","reference_type":"","scores":[{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:51:50Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/8.6.26"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.13","reference_id":"9.5.2-alpha.13","reference_type":"","scores":[{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:51:50Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.13"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31828","reference_id":"CVE-2026-31828","reference_type":"","scores":[{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31828"},{"reference_url":"https://github.com/advisories/GHSA-7m6r-fhh7-r47c","reference_id":"GHSA-7m6r-fhh7-r47c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7m6r-fhh7-r47c"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-7m6r-fhh7-r47c","reference_id":"GHSA-7m6r-fhh7-r47c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:51:50Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-7m6r-fhh7-r47c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40664?format=json","purl":"pkg:npm/parse-server@9.5.2-alpha.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13fb-z2vs-83hu"},{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-1y9a-gb1j-ufdu"},{"vulnerability":"VCID-262h-v1yd-tfc9"},{"vulnerability":"VCID-2fzy-ajnc-fbf9"},{"vulnerability":"VCID-2qbc-paq8-2fgn"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-53r7-9knw-u7bd"},{"vulnerability":"VCID-5bbt-8378-17d1"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-bpp2-r2wr-vkf6"},{"vulnerability":"VCID-ca2c-skt8-mqau"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e7pg-sdu5-mkhh"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-ee1t-31wz-ufbw"},{"vulnerability":"VCID-evdb-d9ew-pbfq"},{"vulnerability":"VCID-fdqv-3n6r-2fgb"},{"vulnerability":"VCID-g9b7-r5ry-mybm"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hbms-u2mt-jyhn"},{"vulnerability":"VCID-hh7p-ae88-z3fs"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-j3ba-adds-muay"},{"vulnerability":"VCID-j6sw-ak9p-nyhc"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-qybe-rg1s-6kau"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-s2mj-yppn-ckaa"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-xrz4-1vpd-2qeg"},{"vulnerability":"VCID-zrvb-y7f6-ykby"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.13"}],"aliases":["CVE-2026-31828","GHSA-7m6r-fhh7-r47c"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gjus-pwzw-qufs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/71291?format=json","vulnerability_id":"VCID-jh6w-1y2k-27de","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.12 and 8.6.25, the _GraphQLConfig and _Audience internal classes can be read, modified, and deleted via the generic /classes/_GraphQLConfig and /classes/_Audience REST API routes without master key authentication. This bypasses the master key enforcement that exists on the dedicated /graphql-config and /push_audiences endpoints. An attacker can read, modify and delete GraphQL configuration and push audience data. This vulnerability is fixed in 9.5.2-alpha.12 and 8.6.25.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31800","reference_id":"","reference_type":"","scores":[{"value":"0.00106","scoring_system":"epss","scoring_elements":"0.28361","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00106","scoring_system":"epss","scoring_elements":"0.2837","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00106","scoring_system":"epss","scoring_elements":"0.28346","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00106","scoring_system":"epss","scoring_elements":"0.2815","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31800"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/8.6.25","reference_id":"8.6.25","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:53:42Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/8.6.25"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.12","reference_id":"9.5.2-alpha.12","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:53:42Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.12"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31800","reference_id":"CVE-2026-31800","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31800"},{"reference_url":"https://github.com/advisories/GHSA-7xg7-rqf6-pw6c","reference_id":"GHSA-7xg7-rqf6-pw6c","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7xg7-rqf6-pw6c"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-7xg7-rqf6-pw6c","reference_id":"GHSA-7xg7-rqf6-pw6c","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:53:42Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-7xg7-rqf6-pw6c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40661?format=json","purl":"pkg:npm/parse-server@9.5.2-alpha.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13fb-z2vs-83hu"},{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-1y9a-gb1j-ufdu"},{"vulnerability":"VCID-262h-v1yd-tfc9"},{"vulnerability":"VCID-2fzy-ajnc-fbf9"},{"vulnerability":"VCID-2qbc-paq8-2fgn"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-53r7-9knw-u7bd"},{"vulnerability":"VCID-5bbt-8378-17d1"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-bpp2-r2wr-vkf6"},{"vulnerability":"VCID-ca2c-skt8-mqau"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e7pg-sdu5-mkhh"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-ee1t-31wz-ufbw"},{"vulnerability":"VCID-evdb-d9ew-pbfq"},{"vulnerability":"VCID-fdqv-3n6r-2fgb"},{"vulnerability":"VCID-g9b7-r5ry-mybm"},{"vulnerability":"VCID-gjus-pwzw-qufs"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hbms-u2mt-jyhn"},{"vulnerability":"VCID-hh7p-ae88-z3fs"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-j3ba-adds-muay"},{"vulnerability":"VCID-j6sw-ak9p-nyhc"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-qybe-rg1s-6kau"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-s2mj-yppn-ckaa"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-xrz4-1vpd-2qeg"},{"vulnerability":"VCID-zrvb-y7f6-ykby"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.12"}],"aliases":["CVE-2026-31800","GHSA-7xg7-rqf6-pw6c"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jh6w-1y2k-27de"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66452?format=json","vulnerability_id":"VCID-pkkz-wwqa-1ufw","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.7 and 8.6.20, Parse Server's internal tables, which store Relation field mappings such as role memberships, can be directly accessed via the REST API or GraphQL API by any client using only the application key. No master key is required. An attacker can create, read, update, or delete records in any internal relationship table. Exploiting this allows the attacker to inject themselves into any Parse Role, gaining all permissions associated with that role, including full read, write, and delete access to classes protected by role-based Class-Level Permissions (CLP). Similarly, writing to any such table that backs a Relation field used in a pointerFields CLP bypasses that access control. This vulnerability is fixed in 9.5.2-alpha.7 and 8.6.20.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30966","reference_id":"","reference_type":"","scores":[{"value":"0.00064","scoring_system":"epss","scoring_elements":"0.20328","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00064","scoring_system":"epss","scoring_elements":"0.20305","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00064","scoring_system":"epss","scoring_elements":"0.20308","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00064","scoring_system":"epss","scoring_elements":"0.20132","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30966"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/8.6.20","reference_id":"8.6.20","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-11T14:31:08Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/8.6.20"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.7","reference_id":"9.5.2-alpha.7","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-11T14:31:08Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30966","reference_id":"CVE-2026-30966","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30966"},{"reference_url":"https://github.com/advisories/GHSA-5f92-jrq3-28rc","reference_id":"GHSA-5f92-jrq3-28rc","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5f92-jrq3-28rc"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-5f92-jrq3-28rc","reference_id":"GHSA-5f92-jrq3-28rc","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-11T14:31:08Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-5f92-jrq3-28rc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40654?format=json","purl":"pkg:npm/parse-server@9.5.2-alpha.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13fb-z2vs-83hu"},{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-1y9a-gb1j-ufdu"},{"vulnerability":"VCID-262h-v1yd-tfc9"},{"vulnerability":"VCID-2fzy-ajnc-fbf9"},{"vulnerability":"VCID-2qbc-paq8-2fgn"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-2syy-yyte-nug4"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-53r7-9knw-u7bd"},{"vulnerability":"VCID-5bbt-8378-17d1"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-bpp2-r2wr-vkf6"},{"vulnerability":"VCID-ca2c-skt8-mqau"},{"vulnerability":"VCID-caj3-ujpk-hba5"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e7pg-sdu5-mkhh"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-ee1t-31wz-ufbw"},{"vulnerability":"VCID-evdb-d9ew-pbfq"},{"vulnerability":"VCID-fdqv-3n6r-2fgb"},{"vulnerability":"VCID-g9b7-r5ry-mybm"},{"vulnerability":"VCID-gjus-pwzw-qufs"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hbms-u2mt-jyhn"},{"vulnerability":"VCID-hh7p-ae88-z3fs"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-j3ba-adds-muay"},{"vulnerability":"VCID-j6sw-ak9p-nyhc"},{"vulnerability":"VCID-jh6w-1y2k-27de"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-qybe-rg1s-6kau"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-s2mj-yppn-ckaa"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-wtbe-kc8y-77dk"},{"vulnerability":"VCID-xrz4-1vpd-2qeg"},{"vulnerability":"VCID-zrvb-y7f6-ykby"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.7"}],"aliases":["CVE-2026-30966","GHSA-5f92-jrq3-28rc"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pkkz-wwqa-1ufw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/71476?format=json","vulnerability_id":"VCID-qybe-rg1s-6kau","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.5 and 8.6.31, a SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation (e.g., stats.counter). The sub-key name is interpolated directly into SQL string literals without escaping. An attacker who can send write requests to the Parse Server REST API can inject arbitrary SQL via a crafted sub-key name containing single quotes, potentially executing commands or reading data from the database, bypassing CLPs and ACLs. Only Postgres deployments are affected. This vulnerability is fixed in 9.6.0-alpha.5 and 8.6.31.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31871","reference_id":"","reference_type":"","scores":[{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13399","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13424","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13419","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13311","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31871"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/8.6.31","reference_id":"8.6.31","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:09:48Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/8.6.31"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.5","reference_id":"9.6.0-alpha.5","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:09:48Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.5"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31871","reference_id":"CVE-2026-31871","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31871"},{"reference_url":"https://github.com/advisories/GHSA-gqpp-xgvh-9h7h","reference_id":"GHSA-gqpp-xgvh-9h7h","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gqpp-xgvh-9h7h"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-gqpp-xgvh-9h7h","reference_id":"GHSA-gqpp-xgvh-9h7h","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:09:48Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-gqpp-xgvh-9h7h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40689?format=json","purl":"pkg:npm/parse-server@9.6.0-alpha.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13fb-z2vs-83hu"},{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-1y9a-gb1j-ufdu"},{"vulnerability":"VCID-2fzy-ajnc-fbf9"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-53r7-9knw-u7bd"},{"vulnerability":"VCID-5bbt-8378-17d1"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-bpp2-r2wr-vkf6"},{"vulnerability":"VCID-ca2c-skt8-mqau"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e7pg-sdu5-mkhh"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-ee1t-31wz-ufbw"},{"vulnerability":"VCID-evdb-d9ew-pbfq"},{"vulnerability":"VCID-g9b7-r5ry-mybm"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hbms-u2mt-jyhn"},{"vulnerability":"VCID-hh7p-ae88-z3fs"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-j3ba-adds-muay"},{"vulnerability":"VCID-j6sw-ak9p-nyhc"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-s2mj-yppn-ckaa"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-xrz4-1vpd-2qeg"},{"vulnerability":"VCID-zrvb-y7f6-ykby"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.5"}],"aliases":["CVE-2026-31871","GHSA-gqpp-xgvh-9h7h"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qybe-rg1s-6kau"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66426?format=json","vulnerability_id":"VCID-rbax-edn6-d3aw","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint (GET /files/:appId/metadata/:filename) does not enforce beforeFind / afterFind file triggers. When these triggers are used as access-control gates, the metadata endpoint bypasses them entirely, allowing unauthorized access to file metadata. This issue has been patched in versions 8.6.9 and 9.5.0-alpha.9.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30850","reference_id":"","reference_type":"","scores":[{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06191","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06161","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06172","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.0618","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30850"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30850","reference_id":"CVE-2026-30850","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30850"},{"reference_url":"https://github.com/advisories/GHSA-hwx8-q9cg-mqmc","reference_id":"GHSA-hwx8-q9cg-mqmc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hwx8-q9cg-mqmc"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-hwx8-q9cg-mqmc","reference_id":"GHSA-hwx8-q9cg-mqmc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T17:38:46Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-hwx8-q9cg-mqmc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40402?format=json","purl":"pkg:npm/parse-server@9.5.0-alpha.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13fb-z2vs-83hu"},{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-14sg-981y-pbdx"},{"vulnerability":"VCID-1y9a-gb1j-ufdu"},{"vulnerability":"VCID-22pk-5s6t-ufaw"},{"vulnerability":"VCID-262h-v1yd-tfc9"},{"vulnerability":"VCID-2fzy-ajnc-fbf9"},{"vulnerability":"VCID-2qbc-paq8-2fgn"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-2syy-yyte-nug4"},{"vulnerability":"VCID-2t98-yfws-zfgn"},{"vulnerability":"VCID-383v-s4c7-6bfu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-53r7-9knw-u7bd"},{"vulnerability":"VCID-5bbt-8378-17d1"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-8cct-wkqq-nqdm"},{"vulnerability":"VCID-bpp2-r2wr-vkf6"},{"vulnerability":"VCID-brgs-d2uu-a7bt"},{"vulnerability":"VCID-bzw6-4m1j-6fe2"},{"vulnerability":"VCID-ca2c-skt8-mqau"},{"vulnerability":"VCID-caj3-ujpk-hba5"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dmkx-64cw-67ae"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e7pg-sdu5-mkhh"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-ee1t-31wz-ufbw"},{"vulnerability":"VCID-evdb-d9ew-pbfq"},{"vulnerability":"VCID-fdqv-3n6r-2fgb"},{"vulnerability":"VCID-g9b7-r5ry-mybm"},{"vulnerability":"VCID-gjus-pwzw-qufs"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hbms-u2mt-jyhn"},{"vulnerability":"VCID-hh7p-ae88-z3fs"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-j3ba-adds-muay"},{"vulnerability":"VCID-j6sw-ak9p-nyhc"},{"vulnerability":"VCID-jh6w-1y2k-27de"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-pkkz-wwqa-1ufw"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-qybe-rg1s-6kau"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-ryzc-v8ju-zbcd"},{"vulnerability":"VCID-s2mj-yppn-ckaa"},{"vulnerability":"VCID-smga-c628-mucb"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-wtbe-kc8y-77dk"},{"vulnerability":"VCID-xrz4-1vpd-2qeg"},{"vulnerability":"VCID-yup6-6p9f-n7bu"},{"vulnerability":"VCID-zrvb-y7f6-ykby"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.0-alpha.9"}],"aliases":["CVE-2026-30850","GHSA-hwx8-q9cg-mqmc"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rbax-edn6-d3aw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/71429?format=json","vulnerability_id":"VCID-rr98-m4bd-dqhf","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.34 and 9.6.0-alpha.8, the email verification endpoint (/verificationEmailRequest) returns distinct error responses depending on whether an email address belongs to an existing user, is already verified, or does not exist. An attacker can send requests with different email addresses and observe the error codes to determine which email addresses are registered in the application. This is a user enumeration vulnerability that affects any Parse Server deployment with email verification enabled (verifyUserEmails: true). This vulnerability is fixed in 8.6.34 and 9.6.0-alpha.8.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31901","reference_id":"","reference_type":"","scores":[{"value":"0.00044","scoring_system":"epss","scoring_elements":"0.14167","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00044","scoring_system":"epss","scoring_elements":"0.14192","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00044","scoring_system":"epss","scoring_elements":"0.14195","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00044","scoring_system":"epss","scoring_elements":"0.14077","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31901"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/8.6.34","reference_id":"8.6.34","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:01:34Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/8.6.34"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.8","reference_id":"9.6.0-alpha.8","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:01:34Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31901","reference_id":"CVE-2026-31901","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31901"},{"reference_url":"https://github.com/advisories/GHSA-w54v-hf9p-8856","reference_id":"GHSA-w54v-hf9p-8856","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w54v-hf9p-8856"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-w54v-hf9p-8856","reference_id":"GHSA-w54v-hf9p-8856","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:01:34Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-w54v-hf9p-8856"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40694?format=json","purl":"pkg:npm/parse-server@9.6.0-alpha.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13fb-z2vs-83hu"},{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-1y9a-gb1j-ufdu"},{"vulnerability":"VCID-2fzy-ajnc-fbf9"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-53r7-9knw-u7bd"},{"vulnerability":"VCID-5bbt-8378-17d1"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-bpp2-r2wr-vkf6"},{"vulnerability":"VCID-ca2c-skt8-mqau"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e7pg-sdu5-mkhh"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-ee1t-31wz-ufbw"},{"vulnerability":"VCID-evdb-d9ew-pbfq"},{"vulnerability":"VCID-g9b7-r5ry-mybm"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hbms-u2mt-jyhn"},{"vulnerability":"VCID-hh7p-ae88-z3fs"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-j3ba-adds-muay"},{"vulnerability":"VCID-j6sw-ak9p-nyhc"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-s2mj-yppn-ckaa"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-zrvb-y7f6-ykby"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.8"}],"aliases":["CVE-2026-31901","GHSA-w54v-hf9p-8856"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rr98-m4bd-dqhf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66316?format=json","vulnerability_id":"VCID-ryzc-v8ju-zbcd","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.10 and 9.5.0-alpha.11, the Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter's audience configuration option is not set (clientId for Google/Apple, appIds for Facebook), JWT verification silently skips audience claim validation. This allows an attacker to use a validly signed JWT issued for a different application to authenticate as any user on the target Parse Server. This issue has been patched in versions 8.6.10 and 9.5.0-alpha.11.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30863","reference_id":"","reference_type":"","scores":[{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10493","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10523","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10547","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30863"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30863","reference_id":"CVE-2026-30863","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30863"},{"reference_url":"https://github.com/advisories/GHSA-x6fw-778m-wr9v","reference_id":"GHSA-x6fw-778m-wr9v","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x6fw-778m-wr9v"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-x6fw-778m-wr9v","reference_id":"GHSA-x6fw-778m-wr9v","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-09T16:43:47Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-x6fw-778m-wr9v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40406?format=json","purl":"pkg:npm/parse-server@9.5.0-alpha.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13fb-z2vs-83hu"},{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-1y9a-gb1j-ufdu"},{"vulnerability":"VCID-22pk-5s6t-ufaw"},{"vulnerability":"VCID-262h-v1yd-tfc9"},{"vulnerability":"VCID-2fzy-ajnc-fbf9"},{"vulnerability":"VCID-2qbc-paq8-2fgn"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-2syy-yyte-nug4"},{"vulnerability":"VCID-2t98-yfws-zfgn"},{"vulnerability":"VCID-383v-s4c7-6bfu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-53r7-9knw-u7bd"},{"vulnerability":"VCID-5bbt-8378-17d1"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-8cct-wkqq-nqdm"},{"vulnerability":"VCID-bpp2-r2wr-vkf6"},{"vulnerability":"VCID-brgs-d2uu-a7bt"},{"vulnerability":"VCID-bzw6-4m1j-6fe2"},{"vulnerability":"VCID-ca2c-skt8-mqau"},{"vulnerability":"VCID-caj3-ujpk-hba5"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dmkx-64cw-67ae"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e7pg-sdu5-mkhh"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-ee1t-31wz-ufbw"},{"vulnerability":"VCID-evdb-d9ew-pbfq"},{"vulnerability":"VCID-fdqv-3n6r-2fgb"},{"vulnerability":"VCID-g9b7-r5ry-mybm"},{"vulnerability":"VCID-gjus-pwzw-qufs"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hbms-u2mt-jyhn"},{"vulnerability":"VCID-hh7p-ae88-z3fs"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-j3ba-adds-muay"},{"vulnerability":"VCID-j6sw-ak9p-nyhc"},{"vulnerability":"VCID-jh6w-1y2k-27de"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-pkkz-wwqa-1ufw"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-qybe-rg1s-6kau"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-s2mj-yppn-ckaa"},{"vulnerability":"VCID-smga-c628-mucb"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-wtbe-kc8y-77dk"},{"vulnerability":"VCID-xrz4-1vpd-2qeg"},{"vulnerability":"VCID-yup6-6p9f-n7bu"},{"vulnerability":"VCID-zrvb-y7f6-ykby"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.0-alpha.11"}],"aliases":["CVE-2026-30863","GHSA-x6fw-778m-wr9v"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ryzc-v8ju-zbcd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66600?format=json","vulnerability_id":"VCID-u6cq-nd7b-vucm","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0-alpha.8, the PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured pagesPath directory. The boundary check uses a string prefix comparison without enforcing a directory separator boundary. An attacker can use path traversal sequences to access files in sibling directories whose names share the same prefix as the pages directory (e.g. pages-secret starts with pages). This issue has been patched in versions 8.6.8 and 9.5.0-alpha.8.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30848","reference_id":"","reference_type":"","scores":[{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06485","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06454","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06473","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06466","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30848"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30848","reference_id":"CVE-2026-30848","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30848"},{"reference_url":"https://github.com/advisories/GHSA-hm3f-q6rw-m6wh","reference_id":"GHSA-hm3f-q6rw-m6wh","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hm3f-q6rw-m6wh"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-hm3f-q6rw-m6wh","reference_id":"GHSA-hm3f-q6rw-m6wh","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T17:38:49Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-hm3f-q6rw-m6wh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40397?format=json","purl":"pkg:npm/parse-server@9.5.0-alpha.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13fb-z2vs-83hu"},{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-14sg-981y-pbdx"},{"vulnerability":"VCID-1y9a-gb1j-ufdu"},{"vulnerability":"VCID-22pk-5s6t-ufaw"},{"vulnerability":"VCID-262h-v1yd-tfc9"},{"vulnerability":"VCID-2fzy-ajnc-fbf9"},{"vulnerability":"VCID-2qbc-paq8-2fgn"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-2syy-yyte-nug4"},{"vulnerability":"VCID-2t98-yfws-zfgn"},{"vulnerability":"VCID-383v-s4c7-6bfu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-53r7-9knw-u7bd"},{"vulnerability":"VCID-5bbt-8378-17d1"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-8cct-wkqq-nqdm"},{"vulnerability":"VCID-bpp2-r2wr-vkf6"},{"vulnerability":"VCID-brgs-d2uu-a7bt"},{"vulnerability":"VCID-bzw6-4m1j-6fe2"},{"vulnerability":"VCID-ca2c-skt8-mqau"},{"vulnerability":"VCID-caj3-ujpk-hba5"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dmkx-64cw-67ae"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e7pg-sdu5-mkhh"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-ee1t-31wz-ufbw"},{"vulnerability":"VCID-evdb-d9ew-pbfq"},{"vulnerability":"VCID-fdqv-3n6r-2fgb"},{"vulnerability":"VCID-g9b7-r5ry-mybm"},{"vulnerability":"VCID-gjus-pwzw-qufs"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hbms-u2mt-jyhn"},{"vulnerability":"VCID-hh7p-ae88-z3fs"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-j3ba-adds-muay"},{"vulnerability":"VCID-j6sw-ak9p-nyhc"},{"vulnerability":"VCID-jh6w-1y2k-27de"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-pkkz-wwqa-1ufw"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-qybe-rg1s-6kau"},{"vulnerability":"VCID-rbax-edn6-d3aw"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-ryzc-v8ju-zbcd"},{"vulnerability":"VCID-s2mj-yppn-ckaa"},{"vulnerability":"VCID-smga-c628-mucb"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-wtbe-kc8y-77dk"},{"vulnerability":"VCID-xrz4-1vpd-2qeg"},{"vulnerability":"VCID-yup6-6p9f-n7bu"},{"vulnerability":"VCID-zrvb-y7f6-ykby"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.0-alpha.8"}],"aliases":["CVE-2026-30848","GHSA-hm3f-q6rw-m6wh"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u6cq-nd7b-vucm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/71323?format=json","vulnerability_id":"VCID-w175-44z9-c3h5","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.7 and 8.6.33, when multi-factor authentication (MFA) via TOTP is enabled for a user account, Parse Server generates two single-use recovery codes. These codes are intended as a fallback when the user cannot provide a TOTP token. However, recovery codes are not consumed after use, allowing the same recovery code to be used an unlimited number of times. This defeats the single-use design of recovery codes and weakens the security of MFA-protected accounts. An attacker who obtains a single recovery code can repeatedly authenticate as the affected user without the code ever being invalidated. This vulnerability is fixed in 9.6.0-alpha.7 and 8.6.33.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31875","reference_id":"","reference_type":"","scores":[{"value":"0.00139","scoring_system":"epss","scoring_elements":"0.33864","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00139","scoring_system":"epss","scoring_elements":"0.33889","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00139","scoring_system":"epss","scoring_elements":"0.33867","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00139","scoring_system":"epss","scoring_elements":"0.33687","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31875"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/8.6.33","reference_id":"8.6.33","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:06:08Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/8.6.33"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.7","reference_id":"9.6.0-alpha.7","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:06:08Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31875","reference_id":"CVE-2026-31875","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31875"},{"reference_url":"https://github.com/advisories/GHSA-4hf6-3x24-c9m8","reference_id":"GHSA-4hf6-3x24-c9m8","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4hf6-3x24-c9m8"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-4hf6-3x24-c9m8","reference_id":"GHSA-4hf6-3x24-c9m8","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:06:08Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-4hf6-3x24-c9m8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40692?format=json","purl":"pkg:npm/parse-server@9.6.0-alpha.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13fb-z2vs-83hu"},{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-1y9a-gb1j-ufdu"},{"vulnerability":"VCID-2fzy-ajnc-fbf9"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-53r7-9knw-u7bd"},{"vulnerability":"VCID-5bbt-8378-17d1"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-bpp2-r2wr-vkf6"},{"vulnerability":"VCID-ca2c-skt8-mqau"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e7pg-sdu5-mkhh"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-ee1t-31wz-ufbw"},{"vulnerability":"VCID-evdb-d9ew-pbfq"},{"vulnerability":"VCID-g9b7-r5ry-mybm"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hbms-u2mt-jyhn"},{"vulnerability":"VCID-hh7p-ae88-z3fs"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-j3ba-adds-muay"},{"vulnerability":"VCID-j6sw-ak9p-nyhc"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-s2mj-yppn-ckaa"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-zrvb-y7f6-ykby"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.7"}],"aliases":["CVE-2026-31875","GHSA-4hf6-3x24-c9m8"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w175-44z9-c3h5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66569?format=json","vulnerability_id":"VCID-wtbe-kc8y-77dk","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.9. and 8.6.22, the OAuth2 authentication adapter, when configured without the useridField option, only verifies that a token is active via the provider's token introspection endpoint, but does not verify that the token belongs to the user identified by authData.id. An attacker with any valid OAuth2 token from the same provider can authenticate as any other user. This affects any Parse Server deployment that uses the generic OAuth2 authentication adapter (configured with oauth2: true) without setting the useridField option. This vulnerability is fixed in 9.5.2-alpha.9. and 8.6.22.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30967","reference_id":"","reference_type":"","scores":[{"value":"0.00127","scoring_system":"epss","scoring_elements":"0.31865","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00127","scoring_system":"epss","scoring_elements":"0.31848","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00127","scoring_system":"epss","scoring_elements":"0.3166","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30967"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/8.6.22","reference_id":"8.6.22","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:24:03Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/8.6.22"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.9","reference_id":"9.5.2-alpha.9","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:24:03Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.9"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30967","reference_id":"CVE-2026-30967","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30967"},{"reference_url":"https://github.com/advisories/GHSA-fr88-w35c-r596","reference_id":"GHSA-fr88-w35c-r596","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fr88-w35c-r596"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-fr88-w35c-r596","reference_id":"GHSA-fr88-w35c-r596","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:24:03Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-fr88-w35c-r596"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40655?format=json","purl":"pkg:npm/parse-server@9.5.2-alpha.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13fb-z2vs-83hu"},{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-1y9a-gb1j-ufdu"},{"vulnerability":"VCID-262h-v1yd-tfc9"},{"vulnerability":"VCID-2fzy-ajnc-fbf9"},{"vulnerability":"VCID-2qbc-paq8-2fgn"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-53r7-9knw-u7bd"},{"vulnerability":"VCID-5bbt-8378-17d1"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-bpp2-r2wr-vkf6"},{"vulnerability":"VCID-ca2c-skt8-mqau"},{"vulnerability":"VCID-caj3-ujpk-hba5"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e7pg-sdu5-mkhh"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-ee1t-31wz-ufbw"},{"vulnerability":"VCID-evdb-d9ew-pbfq"},{"vulnerability":"VCID-fdqv-3n6r-2fgb"},{"vulnerability":"VCID-g9b7-r5ry-mybm"},{"vulnerability":"VCID-gjus-pwzw-qufs"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hbms-u2mt-jyhn"},{"vulnerability":"VCID-hh7p-ae88-z3fs"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-j3ba-adds-muay"},{"vulnerability":"VCID-j6sw-ak9p-nyhc"},{"vulnerability":"VCID-jh6w-1y2k-27de"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-qybe-rg1s-6kau"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-s2mj-yppn-ckaa"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-xrz4-1vpd-2qeg"},{"vulnerability":"VCID-zrvb-y7f6-ykby"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.5.2-alpha.9"}],"aliases":["CVE-2026-30967","GHSA-fr88-w35c-r596"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wtbe-kc8y-77dk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/71277?format=json","vulnerability_id":"VCID-xrz4-1vpd-2qeg","summary":"Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.6 and 8.6.32, the protectedFields class-level permission (CLP) can be bypassed using dot-notation in query WHERE clauses and sort parameters. An attacker can use dot-notation to query or sort by sub-fields of a protected field, enabling a binary oracle attack to enumerate protected field values. This affects both MongoDB and PostgreSQL deployments. This vulnerability is fixed in 9.6.0-alpha.6 and 8.6.32.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31872","reference_id":"","reference_type":"","scores":[{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15691","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15723","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15709","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.1557","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31872"},{"reference_url":"https://github.com/parse-community/parse-server","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parse-community/parse-server"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/8.6.32","reference_id":"8.6.32","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:09:09Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/8.6.32"},{"reference_url":"https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.6","reference_id":"9.6.0-alpha.6","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:09:09Z/"}],"url":"https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31872","reference_id":"CVE-2026-31872","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31872"},{"reference_url":"https://github.com/advisories/GHSA-r2m8-pxm9-9c4g","reference_id":"GHSA-r2m8-pxm9-9c4g","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r2m8-pxm9-9c4g"},{"reference_url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-r2m8-pxm9-9c4g","reference_id":"GHSA-r2m8-pxm9-9c4g","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:09:09Z/"}],"url":"https://github.com/parse-community/parse-server/security/advisories/GHSA-r2m8-pxm9-9c4g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40691?format=json","purl":"pkg:npm/parse-server@9.6.0-alpha.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13fb-z2vs-83hu"},{"vulnerability":"VCID-14fp-bjdd-uffh"},{"vulnerability":"VCID-1y9a-gb1j-ufdu"},{"vulnerability":"VCID-2fzy-ajnc-fbf9"},{"vulnerability":"VCID-2rxm-qxur-9ygu"},{"vulnerability":"VCID-49m3-j488-yqes"},{"vulnerability":"VCID-53r7-9knw-u7bd"},{"vulnerability":"VCID-5bbt-8378-17d1"},{"vulnerability":"VCID-7jbf-hw56-9bcx"},{"vulnerability":"VCID-bpp2-r2wr-vkf6"},{"vulnerability":"VCID-ca2c-skt8-mqau"},{"vulnerability":"VCID-cbrh-vg1p-3ua7"},{"vulnerability":"VCID-dhkw-d15h-rkb5"},{"vulnerability":"VCID-dyd6-6yy1-hyhn"},{"vulnerability":"VCID-e7pg-sdu5-mkhh"},{"vulnerability":"VCID-e84c-36en-wqaa"},{"vulnerability":"VCID-ee1t-31wz-ufbw"},{"vulnerability":"VCID-evdb-d9ew-pbfq"},{"vulnerability":"VCID-g9b7-r5ry-mybm"},{"vulnerability":"VCID-gngn-8vy6-bkg7"},{"vulnerability":"VCID-hbms-u2mt-jyhn"},{"vulnerability":"VCID-hh7p-ae88-z3fs"},{"vulnerability":"VCID-hs5q-jk5r-7ya8"},{"vulnerability":"VCID-j3ba-adds-muay"},{"vulnerability":"VCID-j6sw-ak9p-nyhc"},{"vulnerability":"VCID-mdgb-p4u1-uud5"},{"vulnerability":"VCID-mm7p-maf1-eyhq"},{"vulnerability":"VCID-mxgt-92ep-73fj"},{"vulnerability":"VCID-n4s7-6vvk-skfz"},{"vulnerability":"VCID-n5mt-eebx-zbcf"},{"vulnerability":"VCID-nqev-h9w8-pudy"},{"vulnerability":"VCID-nt51-v9gk-w3e8"},{"vulnerability":"VCID-q59u-ywkn-wbfw"},{"vulnerability":"VCID-rr98-m4bd-dqhf"},{"vulnerability":"VCID-s2mj-yppn-ckaa"},{"vulnerability":"VCID-tuts-aegs-r7e7"},{"vulnerability":"VCID-vmwk-3myb-u7ds"},{"vulnerability":"VCID-w175-44z9-c3h5"},{"vulnerability":"VCID-wqxc-qnu8-q7d7"},{"vulnerability":"VCID-zrvb-y7f6-ykby"},{"vulnerability":"VCID-zx4t-zth8-7fe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.6.0-alpha.6"}],"aliases":["CVE-2026-31872","GHSA-r2m8-pxm9-9c4g"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xrz4-1vpd-2qeg"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/parse-server@9.0.0-alpha.3"}